Date: Wed, 22 May 2002 18:57:15 -0700 (PDT) From: Chris Costello <chris@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 11755 for review Message-ID: <200205230157.g4N1vFg73803@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=11755 Change 11755 by chris@chris_holly on 2002/05/22 18:56:55 Mark up some more usernames, filenames and applications. Re-format screen/program listings. Other clean-ups. Re-wrap paragraphs. Affected files ... ... //depot/projects/trustedbsd/doc/en_US.ISO8859-1/articles/lomac/article.sgml#5 edit Differences ... ==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/articles/lomac/article.sgml#5 (text+ko) ==== @@ -1,3 +1,40 @@ +<!-- + Copyright (c) 2002 Networks Associates Technology, Inc. + All rights reserved. + + This software was developed for the FreeBSD Project by Chris + Costello at Safeport Network Services and NAI Labs, the Security + Research Division of Network Associates, Inc. under DARPA/SPAWAR + contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS + research program. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The names of the authors may not be used to endorse or promote + products derived from this software without specific prior written + permission. + + THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + + $FreeBSD$ +--> + <!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN"> <article> <articleinfo> @@ -29,9 +66,10 @@ available on a number of UNIX kernels. LOMAC provides Low Water-Mark Mandatory Access Control functionality to protect the integrity of processes and data from viruses, Trojan - horses, malicious remote users, and compromised root daemons. - LOMAC is designed to be largely invisible to users, and - largely painless to administrators.</para> + horses, malicious remote users, and compromised + <username>root</username> daemons. LOMAC is designed to be + largely invisible to users, and largely painless to + administrators.</para> <para>This is the operations manual for LOMAC. It describes LOMAC and the protection LOMAC provides. Please note that the @@ -102,30 +140,32 @@ (<filename>/bin</filename>, <filename>/lib</filename>) and configuration files (<filename>/etc</filename>). The low side contains the processes that interact with remote users (remote - login sessions, httpd) and the files they download from the net - (mail attachments). Low files may contain viruses or Trojan - Horses. Low processes take input from remote users that may - cause buffer overflows. During run-time, LOMAC protects high - files and processes by preventing low processes from modifying - or signalling them. Thanks to is generic default configuration, - LOMAC handles the division of the system into high and low parts - automatically, without administrative direction.</para> + login sessions, <application>httpd</application>) and the files + they download from the net (mail attachments). Low files may + contain viruses or Trojan Horses. Low processes take input from + remote users that may cause buffer overflows. During run-time, + LOMAC protects high files and processes by preventing low + processes from modifying or signalling them. Thanks to is + generic default configuration, LOMAC handles the division of the + system into high and low parts automatically, without + administrative direction.</para> <para>LOMAC does not override the existing FreeBSD protection mechanisms. Instead, its permission checks are done in addition - to the existing ones - the kernel permits an operation only if - both the existing mechanisms and LOMAC decide it should permit - it. Unlike the existing FreeBSD protection mechanisms, LOMAC - makes decisions based solely on integrity level, not on user - identity. With LOMAC, a low-level root process is just as - powerless as a low-level non-root process. Since LOMAC - automatically places all network servers in the low part of the - system, this fact prevents compromised root-privileged network - servers from harming