From owner-freebsd-security Sun Jan 3 08:36:35 1999
Date: Sun, 3 Jan 1999 08:34:05 -0800
To: security@FreeBSD.ORG
In-Reply-To: <199901012041.PAA11110@khavrinen.lcs.mit.edu>
References: <199901011958.OAA11009@khavrinen.lcs.mit.edu>
From: Eric Hall
Subject: Re: Anyone know of a free X.509 CA?

>< >said:
>
>> On Fri, 1 Jan 1999, Garrett Wollman wrote:
>
>>> Does anyone out there know of a free X.509 CA that works under FreeBSD
>>> (obviously) and supports PKCS#12 for interoperability with Netscrape?
>>>
>
>> I haven't actually tried or tested it (this is probably the gotcha) but
>> isn't SSLeay (/usr/ports/SSLeay) capable of that?
>
>I have, and it isn't.  (It doesn't do PKCS#12, and the patches that I
>found to do it still don't generate output that Netscrape is happy
>with.)
>

I built SSLeay 0.9.0b under Solaris x86 and it worked just fine w/ Netscape (umm, 4.0x I think). Don't see why it should be any different under FreeBSD. I wasn't paying attention to which flavor of PKCS it was using at the time though.

-eric

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 5 06:32:13 1999
Message-Id: <199901051427.RAA106.15@sbis>
From: "Wolokhov Alex"
Subject: auth 7c4e2f2c subscribe freebsd-security dark@sbis.komi.ru
Date: Tue, 5 Jan 1999 17:28:04 +0300

auth 7c4e2f2c subscribe freebsd-security dark@sbis.komi.ru

From owner-freebsd-security Tue Jan 5 11:35:59 1999
Message-ID: <36925FC2.12EC490F@netshell.vicosa.com.br>
Date: Tue, 05 Jan 1999 16:53:54 -0200
From: Gustavo Vieira G C Rios
To: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Security

Hi, folks, I am trying to increase my system security, but the main
problem I would like to solve is:
I DON'T want my users to send their passwords via a connection over the
internet. For instance, when getting email they need to send it! Isn't
there any way to send this passwd encrypted? The same happens with ftp,
etc. For shell sessions I am using ssh, but what to do about other
services?

--
+-------------------------------------------------------------------+
" ... Overall we've found FreeBSD to excel in performance, stability,
technical support, and of course price. Two years after discovering
FreeBSD, we have yet to find a reason why we switch to anything else"
-David Filo, Yahoo!

From owner-freebsd-security Tue Jan 5 11:53:39 1999
Message-ID: <19990105175250.E25338@iqm.unicamp.br>
Date: Tue, 5 Jan 1999 17:52:50 -0200
From: Pedro A M Vazquez
To: Gustavo Vieira G C Rios, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security
In-Reply-To: <36925FC2.12EC490F@netshell.vicosa.com.br>

Tue, Jan 05, 1999 at 04:53:54PM -0200, Gustavo Vieira G C Rios wrote:
> Hi, folks, I am trying to increase my system security, but the main
> problem I would like to solve is:
> I DON'T want my users to send their passwords via a connection over the
> internet. For instance, when getting email they need to send it! Isn't
> there any way to send this passwd encrypted? The same happens with ftp,
> etc. For shell sessions I am using ssh, but what to do about other
> services?

Use stunnel with the IMAP/SSL or POP/SSL clients available in nerdscape and outlook:

http://mike.daewoo.com.pl/computer/stunnel/

From owner-freebsd-security Tue Jan 5 13:23:18 1999
Date: Wed, 6 Jan 1999 00:21:35 +0300
From: Vadim Kolontsov
To: freebsd-security@FreeBSD.ORG
Subject: kernel/syslogd hack
Message-ID: <19990106002135.A27566@tversu.ru>

Hello,

The UNIX syslog mechanism (both concept and implementation) is very insecure. I'll not try to describe all of syslog's problems here (it is worth making a separate web page for that), but I'll propose a hack for solving at least one.

I call it the "fake local logs" problem. Syslog messages are too easy to forge; for example, they can be sendmail error messages or some other important information (imagine that you're really analyzing your syslogd output with logsurfer :). Any user can do it.

syslogd uses a UNIX domain socket (/var/run/log, for example) and trusts every piece of information from it (usually sent by syslog(3)). I think it would be nice if syslogd had the ability to determine the euid/uid/egid/gid/pid of the process which sends log information (directly to the socket or via syslog(3)). It's impossible to use an lsof-like approach for it (walking through kernel structures), because the socket may be in a not-connected state or the process which sent the datagram may already be dead.

I've added an additional socket option: SO_UNIXPRIVS. Its argument is just an int (true/false). It makes sense only for UNIX domain datagram sockets. When the kernel delivers datagrams to such a socket, it adds a special structure before the message:

    struct unixprivs {
        uid_t uid, euid;
        gid_t gid, egid;
        pid_t pid;
    };

So syslogd can easily extract this information from the incoming message.
Advantages: it doesn't require recompiling client applications or shared libraries, it's completely transparent for clients, and it can be used in other applications (I'm also thinking about some getpeeruid() call for stream-based UNIX domain sockets -- I think it will just walk through kernel structures (proc, p_fd, f_data, so_proto, pr_domain..)). By the way, reading freebsd-security for several years I can't remember a question about a getpeeruid()-like function. Why? Does nobody need it?

Disadvantages: after all, it's a dirty hack. I understand that syslogd should probably be rewritten (the best solution is to redesign the whole syslog() mechanism). But I want to see pid/uid/gid for log messages! Can you suggest anything better? I'm interested in feedback.

I'm going to release patches for FreeBSD 3.0's kernel and syslogd in a few days (it already works, but I want to make it cleaner). Here is an example of output from my syslogd (at home):

    Jan  5 22:50:43 sb vadim/wheel/398 vadim: just test from logger
                       (uid) (gid)(pid)

Of course this patch doesn't solve the problem with syslog/514 UDP. I know it.

See http://sb.123.org/syslogd_hack.html for updates - if any.

Regards,
V.
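As an added example (not Vadim's patch, which is not on the page, and not FreeBSD's own code), here is the same idea built on the kernel credential-passing facility that Don Lewis points to later in the thread: the kernel attaches the sender's pid/uid/gid to each datagram as a control message, so a receiver in syslogd's position never has to trust what the payload claims about its origin. The block is written against Linux's SO_PASSCRED socket option, SCM_CREDENTIALS control message and struct ucred; FreeBSD's equivalents are the LOCAL_CREDS option and SCM_CREDS with struct cmsgcred, parsed with the same recvmsg()/CMSG_* pattern. The function names (recv_with_creds, format_entry, demo_creds_roundtrip) are mine, a socketpair() stands in for /var/run/log, and the log line sent is a constructed test message.

```c
#define _GNU_SOURCE          /* struct ucred and SCM_CREDENTIALS in glibc headers (Linux) */
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Kernel-attested identity of the process that sent a datagram. */
struct sender_creds {
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/*
 * Receive one datagram from fd together with the SCM_CREDENTIALS control
 * message the kernel attaches when SO_PASSCRED is set on the receiver.
 * Returns the payload length, -1 on a socket error or truncated control
 * data, and -2 if no credentials arrived (a receiver in syslogd's position
 * should then refuse to label the message with any identity).
 */
ssize_t recv_with_creds(int fd, char *buf, size_t buflen, struct sender_creds *out)
{
    char cbuf[CMSG_SPACE(sizeof(struct ucred))];
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;

    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0 || (msg.msg_flags & MSG_CTRUNC))
        return -1;

    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            struct ucred uc;
            memcpy(&uc, CMSG_DATA(c), sizeof uc);   /* CMSG_DATA may be unaligned */
            out->pid = uc.pid;
            out->uid = uc.uid;
            out->gid = uc.gid;
            return n;
        }
    }
    return -2;
}

/*
 * Prefix the message with "uid/gid/pid" in the spirit of the sample syslogd
 * output in the thread (numeric ids here; a real syslogd would resolve names).
 */
int format_entry(const struct sender_creds *c, const char *msg, size_t len,
                 char *out, size_t outlen)
{
    return snprintf(out, outlen, "%u/%u/%d %.*s",
                    (unsigned)c->uid, (unsigned)c->gid, (int)c->pid, (int)len, msg);
}

/*
 * End-to-end demonstration: a SOCK_DGRAM socketpair() stands in for
 * /var/run/log (sv[1] is the "syslogd" end). The sender transmits a
 * constructed line that claims to come from sendmail; whatever the payload
 * says, the identity recorded comes from the kernel. Returns 0 on success.
 */
int demo_creds_roundtrip(struct sender_creds *out, char *line, size_t linelen)
{
    static const char payload[] = "<34>sendmail[1234]: constructed test message";
    char buf[256];
    int sv[2];
    int one = 1;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    /* Receiver-side option: senders need no changes, the property the thread asks for. */
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one) < 0 ||
        send(sv[0], payload, sizeof payload - 1, 0) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    n = recv_with_creds(sv[1], buf, sizeof buf, out);
    close(sv[0]);
    close(sv[1]);
    if (n < 0)
        return (int)n;
    format_entry(out, buf, (size_t)n, line, linelen);
    return 0;
}

int main(void)
{
    struct sender_creds c;
    char line[512];
    if (demo_creds_roundtrip(&c, line, sizeof line) != 0) {
        perror("demo_creds_roundtrip");
        return 1;
    }
    printf("%s\n", line);   /* the attributed log line, uid/gid/pid first */
    return 0;
}
```

Because the credentials travel out of band as a control message rather than being prepended to the payload, the length question raised in the follow-up in this thread does not arise: the kernel sets cmsg_len, and the payload boundary is the datagram boundary. A receiver should still treat -2 (no credentials) as "unknown sender" rather than falling back to anything the message text claims.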
--
Vadim Kolontsov
Tver Internet Center NOC

From owner-freebsd-security Tue Jan 5 13:28:30 1999
Message-ID: <19990105132728.A20222@diamond.csuchico.edu>
Date: Tue, 5 Jan 1999 13:27:28 -0800
From: "A. L."
To: Gustavo Vieira G C Rios, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security
In-Reply-To: <36925FC2.12EC490F@netshell.vicosa.com.br>

Well, there is always the ol' standby... Kerberos. Eudora supports this protocol. It will also take care of ftp and telnet. Of course version 5 only supports 56-bit encryption for data. But it's hard to beat for keeping passwords off the wire, especially for large networks.

Aaron

On Tue, Jan 05, 1999 at 04:53:54PM -0200, Gustavo Vieira G C Rios wrote:
> Hi, folks, I am trying to increase my system security, but the main
> problem I would like to solve is:
> I DON'T want my users to send their passwords via a connection over the
> internet. For instance, when getting email they need to send it! Isn't
> there any way to send this passwd encrypted? The same happens with ftp,
> etc. For shell sessions I am using ssh, but what to do about other
> services?
> --
> +-------------------------------------------------------------------+
> " ... Overall we've found FreeBSD to excel in performance, stability,
> technical support, and of course price. Two years after discovering
> FreeBSD, we have yet to find a reason why we switch to anything else"
> -David Filo, Yahoo!
From owner-freebsd-security Tue Jan 5 13:45:46 1999
Date: Tue, 5 Jan 1999 17:45:05 -0400 (AST)
From: The Hermit Hacker
To: freebsd-security@FreeBSD.ORG
Subject: ssh "error" message ..

Has anyone seen the following before? I'm thinking a port-attack, since I've gotten two reports so far, each reporting the same host, but different IP...

    hub> logout
    Waiting for forwarded connections to terminate...
    The following connections are open:
      X11 connection from tntport0581.cwjamaica.com port 1488
      X11 connection from tntport0581.cwjamaica.com port 1918

Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org

From owner-freebsd-security Tue Jan 5 14:16:19 1999
Message-Id: <199901052215.OAA19362@stennis.ca.sandia.gov>
To: The Hermit Hacker
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh "error" message ..
In-Reply-To: Your message of "Tue, 05 Jan 1999 17:45:05 -0400."
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Reply-To: bmah@CA.Sandia.GOV
Date: Tue, 05 Jan 1999 14:15:38 -0800

If memory serves me right, The Hermit Hacker wrote:
> Has anyone seen the following before? I'm thinking a port-attack, since
> I've gotten two reports so far, each reporting the same host, but
> different IP...
>
> hub> logout
> Waiting for forwarded connections to terminate...
> The following connections are open:
>   X11 connection from tntport0581.cwjamaica.com port 1488
>   X11 connection from tntport0581.cwjamaica.com port 1918

Yes, many many times. These are the error messages that you see when you ssh to another machine, fire up some X clients on the remote host, then try to logout. The X protocol messages from the X clients are tunneled over the encrypted SSH connection, so the SSH connection can't go away without killing the clients. The behavior you see gives you (the user) a chance to gracefully shut down the X clients first.

If I don't care about those X clients, I'll usually kill the window from which I ran ssh.

Bruce.
From owner-freebsd-security Tue Jan 5 14:26:29 1999
Subject: Protecting Your Assets from Legal Attack
From: ofbwodui@getmoretraffic.com
Reply-To: getmoretraffic@getmoretraffic.com
Date: Tue, 05 Jan 1999 17:25:14 -0500
To: freebsd-security@FreeBSD.ORG

IMPORTANT INFORMATION ON HOW TO PRESERVE YOUR ASSETS

YOU WORKED HARD TO ACQUIRE THEM--- NOW LEARN HOW TO PROTECT THEM USING ASSET PROTECTION TRUSTS

In our litigious society where baseless lawsuits are commonplace, it is no longer enough to simply worry about wealth accumulation. Wealth Preservation and Asset Protection Planning are now real issues. With the possibility of a single lawsuit wiping away a lifetime of savings, individuals (especially those with families) have made concerted efforts to preserve assets and assure the family estate for future generations. Experts agree that one of the best ways to do so is with the aid of Asset Protection Trusts.

An Asset Protection Trust is not the ideal plan for everyone, but where it is a good solution, professionals (doctors, lawyers, stockbrokers, etc.), owners of closely held businesses, and others who have spent a lifetime accumulating wealth can now put up formidable barriers to thwart potential creditor suits and other civil litigation.

If you want to learn more about this legal option and the possibility of providing a more comprehensive protection for you and your family, just click below to obtain FREE additional information. There is NO OBLIGATION and you will receive no follow-up calls or further correspondence unless you specifically request it. All inquiries are kept CONFIDENTIAL and if requested, you are assured a response by a member of our legal staff within forty-eight (48) hours.

Click on the link below and find out whether or not an Asset Protection Trust is right for you:

http://getmoretraffic.com/offshorelaw

*************************************************************************************
If you wish to be removed from our mailing list, we will gladly do so. Please click the REPLY button and put the word “REMOVE” in the subject line to have your name promptly deleted.
*************************************************************************************

From owner-freebsd-security Tue Jan 5 14:44:50 1999
Date: Wed, 6 Jan 1999 01:40:06 +0300
From: Vadim Kolontsov
To: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990106014005.A27811@tversu.ru>
In-Reply-To: <19990106002135.A27566@tversu.ru>

Hi,

On Wed, Jan 06, 1999 at 12:21:35AM +0300, Vadim Kolontsov wrote:
>     struct unixprivs {
>         uid_t uid, euid;
>         gid_t gid, egid;
>         pid_t pid;
>     };

A 'length' field should be added (to show which amount of the following data is "signed" by this structure). Shouldn't it?

Regards,
V.

--
Vadim Kolontsov
Tver Internet Center NOC

From owner-freebsd-security Tue Jan 5 15:23:15 1999
Message-Id: <4.1.19990105151833.00bad6b0@mail-r>
Date: Tue, 05 Jan 1999 15:22:31 -0800
To: Gustavo Vieira G C Rios, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: Ludwig Pummer
Subject: Re: Security
In-Reply-To: <36925FC2.12EC490F@netshell.vicosa.com.br>

At 10:53 AM 1/5/99 , Gustavo Vieira G C Rios wrote:
>Hi, folks, I am trying to increase my system security, but the main
>problem I would like to solve is:
>I DON'T want my users to send their passwords via a connection over the
>internet. For instance, when getting email they need to send it! Isn't
>there any way to send this passwd encrypted? The same happens with ftp,
>etc. For shell sessions I am using ssh, but what to do about other
>services?

You could just use the SSH secure connection method. SSH lets you redirect a local port on your machine, encrypts that, sends it to the SSH server you're connected to, and that sends it to wherever. I use it to pick up my IMAP mail from work, where absolutely no outside connections using passwords are allowed. And my brother SSHs into here to get his POP mail and send it with SMTP.

I'm using Cedomir Igaly's SSH client for Windows v2.101 (searching for "cedomir igaly ssh" on yahoo always finds it for me). There's a newer version available with more options, but it seems to have a problem using RSA keys, so I use my old v2.101.
--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441 ( ludwigp@email.com )

From owner-freebsd-security Tue Jan 5 15:23:24 1999
Message-ID: <36929E8A.1515AD1E@softweyr.com>
Date: Tue, 05 Jan 1999 16:21:46 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Gustavo Vieira G C Rios
CC: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security
References: <36925FC2.12EC490F@netshell.vicosa.com.br>

Gustavo Vieira G C Rios wrote:
>
> Hi, folks, I am trying to increase my system security, but the main
> problem I would like to solve is:
> I DON'T want my users to send their passwords via a connection over the
> internet. For instance, when getting email they need to send it! Isn't
> there any way to send this passwd encrypted? The same happens with ftp,
> etc. For shell sessions I am using ssh, but what to do about other
> services?

For email, require your users to use IMAP or POP3 with APOP. Both feature encrypted password access.

For file transfer, disable your FTP server and make your users use scp. If they have ssh set up, scp should work just fine.

--
Where am I, and what am I doing in this handbasket?
Wes Peters                                                  +1.801.915.2061
Softweyr LLC                                                wes@softweyr.com

From owner-freebsd-security Tue Jan 5 15:49:58 1999
Message-Id: <4.1.19990105154103.00ba7100@hyperreal.org>
Date: Tue, 05 Jan 1999 15:51:21 -0800
To: bmah@CA.Sandia.GOV, The Hermit Hacker
From: Brian Behlendorf
Subject: Re: ssh "error" message ..
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199901052215.OAA19362@stennis.ca.sandia.gov>

At 02:15 PM 1/5/99 -0800, Bruce A. Mah wrote:
>If memory serves me right, The Hermit Hacker wrote:
>
>> Has anyone seen the following before? I'm thinking a port-attack, since
>> I've gotten two reports so far, each reporting the same host, but
>> different IP...
>>
>> hub> logout
>> Waiting for forwarded connections to terminate...
>> The following connections are open:
>>   X11 connection from tntport0581.cwjamaica.com port 1488
>>   X11 connection from tntport0581.cwjamaica.com port 1918
>
>Yes, many many times. These are the error messages that you see when you ssh
>to another machine, fire up some X clients on the remote host, then try to
>logout. The X protocol messages from the X clients are tunneled over the
>encrypted SSH connection, so the SSH connection can't go away without killing
>the clients. The behavior you see gives you (the user) a chance to gracefully
>shut down the X clients first.
>
>If I don't care about those X clients, I'll usually kill the window from which
>I ran ssh.

Um, I think he's saying that "tntport0581.cwjamaica.com" isn't one of his domains, but a third party, and he's suspicious that an attack may be underway.

When you use SSH and tell it to forward X11 packets, it opens an X port on the remote machine for X clients to connect to, to get tunnelled to your local X server. E.g., from "lsof":

    sshd1     6362     root    9u  inet 0xf4930900      0t0      TCP *:6011 (LISTEN)

The port is open - local X clients AND remote X clients can connect to it.
Now, your X server will probably mandate the use of some sort of auth, like what's in the .Xauthority file on your remote machine; remember back before xauth when it was "cute" to open an X app on someone else's screen, surprising them? :) This isn't a security hole, since the standard X security mechanisms *should* protect you, but there is the potential for exploiting buffers in either the sshd or your desktop X server. If you don't need X, you probably want to turn off "forward X11 packets", just to be safe.

If F-Secure was thinking, they'd give an option to only allow local connections to the remote end of the tunnel, as you can do when setting up other tunnels manually. I'm going here by the GUI for the windows & mac SSH clients; the Unix ssh client has far more configurability of course.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
History is made at night;                       brian@hyperreal.org
character is what you are in the dark.

From owner-freebsd-security Tue Jan 5 16:41:11 1999
From: Don Lewis
Message-Id: <199901060039.QAA13314@salsa.gv.tsc.tdk.com>
Date: Tue, 5 Jan 1999 16:39:53 -0800
In-Reply-To: Vadim Kolontsov "kernel/syslogd hack" (Jan 6, 12:21am)
To: Vadim Kolontsov, freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack

On Jan 6, 12:21am, Vadim Kolontsov wrote:
} Subject: kernel/syslogd hack
} Hello,
}
} The UNIX syslog mechanism (both concept and implementation) is very
} insecure. I'll not try to describe all of syslog's problems here (it
} is worth making a separate web page for that), but I'll propose a hack
} for solving at least one.
}
} I call it the "fake local logs" problem. Syslog messages are too easy
} to forge; for example, they can be sendmail error messages or some
} other important information (imagine that you're really analyzing
} your syslogd output with logsurfer :). Any user can do it.
}
} syslogd uses a UNIX domain socket (/var/run/log, for example) and
} trusts every piece of information from it (usually sent by syslog(3)). I
} think it would be nice if syslogd had the ability to determine the
} euid/uid/egid/gid/pid of the process which sends log information
} (directly to the socket or via syslog(3)).

It's possible to do this in current by using SCM_CREDS with sendmsg().

} Advantages: it doesn't require recompiling client applications or
} shared libraries, it's completely transparent for clients, and it can be

If you wanted to use SCM_CREDS, you'd need to tweak syslog() and rebuild the shared library. I don't think this is too much of a disadvantage.

} used in other applications (I'm also thinking about some getpeeruid()
} call for stream-based UNIX domain sockets -- I think it will just
} walk through kernel structures (proc, p_fd, f_data, so_proto,
} pr_domain..))

What if there are multiple processes at the other end?
If a process calls connect() and then fork(), the socket created by
accept() in the server will have multiple peer processes.

} Of course this patch doesn't solve the problem with syslog/514 UDP. I
} know it

Someone has written a secure syslog protocol that uses encryption, etc.

--- Truck

From owner-freebsd-security Tue Jan 5 17:22:31 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA18636 for freebsd-security-outgoing; Tue, 5 Jan 1999 17:22:31 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from top.worldcontrol.com (snblitz.sc.scruznet.com [165.227.132.84]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id RAA18615 for ; Tue, 5 Jan 1999 17:22:27 -0800 (PST) (envelope-from brian@worldcontrol.com)
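Editor's added example, not code from the thread: the kernel-supplied peer credentials Don Lewis refers to above (SCM_CREDS), which is the primitive Vadim asks syslogd for and also the one behind the getpeeruid() in the Bernstein post forwarded further down this page. On Linux the receiving socket sets SO_PASSCRED and every datagram then arrives with an SCM_CREDENTIALS control message carrying the sender's pid/uid/gid; the FreeBSD branch uses LOCAL_CREDS/SCM_CREDS as documented in unix(4) and was not built here. The forged "sendmail" line, the socketpair standing in for /var/run/log, and the function names are constructed for the demo.

```c
/* Added example (not from the thread): a syslogd-style receiver that asks the
 * kernel who sent each datagram on a Unix domain socket: LOCAL_CREDS/SCM_CREDS
 * on FreeBSD (what Don Lewis refers to), SO_PASSCRED/SCM_CREDENTIALS on Linux.
 * Built and run on Linux; the FreeBSD branches follow unix(4), not built here. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

struct peer_creds { pid_t pid; uid_t uid; gid_t gid; }; /* = Linux struct ucred */

#if defined(__linux__)
#ifndef SO_PASSCRED                  /* fallbacks for strict-ISO compiles; */
#define SO_PASSCRED 16               /* values from asm-generic/socket.h */
#endif
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02
#endif
#define CRED_LEVEL SOL_SOCKET
#define CRED_OPT   SO_PASSCRED
#elif defined(__FreeBSD__)
#define CRED_LEVEL SOL_LOCAL
#define CRED_OPT   LOCAL_CREDS
#else
#error "no peer-credential mechanism known for this platform"
#endif

/* Set on the RECEIVING socket only: senders need no change, so neither
 * syslog(3) nor binary-only programs have to be rebuilt. */
int enable_creds(int fd)
{
    int on = 1;
    return setsockopt(fd, CRED_LEVEL, CRED_OPT, &on, sizeof on);
}

/* Receive one datagram plus the credentials the kernel attached to it. A datagram
 * without credentials is refused (ENOMSG), never trusted. Attribution is per message,
 * so a client that does connect() and then fork() cannot confuse it. */
ssize_t recv_with_creds(int fd, char *buf, size_t len, struct peer_creds *pc)
{
    struct iovec iov = { buf, len };
    union { struct cmsghdr hdr; char bytes[CMSG_SPACE(128)]; } cbuf;
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_iov = &iov; mh.msg_iovlen = 1;
    mh.msg_control = cbuf.bytes; mh.msg_controllen = sizeof cbuf.bytes;
    ssize_t n = recvmsg(fd, &mh, 0);
    if (n < 0) return -1;
    int got = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c)) {
        if (c->cmsg_level != SOL_SOCKET)
            continue;
#if defined(__linux__)
        if (c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(pc, CMSG_DATA(c), sizeof *pc);  /* pid, uid, gid of the sender */
            got = 1;
        }
#else
        if (c->cmsg_type == SCM_CREDS) {
            struct cmsgcred cc;
            memcpy(&cc, CMSG_DATA(c), sizeof cc);
            pc->pid = cc.cmcred_pid; pc->uid = cc.cmcred_euid; pc->gid = cc.cmcred_gid;
            got = 1;
        }
#endif
    }
    if (!got) { errno = ENOMSG; return -1; }
    return n;
}

/* Constructed demo: one end of a socketpair sends a line dressed up as a
 * sendmail log entry; the other end learns who really sent it. */
int demo_forged_line(struct peer_creds *pc, char *text, size_t textlen)
{
    static const char forged[] = "<22>sendmail[4711]: NOQUEUE: forged entry";
    int sv[2]; ssize_t n = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (enable_creds(sv[1]) == 0 &&
        send(sv[0], forged, sizeof forged - 1, 0) == (ssize_t)(sizeof forged - 1))
        n = recv_with_creds(sv[1], text, textlen - 1, pc);
    close(sv[0]); close(sv[1]);
    if (n < 0) return -1;
    text[n] = '\0';
    return (int)n;
}

int main(void)
{
    struct peer_creds pc; char text[256];
    if (demo_forged_line(&pc, text, sizeof text) < 0) { perror("demo"); return 1; }
    printf("pid=%ld uid=%ld gid=%ld really sent: %s\n", (long)pc.pid, (long)pc.uid, (long)pc.gid, text);
    return 0;
}
```

The option is set on the receiving end, so the sender runs a plain send() or syslog(3) and the kernel fills in the credentials; a syslogd built this way could stamp the real uid/pid on every local line and drop anything that arrives without them. For a connected stream socket the equivalent query is getsockopt(SO_PEERCRED) on Linux or getpeereid(2) on FreeBSD, which reports the process that called connect().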
From: brian@worldcontrol.com Received: (qmail 1904 invoked by uid 100); 6 Jan 1999 01:34:25 -0000 Date: Tue, 5 Jan 1999 17:34:25 -0800 To: Wes Peters Cc: Gustavo Vieira G C Rios , freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Security Message-ID: <19990105173424.B1875@top.worldcontrol.com> Mail-Followup-To: Wes Peters , Gustavo Vieira G C Rios , freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG References: <36925FC2.12EC490F@netshell.vicosa.com.br> <36929E8A.1515AD1E@softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: <36929E8A.1515AD1E@softweyr.com>; from Wes Peters on Tue, Jan 05, 1999 at 04:21:46PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Gustavo Vieira G C Rios wrote: > > Hi, folks, i am trying to increase my system security, but the main > > problem i would like to solve is: On Tue, Jan 05, 1999 at 04:21:46PM -0700, Wes Peters wrote: > For email, require your users to use IMAP or POP3 with APOP. Both feature > encrypted password access. > > For file transfer, disable your FTP server and make your users use scp. > If they have ssh setup, scp should work just fine. If your users have access to ssh and are running unix-like OSes, I've written some scripts which use ssh and movemail to fetch email. I call the scripts fmail. I got tired, even with ssh redirected POP, of the time and slow handshaking of the POP protocol. Now I get full speed (bandwidth) delivery of my email via an encrypted and compressed channel. Myself and one other person have been using the scripts for months. fmail requires (well not exactly) passwordless ssh entry into the system with the mail. 
Basically requires that you copy localhost:~account/.ssh/identity.pub to mailhost:~account/.ssh/authorized_keys -- Brian Litzinger To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 5 17:29:32 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA20197 for freebsd-security-outgoing; Tue, 5 Jan 1999 17:29:32 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA20165 for ; Tue, 5 Jan 1999 17:29:27 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id CAA13891 for freebsd-security@FreeBSD.ORG; Wed, 6 Jan 1999 02:27:38 +0100 (CET) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id 43DA41728; Wed, 6 Jan 1999 01:51:15 +0100 (CET) Date: Wed, 6 Jan 1999 01:51:15 +0100 
From: Ollivier Robert To: freebsd-security@FreeBSD.ORG Subject: Re: kernel/syslogd hack Message-ID: <19990106015115.A44707@keltia.freenix.fr> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <19990106002135.A27566@tversu.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: <19990106002135.A27566@tversu.ru>; from Vadim Kolontsov on Wed, Jan 06, 1999 at 12:21:35AM +0300 X-Operating-System: FreeBSD 3.0-CURRENT/ELF ctm#4931 AMD-K6 MMX @ 200 MHz Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Vadim Kolontsov: > Of course this patch doesn't solve problem with syslog/514 UDP. I > know it Have you looked at ssyslog from the guys in Brazil ? It takes the opposite approach by making the trusted machine download in a secure way the logs from each machine. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #67: Tue Dec 29 20:24:02 CET 1998 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 5 22:49:00 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA25347 for freebsd-security-outgoing; Tue, 5 Jan 1999 22:49:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tversu.ru (mail.tversu.ru [62.76.80.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA25297 for ; Tue, 5 Jan 1999 22:48:35 -0800 (PST) (envelope-from vadim@gala.tversu.ru) Received: from gala.tversu.ru (vadim@gala.tversu.ru [62.76.80.10]) by tversu.ru (8.8.8/8.8.8) with ESMTP id JAA18431; Wed, 6 Jan 1999 09:45:02 +0300 (MSK) Received: (from vadim@localhost) by gala.tversu.ru (8.8.8/8.8.8) id JAA28745; Wed, 6 Jan 1999 09:47:01 +0300 (MSK) Date: Wed, 6 Jan 1999 09:47:01 +0300 
From: Vadim Kolontsov
To: Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990106094701.A28727@tversu.ru>
References: <199901060039.QAA13314@salsa.gv.tsc.tdk.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.94.15i
In-Reply-To: <199901060039.QAA13314@salsa.gv.tsc.tdk.com>; from Don Lewis on Tue, Jan 05, 1999 at 04:39:53PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

On Tue, Jan 05, 1999 at 04:39:53PM -0800, Don Lewis wrote:
> } Advantages: it doesn't require to recompile client applications or
> } shared libraries, it's completely transparent for clients, can be
>
> If you wanted to use SCM_CREDS, you'd need to tweak syslog() and rebuild
> the shared library. I don't think this is too much of a disadvantage.

Who will rebuild all the binary-only FreeBSD/Linux apps available on the
market? Not all of them use shared libraries. I would be happy, anyway, if
FreeBSD would use a more secure syslog..

> } used in other applications (I'm also thinking about some getpeeruid()
> } call for stream-based UNIX domain sockets -- I think it will just
> } walk through kernel structures (proc, p_fd, f_data, so_proto,
> } pr_domain..))
>
> What if there are multiple processes at the other end? If a process
> calls connect() and then fork(), the socket created by accept() in the
> server will have multiple peer processes.

Yes..

> } Of course this patch doesn't solve problem with syslog/514 UDP. I
> } know it
>
> Someone has written a secure syslog protocol that uses encryption, etc.

It signs local logs, it encrypts them during network transfer, but it does
nothing for the problem I've described -- the log socket (AF_UNIX) is
available to everyone and all information is trusted (correct me if I'm
wrong)

Regards,
V.
-- Vadim Kolontsov Tver Internet Center NOC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 5 23:32:02 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA00311 for freebsd-security-outgoing; Tue, 5 Jan 1999 23:32:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tversu.ru (mail.tversu.ru [62.76.80.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA00277 for ; Tue, 5 Jan 1999 23:31:47 -0800 (PST) (envelope-from vadim@gala.tversu.ru) Received: from gala.tversu.ru (vadim@gala.tversu.ru [62.76.80.10]) by tversu.ru (8.8.8/8.8.8) with ESMTP id JAA18524 for ; Wed, 6 Jan 1999 09:53:44 +0300 (MSK) Received: (from vadim@localhost) by gala.tversu.ru (8.8.8/8.8.8) id JAA28762 for freebsd-security@FreeBSD.ORG; Wed, 6 Jan 1999 09:55:43 +0300 (MSK) Date: Wed, 6 Jan 1999 09:55:43 +0300 
From: Vadim Kolontsov To: freebsd-security@FreeBSD.ORG Subject: Re: kernel/syslogd hack Message-ID: <19990106095543.B28727@tversu.ru> References: <19990106002135.A27566@tversu.ru> <19990106015115.A44707@keltia.freenix.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.94.15i In-Reply-To: <19990106015115.A44707@keltia.freenix.fr>; from Ollivier Robert on Wed, Jan 06, 1999 at 01:51:15AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, On Wed, Jan 06, 1999 at 01:51:15AM +0100, Ollivier Robert wrote: > > Of course this patch doesn't solve problem with syslog/514 UDP. I > > know it > > Have you looked at ssyslog from the guys in Brazil ? It takes the opposite > approach by making the trusted machine download in a secure way the logs > from each machine. Yes, I tried it. It tries to make network transfer secure, but does nothing for local logs (gathered via UNIX domain socket). And their solution isn't best for real-time analyzing: it doesn't send logs string by string (or at least nK-buffer by buffer). You can, of course, configure it to download logs to log server every 2 minutes, and analyze them then.. And it deletes local logs after uploading to log server :) (this behaviour can be changed, probably) But I think that ssyslog is good thing, anyway :) Regards, V. P.S. I'm amazed - it seems that nobody (except ssyslogd and nsyslog people) is working on more reliable/secure syslog replacement.. may be because the whole protocol should be changed.. 
-- Vadim Kolontsov Tver Internet Center NOC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 6 01:47:07 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA15180 for freebsd-security-outgoing; Wed, 6 Jan 1999 01:47:07 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA15170 for ; Wed, 6 Jan 1999 01:47:03 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id UAA24071; Wed, 6 Jan 1999 20:35:24 +1100 (EDT) 
From: Darren Reed
Message-Id: <199901060935.UAA24071@cheops.anu.edu.au>
Subject: Re: kernel/syslogd hack
To: vadim@tversu.ru (Vadim Kolontsov)
Date: Wed, 6 Jan 1999 20:35:23 +1100 (EDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19990106095543.B28727@tversu.ru> from "Vadim Kolontsov" at Jan 6, 99 09:55:43 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Vadim Kolontsov, sie said:
[...]
> And their solution isn't best for real-time analyzing: it doesn't send
> logs string by string (or at least nK-buffer by buffer). You can, of course,
> configure it to download logs to log server every 2 minutes, and analyze them
> then..

nsyslogd (when it finally gets the hashing/encryption enabled) will provide
a constant flow. To it, the hashed and encrypted stream of data is just
another source, not a special thing which is handled differently.

The hashing and encryption (for use over TCP) will be enabled "soon".
Currently it just creates a hash log to go with the log file.

To check out current progress, you can download it from
http://coombs.anu.edu.au/~avalon/nsyslog.html
but please don't redistribute it as it's really not yet ready for wide
distribution.

> Regards,
> V.
>
> P.S. I'm amazed - it seems that nobody (except ssyslogd and nsyslog people)
> is working on more reliable/secure syslog replacement.. may be because
> the whole protocol should be changed..

For now, your immediate concern is availability of UDP/514 to spoofed
syslog messages. In what I think is a "bug" (or missing feature),
commenting out syslog/514 in /etc/services causes syslogd not to start
rather than to just not open up the UDP port (2.2.5) but "syslogd -s"
shuts down the UDP port for reception of syslog messages, so that's covered.
As far as /var/run/log goes, chown/chgrp/chmod are your friends or you
can make /var/run/log a symbolic link to a protected directory with which
you use the -p argument to place the log socket. e.g.:

	# mkdir /var/run/log.d
	# chmod 700 /var/run/log.d
	# ln -s /var/run/log.d/log /var/run/log
	# syslogd -p /var/run/log/log

Darren

From owner-freebsd-security Wed Jan 6 02:39:35 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA21910 for freebsd-security-outgoing; Wed, 6 Jan 1999 02:39:35 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA21904 for ; Wed, 6 Jan 1999 02:39:33 -0800 (PST) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 7160 invoked by uid 1001); 6 Jan 1999 10:39:05 +0000 (GMT)
To: avalon@coombs.anu.edu.au
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
In-Reply-To: Your message of "Wed, 6 Jan 1999 20:35:23 +1100 (EDT)"
References: <199901060935.UAA24071@cheops.anu.edu.au>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Wed, 06 Jan 1999 11:39:04 +0100
Message-ID: <7158.915619144@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In what I think is a "bug" (or missing feature), commenting out syslog/514
> in /etc/services causes syslogd not to start rather than to just not open
> up the UDP port (2.2.5) but "syslogd -s" shuts down the UDP port for
> reception of syslog messages, so that's covered.

No, "syslogd -s" does *not* shut down the UDP port - at least not in

	$Id: syslogd.c,v 1.46 1998/12/29 23:14:50 cwt Exp $

Instead the packets are received and then logged as

	"syslogd: discarded %d unwanted packets in secure mode, last from %s"

I would much prefer that it actually not listened to the UDP port at all.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Wed Jan 6 02:44:05 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA22692 for freebsd-security-outgoing; Wed, 6 Jan 1999 02:44:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA22683 for ; Wed, 6 Jan 1999 02:44:03 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id VAA24675; Wed, 6 Jan 1999 21:43:22 +1100 (EDT)
From: Darren Reed Message-Id: <199901061043.VAA24675@cheops.anu.edu.au> Subject: Re: kernel/syslogd hack To: sthaug@nethelp.no Date: Wed, 6 Jan 1999 21:43:22 +1100 (EDT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <7158.915619144@verdi.nethelp.no> from "sthaug@nethelp.no" at Jan 6, 99 11:39:04 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from sthaug@nethelp.no, sie said: > > > In what I think is a "bug" (or missing feature), commenting out syslog/514 > > in /etc/services causes syslogd not to start rather than to just not open > > up the UDP port (2.2.5) but "syslogd -s" shuts down the UDP port for > > reception of syslog messages, so that's covered. > > No, "syslogd -s" does *not* shut down the UDP port - at least not in > > $Id: syslogd.c,v 1.46 1998/12/29 23:14:50 cwt Exp $ > > Instead the packets are received and then logged as > > "syslogd: discarded %d unwanted packets in secure mode, last from %s" > > I would much prefer that it actually not listened to the UDP port at all. Indeed. It needs to have one open so it can send to other hosts, but it should not listen at all. 
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 6 02:52:46 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA24666 for freebsd-security-outgoing; Wed, 6 Jan 1999 02:52:46 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tversu.ru (mail.tversu.ru [62.76.80.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA24592 for ; Wed, 6 Jan 1999 02:52:21 -0800 (PST) (envelope-from vadim@gala.tversu.ru) Received: from gala.tversu.ru (vadim@gala.tversu.ru [62.76.80.10]) by tversu.ru (8.8.8/8.8.8) with ESMTP id NAA22309; Wed, 6 Jan 1999 13:26:51 +0300 (MSK) Received: (from vadim@localhost) by gala.tversu.ru (8.8.8/8.8.8) id NAA21406; Wed, 6 Jan 1999 13:28:48 +0300 (MSK) Date: Wed, 6 Jan 1999 13:28:48 +0300 
From: Vadim Kolontsov To: Darren Reed Cc: freebsd-security@FreeBSD.ORG Subject: Re: kernel/syslogd hack Message-ID: <19990106132848.A14928@tversu.ru> References: <19990106095543.B28727@tversu.ru> <199901060935.UAA24071@cheops.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.94.15i In-Reply-To: <199901060935.UAA24071@cheops.anu.edu.au>; from Darren Reed on Wed, Jan 06, 1999 at 08:35:23PM +1100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, On Wed, Jan 06, 1999 at 08:35:23PM +1100, Darren Reed wrote: > nsyslogd (when it finally gets the hashing/encryption enabled) will provide > a constant flow. To it, the hashed and encrypted stream of data is just > another source, not a special thing which is handled differently. this is good news; I'd like to say "Thank you!" for all your work! > As far as /var/run/log goes, chown/chgrp/chmod are your friends or you > can make /var/run/log a symbolic link to a protected directory with which > you use the -p argument to place the log socket. e.g.: > # mkdir /var/run/log.d > # chmod 700 /var/run/log.d > # ln -s /var/run/log.d/log /var/run/log > # syslogd -p /var/run/log/log Sorry, I didn't understand you. In which cases would it help? Regards, V. 
-- Vadim Kolontsov Tver Internet Center NOC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 6 02:57:38 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA25145 for freebsd-security-outgoing; Wed, 6 Jan 1999 02:57:38 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA25139 for ; Wed, 6 Jan 1999 02:57:33 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id VAA24694; Wed, 6 Jan 1999 21:44:37 +1100 (EDT) 
From: Darren Reed Message-Id: <199901061044.VAA24694@cheops.anu.edu.au> Subject: Re: kernel/syslogd hack To: vadim@tversu.ru (Vadim Kolontsov) Date: Wed, 6 Jan 1999 21:44:37 +1100 (EDT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <19990106132848.A14928@tversu.ru> from "Vadim Kolontsov" at Jan 6, 99 01:28:48 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Vadim Kolontsov, sie said: > > Hello, > > On Wed, Jan 06, 1999 at 08:35:23PM +1100, Darren Reed wrote: > > > As far as /var/run/log goes, chown/chgrp/chmod are your friends or you > > can make /var/run/log a symbolic link to a protected directory with which > > you use the -p argument to place the log socket. e.g.: > > # mkdir /var/run/log.d > > # chmod 700 /var/run/log.d > > # ln -s /var/run/log.d/log /var/run/log > > # syslogd -p /var/run/log/log > > Sorry, I didn't understand you. In which cases would it help? The above stops non-root from sending syslog messages, locally. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 6 03:22:00 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA28456 for freebsd-security-outgoing; Wed, 6 Jan 1999 03:22:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA28442 for ; Wed, 6 Jan 1999 03:21:57 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id WAA25076; Wed, 6 Jan 1999 22:18:30 +1100 (EDT) 
From: Darren Reed
Message-Id: <199901061118.WAA25076@cheops.anu.edu.au>
Subject: Re: kernel/syslogd hack
To: vadim@tversu.ru (Vadim Kolontsov)
Date: Wed, 6 Jan 1999 22:18:30 +1100 (EDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19990106140415.B14924@tversu.ru> from "Vadim Kolontsov" at Jan 6, 99 02:04:15 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Vadim Kolontsov, sie said:
>
> Hi,
>
> On Wed, Jan 06, 1999 at 09:44:37PM +1100, Darren Reed wrote:
> > > > # mkdir /var/run/log.d
> > > > # chmod 700 /var/run/log.d
> > > > # ln -s /var/run/log.d/log /var/run/log
> > > > # syslogd -p /var/run/log/log
> > >
> > > Sorry, I didn't understand you. In which cases would it help?
> >
> > The above stops non-root from sending syslog messages, locally.
>
> I understand it, but I didn't understand in which *real* cases
> it can be useful?
>
> I can create a "log" group and put all syslog()ing programs into it.. but I'm
> still not sure it's useful.

The idea is that unless your privilege group is compromised, then you
should not be exposed to fake syslog messages generated by normal users.
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 6 03:35:59 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA00330 for freebsd-security-outgoing; Wed, 6 Jan 1999 03:35:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tversu.ru (mail.tversu.ru [62.76.80.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA29553 for ; Wed, 6 Jan 1999 03:31:52 -0800 (PST) (envelope-from vadim@gala.tversu.ru) Received: from gala.tversu.ru (vadim@gala.tversu.ru [62.76.80.10]) by tversu.ru (8.8.8/8.8.8) with ESMTP id OAA23013; Wed, 6 Jan 1999 14:02:17 +0300 (MSK) Received: (from vadim@localhost) by gala.tversu.ru (8.8.8/8.8.8) id OAA19249; Wed, 6 Jan 1999 14:04:15 +0300 (MSK) Date: Wed, 6 Jan 1999 14:04:15 +0300 
From: Vadim Kolontsov
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990106140415.B14924@tversu.ru>
References: <19990106132848.A14928@tversu.ru> <199901061044.VAA24694@cheops.anu.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.94.15i
In-Reply-To: <199901061044.VAA24694@cheops.anu.edu.au>; from Darren Reed on Wed, Jan 06, 1999 at 09:44:37PM +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

On Wed, Jan 06, 1999 at 09:44:37PM +1100, Darren Reed wrote:
> > > # mkdir /var/run/log.d
> > > # chmod 700 /var/run/log.d
> > > # ln -s /var/run/log.d/log /var/run/log
> > > # syslogd -p /var/run/log/log
> >
> > Sorry, I didn't understand you. In which cases would it help?
>
> The above stops non-root from sending syslog messages, locally.

I understand it, but I didn't understand in which *real* cases
it can be useful?

I can create a "log" group and put all syslog()ing programs into it.. but I'm
still not sure it's useful.

Regards,
V.

--
Vadim Kolontsov
Tver Internet Center NOC

From owner-freebsd-security Wed Jan 6 03:39:59 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA01003 for freebsd-security-outgoing; Wed, 6 Jan 1999 03:39:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA00998 for ; Wed, 6 Jan 1999 03:39:58 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.1/8.9.0/best.sh) id DAA27662; Wed, 6 Jan 1999 03:38:59 -0800 (PST)
Message-ID: <19990106033859.A26493@best.com>
Date: Wed, 6 Jan 1999 03:38:59 -0800
From: "Jan B. Koum " To: sthaug@nethelp.no, avalon@coombs.anu.edu.au Cc: freebsd-security@FreeBSD.ORG Subject: Re: kernel/syslogd hack References: <199901060935.UAA24071@cheops.anu.edu.au> <7158.915619144@verdi.nethelp.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <7158.915619144@verdi.nethelp.no>; from sthaug@nethelp.no on Wed, Jan 06, 1999 at 11:39:04AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Jan 06, 1999 at 11:39:04AM +0100, sthaug@nethelp.no wrote: > > In what I think is a "bug" (or missing feature), commenting out syslog/514 > > in /etc/services causes syslogd not to start rather than to just not open > > up the UDP port (2.2.5) but "syslogd -s" shuts down the UDP port for > > reception of syslog messages, so that's covered. > > No, "syslogd -s" does *not* shut down the UDP port - at least not in > > $Id: syslogd.c,v 1.46 1998/12/29 23:14:50 cwt Exp $ > > Instead the packets are received and then logged as > > "syslogd: discarded %d unwanted packets in secure mode, last from %s" > > I would much prefer that it actually not listened to the UDP port at all. > > Steinar Haug, Nethelp consulting, sthaug@nethelp.no > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Exactly. 
And in this case ipfw/ipf is your friend (or ACL on a router) if '-s'
alone does not make you feel warm and fuzzy:

	# ipfw add 9999 deny udp from any to ${my_ip} 514

-- Yan

From owner-freebsd-security Wed Jan 6 04:34:09 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA10657 for freebsd-security-outgoing; Wed, 6 Jan 1999 04:34:09 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA10646 for ; Wed, 6 Jan 1999 04:34:04 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id XAA25787; Wed, 6 Jan 1999 23:21:20 +1100 (EDT)
From: Darren Reed
Message-Id: <199901061221.XAA25787@cheops.anu.edu.au>
Subject: Re: kernel/syslogd hack
To: vadim@tversu.ru (Vadim Kolontsov)
Date: Wed, 6 Jan 1999 23:21:20 +1100 (EDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19990106140415.B14924@tversu.ru> from "Vadim Kolontsov" at Jan 6, 99 02:04:15 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Vadim Kolontsov, sie said:
>
> Hi,
>
> On Wed, Jan 06, 1999 at 09:44:37PM +1100, Darren Reed wrote:
> > > > # mkdir /var/run/log.d
> > > > # chmod 700 /var/run/log.d
> > > > # ln -s /var/run/log.d/log /var/run/log
> > > > # syslogd -p /var/run/log/log
> > >
> > > Sorry, I didn't understand you. In which cases would it help?
> >
> > The above stops non-root from sending syslog messages, locally.
>
> I understand it, but I didn't understand in which *real* cases
> it can be useful?
>
> I can create a "log" group and put all syslog()ing programs into it.. but I'm
> still not sure it's useful.

Your initial concern was that using programs like logger(1), people could
supply fake log messages. The above prevents that (if UDP is shut off also)
from happening locally. Isn't that part of what you wanted to do? After all,
how many programs is Joe Bloggs likely to run that will generate syslog
messages?
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 6 08:39:42 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA03693 for freebsd-security-outgoing; Wed, 6 Jan 1999 08:39:42 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA03687; Wed, 6 Jan 1999 08:39:30 -0800 (PST) (envelope-from narvi@haldjas.folklore.ee) Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id SAA22681; Wed, 6 Jan 1999 18:37:24 +0200 (EET) Date: Wed, 6 Jan 1999 18:37:24 +0200 (EET) 
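Darren's directory trick earlier in this exchange (mkdir /var/run/log.d, chmod 700, a symlink at /var/run/log, syslogd -p pointing into the directory) works because connect(2) needs search permission on every directory of the resolved path, not just write permission on the socket node, which syslogd leaves world-writable. The check below is an editor's added example, not code from the thread: it decides reachability for a given uid and gid from mode bits alone, so it gives the same answer whether or not it is run as root, and it rebuilds the layout in a scratch directory under /tmp, binding the socket inside the protected directory and pointing the symlink at it (the path the -p argument has to name). The scratch paths, the unrelated uid/gid 12345 and the function names are constructed for the demo; supplementary groups are ignored; written and run on Linux.

```c
/* Added example (not from the thread): can an unprivileged uid reach a
 * Unix-domain socket such as /var/run/log? connect(2) needs search (x)
 * permission on every directory of the resolved path plus write permission
 * on the socket node. Darren's mode-0700 directory fails the first test even
 * though syslogd leaves the socket node itself world-writable. Mode-bit
 * arithmetic only (no access(2)), so the answer is the same when run as root;
 * supplementary groups are ignored. Written and run on Linux. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Permission bit `want` (4 read, 2 write, 1 exec/search) of `st` for uid/gid.
 * uid 0 always passes, which is true for write and for directory search. */
static int has_bit(const struct stat *st, uid_t uid, gid_t gid, unsigned want)
{
    if (uid == 0)
        return 1;
    unsigned shift = st->st_uid == uid ? 6 : st->st_gid == gid ? 3 : 0;
    return ((st->st_mode >> shift) & want) != 0;
}

/* 1 if uid/gid could connect() to the socket at `path`, 0 if a directory on
 * the way is not searchable or the node is not writable, -1 if unresolvable. */
int socket_reachable(const char *path, uid_t uid, gid_t gid)
{
    char real[4096];
    struct stat st;
    if (realpath(path, real) == NULL)        /* follow symlinks, as connect() does */
        return -1;
    for (char *p = real + 1; (p = strchr(p, '/')) != NULL; p++) {
        *p = '\0';                           /* cut the path at this directory */
        int ok = stat(real, &st) == 0 && has_bit(&st, uid, gid, 1);
        *p = '/';
        if (!ok)
            return 0;                        /* search denied: connect() -> EACCES */
    }
    if (stat(real, &st) != 0 || !S_ISSOCK(st.st_mode))
        return -1;
    return has_bit(&st, uid, gid, 2);        /* the socket node must be writable */
}

/* Constructed demo of Darren's layout in a scratch directory under /tmp: the
 * socket is bound inside a 0700 directory, chmod'ed 0666 as syslogd would leave
 * it, and reached through a symlink (/var/run/log -> /var/run/log.d/log).
 * *locked and *unlocked receive socket_reachable() for the unrelated uid/gid
 * 12345 with the directory at 0700 and at 0755. Returns 0, or -1 on setup error. */
int demo_protected_socket(int *locked, int *unlocked)
{
    char dir[64], sock[96], lnk[96];
    struct sockaddr_un sa;
    int rc = -1;
    snprintf(dir, sizeof dir, "/tmp/log.d.%ld", (long)getpid());
    snprintf(sock, sizeof sock, "%s/log", dir);
    snprintf(lnk, sizeof lnk, "%s.link", dir);
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, sock, sizeof sa.sun_path - 1);
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd >= 0 && mkdir(dir, 0700) == 0 &&
        bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        chmod(sock, 0666) == 0 && symlink(sock, lnk) == 0) {
        *locked = socket_reachable(lnk, 12345, 12345);
        if (chmod(dir, 0755) == 0) {
            *unlocked = socket_reachable(lnk, 12345, 12345);
            rc = 0;
        }
    }
    if (fd >= 0)
        close(fd);
    unlink(lnk); unlink(sock); rmdir(dir);
    return rc;
}

int main(void)
{
    int locked, unlocked;
    if (demo_protected_socket(&locked, &unlocked) != 0) { perror("setup"); return 1; }
    printf("uid 12345 reaches the socket: dir 0700 -> %d, dir 0755 -> %d\n", locked, unlocked);
    return 0;
}
```

Run against a real host, socket_reachable("/var/run/log", uid, gid) answers Vadim's question of when the trick matters: any uid for which it returns 1 can feed syslogd arbitrary lines with logger(1), and the check follows the symlink so it audits the directory the socket actually lives in rather than /var/run itself.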
From: Narvi To: "A. L." cc: Gustavo Vieira G C Rios , freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Security In-Reply-To: <19990105132728.A20222@diamond.csuchico.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 5 Jan 1999, A. L. wrote: > Well there is always the ol'standby...Kerberos. Eudora supports this protocol. > It will also take care of ftp and telnet. Of course version 5 only supports > 56bit encryption for data. But it's hard to beat for keeping passwords off > the wire, specially for large networks. Actually, that is version 4 that supports only ordinary DES. No such limit for version 5. > > Aaron > Sander There is no love, no good, no happiness and no future - all these are just illusions. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 6 11:41:56 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA26589 for freebsd-security-outgoing; Wed, 6 Jan 1999 11:41:56 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from kstreet.interlog.com (kstreet.interlog.com [198.53.146.171]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA26584 for ; Wed, 6 Jan 1999 11:41:54 -0800 (PST) (envelope-from kws@kstreet.interlog.com) Received: (from kws@localhost) by kstreet.interlog.com (8.9.1/8.9.1) id OAA01229; Wed, 6 Jan 1999 14:40:57 -0500 (EST) (envelope-from kws) 
From: Kevin Street
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <13971.48201.157443.285341@kstreet.interlog.com>
Date: Wed, 6 Jan 1999 14:40:57 -0500 (EST)
To: freebsd-security@FreeBSD.ORG
Subject: locking /dev/ttyp*
X-Mailer: VM 6.63 under 20.4 "Emerald" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I got a note from a Linux developer who is looking for a FreeBSD equivalent
for a Linux feature. The feature allows a program to prevent others from
opening a /dev/ttypx without having to change the permissions on it. This
means the program does not have to be suid root.

In Linux this can apparently be done with:

	int flag = 1;
	if (ioctl(fd,TIOCSPTLCK,&flag)) // prohibit opening tty from now on
		perror("cannot set secure");

Is there any equivalent in FreeBSD? I know TIOCSPTLCK does not exist in
any header I could find in 3.0.

--
Kevin Street
street@iName.com

From owner-freebsd-security Wed Jan 6 11:42:06 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA26653 for freebsd-security-outgoing; Wed, 6 Jan 1999 11:42:06 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hyperreal.org (taz.hyperreal.org [209.133.83.16]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA26628 for ; Wed, 6 Jan 1999 11:42:01 -0800 (PST) (envelope-from brian@hyperreal.org)
Received: (qmail 23083 invoked by uid 24); 6 Jan 1999 19:41:32 -0000
Message-Id: <4.1.19990106113411.00bdc780@hyperreal.org>
X-Sender: brian@hyperreal.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 06 Jan 1999 11:34:27 -0800
To: freebsd-security@FreeBSD.ORG
From: Brian Behlendorf
Subject: Fwd: Wiping out setuid programs

This seemed like a relevant post to this forum.

	Brian

>Delivered-To: brian@HYPERREAL.ORG
>Approved-By: aleph1@UNDERGROUND.ORG
>Date: Wed, 6 Jan 1999 04:07:54 -0000
>Reply-To: "D. J. Bernstein"
>Sender: Bugtraq List
>From: "D. J. Bernstein"
>Subject: Wiping out setuid programs
>To: BUGTRAQ@NETSPACE.ORG
>
>This is a continuation of the ``Why you should avoid world-writable
>directories'' thread.
>
>Why do we create setuid programs? Because we need to let users access
>particular files in restricted ways. Some traditional examples:
>
>   program    files
>   -------------------------
>   at         the at queue
>   atq        the at queue
>   atrm       the at queue
>   chfn       /etc/passwd
>   chpass     /etc/passwd
>   chsh       /etc/passwd
>   crontab    the cron queue
>   cu         serial lines
>   eject      floppy disks
>   fdformat   floppy disks
>   lock       /etc/shadow
>   lpr        the print queue
>   lprm       the print queue
>   netstat    kernel memory
>   passwd     /etc/shadow
>   ps         kernel memory
>   rlogin     low TCP ports
>   rsh        low TCP ports
>   sendmail   the mail queue
>   talk       terminals
>   tip        serial lines
>   wall       terminals
>   write      terminals
>
>In every case the file access could be moved to a non-setuid daemon that
>accepts UNIX-domain connections from unprivileged user programs. This
>would wipe out a huge number of local security holes.
>
>However, in most cases, the daemon needs to know who it's talking to,
>for access control or for accounting. That's why I want a getpeeruid()
>routine returning the uid that called connect().
>
>It turns out that Linux 2.1 already supports this feature. You can
>implement getpeereuid() and getpeeregid() with a few lines on top of
>getsockopt() with SO_PEERCRED. Other systems could easily add support.
>
>A few people have commented that getpeeruid() doesn't give per-packet
>uids: if a user connects to the socket, and runs a setuid program, then
>the program's input and output will be attributed to the user. So what?
>The user could just as easily have run "cat | thesetuidprogram | cat",
>and he really does own the cat processes.
>
>Anyway, I've set up a web page discussing various IPC mechanisms from
>the writing-daemons-that-manage-restricted-files point of view:
>
>   http://pobox.com/~djb/docs/secureipc.html
>
>Please let me know if you have any updates.
>
>---Dan

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
History is made at night;                                brian@hyperreal.org
character is what you are in the dark.

Date: Wed, 6 Jan 1999 15:22:07 -0500 (EST)
From: andrewr
To: Kevin Street
cc: freebsd-security@FreeBSD.ORG
Subject: Re: locking /dev/ttyp*
In-Reply-To: <13971.48201.157443.285341@kstreet.interlog.com>

I asked a question like this a while back, because there was an easy way
to lock ttys. I believe in Linux it is vt_lock and vt_unlock (it's been
a while). But from everything people helped me try to do, even Soren, I was
unable to duplicate the effect. The effect was a locked terminal, kind
of like what xlock does for X Windows.

Andrew

On Wed, 6 Jan 1999, Kevin Street wrote:

> I got a note from a Linux developer who is looking for a FreeBSD
> equivalent for a Linux feature. The feature allows a program to prevent
> others from opening a /dev/ttypx without having to change the permissions
> on it. This means the program does not have to be suid root.
>
> In Linux this can apparently be done with:
>
>     int flag = 1;
>     if (ioctl(fd, TIOCSPTLCK, &flag))  // prohibit opening tty from now on
>         perror("cannot set secure");
>
> Is there any equivalent in FreeBSD? I know TIOCSPTLCK does not exist
> in any header I could find in 3.0.
>
> --
> Kevin Street
> street@iName.com

From: andrewr
Reply-to: andrewr
To: jrz@wnm.net
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 6 Jan 1999 17:23:49 GMT
Subject: Fwd: Re: locking /dev/ttyp*
Message-id: <36939c25.488b.0@wnm.net>

****** Forwarded Message Follows *******
>To: Kevin Street
>From: andrewr
>Date: Wed, 6 Jan 1999 15:22:07 -0500 (EST)

From: Don Lewis
Message-Id: <199901070023.QAA02193@salsa.gv.tsc.tdk.com>
Date: Wed, 6 Jan 1999 16:23:52 -0800
In-Reply-To: Vadim Kolontsov "Re: kernel/syslogd hack" (Jan 6, 9:47am)
To: Vadim Kolontsov, Don Lewis
Subject: Re: kernel/syslogd hack
Cc: freebsd-security@FreeBSD.ORG

On Jan 6, 9:47am, Vadim Kolontsov wrote:
} Subject: Re: kernel/syslogd hack
} Hi,
}
} On Tue, Jan 05, 1999 at 04:39:53PM -0800, Don Lewis wrote:
}
} > } Advantages: it doesn't require recompiling client applications or
} > } shared libraries, it's completely transparent for clients, can be
} >
} > If you wanted to use SCM_CREDS, you'd need to tweak syslog() and rebuild
} > the shared library. I don't think this is too much of a disadvantage.
}
} Who will rebuild all binary-only FreeBSD/Linux apps available on the market?
} Not all of them use shared libraries.

I suspect that not many of those that are statically linked call syslog().

If syslogd received a message without the credentials, it could log the
information that it was handed with an indication that the information
may not be trustworthy.

} > } Of course this patch doesn't solve the problem with syslog/514 UDP. I
} > } know it
} >
} > Someone has written a secure syslog protocol that uses encryption, etc.
}
} It signs local logs, it encrypts them during network transfer, but it
} does nothing for the problem I've described -- the log socket (AF_UNIX) is
} available for everyone and all information is trusted (correct me if I'm wrong).

This is correct, but at least it prevents someone from sending totally
fabricated (IP source address and all) messages to UDP port 514. Even
if the message is signed and encrypted, you still might not be able to
trust the sender as much as you can with SCM_CREDS or equivalent.

Date: Thu, 7 Jan 1999 03:35:22 +0300
From: Vadim Kolontsov
To: Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990107033522.B26805@tversu.ru>
References: <199901070023.QAA02193@salsa.gv.tsc.tdk.com>
In-Reply-To: <199901070023.QAA02193@salsa.gv.tsc.tdk.com>; from Don Lewis on Wed, Jan 06, 1999 at 04:23:52PM -0800

Hello,

On Wed, Jan 06, 1999 at 04:23:52PM -0800, Don Lewis wrote:
> } > If you wanted to use SCM_CREDS, you'd need to tweak syslog() and rebuild
> } > the shared library. I don't think this is too much of a disadvantage.
> }
> } Who will rebuild all binary-only FreeBSD/Linux apps available on the market?
> } Not all of them use shared libraries.
>
> I suspect that not many of those that are statically linked call syslog().
>
> If syslogd received a message without the credentials, it could log the
> information that it was handed with an indication that the information
> may not be trustworthy.

Yes, it's clear. And I like this approach much better than my attempts.
So if everybody thinks that using SCM_CREDS is a good idea, maybe it
should be included in -current? It will not break anything (the only
thing which will be changed is the log format, but using the new feature
can be optional -- just another option for syslogd). And it's not hard
to implement.

Regards,
V.
--
Vadim Kolontsov
Tver Internet Center NOC

Date: Thu, 7 Jan 1999 12:23:40 +1100
From: Peter Jeremy
Subject: Re: kernel/syslogd hack
To: Don.Lewis@tsc.tdk.com
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <99Jan7.122259est.40326@border.alcanet.com.au>

Don Lewis wrote:
>If syslogd received a message without the credentials, it could log the
>information that it was handed with an indication that the information
>may not be trustworthy.

Which immediately returns us to the original problem - which is that
the current syslog protocol makes DOS attacks trivial.

Peter

From: Don Lewis
Message-Id: <199901070255.SAA02558@salsa.gv.tsc.tdk.com>
Date: Wed, 6 Jan 1999 18:55:02 -0800
In-Reply-To: Peter Jeremy "Re: kernel/syslogd hack" (Jan 7, 12:23pm)
To: Peter Jeremy, Don.Lewis@tsc.tdk.com
Subject: Re: kernel/syslogd hack
Cc: freebsd-security@FreeBSD.ORG

On Jan 7, 12:23pm, Peter Jeremy wrote:
} Subject: Re: kernel/syslogd hack
} Don Lewis wrote:
} >If syslogd received a message without the credentials, it could log the
} >information that it was handed with an indication that the information
} >may not be trustworthy.
}
} Which immediately returns us to the original problem - which is that
} the current syslog protocol makes DOS attacks trivial.

Add an option to tell syslogd to ignore messages that don't have
credentials? The only reason I'd make this an option is to allow for
statically linked apps that can't be recompiled.

From: Don Lewis
Message-Id: <199901070257.SAA02565@salsa.gv.tsc.tdk.com>
Date: Wed, 6 Jan 1999 18:57:22 -0800
In-Reply-To: Vadim Kolontsov "Re: kernel/syslogd hack" (Jan 7, 3:35am)
To: Vadim Kolontsov, Don Lewis
Subject: Re: kernel/syslogd hack
Cc: freebsd-security@FreeBSD.ORG

On Jan 7, 3:35am, Vadim Kolontsov wrote:
} Subject: Re: kernel/syslogd hack
}
} Yes, it's clear. And I like this approach much better than my
} attempts. So if everybody thinks that using SCM_CREDS is a good idea,
} maybe it should be included in -current?

I think so.

} It will not break anything
} (the only thing which will be changed is the log format, but using the new
} feature can be optional -- just another option for syslogd). And it's
} not hard to implement.

Changing the log format could be bad because it could mess up various
log parsing scripts. An option would be nice. It would even be
better if the format could be selected for each logfile. I don't
know how that could be worked into the syslog.conf format, though.
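
The receiving side of the scheme this thread converges on, as an added example that is not code from the thread or from FreeBSD's syslogd: the log socket is told to deliver per-datagram credentials, each line is tagged with the kernel-supplied pid/uid/gid, and a datagram that arrives without them is logged as UNTRUSTED, as Don Lewis suggests above. It is written for Linux, where the receiving-socket option Vadim describes is SO_PASSCRED and the ancillary record is SCM_CREDENTIALS (FreeBSD's counterpart is SCM_CREDS); struct logrec, the function names and the sample message are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* One received datagram as a credential-aware syslogd would record it.
 * trusted == 0 means no kernel-supplied credentials arrived. */
struct logrec {
    int   trusted;
    pid_t pid;
    uid_t uid;
    gid_t gid;
    char  msg[256];
};

/* The "special option" on the receiving log socket. On Linux it is
 * SO_PASSCRED: from then on the kernel attaches an SCM_CREDENTIALS record
 * with the sender's pid/uid/gid to every datagram, and an unprivileged
 * sender cannot substitute someone else's identity. */
int log_socket_enable_creds(int fd)
{
    int on = 1;
    return setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof on);
}

/* Receive one datagram and pull the credentials, if any, out of the
 * ancillary data. Returns 0 on success, -1 on a receive error. */
int log_recv(int fd, struct logrec *rec)
{
    char cbuf[CMSG_SPACE(sizeof(struct ucred))];
    struct iovec iov = { .iov_base = rec->msg, .iov_len = sizeof rec->msg - 1 };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &mh, 0);
    if (n < 0)
        return -1;
    rec->msg[n] = '\0';
    rec->trusted = 0;
    rec->pid = -1; rec->uid = (uid_t)-1; rec->gid = (gid_t)-1;   /* unknown */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c != NULL; c = CMSG_NXTHDR(&mh, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS &&
            c->cmsg_len >= CMSG_LEN(sizeof(struct ucred))) {
            struct ucred uc;
            memcpy(&uc, CMSG_DATA(c), sizeof uc);
            rec->pid = uc.pid; rec->uid = uc.uid; rec->gid = uc.gid;
            rec->trusted = 1;
        }
    }
    if (mh.msg_flags & MSG_CTRUNC)     /* control data truncated: cannot vouch */
        rec->trusted = 0;
    return 0;
}

/* Render the record as such a syslogd might write it to the logfile. */
int log_format(const struct logrec *rec, char *out, size_t len)
{
    if (rec->trusted)
        return snprintf(out, len, "pid=%ld uid=%ld gid=%ld %s", (long)rec->pid,
                        (long)rec->uid, (long)rec->gid, rec->msg);
    return snprintf(out, len, "UNTRUSTED %s", rec->msg);
}

/* A socketpair stands in for /var/run/log. The client side uses plain
 * send(), as an old statically linked syslog(3) would, so nothing there
 * had to change; with_creds says whether the receiver opted in. */
static int demo(int with_creds, struct logrec *rec)
{
    int sv[2], rc = -1;
    const char *msg = "<13>su: constructed test message";   /* constructed */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if ((!with_creds || log_socket_enable_creds(sv[1]) == 0) &&
        send(sv[0], msg, strlen(msg), 0) >= 0)
        rc = log_recv(sv[1], rec);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* 1 if, with the option on, the datagram is attributed to this process. */
int demo_trusted_ok(void)
{
    struct logrec rec;
    return demo(1, &rec) == 0 && rec.trusted == 1 &&
           rec.pid == getpid() && rec.uid == getuid();
}

/* 1 if, without the option, the same datagram is logged as UNTRUSTED. */
int demo_untrusted_ok(void)
{
    struct logrec rec;
    char line[512];
    return demo(0, &rec) == 0 && rec.trusted == 0 &&
           log_format(&rec, line, sizeof line) > 0 &&
           strncmp(line, "UNTRUSTED <13>su:", 17) == 0;
}
```

A real daemon would bind a SOCK_DGRAM socket at the log path instead of the socketpair and call log_recv() in its select loop.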

From: Don Lewis
Message-Id: <199901071001.CAA03365@salsa.gv.tsc.tdk.com>
Date: Thu, 7 Jan 1999 02:01:41 -0800
In-Reply-To: Mark Newton "Re: About chroot" (Dec 25, 10:00am)
To: Mark Newton, robert+freebsd@cyrus.watson.org
Subject: Re: About chroot
Cc: newton@camtech.com.au, eivind@yes.no, casper@acc.am, freebsd-security@FreeBSD.ORG

On Dec 25, 10:00am, Mark Newton wrote:
} Subject: Re: About chroot
} Robert Watson wrote:
}
} > On Thu, 24 Dec 1998, Mark Newton wrote:
}
} > > I've submitted the patch; it's kern/9183.
} > >
} > > Does anyone want to review it? I'll commit it if there's a positive
} > > response (but won't if there's no response).
} >
} > Mark,
} > It seems like a neat idea. However, enabling vfs.hard_chroot may break
} > security in certain environments--in particular, environments where a
} > chroot is used as part of the system bootup, and where existing services
} > will try to use chroot to create sandboxes.
}
} Agreed. I figured those cases would make up a minority.

There's at least one place where I need two levels of chroot(). The
hack that I'm currently using added another rdir-like entry to struct
filedesc. I'm currently in the process of reimplementing this as a
stack. The main problem I'm having is a lack of time to work on the
code.

One tricky thing is that once you allow more than one level of chroot(),
you create the possibility of breaking out of the jail. I've got some
ideas on how to protect against this.

} Of course -- But that's relatively easy: The same check for
} p_rdir that's used to work out whether chroot() should fail can also
} be placed into mknod(2) and mount(2). I wouldn't even need to
} unstaticize hard_chroot to make those changes happen.

I did something like this a couple of years ago (don't forget about umount()).

My current preference would be to set a flag in struct proc that disables
access to these. The process that puts the suspect process in jail would
do the chroot() and set the flag. Even better would be finer grained
access control. It's too bad that POSIX wasn't able to standardize
something.

} If it gets more widely used, though, the p_rdir check probably should
} be wrapped in a function that can be called from elsewhere in the kernel
} to do a permission check -- if hard_chrooted() returns TRUE, fail the
} operation...
}
} We'd probably also want to restrict a user's ability to access LKM/KLD
} interfaces, assuming they're in the kernel in the first place. reboot(2)
} should also be restricted. Are there any others? (deny bind()ing to
} privileged ports? nah, that'd break ftpd, which is part of the
} intended audience of the patch, with very few security benefits).

I disabled access to lkms, and blocked access to processes outside the jail
by kill() and ptrace().

} If we commit something like this it might be worth creating a new
} hard_chroot(7) manpage and referring to that out of chroot(2),
} mount(2), mknod(2) and any other manpages that are affected by the
} change. hard_chroot(7) could contain a detailed description of what
} the patch does and the effects it is likely to have on the types of
} services you mentioned above as things this patch is likely to
} break, as well as descriptions of what it can help with.

Date: Thu, 7 Jan 1999 15:36:15 +0300
From: Vadim Kolontsov
To: Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990107153615.A27741@tversu.ru>
References: <199901070257.SAA02565@salsa.gv.tsc.tdk.com>
In-Reply-To: <199901070257.SAA02565@salsa.gv.tsc.tdk.com>; from Don Lewis on Wed, Jan 06, 1999 at 06:57:22PM -0800

Hi,

On Wed, Jan 06, 1999 at 06:57:22PM -0800, Don Lewis wrote:
> } Yes, it's clear. And I like this approach much better than my
> } attempts. So if everybody thinks that using SCM_CREDS is a good idea,
> } maybe it should be included in -current?
>
> I think so.

I would like to try to do it, and post results here (if nobody has
already done it).

> } It will not break anything
> } (the only thing which will be changed is the log format, but using the new
> } feature can be optional -- just another option for syslogd). And it's
> } not hard to implement.
>
> Changing the log format could be bad because it could mess up various
> log parsing scripts. An option would be nice. It would even be
> better if the format could be selected for each logfile. I don't
> know how that could be worked into the syslog.conf format, though.

What about a 3rd (optional) 'options' field in syslog.conf?

By the way, I'm also thinking that it would be useful to add an ability
to filter logs by source machine. My patch for syslogd understands the
following syntax in syslog.conf:

    [machine:]selector;selector;selector    action

So the only new (and optional) field is "machine:". It's hostname + domain.
It's too simple; maybe IP ranges, netmasks etc. can be useful. "machine"
can be "*" (or simply skipped) - it means that this line works for all
source addresses. I'm not sure that it's the ideal syntax if you have a
lot of machines (but it works ok with m4 or copy'n'paste :)

Regards,
V.
--
Vadim Kolontsov
Tver Internet Center NOC
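
A parser for the "[machine:]selector action" line Vadim sketches above, as an added example rather than his patch: it decides whether a syslog.conf line applies to a datagram from a given source host and hands back the ordinary selector part. The function names and the sample lines are assumptions of this example; the hostnames in them are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Decide whether one syslog.conf line in the "[machine:]selector action"
 * form applies to a datagram from srchost. Returns 1 if it applies, 0 if
 * not (or for blank/comment lines), -1 if the machine field is malformed.
 * On return *rest points at the ordinary "selector action" remainder. */
int conf_line_applies(const char *line, const char *srchost, const char **rest)
{
    while (*line == ' ' || *line == '\t')
        line++;
    *rest = line;
    if (*line == '\0' || *line == '\n' || *line == '#')
        return 0;

    /* Selectors ("auth.*;kern.err") never contain ':', so a colon inside
     * the first token can only be the machine separator. (An IPv6 literal
     * would need a different delimiter; the syntax as sketched has none.) */
    const char *p = line;
    while (*p != '\0' && *p != ':' && !isspace((unsigned char)*p))
        p++;
    if (*p != ':')
        return 1;                        /* no machine field: applies to all */

    size_t mlen = (size_t)(p - line);
    *rest = p + 1;
    if (mlen == 0)
        return -1;                       /* ":auth.* file" names no machine */
    if (mlen == 1 && line[0] == '*')
        return 1;                        /* explicit wildcard */
    /* DNS names are case-insensitive; require the whole name to match so
     * that "mail" does not stand for every host whose name starts with it. */
    return strlen(srchost) == mlen && strncasecmp(line, srchost, mlen) == 0;
}

/* Convenience wrappers for callers that want only one of the results. */
int conf_line_matches(const char *line, const char *srchost)
{
    const char *rest;
    return conf_line_applies(line, srchost, &rest);
}

/* The selector part of a line, or NULL if the machine field is malformed. */
const char *conf_line_selector(const char *line)
{
    const char *rest;
    return conf_line_applies(line, "", &rest) == -1 ? NULL : rest;
}
```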

From: Darren Reed
Message-Id: <199901071355.AAA12004@cheops.anu.edu.au>
Subject: Re: kernel/syslogd hack
To: vadim@tversu.ru (Vadim Kolontsov)
Date: Fri, 8 Jan 1999 00:55:55 +1100 (EDT)
Cc: Don.Lewis@tsc.tdk.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <19990107153615.A27741@tversu.ru> from "Vadim Kolontsov" at Jan 7, 99 03:36:15 pm

Just so I understand what you're doing, you're recording who sent the
syslog message (and making the message longer) because you're concerned
about users generating fake messages.

Now as it stands, you don't want to stop them sending fake messages,
you just want to know when they are being sent so you can distinguish
real ones from fakes.

Did I get that all right?

Btw, if you just wanted an enhanced configuration file, nsyslogd does
filtering on IP#'s now.

Darren

Date: Thu, 7 Jan 1999 17:43:08 +0300
From: Vadim Kolontsov
To: Darren Reed
Cc: Don.Lewis@tsc.tdk.com, freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990107174308.A28043@tversu.ru>
References: <19990107153615.A27741@tversu.ru> <199901071355.AAA12004@cheops.anu.edu.au>
In-Reply-To: <199901071355.AAA12004@cheops.anu.edu.au>; from Darren Reed on Fri, Jan 08, 1999 at 12:55:55AM +1100

Darren,

> Just so I understand what you're doing, you're recording who sent the
> syslog message (and making the message longer) because you're concerned
> about users generating fake messages.

Yes, if the kernel sees that the destination UNIX domain socket has a
special option set, it adds pid/uid/gid/etc. to all datagrams sent to
this socket, so syslogd can record this information in the logs. So I can
determine later who is sending fake messages, who is flooding and so on.
This patch doesn't stop users from sending fake messages. But it allows
me to know *who* is sending them (it can be analyzed by a human or by a
log analyzing program). To activate this behaviour in the kernel, syslogd
makes setsockopt("/var/run/log", SOL_SOCKET, SO_MY_NEW_OPTION, &1). You
only need to recompile the kernel and syslogd.

It has been suggested to me to modify syslog(3) to use sendmsg(2) with
SCM_CREDS instead of send()/sendto(). In this case the kernel does the
same work (adding pid/uid/euid/gid/groups to the datagram). It requires
recompiling shared libraries and statically linked programs which use
syslog(3), but I think it's anyway a more "clear" way than patching the
kernel.

> Now as it stands, you don't want to stop them sending fake messages,
> you just want to know when they are being sent so you can distinguish
> real ones from fakes.

See above.. probably I didn't describe the original idea well enough,
sorry. Patching the kernel and using SCM_CREDS with sendmsg(2) are just
two different ways to one target -- to allow syslog to record information
about the process which sends logs.

> Btw, if you just wanted an enhanced configuration file, nsyslogd does
> filtering on IP#'s now.

I've tried nsyslogd, and I saw examples of its configuration files..
it's good, and I like it. But now I'm thinking about FreeBSD's syslogd :)

Regards,
V.

--
Vadim Kolontsov
Tver Internet Center NOC

Message-ID: <19990107214242.A1721@gvr.org>
Date: Thu, 7 Jan 1999 21:42:42 +0100
From: Guido van Rooij
To: Vadim Kolontsov, Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
References: <199901060039.QAA13314@salsa.gv.tsc.tdk.com> <19990106094701.A28727@tversu.ru>
In-Reply-To: <19990106094701.A28727@tversu.ru>; from Vadim Kolontsov on Wed, Jan 06, 1999 at 09:47:01AM +0300

On Wed, Jan 06, 1999 at 09:47:01AM +0300, Vadim Kolontsov wrote:
>
> Who will rebuild all binary-only FreeBSD/Linux apps available on the market?
> Not all of them use shared libraries.

So.. if you rewrite syslog(3) to sendmsg an SS_CRED message, you can
rewrite syslog to only log the (e)uid of the syslog(3)-caller when this
message is received. This way you would not break the older syslog-users.

-Guido

Message-ID: <19990107214742.B1721@gvr.org>
Date: Thu, 7 Jan 1999 21:47:42 +0100
From: Guido van Rooij
To: Brian Behlendorf, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: Wiping out setuid programs
In-Reply-To: <4.1.19990106113411.00bdc780@hyperreal.org>; from Brian Behlendorf on Wed, Jan 06, 1999 at 11:34:27AM -0800
References: <4.1.19990106113411.00bdc780@hyperreal.org>

On Wed, Jan 06, 1999 at 11:34:27AM -0800, Brian Behlendorf wrote:
>
>
> >It turns out that Linux 2.1 already supports this feature. You can
> >implement getpeereuid() and getpeeregid() with a few lines on top of
> >getsockopt() with SO_PEERCRED. Other systems could easily add support.
>

FreeBSD also has something like this. From recvmsg(2):

     Process credentials can also be passed as ancillary data for AF_UNIX
     domain sockets using a cmsg_type of SCM_CREDS.  In this case, cmsg_data
     should be a structure of type cmsgcred, which is defined in as follows:

This was developed for secure RPC. It has the advantage over getpeere[ug]id() that there might be more peers.
-Guido

From owner-freebsd-security Thu Jan 7 14:11:41 1999
From: Don Lewis
Message-Id: <199901072209.OAA04747@salsa.gv.tsc.tdk.com>
Date: Thu, 7 Jan 1999 14:09:04 -0800
In-Reply-To: Vadim Kolontsov "Re: kernel/syslogd hack" (Jan 7, 3:36pm)
To: Vadim Kolontsov, Don Lewis
Subject: Re: kernel/syslogd hack
Cc: freebsd-security@FreeBSD.ORG

On Jan 7, 3:36pm, Vadim Kolontsov wrote:
} Subject: Re: kernel/syslogd hack
} > Changing the log format could be bad because it could mess up various
} > log parsing scripts.  An option would be nice.  It would even be
} > better if the format could be selected for each logfile.  I don't
} > know how that could be worked into the syslog.conf format, though.
}
} what about a 3rd (optional) 'options' field in syslog.conf?

It would be best if this option could be specified on a per-action basis, since not all actions for the syslog entry might want the same format. I don't know that this is really all that important, though.

From owner-freebsd-security Thu Jan 7 21:31:55 1999
Date: Fri, 8 Jan 1999 00:31:40 -0500
From: Jared Mauch
To: freebsd-security@FreeBSD.ORG
Subject: 3.0 rel pwd_mkdb problem(patch)
Message-ID: <19990108003140.A13277@puck.nether.net>

I've had a problem recently with people breaking root and installing accounts with *no* uid in their pw file entry; that way everything comes up with zero for the uid, giving the user root privs. I'm not sure how they're obtaining root yet, but I've patched pwd_mkdb so they can't rebuild the pw file with this being the case (which it should check for anyways).

Here's the patch:

diff -ur pw_scan.c.orig pw_scan.c
--- pw_scan.c.orig	Fri Jan 8 00:24:14 1999
+++ pw_scan.c	Fri Jan 8 00:16:59 1999
@@ -80,6 +80,11 @@
 		goto fmt;
 	if(p[0]) pw->pw_fields |= _PWF_UID;
 	id = atol(p);
+	if (strlen(p) == 0)
+	{
+		warnx("no uid for user %s", pw->pw_name);
+		return (0);
+	}
 	if (root && id) {
 		warnx("root uid should be 0");
 		return (0);

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From owner-freebsd-security Fri Jan 8 05:05:16 1999
Message-ID: <19990108140417.E348@follo.net>
Date: Fri, 8 Jan 1999 14:04:17 +0100
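Review bot: the new `if (strlen(p) == 0)` block re-tests the condition that the preceding `if(p[0]) pw->pw_fields |= _PWF_UID;` already evaluates, and it sits after `id = atol(p);` has already run; make the rejection the else branch of that existing `if(p[0])` test so the empty field is refused once, before the conversion, and the extra strlen() call goes away.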
From: Eivind Eklund
To: freebsd-security@FreeBSD.ORG
Cc: wollman@FreeBSD.ORG
Subject: Re: 3.0 rel pwd_mkdb problem(patch)
In-Reply-To: <19990108003140.A13277@puck.nether.net>; from Jared Mauch on Fri, Jan 08, 1999 at 12:31:40AM -0500
References: <19990108003140.A13277@puck.nether.net>

On Fri, Jan 08, 1999 at 12:31:40AM -0500, Jared Mauch wrote:
> I've had a problem recently with people breaking root
> and installing accounts with *no* uid in their pw file entry,
> that way everything comes up with zero for the uid, giving
> the user root privs.  I'm not sure how they're obtaining root yet,
> but i've patched pwd_mkdb so they can't rebuild the pw file with
> this being the case (which it should check for anyways).
>
> here's the patch:

Note that this can be written more simply as

Index: pw_scan.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/pwd_mkdb/pw_scan.c,v
retrieving revision 1.6
diff -u -r1.6 pw_scan.c
--- pw_scan.c	1997/10/10 06:27:06	1.6
+++ pw_scan.c	1999/01/08 12:55:05
@@ -78,7 +78,12 @@
 	if (!(p = strsep(&bp, ":")))		/* uid */
 		goto fmt;
-	if(p[0]) pw->pw_fields |= _PWF_UID;
+	if (p[0])
+		pw->pw_fields |= _PWF_UID;
+	else {
+		warnx("no uid for user %s", pw->pw_name);
+		return (0);
+	}
 	id = atol(p);
 	if (root && id) {
 		warnx("root uid should be 0");

by hanging off the old field check that wollman added when we added 'pw_fields'. This seems to indicate that he considered an empty UID as a valid case. I don't see why, so I would appreciate it if Garrett would follow up and tell me :-) passwd(5) does not indicate that an empty UID field is valid.

Eivind.

From owner-freebsd-security Fri Jan 8 05:10:44 1999
Message-ID: <19990108141005.F348@follo.net>
Date: Fri, 8 Jan 1999 14:10:05 +0100
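Review bot: the else branch now refuses an empty uid field, but the unchanged `id = atol(p);` that follows still turns a non-empty, non-numeric field into 0 without any warning, so the `if (root && id)` check after it cannot tell a genuine uid 0 from a failed conversion; parse with strtol() or strtoul() instead and reject the entry unless the end pointer lands on the terminating NUL. Also, the header `@@ -78,7 +78,12 @@` announces 7 old and 12 new lines while only 6 and 11 are shown, so a trailing context line appears to have been lost in transit; worth checking that the patch applies cleanly.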
From: Eivind Eklund
To: Guido van Rooij, Vadim Kolontsov, Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
In-Reply-To: <19990107214242.A1721@gvr.org>; from Guido van Rooij on Thu, Jan 07, 1999 at 09:42:42PM +0100
References: <199901060039.QAA13314@salsa.gv.tsc.tdk.com> <19990106094701.A28727@tversu.ru> <19990107214242.A1721@gvr.org>

On Thu, Jan 07, 1999 at 09:42:42PM +0100, Guido van Rooij wrote:
> On Wed, Jan 06, 1999 at 09:47:01AM +0300, Vadim Kolontsov wrote:
> >
> > Who will rebuild all binary-only FreeBSD/Linux apps, available on the market?
> > Not all of them use shared libraries.
>
> So.. If you rewrite syslog(3) to sendmsg an SS_CRED message, you can rewrite
> syslog to only log the (e)uid of the syslog(3)-caller when this message
> is received. This way you would not break the older syslog-users.

... but you give anybody the ability to spoof messages by pretending to be an older caller.

I think we need to fix the interface here; forcing the client to 'give ID' is IMO bad for security (it is somewhat good for privacy, though...)

Eivind.
From owner-freebsd-security Fri Jan 8 05:46:59 1999
Date: Fri, 8 Jan 1999 16:42:48 +0300
From: Vadim Kolontsov
To: Eivind Eklund
Cc: Guido van Rooij, Don Lewis, freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
Message-ID: <19990108164248.A10764@tversu.ru>
In-Reply-To: <19990108141005.F348@follo.net>; from Eivind Eklund on Fri, Jan 08, 1999 at 02:10:05PM +0100
References: <199901060039.QAA13314@salsa.gv.tsc.tdk.com> <19990106094701.A28727@tversu.ru> <19990107214242.A1721@gvr.org> <19990108141005.F348@follo.net>

Hi,

On Fri, Jan 08, 1999 at 02:10:05PM +0100, Eivind Eklund wrote:
> I think we need to fix the interface here; forcing the client to 'give
> ID' is IMO bad for security (it is somewhat good for privacy,
> though...)

Currently only the client can initiate a credentials transfer (using sendmsg() and SCM_CRED). Maybe we can add a socket option (like SO_LOCALCREDS), so the server would be able to set it on the socket and use recvmsg() instead of recvfrom(). In uipc_send (kern/uipc_usrreq.c) we can check not only for SCM_CRED in the sender's msg_flags, but for SO_LOCALCREDS on the target socket too. So the SCM_CREDS scheme will become symmetrical. And usable for syslogd :)

Regards, V.
--
Vadim Kolontsov
Tver Internet Center NOC

From owner-freebsd-security Fri Jan 8 07:53:15 1999
Message-ID: <19990108165225.A1603@gvr.org>
Date: Fri, 8 Jan 1999 16:52:25 +0100
From: Guido van Rooij
To: Eivind Eklund, Vadim Kolontsov, Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
In-Reply-To: <19990108141005.F348@follo.net>; from Eivind Eklund on Fri, Jan 08, 1999 at 02:10:05PM +0100
References: <199901060039.QAA13314@salsa.gv.tsc.tdk.com> <19990106094701.A28727@tversu.ru> <19990107214242.A1721@gvr.org> <19990108141005.F348@follo.net>

On Fri, Jan 08, 1999 at 02:10:05PM +0100, Eivind Eklund wrote:
> On Thu, Jan 07, 1999 at 09:42:42PM +0100, Guido van Rooij wrote:
> > On Wed, Jan 06, 1999 at 09:47:01AM +0300, Vadim Kolontsov wrote:
> > >
> > > Who will rebuild all binary-only FreeBSD/Linux apps, available on the market?
> > > Not all of them use shared libraries.
> >
> > So.. If you rewrite syslog(3) to sendmsg an SS_CRED message, you can rewrite
> > syslog to only log the (e)uid of the syslog(3)-caller when this message
> > is received. This way you would not break the older syslog-users.
>
> ... but you give anybody the ability to spoof messages by pretending
> to be an older caller.
>
> I think we need to fix the interface here; forcing the client to 'give
> ID' is IMO bad for security (it is somewhat good for privacy,

So make an option to syslogd: accept old style (unauthenticated) messages. If you remove that option, only authenticated messages will come through. That way, you don't need to change the name of syslog(2) and you still get all the desired functionality.
-Guido

From owner-freebsd-security Fri Jan 8 08:10:31 1999
Message-ID: <19990108170950.L348@follo.net>
Date: Fri, 8 Jan 1999 17:09:50 +0100
From: Eivind Eklund
To: Guido van Rooij, Vadim Kolontsov, Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel/syslogd hack
In-Reply-To: <19990108165225.A1603@gvr.org>; from Guido van Rooij on Fri, Jan 08, 1999 at 04:52:25PM +0100
References: <199901060039.QAA13314@salsa.gv.tsc.tdk.com> <19990106094701.A28727@tversu.ru> <19990107214242.A1721@gvr.org> <19990108141005.F348@follo.net> <19990108165225.A1603@gvr.org>

On Fri, Jan 08, 1999 at 04:52:25PM +0100, Guido van Rooij wrote:
> On Fri, Jan 08, 1999 at 02:10:05PM +0100, Eivind Eklund wrote:
> > I think we need to fix the interface here; forcing the client to 'give
> > ID' is IMO bad for security (it is somewhat good for privacy,
>
> So make an option to syslogd: accept old style (unauthenticated) messages.
> If you remove that option, only authenticated messages will come through.
> That way, you don't need to change the name of syslog(2) and you
> still get all the desired functionality.

I was thinking of re-writing the API for SS_CRED, not for syslog. This is somewhat bad for privacy, but it is extremely good for being able to track attacks.

Eivind.
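The receiver-driven credential passing that Vadim proposes as SO_LOCALCREDS and Eivind argues for above, as an added example that is not code from this thread or from FreeBSD: it uses Linux's SO_PASSCRED/SCM_CREDENTIALS (the same kernel facility as the SO_PEERCRED quoted earlier in the thread; FreeBSD later gained the equivalent LOCAL_CREDS option), which is assumed to be available, and the function names are mine. It shows that a sender which attaches nothing, as an unmodified syslog(3) caller would, is still identified by the kernel, and that a sender claiming a uid it does not hold is refused with EPERM unless it is privileged.

```c
#define _GNU_SOURCE              /* struct ucred and SO_PASSCRED on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Control buffer sized for exactly one SCM_CREDENTIALS message. */
union cred_ctl { struct cmsghdr hdr; char data[CMSG_SPACE(sizeof(struct ucred))]; };

/* Receiver side. With SO_PASSCRED set on the receiving end the kernel attaches
 * the sender's pid/uid/gid to every datagram whether or not the sender asked,
 * the receiver-driven scheme the thread proposes (FreeBSD: LOCAL_CREDS). */
static int make_pair(int sv[2])
{
    int one = 1;
    return socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == 0 &&
           setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one) == 0 ? 0 : -1;
}

/* Read one datagram; return the kernel-supplied sender uid, or -1 if no
 * SCM_CREDENTIALS control message came with it. */
static int recv_sender_uid(int fd)
{
    char buf[128];
    union cred_ctl ctl;
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &ctl, .msg_controllen = sizeof ctl };
    if (recvmsg(fd, &msg, 0) < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            struct ucred cr;
            memcpy(&cr, CMSG_DATA(c), sizeof cr);
            return (int)cr.uid;
        }
    }
    return -1;
}

/* Case 1: an "old style" client using plain send(), as an unmodified syslog(3)
 * caller would. Returns the real uid the receiver learns for it. */
int uid_of_plain_sender(void)
{
    int sv[2], uid;
    const char *m = "<13>constructed sample: hello from a user process";
    if (make_pair(sv) < 0 || send(sv[0], m, strlen(m), 0) < 0) return -1;
    uid = recv_sender_uid(sv[1]);
    close(sv[0]); close(sv[1]);
    return uid;
}

/* Case 2: a client that attaches SCM_CREDENTIALS claiming uid 'claimed'.
 * Returns 0 if the kernel accepted the claim (only with CAP_SETUID), else
 * the errno from sendmsg(), which is EPERM for an unprivileged process. */
int forge_uid_result(uid_t claimed)
{
    int sv[2], rc;
    char payload[] = "forged";
    struct ucred cr = { .pid = getpid(), .uid = claimed, .gid = getgid() };
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof payload };
    union cred_ctl ctl;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c;
    if (make_pair(sv) < 0) return errno;
    memset(&ctl, 0, sizeof ctl);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof cr);
    memcpy(CMSG_DATA(c), &cr, sizeof cr);
    rc = sendmsg(sv[0], &msg, 0) < 0 ? errno : 0;
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    int r = forge_uid_result(getuid() + 1);
    printf("plain sender seen as uid %d (our real uid is %d)\n", uid_of_plain_sender(), (int)getuid());
    printf("claiming uid %d: %s\n", (int)getuid() + 1, r ? strerror(r) : "accepted (privileged)");
    return 0;
}
```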
From owner-freebsd-security Fri Jan 8 09:56:25 1999
In-Reply-To: <19990108165225.A1603@gvr.org>
References: <19990108141005.F348@follo.net>; from Eivind Eklund on Fri, Jan 08, 1999 at 02:10:05PM +0100 <199901060039.QAA13314@salsa.gv.tsc.tdk.com> <19990106094701.A28727@tversu.ru> <19990107214242.A1721@gvr.org> <19990108141005.F348@follo.net>
Date: Fri, 8 Jan 1999 12:55:28 -0500
To: Guido van Rooij, Eivind Eklund, Vadim Kolontsov, Don Lewis
From: Garance A Drosihn
Subject: Re: kernel/syslogd hack
Cc: freebsd-security@FreeBSD.ORG

At 4:52 PM +0100 1/8/99, Guido van Rooij wrote:
>On Fri, Jan 08, 1999 at 02:10:05PM +0100, Eivind Eklund wrote:
>> I think we need to fix the interface here; forcing the client to
>> 'give ID' is IMO bad for security (it is somewhat good for privacy,
>
> So make an option to syslogd: accept old style (unauthenticated)
> messages. If you remove that option, only authenticated messages
> will come through. That way, you don't need to change the name of
> syslog(2) and you still get all the desired functionality.

It is probably bad to completely drop unauthenticated messages, because you might be getting those from some program that you DO care about, but that you forgot to compile for this option (as far as I understand the option, at least).

I would think you'd just want a way to log authenticated messages to a separate file (and probably a different format) than the unauthenticated ones. This also allows you to select the behavior you want on a per-facility or per-level basis. I might want:

    lpr.info        /dev/null,auth=/var/log/lpd-errs

for instance. Perhaps even allow the config file to set a default for all unauthenticated records via:

    unauth=/dev/null

as the first line, but still specify alternate locations for unauthenticated records on a per-line basis.

I haven't thought enough about this to say exactly what I'd like to see, but I'd like to see something in this general direction instead of an option to syslog which fixes the behavior for all facilities and all priorities.
---
Garance Alistair Drosehn     =  gad@eclipse.its.rpi.edu
Senior Systems Programmer       or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Fri Jan 8 14:20:32 1999
Date: Fri, 8 Jan 1999 17:17:18 -0500 (EST)
From: Barrett Richardson
To: Jared Mauch
cc: freebsd-security@FreeBSD.ORG
Subject: Re: 3.0 rel pwd_mkdb problem(patch)
In-Reply-To: <19990108003140.A13277@puck.nether.net>

On Fri, 8 Jan 1999, Jared Mauch wrote:
>
> I've had a problem recently with people breaking root
> and installing accounts with *no* uid in their pw file entry,
> that way everything comes up with zero for the uid, giving
> the user root privs.  I'm not sure how they're obtaining root yet,

Maybe in addition to your patch you could log who is trying to run pwd_mkdb with the null id. You could also turn on process accounting and find out what else he was doing around the same time frame.

Just a thought.

- Barrett

From owner-freebsd-security Sat Jan 9 16:32:37 1999
Date: Sat, 9 Jan 1999 19:32:28 -0500
From: Jared Mauch
To: Barrett Richardson
Cc: Jared Mauch, freebsd-security@FreeBSD.ORG
Subject: Re: 3.0 rel pwd_mkdb problem(patch)
Message-ID: <19990109193228.C30252@puck.nether.net>
In-Reply-To: from Barrett Richardson on Fri, Jan 08, 1999 at 05:17:18PM -0500
References: <19990108003140.A13277@puck.nether.net>

On Fri, Jan 08, 1999 at 05:17:18PM -0500, Barrett Richardson wrote:
>
>
> On Fri, 8 Jan 1999, Jared Mauch wrote:
> >
> > I've had a problem recently with people breaking root
> > and installing accounts with *no* uid in their pw file entry,
> > that way everything comes up with zero for the uid, giving
> > the user root privs.  I'm not sure how they're obtaining root yet,
>
> Maybe in addition to your patch you could log who is trying to
> run pwd_mkdb with the null id.  You could also turn on process accounting
> and find out what else he was doing around the same time frame.

Yeah, I wasn't too ambitious at the time. I got this from a user also; I haven't taken time to look at src yet as I'm on a *slow* conn this weekend, but check this out:

--- cut here --
I went through the newuser stuff, set a provisional password, then logged out. I logged back in with ssh and tried to change my passwd. This is what happened...

freenet:~$ passwd
Changing local password for garph.
Old password:
New password:
Please don't use an all-lower case password.
Unusual capitalization, control characters or digits are suggested.
New password:
Retype new password:
passwd: updating the database...
pwd_mkdb: no uid for user garph
pwd_mkdb: at line #561
pwd_mkdb: /etc/pw.K18778: Inappropriate file type or format
passwd: /etc/master.passwd: unchanged
freenet:~$ id
uid=630(garph) gid=10(user) groups=10(user)
--- cut here ---

Perhaps this is also a passwd bug.

- jared

>
> Just a thought.
>
> -
>
> Barrett

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
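The check the two patches above add, carried through as an added example that is not the pwd_mkdb source: a small scanner for the first fields of a master.passwd line in the same strsep() style as pw_scan.c, with a strict uid parser that rejects the empty field from Jared's report and also the non-numeric fields that atol() would likewise turn into 0. Function and type names are mine; the sample lines are constructed, with the 'garph' entry mirroring the transcript.

```c
#define _GNU_SOURCE                   /* strsep() on glibc */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

enum pw_status { PW_OK = 0, PW_BAD_FORMAT, PW_EMPTY_UID, PW_BAD_UID, PW_ROOT_UID };

struct pw_entry {
    char name[32];
    uid_t uid;
};

/* What the unpatched pw_scan.c computes for the uid field: atol() turns an
 * empty field, or any non-numeric one, into 0, i.e. root. */
long legacy_uid(const char *field)
{
    return atol(field);
}

/* Strict replacement: the field must be non-empty, all decimal digits, and
 * within uid_t range. Rejects "", " 0", "+0", "-1", "0x0" and "630abc". */
int parse_uid(const char *field, uid_t *out)
{
    char *end;
    unsigned long v;
    if (*field == '\0')
        return PW_EMPTY_UID;
    if (*field < '0' || *field > '9')
        return PW_BAD_UID;
    errno = 0;
    v = strtoul(field, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
        return PW_BAD_UID;
    *out = (uid_t)v;
    return PW_OK;
}

/* Scan the first three fields of a master.passwd line (name:password:uid:...)
 * with strsep(), as pw_scan.c does, and apply the uid checks from the thread
 * plus the existing "root uid should be 0" rule. */
int pw_scan_line(const char *line, struct pw_entry *pw)
{
    char buf[256];
    char *bp = buf, *p;
    int st;
    if (strlen(line) >= sizeof buf)
        return PW_BAD_FORMAT;
    strcpy(buf, line);
    if (!(p = strsep(&bp, ":")) || *p == '\0')       /* name */
        return PW_BAD_FORMAT;
    snprintf(pw->name, sizeof pw->name, "%s", p);
    if (!(p = strsep(&bp, ":")))                     /* password hash */
        return PW_BAD_FORMAT;
    if (!(p = strsep(&bp, ":")))                     /* uid */
        return PW_BAD_FORMAT;
    if ((st = parse_uid(p, &pw->uid)) != PW_OK)
        return st;
    if (strcmp(pw->name, "root") == 0 && pw->uid != 0)
        return PW_ROOT_UID;
    return PW_OK;
}

int main(void)
{
    static const char *samples[] = {   /* constructed; "garph" mirrors the thread */
        "garph:*:630:10::0:0:Constructed User:/home/garph:/bin/sh",
        "garph:*::10::0:0:Constructed User:/home/garph:/bin/sh",
        "evil:*:0x0:10::0:0::/:/bin/sh",
        "root:*:5:0::0:0:Charlie &:/root:/bin/csh",
    };
    static const char *names[] = { "ok", "bad format", "empty uid", "bad uid", "root uid != 0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct pw_entry e;
        printf("%s -> %s\n", samples[i], names[pw_scan_line(samples[i], &e)]);
    }
    printf("unpatched atol(\"\") = %ld, so the empty field became uid 0\n", legacy_uid(""));
    return 0;
}
```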