From owner-freebsd-security Sun Jul 9 12:08:02 1995
From: Julian Howard Stacey
Date: Sun, 9 Jul 1995 13:17:59 +0200
To: security@freebsd.org
Subject: Byet April 95 no ref to screennd
Message-Id: <199507091117.NAA05627@vector.eikon.e-technik.tu-muenchen.de>

FYI

In Byte Mag. April 95 P.96 Col 2 Para 2:
"A version of DECs screennd kernel screening software is avail.
for BSD386, NetBSD, & BSDI"
No mention of FreeBSD tho'
Author was 5051339@mcimail.com John Bryan

Julian S

From owner-freebsd-security Sun Jul 9 12:21:06 1995
From: Pete Kruckenberg
Date: Sun, 9 Jul 1995 13:20:45 -0600 (MDT)
To: Julian Howard Stacey
Cc: security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd
In-Reply-To: <199507091117.NAA05627@vector.eikon.e-technik.tu-muenchen.de>

On Sun, 9 Jul 1995, Julian Howard Stacey wrote:

> In Byte Mag. April 95 P.96 Col 2 Para 2:
> "A version of DECs screennd kernel screening software is avail.
> for BSD386, NetBSD, & BSDI"
> No mention of FreeBSD tho'
> Author was 5051339@mcimail.com John Bryan

Any mention of where to get it? If it's available for these, it should
compile with little or no modification on FreeBSD.

Pete Kruckenberg
pete@dsw.com

From owner-freebsd-security Sun Jul 9 12:58:37 1995
From: "Julian Stacey"
Date: Sun, 9 Jul 1995 21:50:46 +0200
To: Pete Kruckenberg
Cc: security@freebsd.org, 5051339@mcimail.com
Subject: Re: Byet April 95 no ref to screennd
Message-Id: <199507091950.VAA22517@vector.eikon.e-technik.tu-muenchen.de>
In-reply-to: Your message of "Sun, 09 Jul 1995 21:20:45 +0200."

> Any mention of where to get it? If it's available for these, it should
> compile with little or no modification on FreeBSD.
> Author was 5051339@mcimail.com John Bryan

No, none that I saw, why not ask 5051339@mcimail.com John Bryan
(who I've just cc'd :-)

Julian S
jhs@freebsd.org

From owner-freebsd-security Sun Jul 9 13:20:29 1995
From: Tom Samplonius
Date: Sun, 9 Jul 1995 13:21:09 -0700 (PDT)
To: Pete Kruckenberg
Cc: Julian Howard Stacey, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd

On Sun, 9 Jul 1995, Pete Kruckenberg wrote:

> On Sun, 9 Jul 1995, Julian Howard Stacey wrote:
>
> > In Byte Mag. April 95 P.96 Col 2 Para 2:
> > "A version of DECs screennd kernel screening software is avail.
> > for BSD386, NetBSD, & BSDI"
> > No mention of FreeBSD tho'
> > Author was 5051339@mcimail.com John Bryan
>
> Any mention of where to get it? If it's available for these, it should
> compile with little or no modification on FreeBSD.

screend was discussed on hackers a while ago. Check the archives.

screend is on ftp.vix.com (Paul Vixie's FTP site).

Tom

From owner-freebsd-security Sun Jul 9 16:16:17 1995
From: Nathan Lawson
Date: Sun, 9 Jul 1995 16:16:10 -0700 (PDT)
To: jhs@vector.eikon.e-technik.tu-muenchen.de (Julian Howard Stacey)
Cc: security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd
Message-Id: <199507092316.QAA02069@statler.csc.calpoly.edu>
In-Reply-To: <199507091117.NAA05627@vector.eikon.e-technik.tu-muenchen.de> from "Julian Howard Stacey" at Jul 9, 95 01:17:59 pm

> FYI
> In Byte Mag. April 95 P.96 Col 2 Para 2:
> "A version of DECs screennd kernel screening software is avail.
> for BSD386, NetBSD, & BSDI"
> No mention of FreeBSD tho'
> Author was 5051339@mcimail.com John Bryan

IPFW works great and is equivalent in packet filtering to screend, I assume.
It's included with FreeBSD

--
Nathan Lawson       \ Never let your schooling interfere with your education.
CSL 490/News Admin  \ (805)756-7180 @Work
                    \ "The steady state of disks is full." -- Ken Thompson
---------------------

From owner-freebsd-security Sun Jul 9 18:16:16 1995
From: "Rodney W. Grimes"
Date: Sun, 9 Jul 1995 18:16:00 -0700 (PDT)
To: pete@dsw.com (Pete Kruckenberg)
Cc: jhs@vector.eikon.e-technik.tu-muenchen.de, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd
Message-Id: <199507100116.SAA09765@gndrsh.aac.dev.com>
In-Reply-To: from "Pete Kruckenberg" at Jul 9, 95 01:20:45 pm

>
> On Sun, 9 Jul 1995, Julian Howard Stacey wrote:
>
> > In Byte Mag. April 95 P.96 Col 2 Para 2:
> > "A version of DECs screennd kernel screening software is avail.
> > for BSD386, NetBSD, & BSDI"
> > No mention of FreeBSD tho'
> > Author was 5051339@mcimail.com John Bryan
>
> Any mention of where to get it? If it's available for these, it should
> compile with little or no modification on FreeBSD.
Someone on the core team is working on this, and from other mail on the
hackers list here are the proper pointers:

>From owner-freebsd-hackers@freefall.cdrom.com Mon Apr 17 00:18:42 1995
Message-Id: <9504170711.AA05143@gw.home.vix.com>
X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us
To: Edward Wang
Cc: hackers@freefall.cdrom.com
Subject: Re: DEC screend in core FreeBSD
In-Reply-To: Your message of "Sat, 15 Apr 1995 17:35:14 PDT." <199504160035.RAA14144@edcom.com>
Date: Mon, 17 Apr 1995 00:11:36 -0700
From: Paul A Vixie

The patches that need to be applied to ip_input.c are license-free. The new
files (ip_screen.*, gw_screen.*, screend/*) are all restricted by a DEC
license such that no third party redistribution is permitted. (This is an
improvement over the previous license, let me assure you -- and it's also the
best I was able to get.)

I advise FreeBSD to do as BSD/OS does -- put the patches in, control them
with "#ifdef GWSCREEN" and "options GWSCREEN", and include in your release
notes something about , which is the public screend's official home.

--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                   Reliable computers for FreeBSD

From owner-freebsd-security Sun Jul 9 19:11:03 1995
From: "Rodney W. Grimes"
Date: Sun, 9 Jul 1995 19:11:02 -0700 (PDT)
To: nlawson@statler.csc.calpoly.edu (Nathan Lawson)
Cc: jhs@vector.eikon.e-technik.tu-muenchen.de, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd
Message-Id: <199507100211.TAA09881@gndrsh.aac.dev.com>
In-Reply-To: <199507092316.QAA02069@statler.csc.calpoly.edu> from "Nathan Lawson" at Jul 9, 95 04:16:10 pm

>
> > FYI
> > In Byte Mag. April 95 P.96 Col 2 Para 2:
> > "A version of DECs screennd kernel screening software is avail.
> > for BSD386, NetBSD, & BSDI"
> > No mention of FreeBSD tho'
> > Author was 5051339@mcimail.com John Bryan
>
> IPFW works great and is equivalent in packet filtering to screend, I assume.
> It's included with FreeBSD

Given code review of both I would trust my security to screend over ip_fw
any day. Remember, security code needs to be simple, clean and very clear,
something that ip_fw misses on all 3 points :-(. It may work, but it is very
hard to verify from a security standpoint due to the above 3 things.

--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                   Reliable computers for FreeBSD

From owner-freebsd-security Mon Jul 10 05:28:28 1995
From: "Michael J. Caughey"
Date: Mon, 10 Jul 95 08:18:31 PDT
To: Pete Kruckenberg, Tom Samplonius
Cc: Julian Howard Stacey, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd

> screend was discussed on hackers a while ago. Check the archives.
>
> screend is on ftp.vix.com (Paul Vixie's FTP site).
>

The only problem that I found with screend, is that there is no support for
screend. I tried for a month to work out a deal with the author to get
support. He couldn't guarantee the security of his product, he said his hands
were legally tied. I never found out what kind of product it was. It could
very well be a good firewall. I simply can't rely on a product whose author
can't legally validate its security.

END
------------------------------------------
Name : Michael Caughey    E-mail : mcaughey@mgsinc.com    MGS, Inc.
Phone (804) 379-0230    Richmond, Va    Fax (804) 379-1299
Eastern Daylight Time: 08:18:31 , 07/10/95
------------------------------------------

From owner-freebsd-security Mon Jul 10 08:29:15 1995
From: Paul Traina
Date: Mon, 10 Jul 1995 08:27:28 -0700
To: "Michael J. Caughey"
Cc: Pete Kruckenberg, Tom Samplonius, Julian Howard Stacey, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd
Message-Id: <199507101527.IAA01577@precipice.shockwave.com>
In-reply-to: Your message of "Mon, 10 Jul 1995 08:18:31 PDT."

From: "Michael J. Caughey"
Subject: Re: Byet April 95 no ref to screennd

> > screend was discussed on hackers a while ago. Check the archives.
> >
> > screend is on ftp.vix.com (Paul Vixie's FTP site).
> >
> The only problem that I found with screend, is that there is no support for
> screend. I tried for a month to work out a deal with the author to get
> support. He couldn't guarantee the security of his product, he said his
> hands were legally tied. I never found out what kind of product it was. It
> could very well be a good firewall. I simply can't rely on a product whose
> author can't legally validate its security.

I'd be surprised if you could find -any- firewall package that would
"legally validate its security." An author or company would have to be
positively and absolutely insane to do so, and I'd run away from them as
quickly as possible, because I'd figure if they're that stupid then their
product is probably crap too.

From owner-freebsd-security Mon Jul 10 10:20:02 1995
From: "Michael J. Caughey"
Date: Mon, 10 Jul 95 12:54:37 PDT
To: "Michael J. Caughey", Paul Traina
Cc: Pete Kruckenberg, Tom Samplonius, Julian Howard Stacey, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd

>I'd be surprised if you could find -any- firewall package that would
>"legally validate its security." An author or company would have to
>be positively and absolutely insane to do so, and I'd run away from
>them as quickly as possible, because I'd figure if they're that stupid
>then their product is probably crap too.
>

I can see what you're trying to say. I don't want to get into a heated flame
war here, so let me explain myself. I simply asked if I could purchase the
Product from him, Paul Vixie, and he said he could not legally do so. I never
mentioned "legally validate its security". He said his hands were tied legally
to sell it. When I tried to set up some kind of support plan with him he said,
no problem. Then said he wasn't sure if he could legally do that. Of course
this wasn't definite, but it was left to that about three weeks ago and I have
yet to hear from him. I started talking with him about three or four weeks
prior to that.

As far as selling a product that is secure that is supposed to provide
security, I would expect some sort of legal statement that it can provide some
level of security. Quite obviously, certain limitations would be expectable,
such as if someone got root on your system because you failed to properly
configure it. The level of security I was looking for was to make sure there
were no "BACK DOORS" that someone could use. I don't believe that is too much
to ask for from the author of a product, especially one that is to be part of
your network security. But he said he could not do so.

I'm sorry if you misunderstood me.

END
------------------------------------------
Name : Michael Caughey    E-mail : mcaughey@mgsinc.com    MGS, Inc.
Phone (804) 379-0230    Richmond, Va    Fax (804) 379-1299
Eastern Daylight Time: 12:54:37 , 07/10/95
------------------------------------------

From owner-freebsd-security Mon Jul 10 10:37:41 1995
From: Tom Samplonius
Date: Mon, 10 Jul 1995 10:38:52 -0700 (PDT)
To: "Michael J. Caughey"
Cc: "Michael J. Caughey", Paul Traina, Pete Kruckenberg, Julian Howard Stacey, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd

On Mon, 10 Jul 1995, Michael J. Caughey wrote:

> I can see what you're trying to say. I don't want to get into a heated flame war
> here, so let me explain myself. I simply asked if I could purchase the Product from
> him, Paul Vixie, and he said he could not legally do so. I never mentioned "legally
> validate its security". He said, his hands were tied legally to sell it. When I
> tried to set up some kind of support plan with him he said, no problem. Then said he
> wasn't sure if he could legally do that. Of course this wasn't definite, but it was
> left to that about three weeks ago and I have yet to hear from him. I started talking
> with him about three or four weeks prior to that.

What does this have to do with the security of the screend? That is
just a licensing problem with DEC (who by the way includes screend with
Ultrix and OSF).

Tom

From owner-freebsd-security Mon Jul 10 11:27:16 1995
From: "Michael J. Caughey"
Date: Mon, 10 Jul 95 14:19:09 PDT
To: "Michael J. Caughey", Tom Samplonius
Cc: "Michael J. Caughey", Paul Traina, Pete Kruckenberg, Julian Howard Stacey, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd

> What does this have to do with the security of the screend? That is
>just a licensing problem with DEC (who by the way includes screend with
>Ultrix and OSF).
>
>Tom
>

That's cool. I was not aware that it was actually for sale by anyone. That
was what I was mentioning.
Paul said it was not for sale. Is it for sale for FreeBSD and BSDI's BSD/OS?
If it is not, who's to say what back doors someone might have stuck in it. If
it is then it's on them to ensure that there are no blatant security holes.
Of course I'm not saying they're liable for damage, but their reputation
could be.

END
------------------------------------------
Name : Michael Caughey    E-mail : mcaughey@mgsinc.com    MGS, Inc.
Phone (804) 379-0230    Richmond, Va    Fax (804) 379-1299
Eastern Daylight Time: 14:19:09 , 07/10/95
------------------------------------------

From owner-freebsd-security Mon Jul 10 11:49:06 1995
From: Brant Katkansky
Date: Mon, 10 Jul 1995 11:49:02 -0700 (PDT)
To: security@freebsd.org
Subject: FreeBSD group execute permission
Message-Id: <199507101849.LAA08285@everest>

At my site, I want to be able to have two classes of users: normal users with
access to a full suite of binaries, and restricted users with a limited
selection of binaries. Due to some additional requirements, a chroot
environment is not desirable.

One way I've thought of to do this is to assign all of the restricted users
to group 'restrict' and make all the system bin directories "chgrp restrict"
with no group read or execute permission. In other words:

directory /usr/local/bin    owner=bin    group=restrict    mode=0505

An additional directory with unrestricted binaries would be provided:

directory /usr/local/rbin   owner=bin    group=bin         mode=0555

The users in the restricted group would have no shell or ftp access, so
should not be able to load their own binaries. Access would be provided via
a menu, and only "safe" programs would be allowed.

I've tested this method and it appears to achieve what I want, but I'd like
to know a few things:

* is there a better way?
* are there additional security concerns?

From owner-freebsd-security Mon Jul 10 11:50:10 1995
From: Paul Richards
Date: Mon, 10 Jul 1995 19:49:01 +0100 (BST)
To: pete@dsw.com (Pete Kruckenberg)
Cc: jhs@vector.eikon.e-technik.tu-muenchen.de, security@FreeBSD.org
Subject: Re: Byet April 95 no ref to screennd
Message-Id: <199507101849.TAA02976@server.netcraft.co.uk>
In-Reply-To: from "Pete Kruckenberg" at Jul 9, 95 01:20:45 pm
Reply-to: paul@FreeBSD.org

In reply to Pete Kruckenberg who said
>
> On Sun, 9 Jul 1995, Julian Howard Stacey wrote:
>
> > In Byte Mag. April 95 P.96 Col 2 Para 2:
> > "A version of DECs screennd kernel screening software is avail.
> > for BSD386, NetBSD, & BSDI"
> > No mention of FreeBSD tho'
> > Author was 5051339@mcimail.com John Bryan
>
> Any mention of where to get it? If it's available for these, it should
> compile with little or no modification on FreeBSD.
>

It ports very easily. I've worked on it a bit to the point where I can
compile a kernel and run it. Haven't tested it out much since it's for a
gateway and I'm not running one. I'll try and get around to committing the
necessary kernel hooks sometime soon.

--
Paul Richards, Bluebird Computer Systems. FreeBSD core team member.
Internet: paul@FreeBSD.org, http://www.freebsd.org/~paul
Phone: 0370 462071 (Mobile), +44 1222 457651 (home)

From owner-freebsd-security Mon Jul 10 12:03:30 1995
From: Tom Samplonius
Date: Mon, 10 Jul 1995 12:04:33 -0700 (PDT)
To: "Michael J. Caughey"
Cc: Paul Traina, Pete Kruckenberg, Julian Howard Stacey, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd

On Mon, 10 Jul 1995, Michael J. Caughey wrote:

> > What does this have to do with the security of the screend? That is
> >just a licensing problem with DEC (who by the way includes screend with
> >Ultrix and OSF).
> >
> >Tom
> >
> That's cool. I was not aware that it was actually for sale by anyone. That
> was what I was mentioning. Paul said it was not for sale. Is it for sale for
> FreeBSD and BSDI's BSD/OS? If it is not, who's to say what back doors someone
> might have stuck in it. If it is then it's on them to ensure that there are
> no blatant security holes. Of course I'm not saying they're liable for
> damage, but their reputation could be.

BSDI does not have screend built in. The license is very prohibitive (it was
even worse). However BSDI does have hooks to screend built in, you can just
get the source from ftp.vixie.com and rebuild the kernel.

I'm confused why you think that you must buy something to make sure that no
back doors have been built in?

Tom

From owner-freebsd-security Mon Jul 10 12:41:08 1995
From: Brant Katkansky
Date: Mon, 10 Jul 1995 12:41:03 -0700
To: security@freebsd.org
Subject: Restricted shell?
Message-Id: <199507101941.MAA09406@everest>

Is there a restricted shell available for FreeBSD 2.0.5R?
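Brant Katkansky's two-class layout in the "FreeBSD group execute permission" message above (group restrict on the system bin directories at mode 0505, a separate /usr/local/rbin at 0555) works because of one detail of the POSIX discretionary access check: the kernel selects exactly one permission class for a process (owner, then group, then other) and never falls through to a more permissive class. The Python script below is an added example, not part of this thread and not FreeBSD code; it simulates that check for the proposed directories so the scheme can be reasoned about without root, and adds a small audit that lists every bin directory a restricted user can still execute from. All directories, users and group memberships in it are constructed for illustration; /usr/X11R6/bin stands in for a directory an administrator forgot to chgrp, and the user carol is a hypothetical normal user who was also added to group restrict.

```python
# Added example (not from the mailing-list thread, not FreeBSD code):
# simulate the POSIX permission check for the "group restrict, mode 0505"
# layout. Directories, users and group memberships are all constructed.
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Dir:
    path: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o505


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    groups: frozenset  # primary plus supplementary group names


def class_bits(d: Dir, u: User) -> int:
    """Return the rwx triple that applies to user u on directory d.

    POSIX picks exactly one class: owner if the name matches, otherwise
    group if the user is a member of the directory's group, otherwise
    other. It does not fall through to a more permissive class, which is
    why a group with zero bits can take access away from its members while
    everyone else keeps r-x via the 'other' bits.
    """
    if u.name == d.owner:
        return (d.mode >> 6) & 7
    if d.group in u.groups:
        return (d.mode >> 3) & 7
    return d.mode & 7


def can_exec_from(d: Dir, u: User) -> bool:
    """True if u may search d, i.e. run programs that live in it."""
    if u.uid == 0:
        return True  # root bypasses discretionary access checks entirely
    return bool(class_bits(d, u) & X)


def reachable_bin_dirs(layout, u: User):
    """Every directory in the layout from which u can still execute."""
    return [d.path for d in layout if can_exec_from(d, u)]


def audit_restricted(u: User, layout, allowed=("/usr/local/rbin",)):
    """Directories u can run from beyond the ones intended for restricted users."""
    return [p for p in reachable_bin_dirs(layout, u) if p not in allowed]


# Constructed layout: the two directories from the proposal, the other system
# bin directories the scheme must also cover, and one that was missed.
LAYOUT = [
    Dir("/usr/local/bin", "bin", "restrict", 0o505),
    Dir("/usr/local/rbin", "bin", "bin", 0o555),
    Dir("/bin", "bin", "restrict", 0o505),
    Dir("/usr/bin", "bin", "restrict", 0o505),
    Dir("/usr/X11R6/bin", "bin", "bin", 0o555),  # hypothetical: forgot the chgrp
]

ALICE = User("alice", 1001, frozenset({"users"}))             # normal user
BOB = User("bob", 1002, frozenset({"restrict"}))              # restricted user
CAROL = User("carol", 1003, frozenset({"users", "restrict"}))  # hypothetical mix-up
ROOT = User("root", 0, frozenset({"wheel"}))

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, ROOT):
        print(f"{user.name:6} can exec from: {reachable_bin_dirs(LAYOUT, user)}")
    print("leaks for bob:", audit_restricted(BOB, LAYOUT))
```

Two things the simulation makes visible about Brant's second question. First, the scheme is only as complete as the list of directories it covers: one world-searchable bin directory left out of the chgrp pass, like the constructed /usr/X11R6/bin here, is reachable by restricted users, so the audit should be run against every directory that holds executables. Second, membership in group restrict is decisive regardless of the user's other groups, so a normal user who is added to it by mistake (carol) loses access to the restricted directories just as bob does; root is unaffected by any of the bits.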
From owner-freebsd-security Mon Jul 10 12:47:30 1995
From: Nathan Lawson
Date: Mon, 10 Jul 1995 12:47:26 -0700
To: security@freebsd.org
Subject: nfs auth structure for mountd
Message-Id: <199507101947.MAA03912@statler.csc.calpoly.edu>

Earlier on this list, someone brought up the fact that mountd always relies
on the AUTH_UNIX structure to determine client credentials instead of
checking for a secure port. Has anyone written a patch for mountd to check
the port? I am willing to do so, but it would be way down my list of things
to do.

Thanks
Nate

From owner-freebsd-security Mon Jul 10 12:49:41 1995
From: Nathan Lawson
Date: Mon, 10 Jul 1995 12:49:27 -0700 (PDT)
To: bmk@dtr.com (Brant Katkansky)
Cc: security@freebsd.org
Subject: Re: Restricted shell?
Message-Id: <199507101949.MAA03939@statler.csc.calpoly.edu>
In-Reply-To: <199507101941.MAA09406@everest> from "Brant Katkansky" at Jul 10, 95 12:41:03 pm

> Is there a restricted shell available for FreeBSD 2.0.5R?

If bash is invoked as rbash, it acts like a restricted shell. Be sure to
run it chrooted if security is your concern. (Bash is available in the
ports distribution)

--
Nathan Lawson       \ Never let your schooling interfere with your education.
CSL 490/News Admin  \ (805)756-7180 @Work
                    \ "The steady state of disks is full." -- Ken Thompson
---------------------

From owner-freebsd-security Mon Jul 10 17:47:08 1995
From: Paul Traina
Date: Mon, 10 Jul 1995 17:44:09 -0700
To: "Michael J. Caughey"
Cc: Pete Kruckenberg, Tom Samplonius, Julian Howard Stacey, security@freebsd.org
Subject: Re: Byet April 95 no ref to screennd
Message-Id: <199507110044.RAA02743@precipice.shockwave.com>
In-reply-to: Your message of "Mon, 10 Jul 1995 12:54:37 PDT."

No flames here, but quite frankly, one would still be insane to do that.
Say I write a piece of firewall code and it has a -bug- in it. Is that bug a
back-door or what? It leaves the author with way too much liability.

From owner-freebsd-security Mon Jul 10 18:07:29 1995
From: cove@netcom.com (Cove Schneider)
Date: Mon, 10 Jul 1995 18:06:10 -0700 (PDT)
To: bmk@dtr.com (Brant Katkansky)
Cc: security@freebsd.org
Subject: Re: Restricted shell?
Message-Id: <199507110106.SAA17043@netcom7.netcom.com>
In-Reply-To: <199507101941.MAA09406@everest> from "Brant Katkansky" at Jul 10, 95 12:41:03 pm

>
> Is there a restricted shell available for FreeBSD 2.0.5R?
>

Yes there is -- I guess you got Nate's reply. In any event I thought I'd
just mention a few words of caution..

A common mistake by many ISPs, schools etc. is to let people use unmodified
versions of more, elm and pine -- I'm sure the list goes on. If a user can
make it to vi, he or she is home free.. Remember you can change
environmental vars. in vi.. I'm sure this isn't the only editor that can do
this, but watch out for programs that have this ability in regards to a
restricted shell.. I'm sure you already know to check your software though..

Good luck..

--
Cove Schneider
cove@netcom.com