the high-integrity part of the + to the existing ones—the kernel permits an operation only + if both the existing mechanisms and LOMAC decide it should + permit it. Unlike the existing FreeBSD protection mechanisms, + LOMAC makes decisions based solely on integrity level, not on + user identity. With LOMAC, a low-level <username>root</username> + process is just as powerless as a low-level + non-<username>root</username> process. Since LOMAC automatically + places all network servers in the low part of the system, this + fact prevents compromised <username>root</username>-privileged + network servers from harming the high-integrity part of the system.</para> </sect1> - <sect1> + <sect1 id="short-tour"> <title>A Short Tour</title> <para>This section introduces LOMAC's major features. You may @@ -134,25 +174,28 @@ <orderedlist> <listitem> - <para>Log in as root, from the system console.</para> + <para>Log in as <username>root</username>, from the system + console.</para> </listitem> <listitem> <para>Check to make sure that the LOMAC LKM is loaded:</para> - - <screen>&prompt.root; <userinput>/sbin/kldstat | grep - lomac.ko</userinput> 5 1 0xc13e0000 c000 lomac.ko</screen> + + <screen># /sbin/kldstat | grep lomac.ko +5 1 0xc13e0000 c000 lomac.ko</screen> </listitem> <listitem> <para>Look at the levels of your processes:</para> - <screen>&prompt.root; <userinput>ps</userinput> PID LVL TT - STAT TIME COMMAND 251 2 v6 Is 0:00.37 login -p root 650 2 v6 - S 0:00.56 -csh (csh) 665 2 v6 R+ 0:00.05 ./ps</screen> + <screen># ps + PID LVL TT STAT TIME COMMAND + 251 2 v6 Is 0:00.37 login -p root + 650 2 v6 S 0:00.56 -csh (csh) + 665 2 v6 R+ 0:00.05 ./ps</screen> <para>Note that all your processes are running at level - 2—LOMAC's highest level of privilege.</para> + 2—LOMAC's highest level of privilege.</para> </listitem> <!-- XXX --> @@ -160,14 +203,16 @@ <para>Look at the levels of your files. (<literal>-Z</literal> shows levels.)</para> - <screen>&prompt.root; <userinput>ls -lZ</userinput> total 62 - -rw-r--r-- 2 root wheel 2 802 Apr 21 2001 .cshrc -rw------- - 1 root wheel 2 2973 Oct 12 09:41 .history -rw-r--r-- 1 root - wheel 2 142 Apr 21 2001 .klogin -rw-r--r-- 1 root wheel 2 - 297 Apr 21 2001 .login</screen> + <screen># ls -lZ +total 62 +-rw-r--r-- 2 root wheel 2 802 Apr 21 2001 .cshrc +-rw------- 1 root wheel 2 2973 Oct 12 09:41 .history +-rw-r--r-- 1 root wheel 2 142 Apr 21 2001 .klogin +-rw-r--r-- 1 root wheel 2 297 Apr 21 2001 .login +...</screen> <para>Note that all your files are also at level 2. Level-2 - files are high-integrity—LOMAC assumes that they + files are high-integrity—LOMAC assumes that they contain no viruses or Trojan horses at boot time, and limits the behavior of processes during run-time to keep them that way.</para> @@ -178,12 +223,12 @@ the user tfraser in the example; you'll have to use one of your own users.</para> - <screen>&prompt.root; <userinput>ls -laZ - /home/tfraser</userinput> total 47 drwxr-xr-x 8 tfraser - staff 1 1024 Oct 25 14:30 . drwxr-xr-x 4 root wheel 2 512 - Aug 27 10:47 .. -rw------- 1 tfraser staff 1 114 Aug 27 - 11:11 .Xauthority -rw------- 1 tfraser staff 1 42 Oct 4 - 10:17 .bash_history</screen> + <screen># ls -laZ /home/tfraser +total 47 +drwxr-xr-x 8 tfraser staff 1 1024 Oct 25 14:30 . +drwxr-xr-x 4 root wheel 2 512 Aug 27 10:47 .. +-rw------- 1 tfraser staff 1 114 Aug 27 11:11 .Xauthority +-rw------- 1 tfraser staff 1 42 Oct 4 10:17 .bash_history</screen> <para>Note that while <filename>/home</filename> is level 2 (high integrity), all of the user's files are level 1 (low @@ -196,80 +241,90 @@ in the background with ctrl-Z. Then run ps to look at your processes.</para> - <screen>&prompt.root; <userinput>less - /home/tfraser/.bash_history</userinput> <output not - included in document to save space> - <userinput>^Z</userinput> Suspended &prompt.root; - <userinput>ps</userinput> PID LVL TT STAT TIME COMMAND 251 2 - v6 Is 0:00.37 login -p root 650 2 v6 S 0:01.28 -csh (csh) - 733 1 v6 T 0:00.08 less /home/tfraser/.bash_history 735 2 v6 - R+ 0:00.05 ./ps</screen> + <screen># less /home/tfraser/.bash_history +<output not included in document to save space> +^Z +Suspended +# ps + PID LVL TT STAT TIME COMMAND + 251 2 v6 Is 0:00.37 login -p root + 650 2 v6 S 0:01.28 -csh (csh) + 733 1 v6 T 0:00.08 less /home/tfraser/.bash_history + 735 2 v6 R+ 0:00.05 ./ps</screen> - <para>Note that, although your shell (csh in my case) is still - at level 2, the process running less is at level 1. Here's - why: Processes generally inherit the level of their parent. - So, any process you start with your level-2 shell will - initially execute at level 2. The less process was no - exception - it began running at level 2. However, the less - process went on to read the user's .cshrc file. This file is - a level-1 file - it contains low-integrity data. Whenever - LOMAC sees a level-2 process read a level-1 file, LOMAC - "demotes" the process. That is, it reduces the process to - level 1.</para> + <para>Note that, although your shell + (<application>csh</application> in my case) is still at + level 2, the process running less is at level 1. Here's why: + Processes generally inherit the level of their parent. So, + any process you start with your level-2 shell will initially + execute at level 2. The less process was no exception - it + began running at level 2. However, the less process went on + to read the user's <filename>.cshrc</filename> file. This + file is a level-1 file—it contains low-integrity data. + Whenever LOMAC sees a level-2 process read a level-1 file, + LOMAC "demotes" the process. That is, it reduces the process + to level 1.</para> - <para>Level-2 processes have maximum privileges (like "root" - in standard UNIX). Level-1 processes have greatly reduced - privileges. For example, they cannot write to level-2 files, - or signal level-2 processes. When a level-2 process reads a - level-1 file, it puts itself at risk. The file may be a - Trojan horse or may contain data designed to cause buffer - overflows. Because of this risk, LOMAC demotes level-2 - processes that read level-1 files to level 1. Once at level - 1, these processes have insufficient privilege to harm - level-2 processes and files.</para> + <para>Level-2 processes have maximum privileges (like + <username>root</username> in standard UNIX). Level-1 + processes have greatly reduced privileges. For example, they + cannot write to level-2 files, or signal level-2 processes. + When a level-2 process reads a level-1 file, it puts itself + at risk. The file may be a Trojan horse or may contain data + designed to cause buffer overflows. Because of this risk, + LOMAC demotes level-2 processes that read level-1 files to + level 1. Once at level 1, these processes have insufficient + privilege to harm level-2 processes and files.</para> <para>Many cautious UNIX administrators avoid putting "." in their PATH environment variable, in order to avoid executing some Trojan horses. In standard UNIX, a malicious user might give an attack program the same name as a commonly-used - command like ls. If the administrator, running as root, were - to cd to the malicious user's directory and type ls, if the - "." preceded <filename>/bin</filename> in their path, they - would accidentally execute the malicious + command like ls. If the administrator, running as + <username>root</username>, were to cd to the malicious + user's directory and type ls, if the "." preceded + <filename>/bin</filename> in their path, they would + accidentally execute the malicious <application>ls</application> rather than - <filename>/bin/ls</filename> . This act would effectively - execute the malicious user's Trojan horse program with root - privileges, perhaps to modify the login program or The - passwd file.</para> + <filename>/bin/ls</filename>. This act would effectively + execute the malicious user's Trojan horse program with + <username>root</username> privileges, perhaps to modify the + login program or the <filename>passwd</filename> + file.</para> <para>This precaution is not required in a system running LOMAC. LOMAC considers the execution of a program to be equivalent to a read (since the process reads the program - file in order to execute it). Since all non-root user's - files are at level 1, LOMAC would demote the process - executing the Trojan ls, just as it demoted less in our - example, above. Once at level 1, LOMAC would prevent the - Trojan ls from modifying level-2 files such as the login - program or the passwd file.</para> + file in order to execute it). Since all + non-<username>root</username> user's files are at level 1, + LOMAC would demote the process executing the Trojan ls, just + as it demoted less in our example, above. Once at level 1, + LOMAC would prevent the Trojan ls from modifying level-2 + files such as the login program or the passwd file.</para> <para>Demotion is a key part of the LOMAC's integrity protection scheme. Now that we've demonstrated how it works, we're now done with less. Quit the less program.</para> - <screen>&prompt.root; <userinput>fg</userinput> <output not - included in document to save space> q</screen> + <screen># fg +<output not included in document to save space> +q</screen> </listitem> <listitem> <para>Create a test file. We'll use this test file to - demonstrate LOMAC's integrity protection later on. # cat - > /root/foo This file contains test data. ^D</para> + demonstrate LOMAC's integrity protection later on.</para> + + <screen># cat > /root/foo +This file contains test data. +^D</screen> </listitem> <listitem> - <para>tail -f /var/log/messages Leave this running while you - continue the tour. It's output will contain LOMAC log - messages as we proceed.</para> + <para><command>tail -f /var/log/messages</command></para> + + <para>Leave this running while you continue the tour. It's + output will contain LOMAC log messages as we proceed.</para> </listitem> <listitem> @@ -277,15 +332,16 @@ user. Once logged in, examine the levels of your processes:</para> - <screen>&prompt.user; <userinput>ps</userinput> PID LVL TT - STAT TIME COMMAND 742 1 v7 S 0:00.48 -tcsh (tcsh) 750 1 v7 - R+ 0:00.05 ps</screen> + <screen>$ ps + PID LVL TT STAT TIME COMMAND + 742 1 v7 S 0:00.48 -tcsh (tcsh) + 750 1 v7 R+ 0:00.05 ps</screen> <para>Note that as a normal user, all of your processes are at level 1. Why? Switch back to the virtual console where you - are logged in as root. You should see a log message similar - to:</para> - + are logged in as <username>root</username>. You should see a + log message similar to:</para> + <programlisting>Oct 25 14:44:54 myhost /boot/kernel/kernel: LOMAC: level-2 subject p252g252u1002:login demoted to level 1 after reading under "/usr/home"</programlisting> @@ -294,52 +350,63 @@ 2. When a user attempts to log in, they run the login program, which also runs at level 2. Upon supplying the proper password, the login program starts a shell for the - user (tcsh in this case). The shell starts at level 2, but - LOMAC demotes it to level 1 when it reads the user's .cshrc - file, just as it demoted the less program, above. Once the - user's shell is running at level 1, all of the programs + user (<application>tcsh</application> in this case). The + shell starts at level 2, but LOMAC demotes it to level 1 + when it reads the user's <filename>.cshrc</filename> file, + just as it demoted the less program, above. Once the user's + shell is running at level 1, all of the programs subsequently executed by the user will run at level 1, also.</para> - <para>Our root shell from the start of the tour remains at - level-2 because LOMAC has set all of root's files at level - 2. A level-2 process may read level-2 files without being - demoted. The user's shell is demoted because it reads the - user's level-1 files. LOMAC does not assign levels to - processes based on the user's root/non-root identity. LOMAC - assigns levels to files by starting the first process (init) - at level 2, allowing child processes to inherit their - parent's level, and by demoting processes that read level-1 - files. LOMAC does not pay any attention to user identity. - Consequently, LOMAC is not vulnerable to any of the - traditional attacks on UNIX security that involve obtaining - root identity.</para> + <para>Our <username>root</username> shell from the start of + the tour remains at level-2 because LOMAC has set all of + <username>root</username>'s files at level 2. A level-2 + process may read level-2 files without being demoted. The + user's shell is demoted because it reads the user's level-1 + files. LOMAC does not assign levels to processes based on + the user's + <username>root</username>/non-<username>root</username> + identity. LOMAC assigns levels to files by starting the + first process (init) at level 2, allowing child processes to + inherit their parent's level, and by demoting processes that + read level-1 files. LOMAC does not pay any attention to user + identity. Consequently, LOMAC is not vulnerable to any of + the traditional attacks on UNIX security that involve + obtaining <username>root</username> identity.</para> </listitem> <listitem> <para>Test the above assertion that LOMAC does not give any - extra privileges to processes with root identity. Switch - back to the normal user's shell and become root.</para> + extra privileges to processes with <username>root</username> + identity. Switch back to the normal user's shell and become + <username>root</username>.</para> - <screen>&prompt.user; <userinput>su</userinput> Password: - &prompt.root; <userinput>ps</userinput> PID LVL TT STAT - TIME COMMAND 252 1 v7 Is 0:00.39 login -p tfraser 751 1 v7 I - 0:00.18 su 752 1 v7 S 0:00.43 _su (csh) 755 1 v7 R+ 0:00.05 - ps</screen> + <screen>&prompt.user; su +Password: +# ps + PID LVL TT STAT TIME COMMAND + 252 1 v7 Is 0:00.39 login -p tfraser + 751 1 v7 I 0:00.18 su + 752 1 v7 S 0:00.43 _su (csh) + 755 1 v7 R+ 0:00.05 ps</screen> - <para>Note that, despite the su, your shell is still at level - 1. LOMAC never increases the level of a process. Now attempt - to delete the /root/foo file you created earlier.</para> + <para>Note that, despite the <command>su</command>, your shell + is still at level 1. LOMAC never increases the level of a + process. Now attempt to delete the + <filename>/root/foo</filename> file you created + earlier.</para> - <screen>&prompt.root; <userinput>ls -lZ /root/foo</userinput> - -rw-r--r-- 1 root wheel 2 30 Oct 25 14:44 /root/foo - &prompt.root; <userinput>rm /root/foo</userinput> rm: - /root/foo: Operation not permitted</screen> + <screen># ls -lZ /root/foo +-rw-r--r-- 1 root wheel 2 30 Oct 25 14:44 /root/foo +# rm /root/foo +rm: /root/foo: Operation not permitted</screen> - <para>Even though you are root, LOMAC will not allow a level-1 - process (rm in this case) to delete a level-2 file. You - should see a log message similar to this one in on the root - virtual console that is tailing /var/log/messages:</para> + <para>Even though you are <username>root</username>, LOMAC + will not allow a level-1 process (<command>rm</command> in + this case) to delete a level-2 file. You should see a log + message similar to this one in on the + <username>root</username> virtual console that is tailing + /var/log/messages:</para> <programlisting>Oct 25 14:50:52 myhost /boot/kernel/kernel: LOMAC: level-1 proc p763g763u0:rm denied delete to level-2 @@ -355,12 +422,14 @@ <para>This section explains how LOMAC uses its demotion behavior to ensure that all remote users and servers that serve remote - users (httpd, ftpd, etc.) run at level 1. At this level, - malicious remote users and compromised network servers can do - little harm to the level-2 part of the system, even if they have - root privilege. It also discusses a few of the finer points - concerning LOMAC's protection scheme not already covered in the - SHORT TOUR section, above. The basic elements of LOMAC's + users (<application>httpd</application>, + <application>ftpd</application>, etc.) run at level 1. At this + level, malicious remote users and compromised network servers + can do little harm to the level-2 part of the system, even if + they have <username>root</username> privilege. It also discusses + a few of the finer points concerning LOMAC's protection scheme + not already covered in the <link linkend="short-tour">Short + Tour</link> section, above. The basic elements of LOMAC's integrity protection scheme are summarized here:</para> <orderedlist> @@ -429,11 +498,13 @@ first request. Note that the httpd server is comprised of 5 processes, all at level 2.</para> - <screen>&prompt.root; <userinput>ps -U nobody</userinput> PID LVL - TT STAT TIME COMMAND 369 2 ?? I 0:00.03 /usr/local/sbin/httpd - 370 2 ?? I 0:00.03 /usr/local/sbin/httpd 371 2 ?? I 0:00.03 - /usr/local/sbin/httpd 372 2 ?? I 0:00.03 /usr/local/sbin/httpd - 373 2 ?? I 0:00.03 /usr/local/sbin/httpd</screen> + <screen># ps -U nobody + PID LVL TT STAT TIME COMMAND + 369 2 ?? I 0:00.03 /usr/local/sbin/httpd + 370 2 ?? I 0:00.03 /usr/local/sbin/httpd + 371 2 ?? I 0:00.03 /usr/local/sbin/httpd + 372 2 ?? I 0:00.03 /usr/local/sbin/httpd + 373 2 ?? I 0:00.03 /usr/local/sbin/httpd</screen> <para>After httpd reads its first request from the network, you should see a message similar to this one in @@ -445,12 +516,14 @@ <para>And running ps again will produce:</para> - <programlisting>PID LVL TT STAT TIME COMMAND 369 1 ?? S 0:00.30 - /usr/local/sbin/httpd 370 2 ?? I 0:00.03 /usr/local/sbin/httpd - 371 2 ?? I 0:00.03 /usr/local/sbin/httpd 372 2 ?? I 0:00.03 - /usr/local/sbin/httpd 373 2 ?? I 0:00.03 /usr/local/sbin/httpd - 1572 2 ?? S 0:00.06 /usr/local/sbin/httpd</programlisting> - + <programlisting> PID LVL TT STAT TIME COMMAND + 369 1 ?? S 0:00.30 /usr/local/sbin/httpd + 370 2 ?? I 0:00.03 /usr/local/sbin/httpd + 371 2 ?? I 0:00.03 /usr/local/sbin/httpd + 372 2 ?? I 0:00.03 /usr/local/sbin/httpd + 373 2 ?? I 0:00.03 /usr/local/sbin/httpd + 1572 2 ?? S 0:00.06 /usr/local/sbin/httpd</programlisting> + <para>LOMAC demoted httpd process 369 as soon as it read its first client request.</para> </sect1> @@ -485,9 +558,10 @@ designed to prevent the flow of potentially dangerous data from low-integrity objects to high-integrity objects. That is, from files owned by one user to those owned by another - - even to those owned by root. The Trojan ls scenario in the - SHORT TOUR section describes one wellknown example of this - vulnerability, and how LOMAC counters it.</para> + even to those owned by <username>root</username>. The Trojan + ls scenario in the <link linkend="short-tour">Short + Tour</link> section describes one well-known example of + this vulnerability, and how LOMAC counters it.</para> </listitem> <listitem> @@ -534,8 +608,9 @@ will prevent a compromised level-1 network server from harming the level-2 part of the system, LOMAC will not prevent such a server from doing harm in the level-1 remainder of the system. A - compromised root-privileged network server could, for example, - send kill signals to another level-1 server.</para> + compromised <username>root</username>-privileged network server + could, for example, send kill signals to another level-1 + server.</para> <!-- BIBLIO REFERENCE --> <para>The second drawback of the Low Water-Mark MAC scheme is its @@ -612,7 +687,7 @@ list will be shown here. However, since the FreeBSD version of LOMAC is still under development, the membership of the list is still fluid. The best reference is the LOMAC source code, - specifically <filename>policy_plm.h</filename> .</para> + specifically <filename>policy_plm.h</filename>.</para> <para>If you create symlinks to <filename>env</filename> named <filename>env-nonetdemote</filename> and To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200205230157.g4N1vFg73803>