From owner-freebsd-security Sun Sep 2 1:12:46 2001
Message-Id: <200109011903.f81J3jH04734@grimreaper.grondar.za>
To: Joerg Wunsch
Cc: audit@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: -a in opiekey(1) doesn't work
References: <20010829171034.A69622@nagual.pp.ru>
In-Reply-To: <20010829171034.A69622@nagual.pp.ru>; from "Andrey A. Chernov" "Wed, 29 Aug 2001 17:10:36 +0400."
Date: Sat, 01 Sep 2001 20:03:45 +0100
From: Mark Murray

Said "Andrey A. Chernov":

> On Wed, Aug 29, 2001 at 12:58:44 +0200, Joerg Wunsch wrote:
> > - if (!(flags & 2) && opiepasscheck(secret)) {
> > + if (!(flags & 2) && !aflag && opiepasscheck(secret)) {
>
> Ok from me.

And me.

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 2 1:13:25 2001
Message-Id: <200109011946.f81JkcH11332@grimreaper.grondar.za>
To: "Glen Hollings"
Cc: security@FreeBSD.ORG
Subject: Re: Broken SU
In-Reply-To: from "Glen Hollings" "Fri, 31 Aug 2001 15:06:30 +1000."
Date: Sat, 01 Sep 2001 20:46:37 +0100
From: Mark Murray

> anyone have any ideas?? please!

Please turn PAM debugging on for all su(1)/PAM modules, and log all LOG_DEBUG messages to some file. Please send me the relevant extracts of this logging.

Please also let me know what your OS version and PAM-relevant setups in (/etc/pam.conf) are.

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-security Sun Sep 2 9:02:03 2001
Date: Sun, 2 Sep 2001 12:01:53 -0400
Message-Id: <200109021601.MAA30005@mailer.progressive-comp.com>
From: Hank Leininger
To: freebsd-security@FreeBSD.ORG
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.

On 2001-08-31, "Not Going to Tell You" wrote:

> I could close all the ports on my box except those needed to provide a
> service (i.e. port 80), however, how can I remote manage it? So then I
> would have to open a sshd port also. But this leads to a potential
> security problem when scanned by a hacker. So, what if I had a program
> that sent a type of "Key" to the box and the box recognized that the
> key sequence order was from me, then opened the sshd port. After I was
> finished with the sshd session, I would run another program to close
> the port behind me?

If you were to do this, "listen for a few packets that look like in order" would be a bad way to do it--completely open to sniffing, replay attacks, race conditions, etc. Perhaps you could generate a gpg-signed "open" request, where the signed payload included the incoming IP to allow, and a timestamp (encrypting this all with the server's public key would be a good idea, but not essential). Then whack this data into IP and TCP options fields of some set of packets you throw at the box. The server would listen for the right sequence of packets, reconstruct the payload stuffed in the options, check the signature, and open a temporary hole which would allow a single 3WHS (not just a single inbound SYN, which could be spoofed to DoS you) to complete before closing the hole again.

But really, it hardly seems worth the bother.
A whole lot of complexity (==places for your implementation to be buggy and open new security holes) and resource-consumption (==DoS opportunity) for little gain other than security through obscurity.

Now, if there were a CGI that was POSTed to with this signed/encrypted request... or the box also received mail, and one mailbox was watched for a properly signed/encrypted email...

--
Hank Leininger
We could build a large, wooden badger...

From owner-freebsd-security Sun Sep 2 17:03:03 2001
Date: Sun, 2 Sep 2001 18:02:33 -0600 (CST)
From: Ryan Thompson
To: edwin chan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: how can I find general security infomation ?
In-Reply-To: <003101c1331a$dd96d320$9201a8c0@home.net>
Organization: SaskNow Technologies [www.sasknow.com]

edwin chan wrote to freebsd-security@FreeBSD.ORG:

> recently, I try to enhance security for my freebsd box, I feel lack general
> security knowledge and concept of attack manner. where I can find deep
> information about ?
>
> edwin chen

A good place to start is the security(7) manpage. It contains a lot of general security information, which will increase your understanding, as well as give you ideas on how to improve system security. It will also point you in the direction of several system components and 3rd party tools that will have a positive effect on system security if configured properly.

There are many sources in print that will go into more depth than security(7), but are not necessarily specific to FreeBSD or any other OS for that matter. One such good book is "Mastering Network Security" Benton/Sybex Network Press. ORA also has some good books in print.

You'll also want to use on-line security web sites (too many to list. bugtraq, CERN, securityfocus, etc... try some web searches for UNIX security or FreeBSD security). Look for topics like firewalls, packet filters, intrusion detection systems (IDS), email security, VPN, etc.

As a last resort (or in case of emergency!), you can hire a security expert. Most individuals that deserve the title "expert" charge heaps of money, usually by the hour.

You will need to consider your own system security... What do you need? How important is your data? To what degree are you willing to sacrifice convenience for security?
- Ryan

--
Ryan Thompson
Network Administrator, Accounts

SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Sun Sep 2 23:18:44 2001
From: "Rashid N. Achilov"
Organization: Granch Ltd.
To: "Tom Beer"
Subject: Re: [OT] ssh client
Date: Mon, 3 Sep 2001 13:18:14 +0700
In-Reply-To: <003501c12e2e$1129a600$0901a8c0@system>
Message-Id: <01090313181401.18872@sentry.granch.com>

On Sunday 26 August 2001 19:52, Tom Beer wrote:

> Hi,
>
> I've searched the net for a ssh client for the M$
> platform that provides ssh_2_ support and uses
> the ssh-keygen generated keys. Neither putty nor
> the ssh client of the ssh foundation will work.
> What I need is a ssh client which accepts my private key
> so that I can connect to my firewall without password
> auth. Any pointers?

http://winssh.narod.ru. Russian language only, but links you can see :-)

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://granch.ru/~shelton
Granch Ltd. system administrator, e-mail: achilov@granch.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

From owner-freebsd-security Mon Sep 3 1:15:04 2001
Subject: RE: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Mon, 3 Sep 2001 10:17:20 +0200
Message-ID: <98829DC07ECECD47893074C4D525EFC3115698@citsnl007.europe.intranet>
From: "Carroll, D. (Danny)"
To: "Alfred Perlstein"

Yeah but Obfuscation PLUS good security does not hurt, in fact it helps.
Just so long as you don't *rely* on it.

:-----Original Message-----
:From: Alfred Perlstein [mailto:bright@mu.org]
:Sent: Friday, August 31, 2001 11:53 PM
:To: Rob Simmons
:Cc: Eric Anderson; Not Going to Tell You; security@freebsd.org
:Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
:
:* Rob Simmons [010831 16:51] wrote:
:> Why not require the incoming packets to be spoofed from a
:preordained set
:> of IP addresses to obfuscate it even more.
:
:Obfuscation isn't security, it is the illusion of it.
:
:--
:-Alfred Perlstein [alfred@freebsd.org]
:'Instead of asking why a piece of software is using "1970s technology,"
:start asking why software is ignoring 30 years of accumulated wisdom.'

-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited.
Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------

From owner-freebsd-security Mon Sep 3 2:35:01 2001
Message-ID: <3B934EAC.83BAD23D@svzserv.kemerovo.su>
Date: Mon, 03 Sep 2001 17:34:36 +0800
From: Eugene Grosbein
Organization: SVZServ
To: security@freebsd.org
Subject: Missing patches for SA

Hi!

I have a router running FreeBSD 4.2-RELEASE serving a leased line on the remote side. It was set up when 4.2-R was fresh. Once the LL went down, so I couldn't apply security patches when they were out. Today the LL is up again and I'm trying to patch as many holes as I can.

This minimal installation of FreeBSD uses a hard drive of 170Mb and it can not be upgraded to recent STABLE or to RELENG_4_3. So, I must apply patches to the kernel at least. There is enough space to rebuild the kernel.

I go to http://www.freebsd.org/security/index.html and study what I should do. F.e., there is a link to ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:39.tcp-isn.asc

This advisory refers to file

fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:39/tcp-isn-4.2.patch

that is nonexistent now. Why is there a broken link and how should I resolve this? This is not the only missing patch.

Eugene Grosbein

From owner-freebsd-security Mon Sep 3 3:31:47 2001
Date: Mon, 3 Sep 2001 14:29:10 +0400
From: "Nickolay A.Kritsky"
Message-ID: <110320834936.20010903142910@internethelp.ru>
To: "Carroll, D. (Danny)"
Cc: "Alfred Perlstein", security@FreeBSD.ORG
Subject: Re[2]: Possible New Security Tool For FreeBSD, Need Your Help.
In-reply-To: <98829DC07ECECD47893074C4D525EFC3115698@citsnl007.europe.intranet>

Hello D.,

Monday, September 03, 2001, 12:17:20 PM, you wrote:

CDD> Yeah but Obfuscation PLUS good security does not hurt, in fact it helps.
CDD> Just so long as you don't *rely* on it.

Don't you think it is really _too_ complicated? While you have firewalls, open key logins, IP based verification. Just Keep It Simple. IMHO the more complicated it gets, the more chances you have that one day all these "security improvements" will play against you.

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Mon Sep 3 3:34:15 2001
Date: Mon, 3 Sep 2001 05:34:06 -0500
From: Alfred Perlstein
To: "Nickolay A.Kritsky"
Cc: "Carroll, D. (Danny)", security@FreeBSD.ORG
Subject: Re: Re[2]: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010903053406.N81307@elvis.mu.org>
In-Reply-To: <110320834936.20010903142910@internethelp.ru>; from nkritsky@internethelp.ru on Mon, Sep 03, 2001 at 02:29:10PM +0400

* Nickolay A.Kritsky [010903 05:31] wrote:
> Hello D.,
>
> Monday, September 03, 2001, 12:17:20 PM, you wrote:
>
> CDD> Yeah but Obfuscation PLUS good security does not hurt, in fact it helps.
> CDD> Just so long as you don't *rely* on it.
>
> Don't you think it is really _too_ complicated. While you have
> firewalls, open key logins, IP based verification. Just Keep It
> Simple. IMHO the more complicated it gets, the more chances you have,
> that in one day all this "security improvements" will play against
> you.

There's also the chance that combining two security methods may weaken both or expose some sort of vulnerability in one or both methods.

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
'"Java" developer, like "special" Olympics, right?'
- Bill Paul

From owner-freebsd-security Mon Sep 3 4:21:26 2001
Message-ID: <002601c1346a$6c4abe60$9201a8c0@home.net>
From: "edwin chan"
To: "Ryan Thompson"
Subject: Re: how can I find general security infomation ?
Date: Mon, 3 Sep 2001 19:20:16 +0800

really good guide, thanks a lot.

edwin chen

----- Original Message -----
From: "Ryan Thompson"
To: "edwin chan"
Sent: Monday, September 03, 2001 8:02 AM
Subject: Re: how can I find general security infomation ?
From owner-freebsd-security Mon Sep 3 4:34:58 2001
Subject: RE: Re[2]: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Mon, 3 Sep 2001 13:39:06 +0200
Message-ID: <98829DC07ECECD47893074C4D525EFC31176C2@citsnl007.europe.intranet>
From: "Carroll, D. (Danny)"
To: "Nickolay A.Kritsky"

:CDD> Yeah but Obfuscation PLUS good security does not hurt, in
:fact it helps.
:CDD> Just so long as you don't *rely* on it.
:
:Don't you think it is really _too_ complicated. While you have
:firewalls, open key logins, IP based verification. Just Keep It
:Simple. IMHO the more complicated it gets, the more chances you have,
:that in one day all this "security improvements" will play against
:you.

I was really objecting to the statement that obfuscation is bad, rather than the point in case. I agree simple security is good, but you can help yourself out by *hiding* things to make the potential attacker's job a little harder.

As for security improvements becoming unmanageable, I would suggest that good network documentation would solve that problem. If you are going to go to the trouble of writing a time-based port-scanning key-sending authentication system, then you'd better be prepared to document it.
From owner-freebsd-security Mon Sep 3 4:35:42 2001
Date: Mon, 3 Sep 2001 14:35:10 +0300
From: Ruslan Ermilov
To: security@FreeBSD.org
Subject: at(1) sugid fixes
Message-ID: <20010903143510.D49997@sunbay.com>

Hi!

The attached patch fixes at(1) macros that manipulate user and group IDs of the process so that they don't change the real user and group IDs of the process, and instead use the saved user and group IDs feature.

The setre[ug]id() calls are still used with the REDUCE_PERM macro (with the r[ug]id arguments of -1) so that the call changes the saved user/group ID of the process to that specified. That is to say, if the process was initially run ``setuid root'', the call to ``REDUCE_PERM(1, ...)'' changes the process's saved-user-ID to that of the user "daemon", and the process then becomes ``setuid daemon'' (with effective privileges temporarily relinquished to the real privileges).

Also, the panic() and perr() functions had insufficient privileges to delete the problematic file under /var/at.

Comments/reviews are welcome.

Cheers,
--
Ruslan Ermilov        Oracle Developer/DBA,
ru@sunbay.com         Sunbay Software AG,
ru@FreeBSD.org        FreeBSD committer,
+380.652.512.251      Simferopol, Ukraine
http://www.FreeBSD.org    The Power To Serve
http://www.oracle.com     Enabling The Information Age

Index: panic.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/at/panic.c,v
retrieving revision 1.10
diff -u -p -r1.10 panic.c
--- panic.c 1999/12/05 19:57:14 1.10
+++ panic.c 2001/09/03 11:21:00
@@ -39,6 +39,7 @@ static const char rcsid[] = /* Local headers */ #include "panic.h" +#include "privs.h" #include "at.h" /* External variables */ @@ -50,8 +51,11 @@ panic(char *a) { /* Something fatal has happened, print error message and exit. */ - if (fcreated) + if (fcreated) { + PRIV_START unlink(atfile); + PRIV_END + } errx(EXIT_FAILURE, "%s", a); } @@ -63,8 +67,11 @@ perr(char *a) */ int serrno = errno; - if (fcreated) + if (fcreated) { + PRIV_START unlink(atfile); + PRIV_END + } errno = serrno; err(EXIT_FAILURE, "%s", a); Index: privs.h =================================================================== RCS file: /home/ncvs/src/usr.bin/at/privs.h,v retrieving revision 1.7 diff -u -p -r1.7 privs.h --- privs.h 1999/12/05 19:57:14 1.7 +++ privs.h 2001/09/03 11:21:00 @@ -28,17 +28,11 @@ #ifndef _PRIVS_H #define _PRIVS_H -#ifndef _USE_BSD -#define _USE_BSD 1 #include -#undef _USE_BSD -#else -#include -#endif /* Relinquish privileges temporarily for a setuid or setgid program - * with the option of getting them back later. This is done by swapping - * the real and effective userid BSD style. Call RELINQUISH_PRIVS once + * with the option of getting them back later. This is done by + * utilizing POSIX saved user and group IDs. Call RELINQUISH_PRIVS once * at the beginning of the main program. This will cause all operations * to be executed with the real userid. When you need the privileges * of the setuid/setgid invocation, call PRIV_START; when you no longer 
@@ -76,38 +70,39 @@ extern gid_t real_gid, effective_gid; #define RELINQUISH_PRIVS { \ - real_uid = getuid(); \ - effective_uid = geteuid(); \ - real_gid = getgid(); \ - effective_gid = getegid(); \ - setreuid(effective_uid, real_uid); \ - setregid(effective_gid, real_gid); \ - } - -#define RELINQUISH_PRIVS_ROOT(a,b) { \ - real_uid = (a); \ - effective_uid = geteuid(); \ - real_gid = (b); \ - effective_gid = getegid(); \ - setregid(effective_gid, real_gid); \ - setreuid(effective_uid, real_uid); \ - } - -#define PRIV_START {\ - setreuid(real_uid, effective_uid); \ - setregid(real_gid, effective_gid); - -#define PRIV_END \ - setregid(effective_gid, real_gid); \ - setreuid(effective_uid, real_uid); \ - } - -#define REDUCE_PRIV(a,b) {\ - setreuid(real_uid, effective_uid); \ - setregid(real_gid, effective_gid); \ - effective_uid = (a); \ - effective_gid = (b); \ - setregid(effective_gid, real_gid); \ - setreuid(effective_uid, real_uid); \ - } + real_uid = getuid(); \ + effective_uid = geteuid(); \ + real_gid = getgid(); \ + effective_gid = getegid(); \ + seteuid(real_uid); \ + setegid(real_gid); \ +} + +#define RELINQUISH_PRIVS_ROOT(a, b) { \ + real_uid = (a); \ + effective_uid = geteuid(); \ + real_gid = (b); \ + effective_gid = getegid(); \ + setegid(real_gid); \ + seteuid(real_uid); \ +} + +#define PRIV_START { \ + seteuid(effective_uid); \ + setegid(effective_gid); \ +} + +#define PRIV_END { \ + setegid(real_gid); \ + seteuid(real_uid); \ +} + +#define REDUCE_PRIV(a, b) { \ + PRIV_START \ + effective_uid = (a); \ + effective_gid = (b); \ + setreuid((uid_t)-1, effective_uid); \ + setregid((gid_t)-1, effective_gid); \ + PRIV_END \ +} #endif
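Review bot: in the panic() hunk (`@@ -50,8 +51,11 @@`) the unlink(atfile) now wrapped in PRIV_START/PRIV_END still ignores its return value, and the macros themselves report nothing if seteuid()/setegid() fail, so a spool file that could not be removed is silently left behind under /var/at. Since panic() exits with errx() anyway, a `if (unlink(atfile) == -1) warn("%s", atfile);` inside the bracket would at least surface the failure.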
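Review bot: the perr() hunk (`@@ -63,8 +67,11 @@`) is right to keep `int serrno = errno;` before the new PRIV_START/PRIV_END bracket, because seteuid(), setegid() and unlink() can all overwrite errno before err() reads it; please keep that ordering if panic() ever moves from errx() to err(). As in panic(), the unlink() inside the bracket is unchecked.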
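Review bot: the updated header comment in privs.h (`@@ -28,17 +28,11 @@`) says the scheme now uses POSIX saved user and group IDs but leaves out the precondition this creates: PRIV_START restores the effective_uid/effective_gid captured by RELINQUISH_PRIVS, so calling PRIV_START before RELINQUISH_PRIVS, or in a program that was not started set-id, raises no privilege at all and fails silently. A sentence next to "Call RELINQUISH_PRIVS once at the beginning of the main program" stating that the macros rely on saved set-user-ID semantics would save the next reader a trip to setreuid(2). The hunk also drops the _USE_BSD wrapper around the include without saying why; a one-line note that the BSD-style swap is gone and the plain include now suffices would help.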
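Review bot: in the macro hunk (`@@ -76,38 +70,39 @@`) REDUCE_PRIV(a, b) calls `setreuid((uid_t)-1, effective_uid);` before `setregid((gid_t)-1, effective_gid);`. After the setreuid() the effective uid is already the unprivileged `a`, so the following setregid() to an arbitrary `b` is no longer permitted (an unprivileged process may only set its group ID to its real or saved group ID) and fails silently, leaving the old privileged saved gid in place. Swap the two lines so the gid is lowered while the process still has its privileged euid; that is also the order PRIV_END and RELINQUISH_PRIVS_ROOT already use (gid first when dropping, uid first in PRIV_START when regaining), whereas the new RELINQUISH_PRIVS does seteuid() before setegid() and only works because real_gid is the process's real gid. Separately, none of the seteuid()/setegid()/setre[ug]id() calls in these macros are checked: a failure in PRIV_START means the caller continues without the privilege it thinks it has, and a failure in PRIV_END means it keeps privilege it meant to give up, both silently. A `|| err(1, "seteuid")` style check is cheap here.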
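The saved-ID privilege bracketing that Ruslan's message describes, as an added example that is neither his patch nor FreeBSD's at(1) code: the macros rewritten as functions (relinquish_privs, priv_start, priv_end and reduce_priv are my names) that check every call and lower the gid before the uid, plus a self-check that the real IDs survive a full relinquish/regain/reduce cycle. Run unprivileged it exercises the calls as no-ops; in a set-uid program the same calls actually drop and regain privilege.

```c
/* Added example (not the at(1) patch): privilege bracketing with POSIX
 * saved user/group IDs, written as checked functions.  Rule of thumb:
 * when dropping privilege change the gid first (only a privileged euid
 * may switch to an arbitrary gid); when regaining, change the uid first. */
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static uid_t real_uid, effective_uid;
static gid_t real_gid, effective_gid;

/* Call once at program start: remember both identities and run as the
 * real user.  The set-id identity survives in the saved uid/gid, so
 * the real IDs are never touched (the defect the patch fixes). */
static int relinquish_privs(void)
{
    real_uid = getuid();
    effective_uid = geteuid();
    real_gid = getgid();
    effective_gid = getegid();
    if (setegid(real_gid) == -1 || seteuid(real_uid) == -1)
        return -1;
    return 0;
}

/* Regain the set-id identity for a short critical section. */
static int priv_start(void)
{
    if (seteuid(effective_uid) == -1 || setegid(effective_gid) == -1)
        return -1;
    return 0;
}

/* Back to the real identity. */
static int priv_end(void)
{
    if (setegid(real_gid) == -1 || seteuid(real_uid) == -1)
        return -1;
    return 0;
}

/* Permanently lower the privileged identity to (uid, gid): with the
 * real-ID argument set to -1, setre[ug]id() rewrites the saved IDs, so
 * a later priv_start() can only reach the reduced identity, never the
 * original one.  The gid is lowered first, while euid is still privileged. */
static int reduce_priv(uid_t uid, gid_t gid)
{
    if (priv_start() == -1)
        return -1;
    effective_uid = uid;
    effective_gid = gid;
    if (setregid((gid_t)-1, effective_gid) == -1 ||
        setreuid((uid_t)-1, effective_uid) == -1) {
        int saved = errno;          /* keep the real cause for the caller */
        (void)priv_end();
        errno = saved;
        return -1;
    }
    return priv_end();
}

/* Self-check: run a full cycle and report whether the real IDs were left
 * untouched and the process ended up running as the real user.
 * reduce_priv() is given the real IDs so the demo is safe unprivileged;
 * a set-uid-root at(1) would pass the daemon user's IDs here instead.
 * Returns 1 on success, 0 on any failure. */
static int bracket_cycle_ok(void)
{
    uid_t ruid0 = getuid();
    gid_t rgid0 = getgid();

    if (relinquish_privs() == -1) return 0;
    if (priv_start() == -1) return 0;
    /* ... privileged work such as unlink() of the spool file goes here ... */
    if (priv_end() == -1) return 0;
    if (reduce_priv(ruid0, rgid0) == -1) return 0;

    return getuid() == ruid0 && getgid() == rgid0 &&
           geteuid() == ruid0 && getegid() == rgid0;
}

int main(void)
{
    if (!bracket_cycle_ok()) {
        perror("privilege bracket failed");
        return EXIT_FAILURE;
    }
    printf("real uid %ld untouched; running as the real user\n", (long)getuid());
    return EXIT_SUCCESS;
}
```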
hub.freebsd.org (Postfix) with ESMTP id 0D0C437B403 for ; Mon, 3 Sep 2001 05:18:08 -0700 (PDT)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 827511D14; Mon, 3 Sep 2001 14:17:18 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 41E35552A; Mon, 3 Sep 2001 14:17:17 +0200 (CEST)
Date: Mon, 3 Sep 2001 14:17:16 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: Hank Leininger
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
In-Reply-To: <200109021601.MAA30005@mailer.progressive-comp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sun, 2 Sep 2001, Hank Leininger wrote:

> Then whack this data into IP and TCP options fields of some set of
> packets you throw at the box. The server would listen for the right
> sequence of packets,

And you're toasted in case of a packet loss, since IP is an unreliable protocol. Not to mention that some paranoid router/firewall on the way may drop the "weird" datagrams.

> But really, it hardly seems worth the bother. A whole lot of complexity
> (==places for your implementation to be buggy and open new security holes)
> and resource-consumption (==DoS opportunity) for little gain other than
> security through obscurity.

Exactly. IMHO this tool would not be much gain in normal administration but would make a hard-to-detect backdoor.

> Now, if there were a CGI that was POSTed to with this signed/encrypted
> request...

But the script would reside by default in the same location so throwing together a kiddie scanner is trivial. Not to mention the possibility of exploitation of the script. And also SSL'd connections should be used... Too much configuration overhead, I think.
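The two objections in this reply (a multi-packet knock sequence fails as soon as one datagram is dropped) and in Lucky's later message in the thread (a sniffed key can simply be re-sent) are easy to see in code. The following Python is an added example, not something from the thread or from any FreeBSD tool: a single-datagram activation token bound to the client address and a timestamp, checked on the server against a freshness window and a replay cache, next to the bare sequence check the thread is debating. The shared key, addresses and timestamps are constructed for the demonstration.

```python
"""Added example, not from the thread: one-datagram activation token with
replay protection, beside the multi-packet sequence design under discussion.
Key, addresses and timestamps below are constructed for the demonstration."""
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-demo-key-do-not-deploy"  # assumed pre-shared secret
WINDOW = 30          # seconds a token is accepted around the receiver's clock
TAG_LEN = 16         # truncated HMAC-SHA256 tag, bytes
TOKEN_LEN = 8 + TAG_LEN


def make_token(key, client_ip, ts):
    """Client side: 8-byte big-endian timestamp || tag over (ts, client_ip).
    The whole token fits in one UDP payload, so there is no packet sequence
    for a single lost datagram to break; the client just retries."""
    hdr = struct.pack("!Q", ts)
    tag = hmac.new(key, hdr + client_ip.encode(), hashlib.sha256).digest()
    return hdr + tag[:TAG_LEN]


class Verifier:
    """Server side: recompute the tag, enforce freshness, reject replays."""

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.seen = {}   # token -> time first accepted (replay cache)

    def verify(self, token, src_ip, now):
        if len(token) != TOKEN_LEN:
            return "malformed"
        hdr, tag = token[:8], token[8:]
        expect = hmac.new(self.key, hdr + src_ip.encode(),
                          hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expect, tag):
            return "bad-tag"        # wrong key, or token bound to another address
        ts = struct.unpack("!Q", hdr)[0]
        if abs(now - ts) > self.window:
            return "stale"          # outside the freshness window
        # Entries older than the window would be rejected as stale anyway,
        # so dropping them keeps the replay cache bounded.
        self.seen = {t: at for t, at in self.seen.items()
                     if now - at <= self.window}
        if token in self.seen:
            return "replay"         # sniffed and re-sent within the window
        self.seen[token] = now
        return "ok"


def knock_sequence_ok(expected, received):
    """The design debated in the thread: the server waits for one specific
    sequence of packets. One dropped or reordered datagram and the whole
    sequence is rejected, which is the packet-loss objection above."""
    return list(received) == list(expected)


if __name__ == "__main__":
    v = Verifier(SHARED_KEY)
    tok = make_token(SHARED_KEY, "192.0.2.10", 1_000_000)
    print(v.verify(tok, "192.0.2.10", 1_000_005))        # ok
    print(v.verify(tok, "192.0.2.10", 1_000_010))        # replay
    print(v.verify(tok, "198.51.100.7", 1_000_010))      # bad-tag
    print(v.verify(tok, "192.0.2.10", 1_000_100))        # stale
    print(knock_sequence_ok([1000, 2000, 3000], [1000, 3000]))   # False
```

One datagram carries the whole token, so packet loss costs a retry rather than a failed sequence, and the replay cache rejects a captured token inside its window while the window keeps the cache bounded. Binding the tag to the source address does not stop someone who both sniffs and spoofs that address, which is why the thread's conclusion stands: a scheme like this only gates reachability of the port, and sshd still does the authentication behind it.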
From owner-freebsd-security Mon Sep 3 5:56: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 49BBC37B401 for ; Mon, 3 Sep 2001 05:56:03 -0700 (PDT)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id E71131D14; Mon, 3 Sep 2001 14:55:24 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 66F47552A; Mon, 3 Sep 2001 14:55:24 +0200 (CEST)
Date: Mon, 3 Sep 2001 14:55:22 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: Ryan Thompson
Cc: edwin chan , freebsd-security@FreeBSD.ORG
Subject: Re: how can I find general security infomation ?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> You'll also want to use on-line security web sites (too many to list.
> bugtraq, CERN, securityfocus, etc... try some web searches for UNIX

Guess you meant CERT not CERN... Although CERN has a lot to do with computers, their primary interest is particle physics and not computer security.

I'd also add packetstormsecurity.org to the list since they have a big collection of whitepapers regarding all areas of security.

My PLN 0.02

Regards,
Kris

From owner-freebsd-security Mon Sep 3 6: 8:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155]) by hub.freebsd.org (Postfix) with ESMTP id 6669E37B408 for ; Mon, 3 Sep 2001 06:08:12 -0700 (PDT)
Received: from win ([61.144.141.22]) (authenticated) by www.suntop-cn.com (8.11.3/8.11.3) with ESMTP id f83D4iB88763; Mon, 3 Sep 2001 21:04:44 +0800 (CST) (envelope-from slack@suntop-cn.com)
Message-ID: <004f01c13479$02fe6c40$9201a8c0@home.net>
From: "edwin chan"
To: "Krzysztof Zaraska" , "Ryan Thompson"
Cc:
References:
Subject: Re: how can I find general security infomation ?
Date: Mon, 3 Sep 2001 21:04:48 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

oh, thanks very much. the information is useful.

edwin chen

----- Original Message -----
From: "Krzysztof Zaraska"
To: "Ryan Thompson"
Cc: "edwin chan" ;
Sent: Monday, September 03, 2001 8:55 PM
Subject: Re: how can I find general security infomation ?

> > You'll also want to use on-line security web sites (too many to list.
> > bugtraq, CERN, securityfocus, etc... try some web searches for UNIX
> Guess you meant CERT not CERN... Although CERN has a lot to do with
> computers their primary interest is particle physics and not computer
> security.
>
> I'd also add packetstormsecurity.org to the list since they have a big
> collection of whitepapers regarding all areas of security.
>
> My PLN 0.02
>
> Regards,
> Kris
>

From owner-freebsd-security Mon Sep 3 6:11:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 3A23E37B401 for ; Mon, 3 Sep 2001 06:11:08 -0700 (PDT)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id CCE2A1D14; Mon, 3 Sep 2001 15:10:37 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 39157552A for ; Mon, 3 Sep 2001 15:10:36 +0200 (CEST)
Date: Mon, 3 Sep 2001 15:10:35 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: freebsd-security@freebsd.org
Subject: BUGTRAQ: S/Key + sudo
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

A letter describing a security hazard involving sudo and S/KEY has been posted to BUGTRAQ today. The author states he brought up this matter on this list before and alerted the Security Officer, but no improvement was made.

You may read it at:
http://www.securityfocus.com/templates/archive.pike?threads=0&list=1&fromthread=0&end=2001-09-08&mid=211551&start=2001-09-02&

From owner-freebsd-security Mon Sep 3 6:13:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web13301.mail.yahoo.com (web13301.mail.yahoo.com [216.136.175.37]) by hub.freebsd.org (Postfix) with SMTP id 08D9A37B407 for ; Mon, 3 Sep 2001 06:13:30 -0700 (PDT)
Message-ID: <20010903131329.99051.qmail@web13301.mail.yahoo.com>
Received: from [193.174.9.99] by web13301.mail.yahoo.com via HTTP; Mon, 03 Sep 2001 15:13:29 CEST
Date: Mon, 3 Sep 2001 15:13:29 +0200 (CEST)
From: =?iso-8859-1?q?m=20p?=
Subject: Re: how can I find general security infomation ?
To: kzaraska@student.uci.agh.edu.pl, ryan@sasknow.com, slack@suntop-cn.com
Cc: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

> > You'll also want to use on-line security web sites (too many to list.
> > bugtraq, CERN, securityfocus, etc... try some web searches for UNIX
> Guess you meant CERT not CERN... Although CERN has a lot to do with
> computers their primary interest is particle physics and not computer
> security.

Wrong. I'm sure he meant CERN. The CERN has a very good CERT. :) So the CERN is mentioned as resource like bugtraq. (And because of the many people having access to their computers they have huge, really huge knowledge about computers and securing them. And a physicist at the CERN invented HTML ... for use as a physicist. (If I remember correctly.))

Please take a look at:
http://wwwinfo.cern.ch/dis/security/index.html#TOC1
http://wwwinfo.cern.ch/dis/security/general/tools/docs.html
http://wwwinfo.cern.ch/dis/security/general/web.html

> I'd also add packetstormsecurity.org to the list since they have a big
> collection of whitepapers regarding all areas of security.

That's for sure.

> My PLN 0.02

My DEM 0.02 :)

Marc

__________________________________________________________________
Do You Yahoo!? Sent by Yahoo! Mail - http://mail.yahoo.de

From owner-freebsd-security Mon Sep 3 7:14:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f199.law8.hotmail.com [216.33.241.199]) by hub.freebsd.org (Postfix) with ESMTP id D92B937B405 for ; Mon, 3 Sep 2001 07:14:28 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 3 Sep 2001 07:14:28 -0700
Received: from 200.212.177.158 by lw8fd.law8.hotmail.msn.com with HTTP; Mon, 03 Sep 2001 14:14:28 GMT
X-Originating-IP: [200.212.177.158]
From: "Not Going to Tell You"
To: behanna@zbzoom.net, security@freebsd.org
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Mon, 03 Sep 2001 14:14:28 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 03 Sep 2001 14:14:28.0835 (UTC) FILETIME=[BE6DE330:01C13482]

I have 240 boxes running sshd and restricted to our IP address on the Internet. We just want to hide the sshd port until we need it. Is this such a hard concept to understand? So what if someone can sniff the key. It is just an extra layer of security. Since we are also running sshd and IP filters, this is not a false sense of security. If someone wants to sniff out all 100 packets, spoof our IP address, and re-send the key... Good for them, they still have to get past the sshd. But by hiding the sshd port, maybe, just maybe, we can reduce the number of script kiddies from trying sshd scripts.

There is no such thing as real security. Only the perception of it.

Lucky
>From: Chris BeHanna
>Reply-To: Chris BeHanna
>To:
>Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
>Date: Sat, 1 Sep 2001 00:08:09 -0400 (EDT)
>
>On Fri, 31 Aug 2001, Not Going to Tell You wrote:
>
>> First, I stated that the only port that would be open would be the port
>> 80 http. And it is assumed that I would have already had a tight box with
>> strict rules. But even tight boxes still show which ports are opened.
>>
>> As for guessing the key sequence..I doubt it, if the program was able to
>> tell if port scanning was taking place. And do not forget the timer.
>>
>> As for sniffing, well 99.9% of all the hackers that I have seen come from
>> the Internet where would they put the sniffer?
>
> If your machine is attached to a cable modem, then there are 253
>other hosts in your neighborhood who can very easily sniff your traffic.
>
> If you're trying to open ports remotely, then your key traffic is
>going over the internet. Do a traceroute between the host you're
>using and the host you're trying to manage, and ponder someone
>sniffing along any of those hops.
>
> Although this is unlikely for the casual user, it becomes more
>likely if the remote host is a corporate-owned machine in a highly
>competitive area of industry.
>
>--
>Chris BeHanna
>Software Engineer (Remove "bogus" before responding.)
>behanna@bogus.zbzoom.net
>I was raised by a pack of wild corn dogs.
>

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

From owner-freebsd-security Mon Sep 3 7:17:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f248.law8.hotmail.com [216.33.241.248]) by hub.freebsd.org (Postfix) with ESMTP id 52B4137B401 for ; Mon, 3 Sep 2001 07:17:33 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 3 Sep 2001 07:17:33 -0700
Received: from 200.212.177.158 by lw8fd.law8.hotmail.msn.com with HTTP; Mon, 03 Sep 2001 14:17:32 GMT
X-Originating-IP: [200.212.177.158]
From: "Not Going to Tell You"
To: nephrose@gmx.net
Cc: security@FreeBSD.ORG
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Mon, 03 Sep 2001 14:17:32 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 03 Sep 2001 14:17:33.0101 (UTC) FILETIME=[2C42A5D0:01C13483]

Great Idea !

Lucky
>From: Marco Wertejuk
>To: Not Going to Tell You
>CC: security@FreeBSD.ORG
>Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
>Date: Sat, 1 Sep 2001 07:15:48 +0000
>
>Hello,
>
>have you ever thought about a VPN for your server?
>You can easily bind sshd to the webserver's VPN IP
>and therefore the webserver has no unnecessarily
>open ports.
>
>--
>With kind regards,
>Marco Wertejuk - mwcis.com
>Computer/Internet/Security-Services

From owner-freebsd-security Mon Sep 3 7:21:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from highland.isltd.insignia.com (highland.isltd.insignia.com [195.217.222.20]) by hub.freebsd.org (Postfix) with ESMTP id EA0D437B401 for ; Mon, 3 Sep 2001 07:21:50 -0700 (PDT)
Received: from wolf.isltd.insignia.com (wolf.isltd.insignia.com [172.16.1.3]) by highland.isltd.insignia.com (8.11.3/8.11.3/check_local4.2) with ESMTP id f83ELk464716 for ; Mon, 3 Sep 2001 15:21:46 +0100 (BST)
Received: (from daemon@localhost) by wolf.isltd.insignia.com (8.9.3/8.9.3) id PAA24923 for freebsd-security@freebsd.org; Mon, 3 Sep 2001 15:21:46 +0100 (BST)
From: "Not Going to Tell You"
To: nephrose@gmx.net
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Date: 3 Sep 2001 15:21:45 +0100
Message-ID: <9n03lp$oan$1@wolf.isltd.insignia.com>
Mime-Version: 1.0
Content-Type: text/plain; format=flowed

Great Idea !

Lucky

>From: Marco Wertejuk
>To: Not Going to Tell You
>CC: security@FreeBSD.ORG
>Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
>Date: Sat, 1 Sep 2001 07:15:48 +0000
>
>Hello,
>
>have you ever thought about a VPN for your server?
>You can easily bind sshd to the webserver's VPN IP
>and therefore the webserver has no unnecessarily
>open ports.
>
>--
>With kind regards,
>Marco Wertejuk - mwcis.com
>Computer/Internet/Security-Services

From owner-freebsd-security Mon Sep 3 7:30:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f220.law8.hotmail.com [216.33.241.220]) by hub.freebsd.org (Postfix) with ESMTP id 7EC0237B405 for ; Mon, 3 Sep 2001 07:30:47 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 3 Sep 2001 07:30:47 -0700
Received: from 200.212.177.158 by lw8fd.law8.hotmail.msn.com with HTTP; Mon, 03 Sep 2001 14:30:47 GMT
X-Originating-IP: [200.212.177.158]
From: "Not Going to Tell You"
To: security@freebsd.org
Subject: RE: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Mon, 03 Sep 2001 14:30:47 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 03 Sep 2001 14:30:47.0556 (UTC) FILETIME=[05CADC40:01C13485]

This is not obfuscation! This is activation and de-activation. Obfuscation implies that the port is open but you are hiding this fact.

Lucky
>From: "Carroll, D. (Danny)"
>To: "Alfred Perlstein"
>CC:
>Subject: RE: Possible New Security Tool For FreeBSD, Need Your Help.
>Date: Mon, 3 Sep 2001 10:17:20 +0200
>
>Yeah but Obfuscation PLUS good security does not hurt, in fact it helps.
>Just so long as you don't *rely* on it.
>
>
>:-----Original Message-----
>:From: Alfred Perlstein [mailto:bright@mu.org]
>:Sent: Friday, August 31, 2001 11:53 PM
>:To: Rob Simmons
>:Cc: Eric Anderson; Not Going to Tell You; security@freebsd.org
>:Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
>:
>:
>:* Rob Simmons [010831 16:51] wrote:
>:> Why not require the incoming packets to be spoofed from a
>:preordained set
>:> of IP addresses to obfuscate it even more.
>:
>:Obfuscation isn't security, it is the illusion of it.
>:
>:--
>:-Alfred Perlstein [alfred@freebsd.org]
>:'Instead of asking why a piece of software is using "1970s technology,"
>:start asking why software is ignoring 30 years of accumulated wisdom.'
>:
>-----------------------------------------------------------------
>ATTENTION:
>The information in this electronic mail message is private and
>confidential, and only intended for the addressee. Should you
>receive this message by mistake, you are hereby notified that
>any disclosure, reproduction, distribution or use of this
>message is strictly prohibited. Please inform the sender by
>reply transmission and delete the message without copying or
>opening it.
>
>Messages and attachments are scanned for all viruses known.
>If this message contains password-protected attachments, the
>files have NOT been scanned for viruses by the ING mail domain.
>Always scan attachments before opening them.
>-----------------------------------------------------------------
>

From owner-freebsd-security Mon Sep 3 7:44:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f75.law8.hotmail.com [216.33.241.75]) by hub.freebsd.org (Postfix) with ESMTP id 4CE1737B407 for ; Mon, 3 Sep 2001 07:44:39 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 3 Sep 2001 07:44:39 -0700
Received: from 200.212.177.158 by lw8fd.law8.hotmail.msn.com with HTTP; Mon, 03 Sep 2001 14:44:38 GMT
X-Originating-IP: [200.212.177.158]
From: "Not Going to Tell You"
To: security@FreeBSD.org
Subject: RE: Possible New Security Tool For FreeBSD
Date: Mon, 03 Sep 2001 14:44:38 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 03 Sep 2001 14:44:39.0209 (UTC) FILETIME=[F57F0990:01C13486]

Quotation from the FreeBSD Handbook, Security pages:

"Security is best implemented through a layered ``onion'' approach. In a nutshell, what you want to do is to create as many layers of security as are convenient and then carefully monitor the system for intrusions."

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security-intro.html

Lucky

From owner-freebsd-security Mon Sep 3 7:53:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta2-svc.virgin.net (mta2-svc.virgin.net [62.253.164.42]) by hub.freebsd.org (Postfix) with ESMTP id 8AD0837B409 for ; Mon, 3 Sep 2001 07:53:54 -0700 (PDT)
Received: from z402235w ([194.168.3.4]) by mta2-svc.virgin.net (InterMail vM.4.01.02.27 201-229-119-110) with SMTP id <20010903145353.YDQZ287.mta2-svc.virgin.net@z402235w>; Mon, 3 Sep 2001 15:53:53 +0100
Message-ID: <044501c13488$3edcf830$6100900a@private.ntl.com>
From: "Nonya"
To: "Not Going to Tell You" ,
References:
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Mon, 3 Sep 2001 15:53:51 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300

> I have 240 boxes running sshd and restricted to our IP address on the
> Internet. We just want to hide the sshd port until we need it.
> But by hiding the sshd port,
> maybe, just maybe, we can reduce the number of script kiddies from trying
> sshd scripts.

Running sshd on a non-standard port would probably have a similar effect, especially if you choose a port not included in nmap's default scans.

From owner-freebsd-security Mon Sep 3 8: 9:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id D6CF337B401 for ; Mon, 3 Sep 2001 08:09:05 -0700 (PDT)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 24B451D14; Mon, 3 Sep 2001 17:04:40 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 722C3552A; Mon, 3 Sep 2001 17:04:39 +0200 (CEST)
Date: Mon, 3 Sep 2001 17:04:38 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: =?iso-8859-1?q?m=20p?=
Cc: ryan@sasknow.com, slack@suntop-cn.com, freebsd-security@FreeBSD.ORG
Subject: Re: how can I find general security infomation ?
In-Reply-To: <20010903131329.99051.qmail@web13301.mail.yahoo.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> Wrong. I'm sure he meant CERN. The CERN has a very good CERT. :) So the CERN is
> mentioned as resource like bugtraq.

Yup. Thanks. Good site, lots of stuff. Apparently it's needed to learn all the time in this business ;). So I guess we end with CERT and CERN both listed as security resources.

From owner-freebsd-security Mon Sep 3 8:27:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp3.cern.ch (smtp3.cern.ch [137.138.131.164]) by hub.freebsd.org (Postfix) with ESMTP id A139737B405 for ; Mon, 3 Sep 2001 08:27:11 -0700 (PDT)
Received: from PCPDP18 (pcpdp18.cern.ch [137.138.38.54]) by smtp3.cern.ch (8.11.6/8.11.6) with SMTP id f83FQb424671; Mon, 3 Sep 2001 17:26:37 +0200 (MET DST)
X-Authentication-Warning: smtp3.cern.ch: Host pcpdp18.cern.ch [137.138.38.54] claimed to be PCPDP18
From: "Tiago Dias"
To: "Krzysztof Zaraska"
Cc:
Subject: RE: how can I find general security infomation ?
Date: Mon, 3 Sep 2001 17:25:09 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal

I'm sorry, but CERN cannot be counted as a security resource site ... there are some topics but nothing that could be taken as being a security site. All the others meet the requirements asked ... I'm sure it was a mistake.

Thank You
Regards
--
Tiago Dias -+- UNIX Sysadmin -+- Computing Centre, CERN -+-
This message may not represent the views of CERN.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Krzysztof Zaraska
Sent: Monday, September 03, 2001 5:05 PM
To: m p
Cc: ryan@sasknow.com; slack@suntop-cn.com; freebsd-security@FreeBSD.ORG
Subject: Re: how can I find general security infomation ?

> Wrong. I'm sure he meant CERN. The CERN has a very good CERT. :) So the CERN is
> mentioned as resource like bugtraq.

Yup. Thanks. Good site, lots of stuff. Apparently it's needed to learn all the time in this business ;). So I guess we end with CERT and CERN both listed as security resources.

From owner-freebsd-security Mon Sep 3 10:19:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 842C637B40C; Mon, 3 Sep 2001 10:19:15 -0700 (PDT)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f83HJ9143379; Mon, 3 Sep 2001 20:19:09 +0300 (EEST) (envelope-from ru)
Date: Mon, 3 Sep 2001 20:19:09 +0300
From: Ruslan Ermilov
To: security@FreeBSD.org
Cc: audit@FreeBSD.org
Subject: dropping ``setgid tty'' in dump(8)
Message-ID: <20010903201909.C29616@sunbay.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="U+BazGySraz5kW0T"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

--U+BazGySraz5kW0T
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi!

The attached patch replaces the ``wall -g'' functionality built into dump(8) directly with the call to wall(1), thus making it possible to drop the ``setgid tty'' privilege. The DIALUP check was weak, and was also removed.

The patch is based on OpenBSD's work. I've posted another message to the -audit that makes ``wall -g'' really work.

Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

--U+BazGySraz5kW0T
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p

Index: Makefile =================================================================== RCS file: /home/ncvs/src/sbin/dump/Makefile,v retrieving revision 1.14 diff -u -p -r1.14 Makefile --- Makefile 2001/03/26 14:33:00 1.14 +++ Makefile 2001/09/03 16:57:01 @@ -18,8 +18,6 @@ LINKS= ${BINDIR}/dump ${BINDIR}/rdump CFLAGS+=-DRDUMP CFLAGS+=-I${.CURDIR}/../../libexec/rlogind SRCS= itime.c main.c optr.c dumprmt.c tape.c traverse.c unctime.c -BINGRP= tty -BINMODE=2555 MAN= dump.8 MLINKS+=dump.8 rdump.8 Index: dump.h =================================================================== RCS file: /home/ncvs/src/sbin/dump/dump.h,v retrieving revision 1.9 diff -u -p -r1.9 dump.h --- dump.h 2001/08/10 23:12:10 1.9 +++ dump.h 2001/09/03 16:57:01
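Review bot: the Makefile hunk removes BINGRP=tty and BINMODE=2555, so dump(8) is installed mode 555 without a setgid bit; that is the purpose of the change, but nothing in the patch records that operator notification now depends on /usr/bin/wall being present and itself being setgid tty. A one-line note in dump.8 or the commit message that NEEDS ATTENTION messages now go through wall(1) would keep that dependency visible, since a hardened install that removes or un-setgids wall(1) would otherwise lose the notifications silently.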
@@ -100,7 +100,6 @@ void msg __P((const char *fmt, ...)) __p void msgtail __P((const char *fmt, ...)) __printflike(1, 2); int query __P((char *question)); void quit __P((const char *fmt, ...)) __printflike(1, 2); -void set_operators __P((void)); void timeest __P((void)); time_t unctime __P((char *str)); @@ -151,7 +150,6 @@ void interrupt __P((int signo)); /* in c #define X_ABORT 3 /* abort dump; don't attempt checkpointing */ #define OPGRENT "operator" /* group entry to notify */ -#define DIALUP "ttyd" /* prefix for dialups */ struct fstab *fstabsearch __P((char *key)); /* search fs_file and fs_spec */ Index: main.c =================================================================== RCS file: /home/ncvs/src/sbin/dump/main.c,v retrieving revision 1.26 diff -u -p -r1.26 main.c --- main.c 2001/07/09 03:06:56 1.26 +++ main.c 2001/09/03 16:57:03 @@ -287,7 +287,6 @@ main(argc, argv) if (signal(SIGINT, interrupt) == SIG_IGN) signal(SIGINT, SIG_IGN); - set_operators(); /* /etc/group snarfed */ getfstab(); /* /etc/fstab snarfed */ /* * disk can be either the full special file name, Index: optr.c =================================================================== RCS file: /home/ncvs/src/sbin/dump/optr.c,v retrieving revision 1.12 diff -u -p -r1.12 optr.c --- optr.c 2001/01/29 09:45:51 1.12 +++ optr.c 2001/09/03 16:57:03 @@ -59,7 +59,6 @@ static const char rcsid[] = void alarmcatch __P((/* int, int */)); int datesort __P((const void *, const void *)); -static void sendmes __P((char *, char *)); /* * Query the operator; This previously-fascist piece of code @@ -117,7 +116,7 @@ query(question) return(back); } -char lastmsg[100]; +char lastmsg[BUFSIZ]; /* * Alert the console operator, and enable the alarm clock to 
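Review bot: removing set_operators() from main.c also removes the startup check that reported "No group entry for operator" and cleared notify; with this patch a missing OPGRENT group is only discovered inside broadcast(), where wall -g writes its complaint to stderr and the pclose() status is ignored, so the operator sees a repeated, unexplained wall error rather than one clear message at startup. Keeping a getgrnam(OPGRENT) probe in main() (with notify = 0 on failure) would preserve the old behaviour at little cost. Also, growing lastmsg from 100 to BUFSIZ is only safe if every writer bounds on sizeof(lastmsg); the writers are not in this hunk, so check that none of them still assumes the old 100-byte limit.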
@@ -159,130 +158,33 @@ interrupt(signo) } /* - * The following variables and routines manage alerting - * operators to the status of dump. - * This works much like wall(1) does. + * We now use wall(1) to do the actual broadcasting. */ -struct group *gp; - -/* - * Get the names from the group entry "operator" to notify. - */ -void -set_operators() -{ - if (!notify) /*not going to notify*/ - return; - gp = getgrnam(OPGRENT); - (void) endgrent(); - if (gp == NULL) { - msg("No group entry for %s.\n", OPGRENT); - notify = 0; - return; - } -} - -struct tm *localclock; - -/* - * We fork a child to do the actual broadcasting, so - * that the process control groups are not messed up - */ void broadcast(message) char *message; { - time_t clock; - FILE *f_utmp; - struct utmp utmp; - char **np; - int pid, s; + FILE *fp; + char buf[sizeof(_PATH_WALL) + sizeof(OPGRENT) + 3]; - if (!notify || gp == NULL) + if (!notify) return; - switch (pid = fork()) { - case -1: + snprintf(buf, sizeof(buf), "%s -g %s", _PATH_WALL, OPGRENT); + if ((fp = popen(buf, "w")) == NULL) return; - case 0: - break; - default: - while (wait(&s) != pid) - continue; - return; - } - - clock = time((time_t *)0); - localclock = localtime(&clock); - - if ((f_utmp = fopen(_PATH_UTMP, "r")) == NULL) { - msg("Cannot open %s: %s\n", _PATH_UTMP, strerror(errno)); - return; - } - while (!feof(f_utmp)) { - if (fread((char *) &utmp, sizeof (struct utmp), 1, f_utmp) != 1) - break; - if (utmp.ut_name[0] == 0) - continue; - for (np = gp->gr_mem; *np; np++) { - if (strncmp(*np, utmp.ut_name, sizeof(utmp.ut_name)) != 0) - continue; - /* - * Do not send messages to operators on dialups - */ - if (strncmp(utmp.ut_line, DIALUP, strlen(DIALUP)) == 0) - continue; -#ifdef DEBUG - msg("Message to %s at %s\n", *np, utmp.ut_line); -#endif - sendmes(utmp.ut_line, message); - } - } - (void) fclose(f_utmp); - Exit(0); /* the wait in this same routine will catch this */ - /* NOTREACHED */ -} + (void) fputs("\a\a\aMessage from the dump 
program to all operators\n\nDUMP: NEEDS ATTENTION: ", fp); + if (lastmsg[0]) + (void) fputs(lastmsg, fp); + if (message[0]) + (void) fputs(message, fp); -static void -sendmes(tty, message) - char *tty, *message; -{ - char t[MAXPATHLEN], buf[BUFSIZ]; - register char *cp; - int lmsg = 1; - FILE *f_tty; - - (void) strcpy(t, _PATH_DEV); - (void) strncat(t, tty, sizeof t - strlen(_PATH_DEV) - 1); - - if ((f_tty = fopen(t, "w")) != NULL) { - setbuf(f_tty, buf); - (void) fprintf(f_tty, - "\n\ -\a\a\aMessage from the dump program to all operators at %d:%02d ...\r\n\n\ -DUMP: NEEDS ATTENTION: ", - localclock->tm_hour, localclock->tm_min); - for (cp = lastmsg; ; cp++) { - if (*cp == '\0') { - if (lmsg) { - cp = message; - if (*cp == '\0') - break; - lmsg = 0; - } else - break; - } - if (*cp == '\n') - (void) putc('\r', f_tty); - (void) putc(*cp, f_tty); - } - (void) fclose(f_tty); - } + (void) pclose(fp); } /* - * print out an estimate of the amount of time left to do the dump + * Print out an estimate of the amount of time left to do the dump */ time_t tschedule = 0; Index: pathnames.h =================================================================== RCS file: /home/ncvs/src/sbin/dump/pathnames.h,v retrieving revision 1.6 diff -u -p -r1.6 pathnames.h --- pathnames.h 2001/03/08 09:04:39 1.6 +++ pathnames.h 2001/09/03 16:57:03 
@@ -41,3 +41,4 @@ #define _PATH_DUMPDATES "/etc/dumpdates" #define _PATH_LOCK "/tmp/dumplockXXXXXX" #define _PATH_RMT "/etc/rmt" /* path on remote host */ +#define _PATH_WALL "/usr/bin/wall" --U+BazGySraz5kW0T-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 3 11:12:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-172.zoominternet.net [24.154.28.172]) by hub.freebsd.org (Postfix) with ESMTP id 1D5C637B407 for ; Mon, 3 Sep 2001 11:12:32 -0700 (PDT) Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id f83ICX910930 for ; Mon, 3 Sep 2001 14:12:33 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Mon, 3 Sep 2001 14:12:28 -0400 (EDT) 
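Review bot: removing `#define DIALUP "ttyd"` in the dump.h hunk silently drops the old policy of not alerting operators logged in on dial-up lines (the `strncmp(utmp.ut_line, DIALUP, strlen(DIALUP))` skip in the deleted broadcast() loop); `wall -g operator` will now reach every member of the group on every tty. Either that is intended and the new header comment ("We now use wall(1) to do the actual broadcasting") should say so, or wall(1) needs an equivalent exclusion before this goes in.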
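Review bot: in the optr.c hunk that changes `char lastmsg[100];` to `char lastmsg[BUFSIZ];`, the code that fills lastmsg is not part of this diff; please confirm it bounds the copy with sizeof(lastmsg) rather than a literal 100, otherwise the larger buffer only moves the overflow point. Both the old sendmes() loop and the new `fputs(lastmsg, fp)` read until the NUL, so the writer must also guarantee termination.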
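Review bot: the broadcast() hunk discards every failure: `if ((fp = popen(buf, "w")) == NULL) return;` is silent and `(void) pclose(fp);` throws away wall(1)'s exit status, so operators simply stop being notified if _PATH_WALL is missing or the installed wall(1) does not understand the -g option this patch relies on. The deleted code at least reported `msg("Cannot open %s: %s\n", _PATH_UTMP, strerror(errno))`; do the same for a popen() failure and for a non-zero pclose() status. Two smaller points: `char buf[sizeof(_PATH_WALL) + sizeof(OPGRENT) + 3]` holds "/usr/bin/wall -g operator" with exactly zero bytes to spare (each sizeof contributes one NUL, " -g " is four bytes), which is correct but fragile enough to deserve a comment; and popen() runs the command through /bin/sh, which is acceptable only because both arguments are compile-time constants, so add a comment that nothing derived from message or lastmsg may ever be placed in buf.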
From: Chris BeHanna
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010903140918.K10812-100000@topperwein.dyndns.org>

On Mon, 3 Sep 2001, Not Going to Tell You wrote:

> I have 240 boxes running sshd and restricted to our IP address on the
> Internet. We just want to hide the sshd port until we need it. Is this such
> a hard concept to understand. So what if someone can sniff the key. It is
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> just an extra layer of security.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

These two sentences contradict each other.

> Since we are also running sshd and IP
> filters, this is not a false sense of security. If someone wants to sniff
> out all 100 packets, spoof our IP address, and re-send the key..Good for
> them, they still have to get past the sshd. But by hiding the sshd port,
> maybe, just maybe, we can reduce the number of script kiddies from trying
> sshd scripts.

IMHO, you're better off with TCP Wrappers, unless you need to allow access
to clients whose addresses are dynamically allocated. Even then, if you set
up a VPN, you can control access by domain or by IP address: a VPN client
gets an address from your local address pool.

-- 
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
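The objection Chris raises here, and again in his next reply (a "sequence of packets" that is not cryptographically strong can be sniffed and replayed, and making it strong means doing what sshd already does), is easy to see in code. The following is an added example, not from the thread and not the tool its original poster is proposing; the two gate classes, the secret port list, the shared key and the counter scheme are all constructed for illustration:

```python
"""Added example: a static port-knock sequence versus a replay-resistant one.

Everything here is constructed for illustration. Neither gate is a real
implementation; the point is what each one can and cannot distinguish.
"""
import hashlib
import hmac
import struct


class StaticKnockGate:
    """The debated design: open sshd when the fixed secret sequence arrives.

    The gate only ever sees the sequence itself, so it cannot tell the
    administrator from anyone who observed the sequence once.
    """

    def __init__(self, secret_sequence):
        self.secret_sequence = tuple(secret_sequence)

    def observe(self, sequence):
        return tuple(sequence) == self.secret_sequence


def knock_tag(key, counter):
    """HMAC-SHA256 over the 8-byte big-endian counter (constructed scheme)."""
    return hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()


class AuthenticatedKnockGate:
    """A replay-resistant knock: keyed MAC over a strictly increasing counter.

    A captured knock is useless afterwards because its counter is spent.
    This is the thread's point: once the knock is cryptographically strong
    it needs a shared secret and per-peer state, i.e. real authentication.
    """

    def __init__(self, key):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def observe(self, counter, tag):
        # constant-time comparison; never compare MACs with ==
        if not hmac.compare_digest(knock_tag(self.key, counter), tag):
            return False
        if counter <= self.last_counter:
            return False  # seen before (or older than the last one): a replay
        self.last_counter = counter
        return True


def run_scenarios():
    """Admin knocks once; a passive observer records the wire and resends it.

    Returns a dict of booleans: whether each gate opened for the genuine
    knock, for the replayed copy, and for a few related cases.
    """
    results = {}

    # --- static sequence -------------------------------------------------
    secret_ports = [7000, 8000, 9000]          # constructed secret
    static_gate = StaticKnockGate(secret_ports)
    wire_capture = list(secret_ports)           # exactly what a sniffer sees
    results["static_genuine"] = static_gate.observe(secret_ports)
    results["static_replay"] = static_gate.observe(wire_capture)
    # Kevin Way's latency concern: the same packets arriving out of order
    # fail even for the legitimate administrator.
    results["static_reordered"] = static_gate.observe([8000, 7000, 9000])

    # --- authenticated, single-use knock ---------------------------------
    key = b"constructed-shared-key-not-for-real-use"
    auth_gate = AuthenticatedKnockGate(key)
    counter = 41
    tag = knock_tag(key, counter)
    captured = (counter, tag)                   # sniffer sees both fields
    results["auth_genuine"] = auth_gate.observe(counter, tag)
    results["auth_replay"] = auth_gate.observe(*captured)
    # a tag made with the wrong key is rejected even with a fresh counter
    results["auth_forged"] = auth_gate.observe(42, knock_tag(b"wrong", 42))
    # the legitimate next knock still works
    results["auth_next"] = auth_gate.observe(42, knock_tag(key, 42))
    return results


if __name__ == "__main__":
    for name, opened in run_scenarios().items():
        print(f"{name:17s} -> {'OPEN' if opened else 'closed'}")
```

The static gate opens for the replayed capture exactly as it did for the administrator, while the keyed, counter-based gate rejects both the replay and the forged tag. Note what the second gate needed to get there: a shared secret, a MAC and persistent per-peer state. That is authentication, which sshd (and TCP Wrappers or a VPN in front of it) already provides, so the hidden port adds the delivery failure modes discussed later in the thread without adding a security property sshd lacks.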
From owner-freebsd-security Mon Sep 3 11:14:41 2001
Date: Mon, 3 Sep 2001 14:14:34 -0400 (EDT)
From: Chris BeHanna
Subject: RE: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010903141244.U10812-100000@topperwein.dyndns.org>

On Mon, 3 Sep 2001, Not Going to Tell You wrote:

> This is not obfuscation! This is activation and de-activation. Obfuscation
> implies that the port is open but you are hiding this fact.

It *is* obfuscation: unless your "sequence of packets" is cryptographically
strong, it can be easily sniffed and replayed, effectively nulling your
"extra layer of security". Note that to make it cryptographically strong,
you'd effectively end up doing what sshd does anyway: public key encryption.

-- 
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Mon Sep 3 15:01:01 2001
Date: Mon, 3 Sep 2001 16:00:23 -0600 (CST)
From: Ryan Thompson
To: m p
Cc: kzaraska@student.uci.agh.edu.pl, slack@suntop-cn.com, freebsd-security@FreeBSD.ORG
Subject: Re: how can I find general security infomation ?
In-Reply-To: <20010903131329.99051.qmail@web13301.mail.yahoo.com>
Organization: SaskNow Technologies [www.sasknow.com]

m p wrote to kzaraska@student.uci.agh.edu.pl, ryan@sasknow.com, and...:

> > > You'll also want to use on-line security web sites (too many to list.
> > > bugtraq, CERN, securityfocus, etc... try some web searches for UNIX
> >
> > Guess you meant CERT not CERN... Although CERN has a lot to do with
> > computers their primary interest is particle physics and not computer
> > security.
>
> Wrong. I'm sure he meant CERN. The CERN has a very good CERT. :) So
> the CERN is mentioned as resource like bugtraq.

Well, don't be too hard on him. :-) As the first poster suggested, I _was_
actually typing CERT... But, on a Dvorak keyboard such as mine, the "n" and
the "t" are adjacent. Once in a while something like that will slip, and
hopefully not start a flamewar ;-)

But, yes, good info regarding CERN.
> > My PLN 0.02
>
> My DEM 0.02 :)

My CAD 0.02

- Ryan

-- 
Ryan Thompson
Network Administrator, Accounts

SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

Tel: 306-664-3600  Fax: 306-664-1161  Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW)  North America

From owner-freebsd-security Mon Sep 3 20:40:07 2001
Date: Tue, 4 Sep 2001 03:39:55 +0000
From: Kevin Way
To: Not Going to Tell You
Cc: freebsd-security@freebsd.org
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010904033955.A52291@bean.overtone.org>

> But by hiding the sshd port, maybe, just maybe, we can reduce the
> number of script kiddies from trying sshd scripts.

Just a note that nobody has directly mentioned. You're also exposing
yourself to additional risks.

- Administrators could potentially be located behind unusual firewalls
  which could hinder the magic port sequence delivery.

- Administrators could potentially be working over a network connection
  with high loss rates, making the magic port sequence delivery infeasible.

- Administrators could potentially be working over network connections
  with unpredictable latency, making the sequence arrive in the incorrect
  order.

- There could be an unforeseen failure mode of the software which causes
  the port to fail to open, despite proper network transmission of the
  correct code.

I really don't care if you want to implement this idea or not, but I'd
urge you to consider these risks before you move forward.
Kevin Way

From owner-freebsd-security Mon Sep 3 20:54:09 2001
Date: Mon, 3 Sep 2001 23:42:05 -0500 (CDT)
From: Marc Rassbach
To: Kevin Way
Cc: Not Going to Tell You, freebsd-security@freebsd.org
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
In-Reply-To: <20010904033955.A52291@bean.overtone.org>

On Tue, 4 Sep 2001, Kevin Way wrote:

> > But by hiding the sshd port, maybe, just maybe, we can reduce the
> > number of script kiddies from trying sshd scripts.
>
> Just a note that nobody has directly mentioned. You're also exposing
> yourself to additional risks.

No one seems to have mentioned creating a SKIP gateway. SKIP lost out to
IPSEC, but would add another layer of encryption, and most of the script
kiddies wouldn't know SKIP VPN if it bit 'em on the linux box.

Security via obscurity (that is what the poke-the-port IDS is) isn't a good
solution. SKIP has white papers about its drawbacks and advantages. And it
will go through firewalls.

From owner-freebsd-security Tue Sep 4 00:07:58 2001
Subject: RE: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Tue, 4 Sep 2001 09:10:28 +0200
Message-ID: <98829DC07ECECD47893074C4D525EFC311569F@citsnl007.europe.intranet>
From: "Carroll, D. (Danny)"
To: "Kevin Way"

Right, I was wondering when someone might say that... It seems to me that
there are obvious drawbacks to this idea. Like someone else mentioned, it's
a good idea but you can't count on the security.

So if the security *is* too weak, and that doesn't bother Lucky, then
perhaps other *less secure* methods might also be appealing (and easier to
implement.) How about a CGI which adds the rule dynamically. You could put
it on an ssl website behind a decent password. Still would not be rock
solid but it wouldn't be any worse than the original idea.

-D

:-----Original Message-----
:From: Kevin Way [mailto:kevin.way@overtone.org]
:Sent: Tuesday, September 04, 2001 5:40 AM
:To: Not Going to Tell You
:Cc: freebsd-security@freebsd.org
:Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
:
:
:> But by hiding the sshd port, maybe, just maybe, we can reduce the
:> number of script kiddies from trying sshd scripts.
:
:just a note that nobody has directly mentioned. You're also exposing
:yourself to additional risks.
:
:-Administrators could potentially be located behind unusual firewalls
:which could hinder the magic port sequence delivery.
:
:-Administrators could potentially be working over a network connection
:with high loss rates, making the magic port sequence delivery
:infeasible
:
:-Administrators could potentially be working over network connections
:with unpredictable latency, making the sequence arrive in the incorrect
:order
:
:-there could be an unforeseen failure mode of the software which causes
:the port to fail to open, despite proper network transmission of the
:correct code.
:
:I really don't care if you want to implement this idea or not, but I'd
:urge you to consider these risks before you move forward.
:
:Kevin Way
:

From owner-freebsd-security Tue Sep 4 00:16:20 2001
From: "Magdalinin Kirill"
To: freebsd-security@FreeBSD.ORG
Subject: good practice for /tmp
Date: Tue, 04 Sep 2001 11:16:17 +0400

Hello,

is it a good practice to mount /tmp/ on its own partition, symlink /var/tmp
to it and turn on quotas on that partition in order to keep httpd uploads
(by php scripts) and other stuff from consuming all partition space?

Can it break some programs?

Thanks in advance,

Kirill Magdalinin
bsdforumen@hotmail.com

From owner-freebsd-security Tue Sep 4 00:44:56 2001
Date: Tue, 4 Sep 2001 11:44:49 +0400
From: "Nickolay A.Kritsky"
To: freebsd-security@FreeBSD.ORG
Subject: Need help with limits(1)
Message-ID: <48396009431.20010904114449@internethelp.ru>

Hi, all.

I have a webserver running on FreeBSD 3.3. One of the perl scripts located
there has some bug that puts it in an infinite loop. This causes my
webserver to stall, so that the only way to reboot is hardware reset. I
want to restrict user httpd to use no more than 75% of CPU time. I read man
limits(1) and man getrlimit(2) but they only talk about limiting cputime in
seconds, not percents. It means that I can restrict httpd process to run no
more than 10 seconds, but in those 10 seconds it will have access to all
CPU power of the computer, making administrative work quite impossible. How
can I add percent-based cputime restrictions for various users and login
classes?

Any help is very good.

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Tue Sep 4 03:03:49 2001
Date: Tue, 4 Sep 2001 12:45:39 +0300 (EEST)
From: Anton Yudin
Message-Id: <200109040945.f849jdL30793@ib.com.ua>
To: freebsd-security@freebsd.org
Subject: pop server

Hi

Which pop3 server is the best for security reasons?
OS - FreeBSD 4.4RC ...

From owner-freebsd-security Tue Sep 4 03:11:48 2001
Message-ID: <3B94A8DE.7ED4C45E@tensor.ru>
Date: Tue, 04 Sep 2001 14:11:42 +0400
From: Denis Tokarev
Organization: Tensor
To: Anton Yudin
Cc: freebsd-security@freebsd.org
Subject: Re: pop server
References: <200109040945.f849jdL30793@ib.com.ua>

Anton Yudin wrote:
>
> Hi
>
> Which pop3 server is the best for security reason ?
> OS - FreeBSD 4.4RC ...

popa3d.

/dvt

From owner-freebsd-security Tue Sep 4 03:41:19 2001
Date: Tue, 4 Sep 2001 12:41:34 +0200
From: Alex Holst
To: freebsd-security@FreeBSD.ORG
Subject: Re: good practice for /tmp
Message-ID: <20010904124134.C58690@area51.dk>

Quoting Magdalinin Kirill (bsdforumen@hotmail.com):
> is it a good practice to mount /tmp/ on it's own partition, symlink /var/tmp
> to it and turn on quotas on that partition

It is, and it lets you supply mount options for /tmp (e.g. NOSUID, NOEXEC,
etc) and whatever else you want to do.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                  http://a.area51.dk/

From owner-freebsd-security Tue Sep 4 04:05:48 2001
Date: Tue, 4 Sep 2001 13:05:39 +0200 (CEST)
From: Joachim Griesche
Message-Id: <200109041105.f84B5dq06623@bsd.ist-ffo.de>
To: freebsd-security@freebsd.org
Subject: Re: Good practice for /tmp
Cc: griesche@bsd.ist-ffo.de

Hello!

Although putting /tmp on its own partition is helpful, I prefer not to
symlink /var/tmp to /tmp because /tmp and /var/tmp are handled in a
different manner by most systems: While /tmp is cleared at boot time,
/var/tmp is not (see the file /etc/rc and the comments there), preserving
recovery files.

If /tmp is not on its own partition, I create /usr/tmp and symlink /tmp to
/usr/tmp in order to avoid filling up /.

With best regards
Joachim Griesche
System administrator
Institut fuer Solartechnologien GmbH
Frankfurt (Oder), Germany

From owner-freebsd-security Tue Sep 4 04:27:40 2001
Date: Tue, 4 Sep 2001 08:25:47 -0300
From: Fernando Schapachnik
To: Alex Holst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: good practice for /tmp
Message-ID: <20010904082547.A42334@ns1.via-net-works.net.ar>
In-Reply-To: <20010904124134.C58690@area51.dk>

In an earlier message, Alex Holst wrote:
> Quoting Magdalinin Kirill (bsdforumen@hotmail.com):
> > is it a good practice to mount /tmp/ on it's own partition, symlink /var/tmp
> > to it and turn on quotas on that partition
>
> It is, and it lets you supply mount options for /tmp (e.g. NOSUID, NOEXEC,
> etc) and whatever else you want to do.

Just a note: /var/tmp is supposed to be kept between reboots (see the hier
man page), and /tmp is not. So keep this in mind. You might want to turn
off /tmp cleaning at reboot.

Regards.

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Tue Sep 4 05:25:33 2001
Message-ID: <00cc01c13545$01d13d30$dcc8a8c0@inegi.up.pt>
From: José Azevedo
Subject: Port 4662
Date: Tue, 4 Sep 2001 13:25:04 -0000
Organization: Mercatura - INEGI

Hello everyone,

Wish you all had a pleasant vacation, at least the ones who had them.

Can anyone please confirm that a program called eDonkey uses port 4662?
Their docs say it uses 4661, people told me it uses 4662, so I don't know.

If anyone can refer to this, I would thank it a lot.

Good work!

From owner-freebsd-security Tue Sep 4 05:28:31 2001
Message-ID: <00d901c13545$6da8f750$dcc8a8c0@inegi.up.pt>
From: José Azevedo
Subject: Re: Port 4662
Date: Tue, 4 Sep 2001 13:28:05 -0000
References: <200109041105.f84B5dq06623@bsd.ist-ffo.de> <00cc01c13545$01d13d30$dcc8a8c0@inegi.up.pt>
Organization: Mercatura - INEGI

I think this info answers my previous question:

  TCP port 4661 to connect to the server.
  TCP port 4662 to connect to other clients.
  UDP port 4665 to send messages to servers other than the one you are
  connected to.

Sorry for the bogle...

----- Original Message -----
From: "José Azevedo"
Sent: Tuesday, September 04, 2001 1:25 PM
Subject: Port 4662

Hello everyone,

Wish you all had a pleasant vacation, at least the ones who had them.

Can anyone please confirm that a program called eDonkey uses port 4662?
Their docs say it uses 4661, people told me it uses 4662, so I don't know.

If anyone can refer to this, I would thank it a lot.

Good work!

From owner-freebsd-security Tue Sep 4 06:28:28 2001
Message-ID: <3B94D6E9.A2457D9A@bulinfo.net>
Date: Tue, 04 Sep 2001 16:28:09 +0300
From: Krassimir Slavchev
Organization: Bulinfo Ltd.
To: "Nickolay A.Kritsky"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Need help with limits(1)
References: <48396009431.20010904114449@internethelp.ru>

Add in apachectl line:

    eval `limits -e -C daemon` >/dev/null 2>&1

man login.conf and try to limit memoryuse!

"Nickolay A.Kritsky" wrote:
> Hi, all.
> I have a webserver running on FreeBSD 3.3. One of the perl scripts
> located there has some bug, that puts him in the infinite loop. This
> causes my webserver to stall, so that the only way to reboot is
> hardware reset. I want to restrict user httpd to use no more than
> 75% of CPU time. I read man limits(1) and man getrlimit(2) but they
> only talk about limiting cputime in seconds, but not percents. It
> means that I can restrict httpd process to run no more than 10
> seconds, but in this 10 seconds it will have access to all CPU power
> of the computer, making administrative work quite impossible. How
> can I add percent-based cputime restrictions for various users and
> login classes?
>
> Any help is very good.
>
> ;-------------------------------------------
> ; NKritsky
> ; SysAdmin InternetHelp.Ru
> ; http://www.internethelp.ru
> ; mailto:nkritsky@internethelp.ru

-- 
Krassimir Slavchev                 Bulinfo Ltd.
krassi@bulinfo.net        (+359-2)963-3652
http://www.bulinfo.net    (+359-2)963-3764

From owner-freebsd-security Tue Sep 4 8:37:27 2001
Message-Id: <4.3.2.7.2.20010904093613.052ceb20@localhost>
Date: Tue, 04 Sep 2001 09:36:45 -0600
To: Joachim Griesche, freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Good practice for /tmp
Cc: griesche@bsd.ist-ffo.de
In-Reply-To: <200109041105.f84B5dq06623@bsd.ist-ffo.de>

Who's maintaining /stand/sysinstall these days? This should be part of
the default install.

--Brett

At 05:05 AM 9/4/2001, Joachim Griesche wrote:
>Hello!
>
>Although putting /tmp on its own partition is helpful, I
>prefer not to symlink /var/tmp to /tmp because /tmp and
>/var/tmp are handled in a different manner by most systems:
>While /tmp is cleared at boot time, /var/tmp is not (see
>the file /etc/rc and the comments there), preserving
>recovery files. If /tmp is not on its own partition, I
>create /usr/tmp and symlink /tmp to /usr/tmp in order to
>avoid filling up /.
>
>With best regards
>Joachim Griesche
>
>System administrator
>Institut fuer Solartechnologien GmbH
>Frankfurt (Oder), Germany

From owner-freebsd-security Tue Sep 4 9:12:41 2001
Date: Tue, 4 Sep 2001 12:12:41 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
Subject: Re: Need help with limits(1)
In-Reply-To: <48396009431.20010904114449@internethelp.ru>
Message-ID: <20010904121057.C47041-100000@topperwein.dyndns.org>

On Tue, 4 Sep 2001, Nickolay A.Kritsky wrote:
> Hi, all.
> I have a webserver running on FreeBSD 3.3. One of the perl scripts
> located there has some bug that puts it into an infinite loop. This
> causes my webserver to stall, so that the only way to reboot is a
> hardware reset. I want to restrict user httpd to use no more than
> 75% of CPU time. I read man limits(1) and man getrlimit(2), but they
> only talk about limiting cputime in seconds, not percents. It
> means that I can restrict the httpd process to run no more than 10
> seconds, but in those 10 seconds it will have access to all the CPU
> power of the computer, making administrative work quite impossible.
> How can I add percent-based cputime restrictions for various users
> and login classes?

I don't know of a way to limit a user to a given percent of CPU, but
you might be able to limit the user's process priority, so that even
though the user would get 100% of the CPU when his process runs, that
process would be easily preempted by another process that has a higher
priority.

--
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
From owner-freebsd-security Tue Sep 4 9:18:16 2001
Date: Tue, 4 Sep 2001 19:18:01 +0300
From: Ruslan Ermilov
To: security@FreeBSD.org
Subject: Re: at(1) sugid fixes
Message-ID: <20010904191801.F1669@sunbay.com>
References: <20010903143510.D49997@sunbay.com>
In-Reply-To: <20010903143510.D49997@sunbay.com>; from ru@FreeBSD.org on Mon, Sep 03, 2001 at 02:35:10PM +0300

This patch has just been committed.

On Mon, Sep 03, 2001 at 02:35:10PM +0300, Ruslan Ermilov wrote:
> Hi!
>
> The attached patch fixes at(1) macros that manipulate user
> and group IDs of the process so that they don't change the
> real user and group IDs of the process, and instead use the
> saved user and group IDs feature.
>
> The setre[ug]id() calls are still used with the REDUCE_PERM
> macro (with the r[ug]id arguments of -1) so that the call
> changes the saved user/group ID of the process to that
> specified.
>
> That is to say, if the process was initially run ``setuid
> root'', the call to ``REDUCE_PERM(1, ...)'' changes the
> process's saved-user-ID to that of the user "daemon", and
> the process then becomes ``setuid daemon'' (with effective
> privileges temporarily relinquished to the real privileges).
>
> Also, the panic() and perr() functions had insufficient
> privileges to delete the problematic file under /var/at.
>
> Comments/reviews are welcome.
Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Tue Sep 4 9:24:50 2001
Date: Tue, 4 Sep 2001 08:23:49 -0800
From: Greg Wirth
Reply-To: Greg
Organization: RapidFX.com
Message-ID: <191683157308.20010904082349@rapidfx.com>
To: toha@ib.com.ua
Subject: Re: pop server
In-Reply-To: <200109040945.f849jdL30793@ib.com.ua>
References: <200109040945.f849jdL30793@ib.com.ua>

Hello...

Seems thinking about security of a mail server would be lower than
using an RC for your OS.....

Tuesday, September 04, 2001, 1:45:39 AM, you wrote:

AY> Hi
AY> Which pop3 server is the best for security reason ?
AY> OS - FreeBSD 4.4RC ...

--
Greg S. Wirth
System Administrator
www.rapidfx.com
www.dejapc.com
-------------------------------
Is your system secure?
FreeBSD: www.freebsd.org
Apache: www.apache.org
IPFilter www.ipfilter.org
irc.undernet.org #apache

From owner-freebsd-security Tue Sep 4 9:31:49 2001
Message-ID: <003801c1355f$115912e0$9201a8c0@home.net>
From: "edwin chan"
To: "Nickolay A.Kritsky"
References: <48396009431.20010904114449@internethelp.ru>
Subject: Re: Need help with limits(1)
Date: Wed, 5 Sep 2001 00:31:36 +0800

maybe lower your apache or perl processes by "renice"

----- Original Message -----
From: "Nickolay A.Kritsky"
Sent: Tuesday, September 04, 2001 3:44 PM
Subject: Need help with limits(1)

> Hi, all.
> I have a webserver running on FreeBSD 3.3. One of the perl scripts
> located there has some bug that puts it into an infinite loop. This
> causes my webserver to stall, so that the only way to reboot is a
> hardware reset. I want to restrict user httpd to use no more than
> 75% of CPU time. I read man limits(1) and man getrlimit(2), but they
> only talk about limiting cputime in seconds, not percents. It
> means that I can restrict the httpd process to run no more than 10
> seconds, but in those 10 seconds it will have access to all the CPU
> power of the computer, making administrative work quite impossible.
> How can I add percent-based cputime restrictions for various users
> and login classes?
>
> Any help is very good.
>
> ;-------------------------------------------
> ; NKritsky
> ; SysAdmin InternetHelp.Ru
> ; http://www.internethelp.ru
> ; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Tue Sep 4 11: 1: 3 2001
Date: Tue, 4 Sep 2001 20:00:54 +0200
From: Jochem Kossen
To: freebsd-security@freebsd.org
Subject: Re: Good practice for /tmp
Message-ID: <20010904200054.A37836@jochem.dyndns.org>
Mail-Followup-To: freebsd-security@freebsd.org
References: <200109041105.f84B5dq06623@bsd.ist-ffo.de>
In-Reply-To: <200109041105.f84B5dq06623@bsd.ist-ffo.de>; from griesche@bsd.ist-ffo.de on Tue, Sep 04, 2001 at 01:05:39PM +0200

On Tue, Sep 04, 2001 at 01:05:39PM +0200, Joachim Griesche wrote:
> Hello!
>
> Although putting /tmp on its own partition is helpful, I
> prefer not to symlink /var/tmp to /tmp because /tmp and
> /var/tmp are handled in a different manner by most systems:
> While /tmp is cleared at boot time, /var/tmp is not (see
> the file /etc/rc and the comments there), preserving
> recovery files. If /tmp is not on its own partition, I
> create /usr/tmp and symlink /tmp to /usr/tmp in order to
> avoid filling up /.

Yeah, but if you make /tmp too small, it will give problems with adding
certain big packages like teTeX. In that case, pkg_add needs a lot of
space in the /var/tmp directory, although I don't understand the reason
why they should use /var/tmp. Thus, I do link /var/tmp to /tmp.

--
+-------------> FreeBSD 4.3-STABLE <-------------+
| Jochem Kossen          jochem@jochem.dyndns.org |
|              7:00PM up 3 days                   |
+-------------> The Power To Serve <-------------+

Fortune cookie says:
Non-Reciprocal Laws of Expectations:
    Negative expectations yield negative results.
    Positive expectations yield negative results.
From owner-freebsd-security Tue Sep 4 11:16: 4 2001
Date: Tue, 4 Sep 2001 14:19:46 -0400 (EDT)
From: Ralph Huntington
To: Jochem Kossen
Subject: Re: Good practice for /tmp
In-Reply-To: <20010904200054.A37836@jochem.dyndns.org>
Message-ID: <20010904141758.C98903-100000@mohegan.mohawk.net>

Another county heard from...

/tmp -> /var/temp

partial /var/ listing:

drwxrwxrwt  2 root  wheel  2048 Sep  4 14:18 temp
drwxrwxrwt  3 root  wheel   512 Sep  4 12:54 tmp

Just make sure it's on a large filesystem with plenty of free gigs.

From owner-freebsd-security Tue Sep 4 11:42:52 2001
Date: Tue, 4 Sep 2001 11:42:45 -0700 (PDT)
From: Matt Dillon
Message-Id: <200109041842.f84Igj693873@earth.backplane.com>
To: Jochem Kossen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Good practice for /tmp
References: <200109041105.f84B5dq06623@bsd.ist-ffo.de> <20010904200054.A37836@jochem.dyndns.org>

    'man tuning' (with a recent -stable). In it I talk about /tmp vs
    /var/tmp and why it doesn't make sense to keep them separate any more.
    And these days people generally do not rm -rf /tmp at boot either.

                                        -Matt

From owner-freebsd-security Tue Sep 4 11:54:41 2001
Date: Tue, 4 Sep 2001 11:56:28 -0700
From: Jason DiCioccio
To: Chris BeHanna
Cc: security@freebsd.org
Subject: Re: Need help with limits(1)
Message-ID: <20010904115628.A63273@bluenugget.net>
References: <48396009431.20010904114449@internethelp.ru> <20010904121057.C47041-100000@topperwein.dyndns.org>
In-Reply-To: <20010904121057.C47041-100000@topperwein.dyndns.org>

> On Tue, 4 Sep 2001, Nickolay A.Kritsky wrote:
>
> > Hi, all.
> > I have a webserver running on FreeBSD 3.3. One of the perl scripts
> > located there has some bug that puts it into an infinite loop. This
> > causes my webserver to stall, so that the only way to reboot is a
> > hardware reset. I want to restrict user httpd to use no more than
> > 75% of CPU time. I read man limits(1) and man getrlimit(2), but they
> > only talk about limiting cputime in seconds, not percents. It
> > means that I can restrict the httpd process to run no more than 10
> > seconds, but in those 10 seconds it will have access to all the CPU
> > power of the computer, making administrative work quite impossible.
> > How can I add percent-based cputime restrictions for various users
> > and login classes?
>

This is tough to do reliably. The obvious reason being that any process
should be able to spike up to 100% once in a while (such as when there
is activity)..

You could, however, write a script of some sort to check the CPU usage
of a process every once in a while and, if it exceeds a certain
threshold, take appropriate action (such as if it's over 90% during 3
probes spaced 1 minute apart). I think the best way to do it would be
to check the CPU time every X seconds/minutes and if
(NEWCPUTIME - OLDCPUTIME) > LIMIT then take appropriate action. This
seems to be the safest way to monitor and destroy 'runaway' processes
and such.

Cheers,
-JD-

--
Jason DiCioccio - geniusj@bsd.st - PGP Key @ http://bsd.st/~geniusj/pgpkey.asc

From owner-freebsd-security Tue Sep 4 12:34: 6 2001
Date: Tue, 4 Sep 2001 12:28:20 -0700 (PDT)
From: Agemo Noraj
To: "Nickolay A.Kritsky"
Subject: Re: favorite love story movies. (gag)
In-Reply-To: <132.11b87b8.28c5f24a@aol.com>

On Tue, 4 Sep 2001 CASSIDY842@aol.com wrote:

> Hi, all.
> I have a webserver running on FreeBSD 3.3. One of the perl scripts
> located there has some bug that puts it into an infinite loop. This
> causes my webserver to stall, so that the only way to reboot is a
> hardware reset. I want to restrict user httpd to use no more than
> 75% of CPU time. I read man limits(1) and man getrlimit(2), but they
> only talk about limiting cputime in seconds, not percents. It
> means that I can restrict the httpd process to run no more than 10
> seconds, but in those 10 seconds it will have access to all the CPU
> power of the computer, making administrative work quite impossible.
> How can I add percent-based cputime restrictions for various users
> and login classes?
>
> Any help is very good.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/users-limiting.html

Jaron Omega
-_-_-_-_-_ id fuckdmca = [[dvdDecode alloc] init]; _-_-_-_-_-

From owner-freebsd-security Tue Sep 4 12:49:41 2001
Date: Tue, 4 Sep 2001 12:49:19 -0700 (PDT)
Message-Id: <200109041949.f84JnJs36681@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:59.rmuser
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:59                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          rmuser contains a race condition exposing /etc/master.passwd

Category:       core
Module:         rmuser
Announced:      2001-09-04
Credits:        dynamo@harvard.net
Affects:        FreeBSD 4.2-RELEASE, 4.3-RELEASE
                FreeBSD 4.3-STABLE prior to the correction date.
Corrected:      2001-07-28 12:10:15 UTC (4.3-STABLE)
                2001-09-04 07:46:57 UTC (RELENG_4_3)
FreeBSD only:   Yes

I.   Background

rmuser is a perl script used to completely remove users from a system.

II.  Problem Description

When removing a user from the system with the rmuser utility, the
/etc/master.passwd file and its corresponding database /etc/spwd.db
must be updated. The rmuser script was incorrectly doing this by
creating a new master.passwd file with an unsafe umask and then using
chmod to set its permissions to 0600. Between the time that the file
was created and the time that its permissions were changed, the file
is world-readable.

This is only a minor security vulnerability, since the rmuser command
is used only infrequently on most systems and the attack is highly
timing-dependent.

All versions of FreeBSD prior to the correction date, including
FreeBSD 4.3, contain this problem. The base system that will ship with
FreeBSD 4.4 does not contain this problem, since it was corrected prior
to the release.

III. Impact

For a brief amount of time while running rmuser, a world-readable copy
of /etc/master.passwd is available. A local attacker who reads this
file can extract password hashes from the copy of /etc/master.passwd.
This information could be used by attackers to escalate their
privileges, possibly yielding root privileges on the local system, by
mounting an offline dictionary attack in order to guess the plaintext
passwords of the accounts on the local system.

IV.  Workaround

Use the pw(8) utility to remove users instead of rmuser.

- "pw userdel <username>" will only remove the user from /etc/passwd,
  /etc/master.passwd and /etc/group
- "pw -r userdel <username>" will also remove the user's home directory

V.   Solution

1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3
security branch, dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to FreeBSD 4.2-RELEASE and
4.3-RELEASE. It may or may not apply to older, unsupported releases of
FreeBSD.

# cd /usr/src/usr.sbin/adduser
# patch -p < /path/to/patch
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process. This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient. If you use the upgrade package, feedback (positive or
negative) to security-officer@FreeBSD.org is requested so we can
improve the process for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-rmuser-01.59.tgz

VI.  CVS Revisions

The following $FreeBSD$ CVS revisions contain the fixes for this
vulnerability. The $FreeBSD$ revision of installed sources can be
examined using the ident(1) command. These revision IDs are not updated
by applying the patch referenced above.

[FreeBSD 4.3-STABLE]
Revision       Path
1.8.2.5        src/usr.sbin/rmuser.perl

[RELENG_4_3]
Revision       Path
1.8.2.2.2.1    src/usr.sbin/rmuser.perl

From owner-freebsd-security Tue Sep 4 12:51:10 2001
To: freebsd-security@freebsd.org
Subject: Re: Good practice for /tmp
In-Reply-To: Your message of Tue, 04 Sep 2001 11:42:45 PDT.
             <200109041842.f84Igj693873@earth.backplane.com>
Date: Tue, 04 Sep 2001 12:50:37 -0700
From: Eli Dart
Message-Id: <20010904195037.C7CF02B@usul.nersc.gov>

In reply to Matt Dillon:

>     'man tuning' (with a recent -stable). In it I talk about /tmp vs
>     /var/tmp and why it doesn't make sense to keep them separate any more.
>     And these days people generally do not rm -rf /tmp at boot either.

Using an mfs /tmp has the side effect of clearing /tmp at boot.

--eli

>
>                                         -Matt

From owner-freebsd-security Tue Sep 4 13:48: 2 2001
Date: Tue, 4 Sep 2001 16:47:42 -0400 (EDT)
From: Robert Watson
To: Garrett Wollman
Cc: Ruslan Ermilov, net@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Proposed change to route(4) sockets to make them available to non-superuser
In-Reply-To: <200108301820.f7UIKGZ66585@khavrinen.lcs.mit.edu>

On Thu, 30 Aug 2001, Garrett Wollman wrote:

> < said:
>
> > + if (rtm->rtm_type != RTM_GET && so->so_cred->cr_uid != 0)
> > + senderr(EACCES);
>
> I'm certain rwatson would object to this. suser_xxx() allows checking
> on the basis of credentials rather than a process, so that's what should
> be used. In any case, the correct error is EPERM, not EACCES.

There are a number of situations where it's desirable to authorize based on the current process, and others based on the current socket credential. So far, the only interesting case I know of for using process rather than socket credentials is wrt bind() and connect(), where you want to use the process credential when changing the port/address binding--this permits a privileged process to share a socket bound to a low port with an unprivileged process, and know that the unprivileged process can't rebind it to another low port number, but must use the one provided by the privileged process. Likewise, a concerning scenario is one where a socket is provided by a privileged process to an unprivileged process as its stdio on execve() -- you don't want the child process to be able to manipulate that socket in undesirable ways.

Generally, routing sockets aren't passed from process to process, and any process doing so should beware the consequences of poorly defined access control policies.
My suspicion is that this class of socket operations should be authorized using the credential of the current process, but I'd be interested to know what (if anything) other operating systems do to address this problem. Cached credentials in open files/sockets/etc introduce a lot of complication to the UNIX-like security model. I suppose the more conservative view would be that, with the exception of "traditional" file operations (read/write/close), all operations on devices, sockets, et al, should use current process credentials rather than cached credentials. I'm not sure I'm comfortable with that, since I haven't thought through all the cases, but it seems "safe".

Robert N M Watson                        FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org                 NAI Labs, Safeport Network Services

From owner-freebsd-security Tue Sep 4 14:50:16 2001
Date: Tue, 4 Sep 2001 23:49:58 +0200
From: Jochem Kossen
To: Matt Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Good practice for /tmp
Message-ID: <20010904234958.A487@jochem.dyndns.org>
References: <200109041105.f84B5dq06623@bsd.ist-ffo.de> <20010904200054.A37836@jochem.dyndns.org> <200109041842.f84Igj693873@earth.backplane.com>
In-Reply-To: <200109041842.f84Igj693873@earth.backplane.com>; from dillon@earth.backplane.com on Tue, Sep 04, 2001 at 11:42:45AM -0700

On Tue, Sep 04, 2001 at 11:42:45AM -0700, Matt Dillon wrote:
> 'man tuning' (with a recent -stable). In it I talk about /tmp vs
> /var/tmp and why it doesn't make sense to keep them separate any more.
> And these days people generally do not rm -rf /tmp at boot either.

Maybe in future releases, the /var/tmp directory/partition or the /tmp directory/partition could be removed? Unfortunately, according to the FHS they both need to exist...

One more thing, I haven't tried sysinstall for the 4.4-RC builds, but for 4.3-RELEASE, when you let sysinstall create the partitions automatically, it uses far too little space for the /var partition, including the /var/tmp directory. (When using a 5 GB slice, it uses only 20 or 60 MB for /var.) That should be changed, in my opinion...
Hmm... Now I'm beginning to wonder what this has to do with security ;)

Jochem

From owner-freebsd-security Tue Sep 4 14:52:12 2001
Message-ID: <3B954E5C.7558CDE6@allmaui.com>
Date: Tue, 04 Sep 2001 14:57:48 -0700
From: Craig Cowen
To: Eli Dart
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Good practice for /tmp
References: <20010904195037.C7CF02B@usul.nersc.gov>

Solaris mounts its swap on /tmp while FBSD does not make this available.
Why not use the Solaris way of doing things?

Eli Dart wrote:

> In reply to Matt Dillon :
>
> > 'man tuning' (with a recent -stable). In it I talk about /tmp vs
> > /var/tmp and why it doesn't make sense to keep them separate any more.
> > And these days people generally do not rm -rf /tmp at boot either.
>
> Using an mfs /tmp has the side effect of clearing /tmp at boot.
>
> --eli
>
> > -Matt

From owner-freebsd-security Tue Sep 4 15:07:08 2001
Date: Tue, 4 Sep 2001 15:07:02 -0700 (PDT)
From: Matt Dillon
Message-Id: <200109042207.f84M72T95653@earth.backplane.com>
To: Jochem Kossen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Good practice for /tmp
References: <200109041105.f84B5dq06623@bsd.ist-ffo.de> <20010904200054.A37836@jochem.dyndns.org> <200109041842.f84Igj693873@earth.backplane.com> <20010904234958.A487@jochem.dyndns.org>

:On Tue, Sep 04, 2001 at 11:42:45AM -0700, Matt Dillon wrote:
:> 'man tuning' (with a recent -stable). In it I talk about /tmp vs
:> /var/tmp and why it doesn't make sense to keep them separate any more.
:> And these days people generally do not rm -rf /tmp at boot either.
:
:Maybe in future releases, the /var/tmp directory/partition or the /tmp
:directory/partition could be removed? Unfortunately, according to the
:FHS they both need to exist...
:
:One more thing, I haven't tried sysinstall for the 4.4-RC builds, but
:for 4.3-RELEASE, when you let sysinstall create the partitions
:automatically, it uses way too less space for the /var partition
:including the /var/tmp directory. (When using a 5 GB slice, it uses only
:20 or 60 MB for /var). That should be changed is my opinion...
:
:Hmm...Now i'm beginning to wonder what this has to do with security ;)
:
:Jochem

    This was brought up a few months ago.  It can be fixed, but it's too
    close to release to make it into this release.
						-Matt

From owner-freebsd-security Tue Sep 4 15:18:29 2001
To: Craig Cowen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Good practice for /tmp
In-Reply-To: Message from Craig Cowen of "Tue, 04 Sep 2001 14:57:48 PDT." <3B954E5C.7558CDE6@allmaui.com>
Date: Tue, 04 Sep 2001 15:18:09 -0700
From: Eli Dart
Message-Id: <20010904221809.B57312B@usul.nersc.gov>

I don't know why FreeBSD doesn't do this (in other words, if this was a deliberate decision, I don't know what points were debated in coming to a decision), but I could see a problem where filling /tmp could run you out of swap. This is why I like /tmp on its own filesystem where it can't interfere with anything else.... I find that the features of an mfs /tmp (high performance, self-cleaning, isolated from other filesystems) match how I like to run my world.

--eli

In reply to Craig Cowen :

> Solaris mounts it's swap on /tmp while FBSD does not make this available.
> Why not use the Solaris way of doing things?
>
> Eli Dart wrote:
>
> > In reply to Matt Dillon :
> >
> > > 'man tuning' (with a recent -stable). In it I talk about /tmp vs
> > > /var/tmp and why it doesn't make sense to keep them separate any more.
> > > And these days people generally do not rm -rf /tmp at boot either.
> >
> > Using an mfs /tmp has the side effect of clearing /tmp at boot.
> >
> > --eli
> >
> > > -Matt
From owner-freebsd-security Tue Sep 4 17:29:38 2001
Message-ID: <002501c135a1$c65db000$6b00a8c0@BLACK>
From: "John Van Boxtel"
References: <20010904195037.C7CF02B@usul.nersc.gov> <3B954E5C.7558CDE6@allmaui.com>
Subject: Re: Good practice for /tmp
Date: Tue, 4 Sep 2001 17:29:07 -0700

I believe that FreeBSD traditionally mounts the swap as a completely different partition, usually b, like in da1b or da1s1b. This has the problem of resizing the swap amount easily, but it does keep you from having to worry about cleaning, or much of anything. I usually do 1.5x the amount of physical RAM and never have had to worry about it.

John

> Solaris mounts it's swap on /tmp while FBSD does not make this available.
> Why not use the Solaris way of doing things?
>
> Eli Dart wrote:
>
> > In reply to Matt Dillon :
> >
> > > 'man tuning' (with a recent -stable). In it I talk about /tmp vs
> > > /var/tmp and why it doesn't make sense to keep them separate any more.
> > > And these days people generally do not rm -rf /tmp at boot either.
> >
> > Using an mfs /tmp has the side effect of clearing /tmp at boot.
> >
> > --eli
> >
> > > -Matt

From owner-freebsd-security Tue Sep 4 17:57:11 2001
Message-ID: <3B95785E.9516FEB1@pointer-software.com>
Date: Wed, 05 Sep 2001 09:57:02 +0900
From: horio shoichi
Organization: pointer software
To: Anton Yudin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pop server
References: <200109040945.f849jdL30793@ib.com.ua>

Anton Yudin wrote:
>
> Hi
>
> Which pop3 server is the best for security reason ?
> OS - FreeBSD 4.4RC ...

Maybe kpop.

Really clue-free.

horio shoichi

From owner-freebsd-security Tue Sep 4 18:11:35 2001
Date: Tue, 4 Sep 2001 21:11:29 -0400 (EDT)
From: Matt Heckaman
To: horio shoichi
Cc: Anton Yudin,
Subject: Re: pop server
In-Reply-To: <3B95785E.9516FEB1@pointer-software.com>
Message-ID: <20010904211010.H14671-100000@epsilon.lucida.ca>

Just to throw in my two cents here. I LOVE using cucipop over here. It's a small lightweight pop3 server that's very secure. There have not been any problems with it for quite a long time. Its binary also weighs in at 26KB. It does lack some features, but it does everything I need it to do, so it is great for me. :) Check it out, it's in the ports tree.

Matt

On Tue, 4 Sep 2001, horio shoichi wrote:

: Anton Yudin wrote:
: >
: > Hi
: >
: > Which pop3 server is the best for security reason ?
: > OS - FreeBSD 4.4RC ...
:
: Maybe kpop.
:
: Really clue-free.

* Matt Heckaman - mailto:matt@LUCIDA.CA http://www.lucida.ca/gpg *
* GPG fingerprint - 53CA 8320 C8F6 32ED 9DDF 036E 3171 C093 4AD3 1364 *

The Universe is run by the complex interweaving of three elements:
energy, matter, and enlightened self-interest.
-- G'Kar, "Survivors"

From owner-freebsd-security Tue Sep 4 20:04:25 2001
Message-ID: <3B955DB9.C0B04845@mediaone.net>
Date: Tue, 04 Sep 2001 23:03:21 +0000
From: "The Marino's"
Reply-To: postroad@mediaone.net
To: Matt Heckaman
Cc: horio shoichi, Anton Yudin, freebsd-security@FreeBSD.ORG
Subject: Re: pop server
References: <20010904211010.H14671-100000@epsilon.lucida.ca>

What's wrong with qpopper?

Matt Heckaman wrote:

> Just to throw in my two cents here. I LOVE using cucipop over here. It's a
> small lightweight pop3 server that's very secure. There have not been any
> problems with it for quite a long time. Its binary also weighs in at 26KB.
> It does lack some features, but it does everything I need it to do, so it
> is great for me. :) Check it out, it's in the ports tree.
>
> Matt
>
> On Tue, 4 Sep 2001, horio shoichi wrote:
>
> : Anton Yudin wrote:
> : >
> : > Hi
> : >
> : > Which pop3 server is the best for security reason ?
> : > OS - FreeBSD 4.4RC ...
> :
> : Maybe kpop.
> :
> : Really clue-free.
>
> The Universe is run by the complex interweaving of three elements:
> energy, matter, and enlightened self-interest.
> -- G'Kar, "Survivors"

From owner-freebsd-security Tue Sep 4 21:09:38 2001
Date: Tue, 4 Sep 2001 23:09:33 -0500 (CDT)
From: Mike Silbersack
To: "Nickolay A.Kritsky"
Subject: Re: Need help with limits(1)
In-Reply-To: <48396009431.20010904114449@internethelp.ru>
Message-ID: <20010904230634.T7815-100000@achilles.silby.com>

On Tue, 4 Sep 2001, Nickolay A.Kritsky wrote:

> Hi, all.
> I have a webserver running on FreeBSD 3.3. One of the perl scripts
> located there has some bug, that puts him in the infinite loop. This
> causes my webserver to stall, so that the only way to reboot is
> hardware reset. I want to restrict user httpd to use no more than
> 75% of CPU time. I read man limits(1) and man getrlimit(2) but they

As someone else suggested in this thread, you're probably looking at the wrong problem. Using 100% of CPU should not stall the box. Instead, the problem is probably that your script is eating up all RAM and swap. Set memory limits to deal with it, or upgrade. AFAIK low memory deadlock prevention wasn't really perfected until recently. So, upgrading to 4.4 should also help the problem, and you should consider doing it (for many other reasons besides this, of course.)

Check into limiting memory consumption first, though.
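As an added example (not configuration from the thread or from Mike), a login.conf(5) class that applies the memory limits suggested above to the httpd user. The values are constructed; capability names are those of login.conf(5) on FreeBSD 4.x, and the availability of vmemoryuse on your release is an assumption to check against your own manual page.

```conf
# Added example, not from the thread: a login class for the httpd user that
# caps memory instead of CPU.  datasize and vmemoryuse (assumed available on
# your release) are hard limits enforced by the kernel; memoryuse is only a
# hint to the pager, so it will not stop a runaway script on its own.
httpd:\
	:cputime=unlimited:\
	:datasize-cur=48M:\
	:datasize-max=64M:\
	:stacksize=8M:\
	:memoryuse=48M:\
	:vmemoryuse=96M:\
	:maxproc=64:\
	:openfiles=512:\
	:tc=default:
```

After editing /etc/login.conf, rebuild the database with `cap_mkdb /etc/login.conf` and attach the class with `pw usermod httpd -L httpd`; because a daemon started from rc never passes through login, wrap its start with `limits -U httpd <command>` so the class limits are applied before the server runs.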
Mike "Silby" Silbersack

From owner-freebsd-security Tue Sep 4 21:09:50 2001
Date: Wed, 5 Sep 2001 00:09:45 -0400 (EDT)
From: project10
To: The Marino's
Cc: Matt Heckaman, horio shoichi, Anton Yudin,
Subject: Re: pop server
In-Reply-To: <3B955DB9.C0B04845@mediaone.net>
Message-ID: <20010905000821.U96748-100000@alpha.focalnetworks.net>

Qpopper has proven to be relatively insecure -- many vulnerabilities found over a large period of time. I was a customer of Matt's when he decided to switch to cucipop after (yet another) qpopper hole was discovered, and I use cucipop and teapop now. Both are good.

-Shawn

On Tue, 4 Sep 2001, The Marino's wrote:

> What's wrong with qpopper?
>
> Matt Heckaman wrote:
>
> > Just to throw in my two cents here. I LOVE using cucipop over here. It's a
> > small lightweight pop3 server that's very secure. There have not been any
> > problems with it for quite a long time. Its binary also weighs in at 26KB.
> > It does lack some features, but it does everything I need it to do, so it
> > is great for me. :) Check it out, it's in the ports tree.
> >
> > Matt
> >
> > On Tue, 4 Sep 2001, horio shoichi wrote:
> >
> > : Anton Yudin wrote:
> > : >
> > : > Hi
> > : >
> > : > Which pop3 server is the best for security reason ?
> > : > OS - FreeBSD 4.4RC ...
> > :
> > : Maybe kpop.
> > :
> > : Really clue-free.
> >
> > The Universe is run by the complex interweaving of three elements:
> > energy, matter, and enlightened self-interest.
> > -- G'Kar, "Survivors"

From owner-freebsd-security Tue Sep 4 23:37:47 2001
Date: Wed, 5 Sep 2001 10:40:03 +0300 (EAT)
From: semat
To: horio shoichi
Cc: Anton Yudin,
Subject: Re: pop server
In-Reply-To: <3B95785E.9516FEB1@pointer-software.com>
Message-ID: <20010905103705.I1154-100000@nemesis.eahd.or.ug>

> > Hi
> >
> > Which pop3 server is the best for security reason ?
> > OS - FreeBSD 4.4RC ...
>
> Maybe kpop.
>
> Really clue-free.

I thought he was talking about a pop3 SERVER? Not client!!!

I use qmail-pop3d, which also incidentally supports Maildir type deliveries.

Noah.

From owner-freebsd-security Wed Sep 5 01:01:56 2001
Date: Wed, 5 Sep 2001 11:00:53 +0300
From: Ruslan Ermilov
To: Robert Watson
Cc: Garrett Wollman, net@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Proposed change to route(4) sockets to make them available to non-superuser
Message-ID: <20010905110053.G96906@sunbay.com>
References: <200108301820.f7UIKGZ66585@khavrinen.lcs.mit.edu>
In-Reply-To: ; from rwatson@FreeBSD.ORG on Tue, Sep 04, 2001 at 04:47:42PM -0400

On Tue, Sep 04, 2001 at 04:47:42PM -0400, Robert Watson wrote:
>
> On Thu, 30 Aug 2001, Garrett Wollman wrote:
>
> > < said:
> >
> > > + if (rtm->rtm_type != RTM_GET && so->so_cred->cr_uid != 0)
> > > + senderr(EACCES);
> >
> > I'm certain rwatson would object to this. suser_xxx() allows checking
> > on the basis of credentials rather than a process, so that's what should
> > be used. In any case, the correct error is EPERM, not EACCES.
>
> There are a number of situations where it's desirable to authorize based
> on the current process, and others based on the current socket credential.
> So far, the only interesting case I know of for using process rather than
> socket credentials is wrt bind() and connect(), where you want to use the
> process credential when changing the port/address binding--this permits a
> privileged process to share a socket bound to a low port with an
> unprivileged process, and know that the unprivileged process can't rebind
> it to another low port number, but must use the one provided by the
> privileged process. Likewise, a concerning scenerio is one where a socket
> is provided by a privileged process to an unprivileged process as its
> stdio on execve() -- you don't want the child process to be able to
> manipulate that socket in undesirable ways.
> Definitely, we don't want it this way! > Generally, routing sockets aren't passed from process to process, and any > process doing so should beware the consequences of poorly defined access > control policies. My suspicion is that this class of socket operations > should be authorized using the credential of the current process, but I'd > be interested to know what (if anything) other operating systems do to > address this problem. > OpenBSD and NetBSD both authorize based on the curproc's privileges. Should I commit this? Index: rtsock.c =================================================================== RCS file: /home/ncvs/src/sys/net/rtsock.c,v retrieving revision 1.56 diff -u -p -r1.56 rtsock.c --- rtsock.c 2001/08/31 12:31:09 1.56 +++ rtsock.c 2001/09/05 07:58:47 @@ -331,8 +331,8 @@ route_output(m, so) * Verify that the caller has the appropriate privilege; RTM_GET * is the only operation the non-superuser is allowed. */ - if (rtm->rtm_type != RTM_GET && suser_xxx(so->so_cred, NULL, 0) != 0) - senderr(EPERM); + if (rtm->rtm_type != RTM_GET && (error = suser(curproc)) != 0) + senderr(error); switch (rtm->rtm_type) { Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 5 1:59:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 0A5EF37B403 for ; Wed, 5 Sep 2001 01:59:37 -0700 (PDT) Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id MAA83450; Wed, 5 Sep 2001 12:59:27 +0400 (MSD) Date: Wed, 5 Sep 2001 12:59:28 +0400 
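Review bot: before committing, confirm that the `error` in `(error = suser(curproc)) != 0` is the local that route_output() already declares and hands to `senderr()`; the hunk assigns to it without declaring it, and `senderr(error)` only propagates the right value if it is the function's existing error variable rather than a fresh or shadowed one. The substantive change is that authorization now follows the credentials of the process writing to the socket (`curproc`) instead of the socket's cached `so_cred`, which is the process-credential policy Robert argued for above and, per the reply, what OpenBSD and NetBSD do; that deserves a sentence in the commit message, since a routing socket handed from a privileged process to an unprivileged one is from now on checked against the unprivileged writer. The comment preceding the check ("RTM_GET is the only operation the non-superuser is allowed") still describes the behaviour accurately, so it needs no update.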
From: "Nickolay A.Kritsky"
Reply-To: "Nickolay A.Kritsky"
Message-ID: <178486777959.20010905125928@internethelp.ru>
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Need help with limits(1)
In-reply-To: <20010904230634.T7815-100000@achilles.silby.com>
References: <20010904230634.T7815-100000@achilles.silby.com>

Hello Mike,

Wednesday, September 05, 2001, 8:09:33 AM, you wrote:

MS> On Tue, 4 Sep 2001, Nickolay A.Kritsky wrote:

>> Hi, all.

MS> As someone else suggested in this thread, you're probably looking at the
MS> wrong problem. Using 100% of CPU should not stall the box. Instead, the
MS> problem is probably that your script is eating up all ram and swap. Set
MS> memory limits to deal with it, or upgrade. AFAIK low memory deadlock
MS> prevention wasn't really perfected until recently. So, upgrading to 4.4
MS> should also help the problem, and you should consider doing it (for many
MS> other reasons besides this, of course.)

MS> Check into limiting memory consumption first, though.

MS> Mike "Silby" Silbersack

It is an interesting theory and I will test it in the next few days.

2All: Thank you for your helpful replies and suggestions.
;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Wed Sep 5 3:51:49 2001
Date: Wed, 5 Sep 2001 12:52:02 +0200
From: "Karsten W. Rohrbach"
To: Anton Yudin, freebsd-security@FreeBSD.ORG
Subject: Re: pop server
Message-ID: <20010905125202.B91205@mail.webmonster.de>
References: <200109040945.f849jdL30793@ib.com.ua> <3B95785E.9516FEB1@pointer-software.com>
In-Reply-To: <3B95785E.9516FEB1@pointer-software.com>; from horio@pointer-software.com on Wed, Sep 05, 2001 at 09:57:02AM +0900

horio shoichi(horio@pointer-software.com)@2001.09.05 09:57:02 +0000:
> Anton Yudin wrote:
> >
> > Hi
> >
> > Which pop3 server is the best for security reason ?
> > OS - FreeBSD 4.4RC ...
>
> Maybe kpop.
>
> Really clue-free.

qmail-pop3d / qmail-popup / checkpassword have proven to be a very
performant and secure choice at the sites where I maintain the mail servers.
It is Maildir/ only, but this should not be much of a problem if you use
qmail or postfix.

/k
--
> Blessed are the meek for they shall inhibit the earth.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Wed Sep 5 3:53:32 2001
Date: Wed, 5 Sep 2001 12:53:15 +0200 (SAST)
From: Justin Stanford
To: freebsd-security@freebsd.org
Subject: Re: pop server
In-Reply-To: <20010905125202.B91205@mail.webmonster.de>

Anyone taken a look at solid-pop3d amidst all this flurry? ;-)

/jus

--
Justin Stanford
Internet/Network Security & Solutions Consultant
4D Digital Security
http://www.4dds.co.za
Cell: (082) 7402741
E-Mail: jus@security.za.net
PGP Key: http://www.security.za.net/jus-pgp-key.txt

On Wed, 5 Sep 2001, Karsten W. Rohrbach wrote:

> horio shoichi(horio@pointer-software.com)@2001.09.05 09:57:02 +0000:
> > Anton Yudin wrote:
> > >
> > > Hi
> > >
> > > Which pop3 server is the best for security reason ?
> > > OS - FreeBSD 4.4RC ...
> >
> > Maybe kpop.
> >
> > Really clue-free.
>
> qmail-pop3d / qmail-popup / checkpassword have proven to be a very
> performant and secure choice at the sites i maintain the mail servers.
> it is Maildir/ only, but this should not be much of a problem if you use
> qmail or postfix.
>
> /k
>
> --
> > Blessed are the meek for they shall inhibit the earth.
> KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
> http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
> karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
> GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
> Please do not remove my address from To: and Cc: fields in mailing lists.
> 10x
>

From owner-freebsd-security Wed Sep 5 8:44:16 2001
Date: Wed, 5 Sep 2001 18:43:59 +0300
From: Ruslan Ermilov
To: security@FreeBSD.org
Cc: audit@FreeBSD.org
Subject: Re: dropping ``setgid tty'' in dump(8)
Message-ID: <20010905184359.X96906@sunbay.com>
References: <20010903201909.C29616@sunbay.com>
In-Reply-To: <20010903201909.C29616@sunbay.com>; from ru@FreeBSD.org on Mon, Sep 03, 2001 at 08:19:09PM +0300

This and that patch have been committed.

On Mon, Sep 03, 2001 at 08:19:09PM +0300, Ruslan Ermilov wrote:
> Hi!
>
> The attached patch replaces the ``wall -g'' functionality built
> into dump(8) directly with the call to wall(1), thus making it
> possible to drop the ``setgid tty'' privilege.
>
> The DIALUP check was weak, and was also removed.
>
> The patch is based on the OpenBSD's work.
>
>
> I've posted another message to the -audit that makes ``wall -g''
> really work.
>
--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Wed Sep 5 9:30:41 2001
Date: Wed, 5 Sep 2001 16:30:07 +0000
From: Kevin Way
To: Matt Dillon
Subject: Re: Good practice for /tmp
Message-ID: <20010905163007.A50585@bean.overtone.org>
References: <200109041105.f84B5dq06623@bsd.ist-ffo.de> <20010904200054.A37836@jochem.dyndns.org> <200109041842.f84Igj693873@earth.backplane.com>
In-Reply-To: <200109041842.f84Igj693873@earth.backplane.com>; from dillon@earth.backplane.com on Tue, Sep 04, 2001 at 11:42:45AM -0700

> And these days people generally do not rm -rf /tmp at boot either.

Unless they're using md/mfs, in which case they probably do clear /tmp on
reboot.

Kevin Way

From owner-freebsd-security Wed Sep 5 9:47:23 2001
Date: Wed, 5 Sep 2001 12:47:16 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200109051647.f85GlGY44472@khavrinen.lcs.mit.edu>
To: Robert Watson
Cc: net@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Proposed change to route(4) sockets to make them available to non-superuser
References: <200108301820.f7UIKGZ66585@khavrinen.lcs.mit.edu>

< said:

> There are a number of situations where it's desirable to authorize based
> on the current process, and others based on the current socket credential.

I would argue that any file descriptor is, in and of itself, a (somewhat
limited form of) credential. Presumably the 4.3BSD developers thought so
as well, since they called the file-descriptor-passing mechanism in
Unix-domain sockets SCM_RIGHTS and not SCM_PASSFDS or something similar.

> Likewise, a concerning scenario is one where a socket is provided by
> a privileged process to an unprivileged process as its stdio on
> execve() -- you don't want the child process to be able to
> manipulate that socket in undesirable ways.

Indeed. My general objection is not to using the caller's credentials --
although I think the whole issue with cached credentials needs to be
rethought -- but to the reintroduction of references to `curproc', which
I spent a good deal of time several years ago stamping out.

> I suppose the more conservative view would be that, with the
> exception of "traditional" file operations (read/write/close), all
> operations on devices, sockets, et al, should use current process
> credentials rather than cached credentials.

An alternative model would be to explicitly associate privilege with file
descriptors, and provide some mechanism to explicitly downgrade a
descriptor's associated privilege. We actually did this: I introduced a
socket option which, when set, would clear the SS_PRIV flag on the socket.
Eventually this was forgone in favor of a true credential check in the
places where SS_PRIV was formerly used.

-GAWollman

From owner-freebsd-security Wed Sep 5 11:02:05 2001
Date: Wed, 5 Sep 2001 18:41:24 +0300
From: Giorgos Keramidas
To: "The Marino's"
Cc: Matt Heckaman, horio shoichi, Anton Yudin, freebsd-security@freebsd.org
Subject: Re: pop server
Message-ID: <20010905184124.B1095@hades.hell.gr>
References: <20010904211010.H14671-100000@epsilon.lucida.ca> <3B955DB9.C0B04845@mediaone.net>
In-Reply-To: <3B955DB9.C0B04845@mediaone.net>; from postroad@mediaone.net on Tue, Sep 04, 2001 at 11:03:21PM +0000
From: The Marino's
Subject: Re: pop server
Date: Tue, Sep 04, 2001 at 11:03:21PM +0000

> What's wrong with qpopper?

The fact that it's relatively insecure. I've seen one too many security
announcements for qpopper.

-giorgos

From owner-freebsd-security Wed Sep 5 11:02:14 2001
Date: Wed, 5 Sep 2001 18:39:20 +0300
From: Giorgos Keramidas
To: Jochem Kossen
Cc: Matt Dillon, freebsd-security@FreeBSD.ORG
Subject: Re: Good practice for /tmp
Message-ID: <20010905183920.A1095@hades.hell.gr>
References: <200109041105.f84B5dq06623@bsd.ist-ffo.de> <20010904200054.A37836@jochem.dyndns.org> <200109041842.f84Igj693873@earth.backplane.com> <20010904234958.A487@jochem.dyndns.org>
In-Reply-To: <20010904234958.A487@jochem.dyndns.org>; from j.kossen@home.nl on Tue, Sep 04, 2001 at 11:49:58PM +0200
From: Jochem Kossen
Subject: Re: Good practice for /tmp
Date: Tue, Sep 04, 2001 at 11:49:58PM +0200

> On Tue, Sep 04, 2001 at 11:42:45AM -0700, Matt Dillon wrote:
> > 'man tuning' (with a recent -stable). In it I talk about /tmp vs
> > /var/tmp and why it doesn't make sense to keep them separate any more.
> > And these days people generally do not rm -rf /tmp at boot either.
>
> Maybe in future releases, the /var/tmp directory/partition or the /tmp
> directory/partition could be removed? Unfortunately, according to the
> FHS they both need to exist... Then, they can not be removed.

Not until the FHS allows it :-)

They will either be removed, or changes incompatible with the FHS will be
avoided at all costs. One of the beautiful things of FreeBSD is the
well-known and standard places where things are. It is very nice to know
what to expect and where to find it. I think that breaking this is a
terrible idea.

-giorgos

From owner-freebsd-security Wed Sep 5 11:02:40 2001
Date: Wed, 5 Sep 2001 18:30:15 +0300
From: Giorgos Keramidas
To: Eli Dart
Cc: Craig Cowen, freebsd-security@freebsd.org
Subject: Re: Good practice for /tmp
Message-ID: <20010905183015.A824@hades.hell.gr>
References: <20010904221809.B57312B@usul.nersc.gov>
In-Reply-To: <20010904221809.B57312B@usul.nersc.gov>; from dart@nersc.gov on Tue, Sep 04, 2001 at 03:18:09PM -0700
From: Eli Dart
Subject: Re: Good practice for /tmp
Date: Tue, Sep 04, 2001 at 03:18:09PM -0700

> In reply to Craig Cowen :
> > Solaris mounts its swap on /tmp while FBSD does not make this available.
> > Why not use the Solaris way of doing things?
>
> I don't know why FreeBSD doesn't do this (in other words, if this was
> a deliberate decision, I don't know what points were debated in
> coming to a decision), but I could see a problem where filling /tmp
> could run you out of swap.

Mount /tmp then as MFS with a limited size. Works nicely, for me.

This is not very different from having to make a special partition of
fixed size just to keep /tmp from filling /. There is an important
difference, though. The size of the MFS /tmp is easy to change by
modifying /etc/fstab; it's a much better way to use this than creating a
fixed partition (which is admittedly much harder to resize).

-giorgos

From owner-freebsd-security Wed Sep 5 14:37:01 2001
From: Laurence Brockman
To: security@freebsd.org
Subject: RE: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Wed, 5 Sep 2001 15:41:02 -0600

> -----Original Message-----
> From: Chris BeHanna [mailto:behanna@zbzoom.net]
> Sent: Friday, August 31, 2001 10:08 PM
> To: security@freebsd.org
> Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
>
> If your machine is attached to a cable modem, then there are 253
> other hosts in your neighborhood who can very easily sniff
> your traffic.

This is wrong in all but the worst Cable Modem Provider cases. Most modems
communicate directly with the cable routers and do not broadcast ANY
traffic but the broadcast traffic (ARPs, etc). You could sniff the RF on
all of the modems on your node, but this should all be encrypted anyway
(at least the Cable provider I work for does this, as well as most others
that I know of). So, if your Cable provider is not filtering traffic, etc.,
then I'd have a talk with them. It's very easy nowadays to implement
filters on the cable modem (including the dropping of spoofed packets to
prevent things like SMURFs, etc).

> If you're trying to open ports remotely, then your key traffic is
> going over the internet. Do a traceroute between the host you're
> using and the host you're trying to manage, and ponder someone
> sniffing along any of those hops.
>
> Although this is unlikely for the casual user, it becomes more
> likely if the remote host is a corporate-owned machine in a highly
> competitive area of industry.
>
> --
> Chris BeHanna
> Software Engineer (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> I was raised by a pack of wild corn dogs.
>

From owner-freebsd-security Wed Sep 5 22:55:19 2001
Message-ID: <3B970FB4.26EC7DC6@pointer-software.com>
Date: Thu, 06 Sep 2001 14:55:00 +0900
From: horio shoichi
Organization: pointer software
To: semat
Cc: Anton Yudin, freebsd-security@FreeBSD.ORG
Subject: Re: pop server
References: <20010905103705.I1154-100000@nemesis.eahd.or.ug>

semat wrote:
>
> > > Hi
> > >
> > > Which pop3 server is the best for security reason ?
> > > OS - FreeBSD 4.4RC ...
> >
> > Maybe kpop.
> >
> > Really clue-free.
>
> I thought he was talking about a pop3 SERVER? not client!!!
>
> I use qmail-pop3d which also incidentally supports Maildir type
> deliveries.
>
> Noah.

It's kerberized pop3 which runs on port 1109. As for client, kerberized
movemail, fetchmail, and push are available.

horio shoichi

From owner-freebsd-security Thu Sep 6 1:51:08 2001
Date: Thu, 6 Sep 2001 09:49:31 +0100
From: Ceri
To: Giorgos Keramidas
Cc: Eli Dart, Craig Cowen, freebsd-security@freebsd.org
Subject: Re: Good practice for /tmp
Message-ID: <20010906094931.B30676@cartman.private.techsupport.co.uk>
References: <20010904221809.B57312B@usul.nersc.gov> <20010905183015.A824@hades.hell.gr>
In-Reply-To: <20010905183015.A824@hades.hell.gr>; from charon@labs.gr on Wed, Sep 05, 2001 at 06:30:15PM +0300

On Wed, Sep 05, 2001 at 06:30:15PM +0300, Giorgos Keramidas said:
> From: Eli Dart
> Subject: Re: Good practice for /tmp
> Date: Tue, Sep 04, 2001 at 03:18:09PM -0700
>
> > In reply to Craig Cowen :
> > > Solaris mounts its swap on /tmp while FBSD does not make this available.
> > > Why not use the Solaris way of doing things?
> >
> > I don't know why FreeBSD doesn't do this (in other words, if this was
> > a deliberate decision, I don't know what points were debated in
> > coming to a decision), but I could see a problem where filling /tmp
> > could run you out of swap.
>
> Mount /tmp then as MFS with a limited size. Works nicely, for me.

**boggle**

Swap mounted on an MFS /tmp ??

**shudder**

Ceri

--
Aren't we supposed to hate Darth Maul? Then why doesn't he do anything
more evil than defeat one of his opponents in a 2-on-1 fight?
--Jon Hall, rec.arts.tv.mst3k.misc

From owner-freebsd-security Thu Sep 6 2:12:19 2001
Date: Thu, 6 Sep 2001 05:12:07 -0400
From: Andrew J Caines
To: freebsd-security@freebsd.org
Subject: Re: Good practice for /tmp
Message-ID: <20010906051207.O55388@hal9000.servehttp.com>
References: <20010904221809.B57312B@usul.nersc.gov> <20010905183015.A824@hades.hell.gr> <20010906094931.B30676@cartman.private.techsupport.co.uk>
In-Reply-To: <20010906094931.B30676@cartman.private.techsupport.co.uk>; from ceri@techsupport.co.uk on Thu, Sep 06, 2001 at 09:49:31AM +0100
Organization: H.A.L. Plant

Ceri,
> > From: Eli Dart
> > Mount /tmp then as MFS with a limited size. Works nicely, for me.
>
> **boggle**

Not at all boggling. It's as simple as possible.

/dev/ad0s1b /tmp mfs rw,async,noatime,-s=32768 0 0

> Swap mounted on an MFS /tmp ??
>
> **shudder**

No, that's the noise you hear when your program is trying to do fast small
I/O on your disk. With an mfs, it's more a smooth hum.

Working on the well-established premise that /tmp is for small,
short-lived, non-persistent files with fast I/O and that /var/tmp (which
at times and places used to sometimes be /usr/tmp) is for a shared
persistent storage area for temporary files, /tmp on mfs/md and /var/tmp
on disk works perfectly. Solaris does this by default, although it
foolishly makes the whole VM available for storage for all users. FreeBSD
errs on the side of simple conservatism out-of-the-box while allowing a
bucketful of features.

What makes you uncomfortable?

-Andrew-
--
 ______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@halplant.com |

From owner-freebsd-security Thu Sep 6 2:43:46 2001
Date: Thu, 6 Sep 2001 10:43:59 +0100
From: Ceri
To: Andrew J Caines
Cc: freebsd-security@freebsd.org
Subject: Re: Good practice for /tmp
Message-ID: <20010906104359.E30676@cartman.private.techsupport.co.uk>
References: <20010904221809.B57312B@usul.nersc.gov> <20010905183015.A824@hades.hell.gr> <20010906094931.B30676@cartman.private.techsupport.co.uk> <20010906051207.O55388@hal9000.servehttp.com>
In-Reply-To: <20010906051207.O55388@hal9000.servehttp.com>; from A.J.Caines@halplant.com on Thu, Sep 06, 2001 at 05:12:07AM -0400

On Thu, Sep 06, 2001 at 05:12:07AM -0400, Andrew J Caines said:
> Ceri,
>
> > > From: Eli Dart
> > > Mount /tmp then as MFS with a limited size. Works nicely, for me.
> >
> > **boggle**
>
> Not at all boggling. It's as simple as possible.
>
> /dev/ad0s1b /tmp mfs rw,async,noatime,-s=32768 0 0
>
> > Swap mounted on an MFS /tmp ??
> >
> > **shudder**
>
> What makes you uncomfortable?

In the lines you quoted? Nothing.

Having my swap partition mounted on a memory file system makes me
uncomfortable, which is why I quoted those parts of the previous posts.

Ceri

--
We've tried this God stuff long enough. It's time for a change.

From owner-freebsd-security Thu Sep 6 2:57:16 2001
Date: Thu, 6 Sep 2001 05:57:08 -0400
From: Andrew J Caines
To: freebsd-security@freebsd.org
Subject: Re: Good practice for /tmp
Message-ID: <20010906055708.P55388@hal9000.servehttp.com>
References: <20010904221809.B57312B@usul.nersc.gov> <20010905183015.A824@hades.hell.gr> <20010906094931.B30676@cartman.private.techsupport.co.uk> <20010906051207.O55388@hal9000.servehttp.com> <20010906104359.E30676@cartman.private.techsupport.co.uk>
In-Reply-To: <20010906104359.E30676@cartman.private.techsupport.co.uk>; from ceri@techsupport.co.uk on Thu, Sep 06, 2001 at 10:43:59AM +0100
Organization: H.A.L. Plant

Ceri,

This doesn't obviously have a security angle, so feel free to take it to
-questions (with CC, please).

> > What makes you uncomfortable?
> In the lines you quoted ? Nothing.

Ok.

> Having my swap partition mounted on a memory file system makes me
> uncomfortable

I think it's a bit misleading to say that the "swap partition" is mounted.
I think it more accurate to say that the storage device which backs this
filesystem is the system's VM. The filesystem simply provides the
semantics for the I/O.

What about this makes you uncomfortable?

-Andrew-
--
 ______________________________________________________________________
| -Andrew J.
Caines- Unix Systems Engineer A.J.Caines@halplant.com | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 6 6:12:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155]) by hub.freebsd.org (Postfix) with ESMTP id 0CC0337B401 for ; Thu, 6 Sep 2001 06:12:22 -0700 (PDT) Received: from win ([61.144.144.199]) (authenticated) by www.suntop-cn.com (8.11.3/8.11.3) with ESMTP id f86DCEh07625 for ; Thu, 6 Sep 2001 21:12:19 +0800 (CST) (envelope-from slack@suntop-cn.com) Message-ID: <015701c136d5$91352e00$9201a8c0@home.net> 
From: "edwin chan"
To:
Subject: when mail full /tmp partition, system cracked
Date: Thu, 6 Sep 2001 21:12:16 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Yesterday, one of our staff was attacked by the "sircam" virus (worm); his computer sent many, many mails to all of us. So many evil mails filled the file system partition (/var). Our mail server died. We could just ping the box, but telnet, ssh, web, mysql etc. all died; no one could log in or do anything on the box. Finally, we rebooted the box. We found these messages in the log:

Sep 5 21:00:33 www /kernel: swap_pager: out of swap space
Sep 5 21:00:33 www /kernel: swap_pager_getswapspace: failed

We know logs/mails/mysql data are stored in the /var partition. Which process crashed the box? Or can just filling /var crash my box?

edwin chen

From owner-freebsd-security Thu Sep 6 6:48:01 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id BBFF837B401 for ; Thu, 6 Sep 2001 06:47:55 -0700 (PDT)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id KAA97368; Thu, 6 Sep 2001 10:45:47 -0300 (ART)
X-Authentication-Warning: ns1.via-net-works.net.ar: fpscha set sender to fschapachnik@vianetworks.com.ar using -f
Date: Thu, 6 Sep 2001 10:45:47 -0300
From: Fernando Schapachnik
To: edwin chan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: when mail full /tmp partition, system cracked
Message-ID: <20010906104547.C56598@ns1.via-net-works.net.ar>
References: <015701c136d5$91352e00$9201a8c0@home.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <015701c136d5$91352e00$9201a8c0@home.net>; from slack@suntop-cn.com on Thu, Sep 06, 2001 at 09:12:16PM +0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In an earlier message, edwin chan wrote:
> we found the messages in log:
>
> Sep 5 21:00:33 www /kernel: swap_pager: out of swap space
> Sep 5 21:00:33 www /kernel: swap_pager_getswapspace: failed

What might have happened is that the great amount of email forked a great amount of processes which in turn ate all available memory and swap. Your machine ran out of swap. Either increase it (look at the FAQ & handbook for instructions) or add more memory. Or impose resource limits (can do it via login.conf and/or sendmail.cf -MaxDaemonChildren, RefuseLA, etc.-).

Regards.

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Thu Sep 6 7:03:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id 6FFD737B401 for ; Thu, 6 Sep 2001 07:03:26 -0700 (PDT)
Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id JAA27038 for ; Thu, 6 Sep 2001 09:03:21 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma027032; Thu, 6 Sep 01 09:02:57 -0500
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA25866 for ; Thu, 6 Sep 2001 09:02:57 -0500 (CDT)
Message-ID: <3B978211.EB11940E@centtech.com>
Date: Thu, 06 Sep 2001 09:02:57 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Racoon IPSEC issues
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Ok, I have been setting up VPNs using IPSEC tunnel mode (ESP) with Racoon on FreeBSD 4.2 for some time now. I have 4 currently running just fine, and the 3 newest VPNs don't work. It appears as though the Racoons aren't talking to each other correctly. I have 1 VPN "server" that all the clients connect to, and the clients are small machines running from compact flash cards (a stripped down 30Mb freebsd 4.2 setup). I use the GIF interfaces to connect the VPNs together. gif0,1,3,4 are connected to VPNs that are up and running. Not that the gifs have anything to do with it, just extra info.

Is there something I'm missing? I have tried configuring the non-working boxes just like the working ones, etc. I'm out of ideas!

Here are some blurbs from my logs on the vpn "server" box:

2001-09-06 08:51:55: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
2001-09-06 08:51:55: ERROR: proposal.c:951:set_proposal_from_policy(): not supported nested SA. Ignore.
2001-09-06 08:51:55: ERROR: proposal.c:999:set_proposal_from_policy(): There is a difference between the in/out bound policies.
2001-09-06 08:51:55: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed to create saprop.
2001-09-06 08:51:55: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed to get proposal for responder.
2001-09-06 08:51:55: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to pre-process packet.
2001-09-06 08:52:00: INFO: isakmp.c:1618:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2001-09-06 08:52:19: INFO: isakmp.c:854:isakmp_ph1begin_r(): responde new phase 1 negotiation: xx.yy.zz.60[500]<=>xx.yy.zz.128[500]
2001-09-06 08:52:19: INFO: isakmp.c:859:isakmp_ph1begin_r(): begin Aggressive mode.
2001-09-06 08:52:20: INFO: isakmp.c:2313:log_ph1established(): ISAKMP-SA established xx.yy.zz.60[500]-xx.yy.zz.128[500] spi:9c0e0730a89724fc:34e869a34c12cf49
2001-09-06 08:52:21: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
2001-09-06 08:52:21: ERROR: proposal.c:951:set_proposal_from_policy(): not supported nested SA. Ignore.
2001-09-06 08:52:21: ERROR: proposal.c:999:set_proposal_from_policy(): There is a difference between the in/out bound policies.
2001-09-06 08:52:21: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed to create saprop.
2001-09-06 08:52:21: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed to get proposal for responder.
2001-09-06 08:52:21: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to pre-process packet.
2001-09-06 08:52:32: INFO: isakmp.c:1618:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2001-09-06 08:52:32: ERROR: isakmp.c:1676:isakmp_chkph1there(): phase1 negotiation failed due to time up.
2001-09-06 08:52:32: INFO: isakmp.c:1678:isakmp_chkph1there(): delete phase 2 handler.

Help please!

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------

From owner-freebsd-security Thu Sep 6 7:34:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imo-m05.mx.aol.com (imo-m05.mx.aol.com [64.12.136.8]) by hub.freebsd.org (Postfix) with ESMTP id 9EDBC37B403 for ; Thu, 6 Sep 2001 07:34:16 -0700 (PDT)
Received: from pichita3@netscape.net by imo-m05.mx.aol.com (mail_out_v31_r1.4.) id n.2c.1f07a7e (16242) for ; Thu, 6 Sep 2001 10:34:12 -0400 (EDT)
Received: from netscape.com (mow-d02.webmail.aol.com [205.188.138.66]) by air-in03.mx.aol.com (v80.17) with ESMTP id MAILININ36-0906103412; Thu, 06 Sep 2001 10:34:12 -0400
Date: Thu, 06 Sep 2001 10:34:12 -0400
From: pichita3@netscape.net (Fernan Aguero)
To: security@freebsd.org
Subject: some weird stuff found
Message-ID: <08705D38.78FF6AC2.00A48379@netscape.net>
X-Mailer: Atlas Mailer 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In the last few days I started noticing strange things. Some of them I do not understand and perhaps are normal things (such as being scanned) and others may be more critical. I appreciate any help and insight you can give me.

I am running FreeBSD-4.3.0p15 (RELENG_4_3).

1 - I have been receiving some messages at the console that I would like to understand better:

arp: unknown hardware address format (0x0800)

Lately I have many of these messages per day. What could be causing this?

2 - I also notice this in /var/log/messages

Sep 6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y
Sep 6 06:00:35 iib005 /kernel: -^PM-^PM-^P

The messages in the console appear a little different, with a lot of gibberish after sm_stat: and /kernel:

3 - If I run 'nmap -v localhost' I can see a few ports open (The 1536 ports scanned but not shown below are in state: closed)

Port     State  Service
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
111/tcp  open   sunrpc
515/tcp  open   printer
548/tcp  open   afpovertcp
587/tcp  open   submission
1020/tcp open   unknown
1021/tcp open   unknown
2049/tcp open   nfs
5432/tcp open   postgres
6000/tcp open   X11

What services run on 1020 and 1021? I am not aware of having enabled those, and they do not appear in /etc/services.

And relating to this, do I need sendmail listening on 25 and 587 if I only need to send mail to a smart host?

Also: I need to print to a network printer but I'm not a print server. Do I need 515 open?

How do I close those ports (25,587,515)?

And last, I am running xdm but I only allowed connections from localhost. Is this in any way related to X11 being on port 6000? (/etc/services shows xdm on port 177)

4 - I normally run tripwire each night on the system and I never noticed anything strange. But every time I update my system (cvsup, make world) I have to go over lots of new files that I need to tell tripwire to update. The last time I did this I noticed a strange thing under /bin:

-r-xr-xr-x 2 root wheel 50868 Sep 3 13:27 /bin/[

I haven't tried to run it, though I ran 'strings /bin/[' on it. The output is a little bit long to be posted (ask me if you need it) but following are a few lines:

$FreeBSD: src/lib/libc/i386/string/rindex.S,v 1.5 1999/08/27 23:59:32 peter Exp $
$FreeBSD: src/lib/libc/i386/string/strcmp.S,v 1.5 1999/08/27 23:59:33 peter Exp $
$FreeBSD: src/lib/libc/i386/string/memchr.S,v 1.8 1999/08/27 23:59:31 peter Exp $
$NetBSD: bcopy.S,v 1.6 1996/11/12 00:50:06 jtc Exp $
$FreeBSD: src/lib/libc/i386/string/memset.S,v 1.5 1999/08/27 23:59:32 peter Exp $
$NetBSD: bcopy.S,v 1.6 1996/11/12 00:50:06 jtc Exp $
$FreeBSD: src/lib/libc/i386/sys/brk.S,v 1.7 1999/08/27 23:59:38 peter Exp $
...

Is this a normal binary? Perhaps it is and I just missed it before.

Thanks in advance for suggestions and tips.

pichita

__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with Shop@Netscape! http://shopnow.netscape.com/
Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

From owner-freebsd-security Thu Sep 6 7:38:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 6FF8237B403 for ; Thu, 6 Sep 2001 07:38:09 -0700 (PDT)
Received: from cairo.anu.edu.au (localhost [127.0.0.1]) by cairo.anu.edu.au (8.12.0.Beta16/8.12.0.Beta16) with ESMTP id f86Ec3r7020427; Fri, 7 Sep 2001 00:38:03 +1000 (EST)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.12.0.Beta16/8.12.0.Beta16) id f86Ec2Mq020422; Fri, 7 Sep 2001 00:38:02 +1000 (EST)
From: Darren Reed
Message-Id: <200109061438.f86Ec2Mq020422@cairo.anu.edu.au>
Subject: Re: Racoon IPSEC issues
To: anderson@centtech.com
Date: Fri, 7 Sep 2001 00:38:02 +1000 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3B978211.EB11940E@centtech.com> from "Eric Anderson" at Sep 06, 2001 09:02:57 AM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In some mail from Eric Anderson, sie said:
[...]
> 2001-09-06 08:51:55: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde
> new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
> 2001-09-06 08:51:55: ERROR: proposal.c:951:set_proposal_from_policy():
> not supported nested SA. Ignore.
> 2001-09-06 08:51:55: ERROR: proposal.c:999:set_proposal_from_policy():
> There is a difference between the in/out bound policies.

Those last messages might give you a hint. What does your racoon.conf & setkey's look like for the tunnels which do work and those that don't?

Darren

From owner-freebsd-security Thu Sep 6 7:53:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id AACBC37B405 for ; Thu, 6 Sep 2001 07:53:46 -0700 (PDT)
Received: by peitho.fxp.org (Postfix, from userid 1501) id B67801361D; Thu, 6 Sep 2001 10:53:45 -0400 (EDT)
Date: Thu, 6 Sep 2001 10:53:45 -0400
From: Chris Faulhaber
To: Fernan Aguero
Cc: security@freebsd.org
Subject: Re: some weird stuff found
Message-ID: <20010906105345.A8026@peitho.fxp.org>
References: <08705D38.78FF6AC2.00A48379@netscape.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vkogqOf2sHV7VnPd"
Content-Disposition: inline
In-Reply-To: <08705D38.78FF6AC2.00A48379@netscape.net>
User-Agent: Mutt/1.3.20i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Sep 06, 2001 at 10:34:12AM -0400, Fernan Aguero wrote:
> In the last few days I started noticing strange things. Some of them
> I do not understand and perhaps are normal things (such as being scanned)
> and others may be more critical.
> I appreciate any help and insight you can give me.
>
> I am running FreeBSD-4.3.0p15 (RELENG_4_3).
>
> 1 - I have been receiving some messages at the console that I would like
> to understand better:
> arp: unknown hardware address format (0x0800)
>
> Lately I have many of these messages per day. What could be
> causing this?
>

This is a FAQ. Basically a machine on your network is sending out invalid arps. Search the mailing list archives for details.

> 2 - I also notice this in /var/log/messages
> Sep 6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat:
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y
> Sep 6 06:00:35 iib005 /kernel: -^PM-^PM-^P
>
> The messages in the console appear a little different, with a lot
> of gibberish after sm_stat: and /kernel:
>

Probably a Linux or Solaris rpc attack/exploit. Doesn't affect FreeBSD machines (except for annoying log entries).

> 3 - If I run 'nmap -v localhost' I can see a few ports open
*snip*
> What services run on 1020 and 1021? I am not aware of having enabled
> those, and they do not appear in /etc/services.
>

Run sockstat (or lsof, etc) to see what is bound to those ports.

> And relating to this, do i need sendmail listening on 25 and 587 if
> I only need to send mail to a smart host?

You can probably just use -q30m for sendmail flags if you are not accepting email, which will not open listening sockets.

> Also: I need to print to a network printer but I'm not a print server.
> Do I need 515 open?

Nope. See the lpd(8) man page (-p option).

> How do I close those ports (25,587,515)?

First see what programs are bound to those ports (see above).
25 == telnetd (run from inetd)
515 == lpd (see above)

> And last, I am running xdm but I only allowed connections from
> localhost. Is this in any way related to X11 being on port 6000?
> (/etc/services shows xdm on port 177)
>

Probably. 6000 range of ports are usually X listening.

> 4 - I normally run tripwire each night on the system and I never noticed
> anything strange. But every time I update my system (cvsup, make world)
> I have to go over lots of new files that I need to tell tripwire to
> update.
> The last time I did this I noticed a strange thing under /bin:
> -r-xr-xr-x 2 root wheel 50868 Sep 3 13:27 /bin/[

/bin/[ is a hard link to /bin/test (normal); 'man [' for details.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Sep 6 7:58:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 1AE7337B403 for ; Thu, 6 Sep 2001 07:58:10 -0700 (PDT)
Received: by peitho.fxp.org (Postfix, from userid 1501) id 790E91361F; Thu, 6 Sep 2001 10:58:09 -0400 (EDT)
Date: Thu, 6 Sep 2001 10:58:09 -0400
From: Chris Faulhaber
To: Fernan Aguero
Cc: security@freebsd.org
Subject: Re: some weird stuff found
Message-ID: <20010906105809.B8026@peitho.fxp.org>
References: <08705D38.78FF6AC2.00A48379@netscape.net> <20010906105345.A8026@peitho.fxp.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="lEGEL1/lMxI0MVQ2"
Content-Disposition: inline
In-Reply-To: <20010906105345.A8026@peitho.fxp.org>
User-Agent: Mutt/1.3.20i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Sep 06, 2001 at 10:53:45AM -0400, Chris Faulhaber wrote:
> 25 == telnetd (run from inetd)

Oops, that's smtp (sendmail)

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Sep 6 8:06:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nova.fnal.gov (nova.fnal.gov [131.225.121.207]) by hub.freebsd.org (Postfix) with ESMTP id D89FF37B401 for ; Thu, 6 Sep 2001 08:06:43 -0700 (PDT)
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.3) with ESMTP id KAA08819; Thu, 6 Sep 2001 10:06:37 -0500 (CDT)
X-Authentication-Warning: nova.fnal.gov: tez owned process doing -bs
Date: Thu, 6 Sep 2001 10:06:37 -0500 (CDT)
From: Tim Zingelman
X-Sender:
To: Fernan Aguero
Cc:
Subject: Re: some weird stuff found
In-Reply-To: <08705D38.78FF6AC2.00A48379@netscape.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, 6 Sep 2001, Fernan Aguero wrote:
> In the last few days I started noticing strange things. Some of them
> I do not understand and perhaps are normal things (such as being scanned)
> and others may be more critical.
> I appreciate any help and insight you can give me.
>
> Also: I need to print to a network printer but I'm not a print server.
> Do I need 515 open?
> How do I close those ports (25,587,515)?

No and no. Add:

sendmail_flags="-q30m"
lpd_flags="-p"

to your /etc/rc.conf. This will stop them from listening.

> And last, I am running xdm but I only allowed connections from
> localhost. Is this in any way related to X11 being on port 6000?
> (/etc/services shows xdm on port 177)

xdm is already not listening on 177, likely due to the line:

DisplayManager.requestPort: 0

in /usr/X11R6/lib/X11/xdm/xdm-config. The same can be accomplished by adding -udpPort 0 to the xdm line in /etc/ttys like this:

ttyv8 "/usr/X11R6/bin/xdm -nodaemon -udpPort 0" xterm on secure

To make the X server stop listening on port 6000, you should edit /usr/X11R6/lib/X11/xdm/Xsetup_0 and add -nolisten tcp, like this:

:0 local /usr/X11R6/bin/X -nolisten tcp

- Tim

From owner-freebsd-security Thu Sep 6 8:14:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id C46C237B401 for ; Thu, 6 Sep 2001 08:13:57 -0700 (PDT)
Received: (qmail 78319 invoked by uid 1000); 6 Sep 2001 15:18:41 -0000
Date: Thu, 6 Sep 2001 16:18:41 +0100
From: Marc Rogers
To: Chris Faulhaber
Cc: Fernan Aguero , security@freebsd.org
Subject: Re: some weird stuff found
Message-ID: <20010906161841.E99287@shady.org>
References: <08705D38.78FF6AC2.00A48379@netscape.net> <20010906105345.A8026@peitho.fxp.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20010906105345.A8026@peitho.fxp.org>; from jedgar@fxp.org on Thu, Sep 06, 2001 at 10:53:45AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

>
> Probably a Linux or Solaris rpc attack/exploit. Doesn't affect
> FreeBSD machines (except for annoying log entries).

I would take this as a warning however. It is a sure sign of someone attempting (in a rather clumsy and inaccurate way typical of most kiddies) to break into your hosts. Most kids these days use a scattergun approach to hacking and just fire off as many exploits as possible till one gets a result. I swear half of them don't even know which way to point them. You should probably take steps to block access to your network from the IP ranges these attacks are originating from. You might want to think about installing snort.

>
> > 3 - If I run 'nmap -v localhost' I can see a few ports open
> *snip*
> > What services run on 1020 and 1021? I am not aware of having enabled
> > those, and they do not appear in /etc/services.
> >
>
> Run sockstat (or lsof, etc) to see what is bound to those ports.

Run lsof, but just to be safe, I would download it as a clean install file from a trusted location (ftp.freebsd.org for example) and compile it just before you plan to use it. This is the safest way to ensure you are seeing a true representation of what is running on your system. Look for those ports you are unsure about, and see which open files are linked in to them. This will show you which binary was responsible for opening that socket. If in doubt, kill off the process, and chmod the binary to prevent usage.

>
> > And relating to this, do i need sendmail listening on 25 and 587 if
> > I only need to send mail to a smart host?
>
> You can probably just use -q30m for sendmail flags if you are not
> accepting email which will not opening listening sockets.

I would advise against running sendmail, period. There are many better and more secure alternatives these days (personally I like postfix or qmail). You certainly do not need to be running sendmail as a daemon. killall -9 sendmail will relieve you of that particular worry. (Don't forget to edit your rc.conf, adding sendmail_enable="NO" to prevent it being restarted at boot time.)

>
> > Also: I need to print to a network printer but I'm not a print server.
> > Do I need 515 open?
>
> Nope. See the lpd(8) man page (-p option).
>
> > How do I close those ports (25,587,515)?
>
> First see what programs are bound to those ports (see above).
> 25 == telnetd (run from inetd)

Errm, 23 is usually telnetd. 25 is the external port of sendmail. See my comments on sendmail, above.

As mentioned before, use lsof and netstat (careful with what netstat says though, as it is easily compromised and might be lying) to diagnose what's running and decide if you need those services.

I would seriously consider adding a local firewall to your host though, especially as you are running an X server. Good security should be like an onion, layered.

Hope this helps,

Marc Rogers
Technical Director
European Data Corporation

From owner-freebsd-security Thu Sep 6 10:41:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imo-m07.mx.aol.com (imo-m07.mx.aol.com [64.12.136.162]) by hub.freebsd.org (Postfix) with ESMTP id DC36937B408 for ; Thu, 6 Sep 2001 10:41:38 -0700 (PDT)
Received: from pichita3@netscape.net by imo-m07.mx.aol.com (mail_out_v31_r1.4.) id j.56.b77697 (16232); Thu, 6 Sep 2001 13:40:42 -0400 (EDT)
Received: from netscape.com (mow-d02.webmail.aol.com [205.188.138.66]) by air-in02.mx.aol.com (v80.17) with ESMTP id MAILININ28-0906134042; Thu, 06 Sep 2001 13:40:42 -0400
Date: Thu, 06 Sep 2001 13:40:42 -0400
From: pichita3@netscape.net (Fernan Aguero)
To: marcr@shady.org (Marc Rogers), jedgar@fxp.org (Chris Faulhaber), zingelman@fnal.gov, ghelmer@palisadesys.com, mistwolf@mushhaven.net
Cc: security@freebsd.org
Subject: Re: some weird stuff found
Message-ID: <2C006D77.2802EF95.00A48379@netscape.net>
X-Mailer: Atlas Mailer 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

To all who replied:

Thanks for the tips and insight! I looked into sockstat and found that ports 1020 and 1021 were used by nfs. Now I know how to have both sendmail and lpd working without listening to external calls. Thanks!

Regarding the following:

arp: unknown hardware address format (0x0800)

I'm not using cablemodem. I will pass this to the sys/net admin.

I also know that I must do something to protect my machine. I will investigate setting up a firewall (I have a 1-nic machine).

Thanks again!

From owner-freebsd-security Thu Sep 6 12:15:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.home.se (smtp1.home.se [195.66.35.200]) by hub.freebsd.org (Postfix) with ESMTP id D163137B406 for ; Thu, 6 Sep 2001 12:15:24 -0700 (PDT)
Received: from bubblefish.asaka.net [213.116.238.214] by smtp1.home.se with Novonyx SMTP Server $Revision: 2.74 $; Thu, 06 Sep 2001 21:11:33 +0200 (ECTD)
Content-Type: text/plain; charset="iso-8859-1"
From: Stefan Gustavsson
To: freebsd-security@freebsd.org
Date: Thu, 6 Sep 2001 19:15:39 +0000
X-Mailer: KMail [version 1.2]
MIME-Version: 1.0
Message-Id: <01090619153900.45214@bubblefish.asaka.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

From owner-freebsd-security Thu Sep 6 12:33:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by hub.freebsd.org (Postfix) with ESMTP id 243BC37B401 for ; Thu, 6 Sep 2001 12:33:45 -0700 (PDT)
Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by spitfire.velocet.net (Postfix) with SMTP id E993544A9E9 for ; Thu, 6 Sep 2001 15:33:43 -0400 (EDT)
Received: (qmail 44179 invoked by uid 1001); 6 Sep 2001 19:28:32 -0000
Date: Thu, 6 Sep 2001 15:28:32 -0400
From: Steve Shorter
To: Fernando Schapachnik
Cc: edwin chan , freebsd-security@FreeBSD.ORG
Subject: Re: when mail full /tmp partition, system cracked
Message-ID: <20010906152832.A44174@nomad.lets.net>
References: <015701c136d5$91352e00$9201a8c0@home.net> <20010906104547.C56598@ns1.via-net-works.net.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010906104547.C56598@ns1.via-net-works.net.ar>; from fschapachnik@vianetworks.com.ar on Thu, Sep 06, 2001 at 10:45:47AM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Sep 06, 2001 at 10:45:47AM -0300, Fernando Schapachnik wrote:
> In an earlier message, edwin chan wrote:
> > we found the messages in log:
> >
> > Sep 5 21:00:33 www /kernel: swap_pager: out of swap space
> > Sep 5 21:00:33 www /kernel: swap_pager_getswapspace: failed
>
> What might have happened is that the great amount of email forked a
> great amount of processes which in turn ate all available memory and
> swap. Your machine ran out of swap. Either increase it (look at the
> FAQ & handbook for instructions) or add more memory. Or impose
> resource limits (can do it via login.conf and/or sendmail.cf
> -MaxDaemonChildren, RefuseLA, etc.-).

What is supposed to happen is the largest process is supposed to be killed if virtual memory is exhausted. There is a bug in 4.3-RELEASE that prevents this from happening. The kernel hangs before any processes get killed. It has been fixed in STABLE.

-steve

From owner-freebsd-security Thu Sep 6 13:48:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id BFE6337B405 for ; Thu, 6 Sep 2001 13:48:18 -0700 (PDT)
Received: (from root@localhost) by mail.wlcg.com (8.11.6/8.11.6) id f86KmIf59430; Thu, 6 Sep 2001 16:48:18 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.6/8.11.6) with ESMTP id f86KmGs59418; Thu, 6 Sep 2001 16:48:16 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
X-Authentication-Warning: mail.wlcg.com: rsimmons owned process doing -bs
Date: Thu, 6 Sep 2001 16:48:14 -0400 (EDT)
From: Rob Simmons To: Chris Faulhaber Cc: Fernan Aguero , Subject: Re: some weird stuff found In-Reply-To: <20010906105345.A8026@peitho.fxp.org> Message-ID: <20010906164620.G79894-100000@mail.wlcg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, 6 Sep 2001, Chris Faulhaber wrote:
> You can probably just use -q30m for sendmail flags if you are not
> accepting email, which will not open listening sockets.

Also, if you need to have port 25 open, but you don't want the MSA port open as well (port 587), just add this line to sendmail's mc file and rebuild your cf:

FEATURE(no_default_msa)

This will open port 25 only.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Sep 6 13:51:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id ADB8037B405 for ; Thu, 6 Sep 2001 13:51:11 -0700 (PDT) Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id PAA08269 for ; Thu, 6 Sep 2001 15:51:11 -0500 (CDT) Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma008267; Thu, 6 Sep 01 15:51:08 -0500 Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id PAA08450 for ; Thu, 6 Sep 2001 15:51:07 -0500 (CDT) Message-ID: <3B97E1BC.91E0EC79@centtech.com> Date: Thu, 06 Sep 2001 15:51:08 -0500
From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: AirSnort / WEP Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Has anyone messed with AirSnort or WEPCrack with FreeBSD yet? Is there an equivalent tool, since these are both based around linux? -- ------------------------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792 Truth is more marvelous than mystery. ------------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 6 14:18:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 4F54D37B406; Thu, 6 Sep 2001 14:18:20 -0700 (PDT) Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f86LIKN76091; Thu, 6 Sep 2001 14:18:20 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Thu, 6 Sep 2001 14:18:20 -0700 (PDT) Message-Id: <200109062118.f86LIKN76091@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:57.sendmail [REVISED] Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:57 Security Advisory FreeBSD, Inc. Topic: sendmail contains local root vulnerability [REVISED] Category: core Module: sendmail Announced: 2001-08-27 Revised: 2001-09-06 Credits: Cade Cairnss Affects: FreeBSD 4-STABLE after August 27, 2000 and prior to the correction date, FreeBSD 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE Corrected: 2001-08-21 01:36:37 UTC (FreeBSD 4.3-STABLE) 2001-08-22 05:34:11 UTC (RELENG_4_3) FreeBSD only: NO 0. Revision History v1.0 2001-08-27 Initial release v1.1 2001-08-30 Update package to remove setuid bit from saved file; add non-openssl package; correct typo in package instructions; note that $Id$ not updated in RELENG_4_3. v1.2 2001-09-06 No changes to advisory, but the sendmail-crypto upgrade package had incorrect permissions for the sendmail binary. Update this package. I. Background sendmail is a mail transfer agent. II. Problem Description Sendmail contains an input validation error which may lead to the execution of arbitrary code with elevated privileges by local users. Due to the improper use of signed integers in code responsible for the processing of debugging arguments, a local user may be able to supply the signed integer equivalent of a negative value supplied to sendmail's "trace vector". This may allow a local user to write data anywhere within a certain range of locations in process memory. 
Because the '-d' command-line switch is processed before the program drops its elevated privileges, the attacker may be able to cause arbitrary code to be executed with root privileges. III. Impact Local users may be able to execute arbitrary code with root privileges. IV. Workaround Do not allow untrusted users to execute the sendmail binary. V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3 security branch after the respective correction dates. 2) FreeBSD 4.x systems after August 27, 2000 and prior to the correction date: The following patch has been verified to apply to FreeBSD 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE and 4-STABLE dated prior to the correction date. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch.asc Execute the following commands as root: # cd /usr/src # patch -p < /path/to/patch # cd /usr/src/lib/libsmutil # make depend && make all # cd /usr/src/usr.sbin/sendmail # make depend && make all install 3) FreeBSD 4.3-RELEASE systems: ** NOTE: The initial version of the upgrade package did not remove ** setuid root privileges from the saved copy of the sendmail binary. ** To correct this, deinstall the old package using the pkg_delete(1) ** command and install the corrected package as described below. An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. 
During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. Two versions of the package are available, depending on whether or not OpenSSL is installed. If the file /usr/lib/libcrypto.so exists on the local system, follow the directions in section 1a) below, otherwise follow the directions in section 1b). After adding the package, proceed with the instructions in section 2). 1a) If crypto is installed: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-crypto-01.57.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-crypto-01.57.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sendmail-crypto-01.57.tgz 1b) If crypto is not installed: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-nocrypto-01.57.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-nocrypto-01.57.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sendmail-nocrypto-01.57.tgz 2) Restart sendmail after applying the patch by executing the following commands as root: # killall sendmail # /usr/sbin/sendmail -bd -q30m The flags to sendmail may need to be adjusted as required for the local system configuration. VI. Correction details The following is the sendmail $Id$ revision number of the file that was corrected for the supported branches of FreeBSD. The $Id$ revision number of the installed source can be examined using the ident(1) command. Note that the $Id$ tag was not updated on the RELENG_4_3 branch because a newer vendor release of sendmail was not imported, instead only this vulnerability was patched. Revision Path 8.20.22.4 src/contrib/sendmail/src/trace.c VII. 
References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO5fm9FUuHi5z0oilAQHcxQP/Skg7PHfrJfo/t4b4u7XHSjdHiLzl4aiG qKhEJjcNDFMNxSCfTZ19aP0KUtcgxN5tB8gTF7d2gG0HTAJ7NZ07DutTgMxdziMa 1R9n/NbRQ7Qu7EYv6jTLaBbgeovUp9kA2QY+/1DiPM1sS4TUwqvVnefXlpnJbQhj 6WOhcCaAaBU= =WnTC -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 6 14:35:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id C22BF37B406; Thu, 6 Sep 2001 14:35:31 -0700 (PDT) Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f86LZVb77673; Thu, 6 Sep 2001 14:35:31 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Thu, 6 Sep 2001 14:35:31 -0700 (PDT) Message-Id: <200109062135.f86LZVb77673@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f 
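The bug class in the SA-01:57 advisory above (a signed debug index that is checked only against the top of the table) is easiest to see in a few lines. The program below is an added example written for this page, not sendmail's trace.c: it models the pattern from the advisory's description. The `first-last.level` spec syntax, the table size, the `guard` field and the helper names are assumptions made for the demonstration.

```c
/*
 * Added example, not sendmail's trace.c: a model of the bug class in
 * FreeBSD-SA-01:57. A "-d first-last.level" style debug spec is parsed into
 * signed values and used to index a fixed trace table. Only the upper bound
 * is clamped, so a negative "first" writes the level byte below the table.
 * The hardened version rejects anything outside [0, TRACE_SIZE).
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRACE_SIZE 100          /* assumed table size for the demo */

/* Constructed stand-in for process memory: a guard word sits just below the
 * trace vector so an out-of-range write is observable. */
struct debug_state {
    int guard;                  /* some other variable in a real process */
    unsigned char tvect[TRACE_SIZE];
};

/* Parse "first[-last][.level]"; 0 on success, -1 on syntax error.
 * Deliberately keeps signed values, as the advisory describes. */
static int parse_spec(const char *spec, long *first, long *last, long *level)
{
    char *end;
    errno = 0;
    *first = strtol(spec, &end, 10);
    if (end == spec || errno != 0)
        return -1;
    *last = *first;
    if (*end == '-') {                     /* optional "-last" */
        const char *p = end + 1;
        *last = strtol(p, &end, 10);
        if (end == p || errno != 0)
            return -1;
    }
    *level = 1;
    if (*end == '.') {                     /* optional ".level" */
        const char *p = end + 1;
        *level = strtol(p, &end, 10);
        if (end == p || errno != 0)
            return -1;
    }
    return *end == '\0' ? 0 : -1;
}

/* Vulnerable: clamps only the high side, so "-4--1.65" writes 'A' over guard. */
int set_trace_vulnerable(struct debug_state *st, const char *spec)
{
    long first, last, level;
    if (parse_spec(spec, &first, &last, &level) != 0)
        return -1;
    if (first >= TRACE_SIZE) first = TRACE_SIZE - 1;
    if (last >= TRACE_SIZE)  last = TRACE_SIZE - 1;
    for (long i = first; i <= last; i++)
        st->tvect[i] = (unsigned char)level;   /* i may be negative: OOB write */
    return 0;
}

/* Hardened: reject the spec instead of clamping; no negative or inverted ranges. */
int set_trace_hardened(struct debug_state *st, const char *spec)
{
    long first, last, level;
    if (parse_spec(spec, &first, &last, &level) != 0)
        return -1;
    if (first < 0 || last < first || last >= TRACE_SIZE || level < 0 || level > 255)
        return -1;
    for (long i = first; i <= last; i++)
        st->tvect[i] = (unsigned char)level;
    return 0;
}

/* Run one spec through a setter on a zeroed state; return the guard word
 * afterwards (0 means the table was not escaped). */
int guard_after(int (*setter)(struct debug_state *, const char *), const char *spec)
{
    struct debug_state st;
    memset(&st, 0, sizeof st);
    setter(&st, spec);
    return st.guard;
}

/* Same, but return the trace level stored at a given in-bounds index. */
int level_at(int (*setter)(struct debug_state *, const char *), const char *spec, int idx)
{
    struct debug_state st;
    memset(&st, 0, sizeof st);
    setter(&st, spec);
    return st.tvect[idx];
}

int main(void)
{
    printf("vulnerable \"-4--1.65\": guard = 0x%08x\n",
           (unsigned)guard_after(set_trace_vulnerable, "-4--1.65"));
    printf("hardened   \"-4--1.65\": guard = 0x%08x\n",
           (unsigned)guard_after(set_trace_hardened, "-4--1.65"));
    return 0;
}
```

The clamp in `set_trace_vulnerable` is exactly the check that looks sufficient in review and is not: it bounds the index from above while the type still admits negative values. Rejecting the input (rather than clamping) also removes the silent "100.1 sets slot 99" behaviour.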
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:59.rmuser [REVISED] Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:59 Security Advisory
FreeBSD, Inc.

Topic: rmuser contains a race condition exposing /etc/master.passwd [REVISED]

Category: core
Module: rmuser
Announced: 2001-09-04
Revised: 2001-09-06
Credits: dynamo@harvard.net
Affects: FreeBSD 4.2-RELEASE, 4.3-RELEASE
         FreeBSD 4.3-STABLE prior to the correction date.
Corrected: 2001-08-01 20:26:37 UTC (4.3-STABLE)
           2001-09-05 05:24:55 UTC (RELENG_4_3)
FreeBSD only: Yes

0. Revision History

v1.0 2001-09-04 Initial release
v1.1 2001-09-06 Update patch. Update correction times. Update upgrade package as a result.

I. Background

rmuser is a perl script used to completely remove users from a system.

II. Problem Description

When removing a user from the system with the rmuser utility, the /etc/master.passwd file and its corresponding database /etc/spwd.db must be updated. The rmuser script was incorrectly doing this by creating a new master.passwd file with an unsafe umask and then using chmod to set its permissions to 0600. Between the time that the file was created and the time that its permissions were changed the file is world-readable. This is only a minor security vulnerability since the rmuser command is only used infrequently on most systems, and the attack is highly timing-dependent.

All versions of FreeBSD prior to the correction date including FreeBSD 4.3 contain this problem. The base system that will ship with FreeBSD 4.4 does not contain this problem since it was corrected prior to the release.

III.
Impact

For a brief amount of time while running rmuser, a world-readable copy of /etc/master.passwd is available. A local attacker who reads this file can extract password hashes from the copy of /etc/master.passwd. This information could be used by attackers to escalate their privileges, possibly yielding root privileges on the local system, by mounting an offline dictionary attack in order to guess the plaintext passwords of the accounts on the local system.

IV. Workaround

Use the pw(8) utility to remove users instead of rmuser.

- "pw userdel " will only remove the user from /etc/passwd, /etc/master.passwd and /etc/group
- "pw -r userdel " will also remove the user's home directory

V. Solution

1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3 security branch, dated after the respective correction dates. Note that the initial correction dates did not include complete fixes for the rmuser utility, and sources dated before the updated correction date given in this advisory will not work.

2) To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch.v1.1
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch.v1.1.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to FreeBSD 4.2-RELEASE and 4.3-RELEASE. It may or may not apply to older, unsupported releases of FreeBSD.

# cd /usr/src/usr.sbin/adduser
# patch -p < /path/to/patch
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient.
If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-rmuser-01.59.tgz VI. CVS Revisions The following $FreeBSD$ CVS revision contain the fixes for this vulnerability. The $FreeBSD$ revision of installed sources can be examined using the ident(1) command. These revision IDs are not updated by applying the patch referenced above. [FreeBSD 4.3-STABLE] Revision Path 1.8.2.7 src/usr.sbin/rmuser.perl [RELENG_4_3] Revision Path 1.8.2.2.2.2 src/usr.sbin/rmuser.perl -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO5frolUuHi5z0oilAQH+nQP+PMDfqxyGdScn/nlR7Z1JCyK5HFgIhh73 OpUVGtJUVfWTyTe9mwrP2F0Ce+3bdeLfxj2hKQn7ST9Gl3YJg03ZTmvntYnOvok7 TMrXXQRuwTUvG/b+LcPK2oufcU7rqiPyYXzny0Ne+pvBraKcUdR0tBOYquMCeN0c MvytYjbZCao= =p5P7 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 6 14:45:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from ambrisko.com (adsl-64-174-51-42.dsl.snfc21.pacbell.net [64.174.51.42]) by hub.freebsd.org (Postfix) with ESMTP id 351E637B407 for ; Thu, 6 Sep 2001 14:45:34 -0700 (PDT) Received: (from ambrisko@localhost) by ambrisko.com (8.11.3/8.11.3) id f86LieC10282; Thu, 6 Sep 2001 14:44:40 -0700 (PDT) (envelope-from ambrisko) 
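The create-then-chmod window described in the SA-01:59 advisory above can be measured directly. The program below is an added example for this page, not the rmuser.perl source: it reproduces the vulnerable sequence (create the new file under whatever umask the caller inherited, fchmod to 0600 afterwards) beside the fix (set a restrictive umask and ask open(2) for 0600 from the start) and reports the mode bits the file carried while it sat on disk before any chmod. The file names under /tmp and the helper names are constructed for the demo.

```c
/*
 * Added example, not rmuser.perl: the window described in FreeBSD-SA-01:59.
 * Each window_mode_* function creates a scratch file the way the named code
 * path would and returns the permission bits the file had at the instant it
 * existed on disk, before any chmod, i.e. what a concurrent attacker sees.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new file (O_EXCL: never follow something an attacker planted),
 * trying /tmp and then the current directory. Fills *out with the path used. */
static int create_new(const char *tag, mode_t mode, char *out, size_t outlen)
{
    const char *dirs[] = { "/tmp", "." };
    for (size_t d = 0; d < 2; d++) {
        snprintf(out, outlen, "%s/master.passwd.%ld.%s", dirs[d], (long)getpid(), tag);
        int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, mode);
        if (fd >= 0)
            return fd;
    }
    return -1;
}

static int mode_bits(int fd)
{
    struct stat sb;
    return fstat(fd, &sb) == 0 ? (int)(sb.st_mode & 0777) : -1;
}

/* Vulnerable path: inherit the caller's umask, create with perl's default
 * 0666, fix the mode with chmod afterwards. Returns the mode in the window. */
int window_mode_create_then_chmod(mode_t inherited_umask)
{
    char path[128];
    mode_t saved = umask(inherited_umask);      /* simulate the caller's environment */
    int fd = create_new("vuln", 0666, path, sizeof path);
    umask(saved);
    if (fd < 0)
        return -1;
    int in_window = mode_bits(fd);              /* readable by all until the chmod lands */
    if (fchmod(fd, 0600) != 0 || mode_bits(fd) != 0600)
        in_window = -1;                         /* the eventual 0600 is not in question */
    close(fd);
    unlink(path);
    return in_window;
}

/* Fixed path: force umask 077 and request 0600 at creation; there is no window. */
int window_mode_create_restricted(mode_t inherited_umask)
{
    char path[128];
    mode_t saved = umask(inherited_umask);      /* simulate the caller's environment */
    umask(077);                                 /* and refuse to trust it */
    int fd = create_new("safe", 0600, path, sizeof path);
    umask(saved);
    if (fd < 0)
        return -1;
    int in_window = mode_bits(fd);
    close(fd);
    unlink(path);
    return in_window;
}

/* 1 if a mode lets group or others read the file (a password-hash leak). */
int leaks_hashes(int mode)
{
    return mode >= 0 && (mode & 044) != 0;
}

int main(void)
{
    int v = window_mode_create_then_chmod(022);
    int s = window_mode_create_restricted(022);
    int t = window_mode_create_then_chmod(077);
    printf("create-then-chmod, umask 022: %04o in window, leaks=%d\n", v, leaks_hashes(v));
    printf("restricted create, umask 022: %04o in window, leaks=%d\n", s, leaks_hashes(s));
    printf("create-then-chmod, umask 077: %04o in window, leaks=%d\n", t, leaks_hashes(t));
    return 0;
}
```

The third line of output is why the advisory talks about an "unsafe umask" rather than about chmod: with umask 077 even the old sequence has no window, which is also why the bug is timing-dependent and easy to miss when the administrator's shell happens to be configured tightly. Asking open(2) for the final mode removes the dependency on the environment altogether.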
From: Doug Ambrisko Message-Id: <200109062144.f86LieC10282@ambrisko.com> Subject: Re: AirSnort / WEP In-Reply-To: <3B97E1BC.91E0EC79@centtech.com> To: anderson@centtech.com Date: Thu, 6 Sep 2001 14:44:40 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL92 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Eric Anderson writes:
| Has anyone messed with AirSnort or WEPCrack with FreeBSD yet? Is there an equivalent tool, since these are both based
| around linux?

This could be ported to the RFMON patches that I have for the Aironet card. I haven't done it yet but thought about porting it.

http://www.ambrisko.com/doug/an/

Doug A.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Sep 6 15: 7:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100]) by hub.freebsd.org (Postfix) with ESMTP id A336D37B401 for ; Thu, 6 Sep 2001 15:07:33 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by brea.mc.mpls.visi.com (Postfix) with ESMTP id DDCAC2DDD3C; Thu, 6 Sep 2001 17:07:32 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f86M7Vs19001; Thu, 6 Sep 2001 17:07:31 -0500 (CDT) (envelope-from hawkeyd) Date: Thu, 6 Sep 2001 17:07:31 -0500
From: D J Hawkey Jr To: steve@nomad.tor.lets.net, freebsd-security@freebsd.org Subject: Re: when mail full /tmp partition, system cracked Message-ID: <20010906170731.A18984@sheol.localdomain> Reply-To: hawkeyd@visi.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In article <20010906152832.A44174_nomad.lets.net@ns.sol.net>, steve@nomad.tor.lets.net writes:
> On Thu, Sep 06, 2001 at 10:45:47AM -0300, Fernando Schapachnik wrote:
>> In an earlier message, edwin chan wrote:
>> > we found the messages in log:
>> >
>> > Sep 5 21:00:33 www /kernel: swap_pager: out of swap space
>> > Sep 5 21:00:33 www /kernel: swap_pager_getswapspace: failed
>>
>> What might have happened is that a great amount of email forked a
>> great amount of processes which in turn ate all available memory and
>> swap. Your machine ran out of swap. Either increase it (look at the
>> FAQ & handbook for instructions) or add more memory. Or impose
>> resource limits (can do it via login.conf and/or sendmail.cf
>> -MaxDaemonChildren, RefuseLA, etc.-).
>
> What is supposed to happen is the largest process is supposed
> to be killed if virtual memory is exhausted. There is a bug in
> 4.3-RELEASE that prevents this from happening. The kernel hangs
> before any processes get killed.

Is "the largest process" selective, to some degree or another? That is, will it (can it?) discern a "more valuable" process from a "lesser one"?

Can it be told to kill off the last process started, as opposed to the largest? I myself would find this preferable in many cases.

> It has been fixed in STABLE.

No patch for the RELENG_4_3 tree in store, I take it? I browsed the CVS tree; is the fix contained entirely in vm_map.c?

> -steve

Dave

-- Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 6 16:31:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-172.zoominternet.net [24.154.28.172]) by hub.freebsd.org (Postfix) with ESMTP id E825D37B407; Thu, 6 Sep 2001 16:31:36 -0700 (PDT) Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id f86NVf318544; Thu, 6 Sep 2001 19:31:41 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Thu, 6 Sep 2001 19:31:36 -0400 (EDT) 
From: Chris BeHanna Reply-To: Chris BeHanna To: Subject: Re: Good practice for /tmp In-Reply-To: <20010906055708.P55388@hal9000.servehttp.com> Message-ID: <20010906192746.D18481-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

(Moved to questions from -security, with a BCC of this question to -security. Those on -security who want to answer should post their response to questions, and then we're done with this thread in -security.)

On Thu, 6 Sep 2001, Andrew J Caines wrote:
> This doesn't obviously have a security angle, so feel free to take it to
> -questions (with CC, please).
>
> > > What makes you uncomfortable?
> > In the lines you quoted ? Nothing.
>
> Ok.
>
> > Having my swap partition mounted on a memory file system makes me
> > uncomfortable
>
> I think it's a bit misleading to say that the "swap partition" is mounted.
> I think it more accurate to say that the storage device which backs this
> filesystem is the system's VM. The filesystem simply provides the
> semantics for the I/O.
>
> What about this makes you uncomfortable?

Uhh, what happens when your machine panics? With a VM-backed swap, savecore can't grab the crash dump; therefore, you can't get a traceback.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 6 17:18:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by hub.freebsd.org (Postfix) with ESMTP id 0A2C837B406 for ; Thu, 6 Sep 2001 17:18:26 -0700 (PDT) Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by spitfire.velocet.net (Postfix) with SMTP id 4E08F44A922 for ; Thu, 6 Sep 2001 20:18:24 -0400 (EDT) Received: (qmail 44411 invoked by uid 1001); 7 Sep 2001 00:13:12 -0000 Date: Thu, 6 Sep 2001 20:13:12 -0400 
From: Steve Shorter To: D J Hawkey Jr Cc: freebsd-security@freebsd.org Subject: Re: when mail full /tmp partition, system cracked Message-ID: <20010906201312.A44397@nomad.lets.net> References: <20010906104547.C56598_ns1.via-net-works.net.ar@ns.sol.net> <20010906152832.A44174_nomad.lets.net@ns.sol.net> <200109062058.f86KwES05430@fanbuzz.com.> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200109062058.f86KwES05430@fanbuzz.com.>; from hawkeyd@visi.com on Thu, Sep 06, 2001 at 03:58:14PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Sep 06, 2001 at 03:58:14PM -0500, D J Hawkey Jr wrote: > > No patch for the RELENG_4_3 tree in store, I take it? > > > -steve Actually, there is. I raised this issue, and got a patch from matt dillon for 4.3-SECURITY(RELEASE). This is the forwarded response below. -steve : :I am still interested in making a patch based on diffs from :4.3-STABLE and 4.3-SECURITY. Would this be easy to do or have there been a :lot of kernel changes that affect this issue. Is it good enough to look :at killproc() and vm_pagout.c or is there more to it than that. : : thanx - steve Sure. If you are comfortable building from a mod'd source tree, here is the relevant log and diff set. It should be very easy to patch in. 
-Matt dillon 2001/06/13 00:26:59 PDT Modified files: (Branch: RELENG_4) sys/vm vm_map.c vm_map.h vm_pageout.c Log: MFC the two out-of-swap fixes (kill the correct process and start blasting away at processes a little earlier, before the machine begins to lockup) Revision Changes Path 1.187.2.9 +36 -1 src/sys/vm/vm_map.c 1.54.2.2 +2 -1 src/sys/vm/vm_map.h 1.151.2.8 +9 -4 src/sys/vm/vm_pageout.c Index: vm_map.c =================================================================== RCS file: /home/ncvs/src/sys/vm/vm_map.c,v retrieving revision 1.187.2.8 retrieving revision 1.187.2.9 diff -u -r1.187.2.8 -r1.187.2.9 --- vm_map.c 2001/03/14 07:05:05 1.187.2.8 +++ vm_map.c 2001/06/13 07:26:58 1.187.2.9 @@ -61,7 +61,7 @@ * any improvements or extensions that they make and grant Carnegie the * rights to redistribute these changes. * - * $FreeBSD: src/sys/vm/vm_map.c,v 1.187.2.8 2001/03/14 07:05:05 dillon Exp $ + * $FreeBSD: src/sys/vm/vm_map.c,v 1.187.2.9 2001/06/13 07:26:58 dillon Exp $ */ /* 
@@ -218,6 +218,41 @@ zfree(vmspace_zone, vm); } } + +/* + * vmspace_swap_count() - count the approximate swap useage in pages for a + * vmspace. + * + * Swap useage is determined by taking the proportional swap used by + * VM objects backing the VM map. To make up for fractional losses, + * if the VM object has any swap use at all the associated map entries + * count for at least 1 swap page. + */ +int +vmspace_swap_count(struct vmspace *vmspace) +{ + vm_map_t map = &vmspace->vm_map; + vm_map_entry_t cur; + int count = 0; + + for (cur = map->header.next; cur != &map->header; cur = cur->next) { + vm_object_t object; + + if ((cur->eflags & MAP_ENTRY_IS_SUB_MAP) == 0 && + (object = cur->object.vm_object) != NULL && + object->type == OBJT_SWAP + ) { + int n = (cur->end - cur->start) / PAGE_SIZE; + + if (object->un_pager.swp.swp_bcount) { + count += object->un_pager.swp.swp_bcount * + SWAP_META_PAGES * n / object->size + 1; + } + } + } + return(count); +} + /* * vm_map_create: Index: vm_map.h =================================================================== RCS file: /home/ncvs/src/sys/vm/vm_map.h,v retrieving revision 1.54.2.1 retrieving revision 1.54.2.2 diff -u -r1.54.2.1 -r1.54.2.2 --- vm_map.h 2001/03/14 07:05:06 1.54.2.1 +++ vm_map.h 2001/06/13 07:26:58 1.54.2.2 @@ -61,7 +61,7 @@ * any improvements or extensions that they make and grant Carnegie the * rights to redistribute these changes. * - * $FreeBSD: src/sys/vm/vm_map.h,v 1.54.2.1 2001/03/14 07:05:06 dillon Exp $ + * $FreeBSD: src/sys/vm/vm_map.h,v 1.54.2.2 2001/06/13 07:26:58 dillon Exp $ */ /* 
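Review bot: in the vm_map.c hunk, the per-entry term `object->un_pager.swp.swp_bcount * SWAP_META_PAGES * n / object->size + 1` in vmspace_swap_count() performs all three multiplications in int before dividing, so a large swap-backed mapping (many swap blocks times a large page count `n`) can wrap and yield a negative or tiny count, which then misranks that process in the kill loop that consumes the result; widen the intermediate (cast `swp_bcount` to a 64-bit type before the multiplications) so the proportion is computed without overflow. The same expression divides by `object->size` with no check that it is non-zero; the `swp_bcount` test makes a zero-size object unlikely but not impossible, and a divide-by-zero here traps inside the pageout daemon, so add `object->size != 0` to the `if` guarding the block. The comment block above the function also spells "usage" as "useage" twice.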
@@ -375,6 +375,7 @@ void vm_freeze_copyopts __P((vm_object_t, vm_pindex_t, vm_pindex_t)); int vm_map_stack __P((vm_map_t, vm_offset_t, vm_size_t, vm_prot_t, vm_prot_t, int)); int vm_map_growstack __P((struct proc *p, vm_offset_t addr)); +int vmspace_swap_count __P((struct vmspace *vmspace)); #endif #endif /* _VM_MAP_ */ Index: vm_pageout.c =================================================================== RCS file: /home/ncvs/src/sys/vm/vm_pageout.c,v retrieving revision 1.151.2.7 retrieving revision 1.151.2.8 diff -u -r1.151.2.7 -r1.151.2.8 --- vm_pageout.c 2000/12/30 01:51:12 1.151.2.7 +++ vm_pageout.c 2001/06/13 07:26:58 1.151.2.8 @@ -65,7 +65,7 @@ * any improvements or extensions that they make and grant Carnegie the * rights to redistribute these changes. * - * $FreeBSD: src/sys/vm/vm_pageout.c,v 1.151.2.7 2000/12/30 01:51:12 dillon Exp $ + * $FreeBSD: src/sys/vm/vm_pageout.c,v 1.151.2.8 2001/06/13 07:26:58 dillon Exp $ */ /* @@ -1094,10 +1094,14 @@ } /* - * make sure that we have swap space -- if we are low on memory and - * swap -- then kill the biggest process. + * If we are out of swap and were not able to reach our paging + * target, kill the largest process. */ + if ((vm_swap_size < 64 && vm_page_count_min()) || + (swap_pager_full && vm_paging_target() > 0)) { +#if 0 if ((vm_swap_size < 64 || swap_pager_full) && vm_page_count_min()) { +#endif bigproc = NULL; bigsize = 0; for (p = allproc.lh_first; p != 0; p = p->p_list.le_next) { 
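Review bot: the vm_pageout.c hunk keeps the replaced trigger `if ((vm_swap_size < 64 || swap_pager_full) && vm_page_count_min()) {` alive under `#if 0 ... #endif` instead of deleting it; the commit log already records what changed, and leaving dead code next to its replacement invites someone to re-enable it against the new comment, so drop the block. The new comment ("If we are out of swap and were not able to reach our paging target") describes only the second alternative; the first, `vm_swap_size < 64 && vm_page_count_min()`, fires on a nearly-empty swap plus a free-page shortage regardless of the paging target, and the comment should say so, ideally with the `64` pages threshold given a name rather than left as a magic number.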
@@ -1119,7 +1123,8 @@ /* * get the process size */ - size = vmspace_resident_count(p->p_vmspace); + size = vmspace_resident_count(p->p_vmspace) + + vmspace_swap_count(p->p_vmspace); /* * if the this process is bigger than the biggest one * remember it. ----- End forwarded message ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 6 17:30:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by hub.freebsd.org (Postfix) with ESMTP id 532A837B403 for ; Thu, 6 Sep 2001 17:30:32 -0700 (PDT) Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by spitfire.velocet.net (Postfix) with SMTP id 210B244A9F6 for ; Thu, 6 Sep 2001 20:30:31 -0400 (EDT) Received: (qmail 44428 invoked by uid 1001); 7 Sep 2001 00:25:20 -0000 Date: Thu, 6 Sep 2001 20:25:20 -0400 
From: Steve Shorter To: D J Hawkey Jr Cc: steve@nomad.tor.lets.net, freebsd-security@freebsd.org Subject: Re: when mail full /tmp partition, system cracked Message-ID: <20010906202520.B44397@nomad.lets.net> References: <20010906170731.A18984@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010906170731.A18984@sheol.localdomain>; from hawkeyd@visi.com on Thu, Sep 06, 2001 at 05:07:31PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Sep 06, 2001 at 05:07:31PM -0500, D J Hawkey Jr wrote:
> Is "the largest process" selective, to some degree or another? That is,
> will it (can it?) discern a "more valuable" process from a "lesser one"?
>
> Can it be told to kill off the last process started, as opposed to the
> largest? I myself would find this preferable in many cases.

Actually, I was running a process that was killed because it was largest, but this process happened to be essential to the system function. It is easy to modify the kernel source to be more selective. I choose to kill only processes with uid > somenumber, since in the context of my particular system, I trust those processes not to hose it and/or have set appropriate resource limits.

Check out the source in sys/vm/vm_pageout.c around

    if ((p->p_flag & P_SYSTEM) || (p->p_lock > 0) ||
        (p->p_pid == 1) ||
        ((p->p_pid < 48) && (vm_swap_size != 0))) {
            continue;
    }

You need to search for the definitions of struct proc (which p points to) in /usr/include/sys/proc.h. Enjoy your kernel hacking!
-steve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 7 3:25:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from bigline.kharkov.ua (gate.bigline.kharkov.ua [212.1.113.62]) by hub.freebsd.org (Postfix) with SMTP id 200E837B408 for ; Fri, 7 Sep 2001 03:25:34 -0700 (PDT) Received: (qmail 42308 invoked from network); 7 Sep 2001 10:25:32 -0000 Received: from unknown (HELO tatarin.development.bigline) (192.168.0.71) by 212.1.113.1 with SMTP; 7 Sep 2001 10:25:32 -0000 Date: Fri, 7 Sep 2001 13:26:21 +0300 From: Igor Russian X-Mailer: The Bat! (v1.49) Reply-To: Igor Russian Organization: BIGLINE X-Priority: 2 (High) Message-ID: <265742827.20010907132621@bigline.net> Disposition-Notification-To: kaba@bigline.net To: FreeBSD-security@FreeBSD.org Subject: i have Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 7 3:37:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from xlr82xs.shacknet.nu (untimed-19.bri.eis.net.au [203.12.171.234]) by hub.freebsd.org (Postfix) with ESMTP id EF91937B406 for ; Fri, 7 Sep 2001 03:37:19 -0700 (PDT) Received: (from xlr82xs@localhost) by xlr82xs.shacknet.nu (8.11.6/8.11.4) id f87AbGF46934 for freebsd-security@freebsd.org; Fri, 7 Sep 2001 20:37:16 +1000 (EST) (envelope-from xlr82xs) Date: Fri, 7 Sep 2001 20:37:14 +1000 
From: xlr82xs
To: freebsd-security@freebsd.org
Subject: Re: i have
Message-ID: <20010907203714.A46899@xlr82xs.shacknet.nu>
References: <265742827.20010907132621@bigline.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <265742827.20010907132621@bigline.net>; from kaba@bigline.net on Fri, Sep 07, 2001 at 01:26:21PM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is it just a misconfiguration on my part, or was that a message flagged
high priority, that had no content?

On Fri, Sep 07, 2001 at 01:26:21PM +0300, Igor Russian wrote:
> X-From_: owner-freebsd-security@FreeBSD.ORG Fri Sep 7 20:27:56 2001
> Delivered-To: freebsd-security@freebsd.org
> Date: Fri, 7 Sep 2001 13:26:21 +0300
> From: Igor Russian
> X-Mailer: The Bat! (v1.49)
> Reply-To: Igor Russian
> Organization: BIGLINE
> X-Priority: 2 (High)
> To: FreeBSD-security@FreeBSD.ORG
> Subject: i have
> List-ID:
> List-Archive: (Web Archive)
> List-Help: (List Instructions)
> List-Subscribe:
> List-Unsubscribe:
> X-Loop: FreeBSD.org
> Precedence: bulk
>
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Where do you think you're going today?

From owner-freebsd-security Fri Sep 7 5:24:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 69BA737B407 for ; Fri, 7 Sep 2001 05:24:19 -0700 (PDT)
Received: from hades.hell.gr (patr530-a032.otenet.gr [212.205.215.32]) by mailsrv.otenet.gr (8.11.5/8.11.5) with ESMTP id f87CO9A27788; Fri, 7 Sep 2001 15:24:11 +0300 (EEST)
Received: (from charon@localhost) by hades.hell.gr (8.11.6/8.11.6) id f87AZmK04397; Fri, 7 Sep 2001 13:35:49 +0300 (EEST) (envelope-from charon@labs.gr)
Date: Fri, 7 Sep 2001 13:35:48 +0300
From: Giorgos Keramidas
To: D J Hawkey Jr
Cc: steve@nomad.tor.lets.net, freebsd-security@FreeBSD.ORG
Subject: running very low on memory (was: Re:when mail full /tmp partition, system cracked)
Message-ID: <20010907133548.A3833@hades.hell.gr>
References: <20010906170731.A18984@sheol.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010906170731.A18984@sheol.localdomain>; from hawkeyd@visi.com on Thu, Sep 06, 2001 at 05:07:31PM -0500
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: D J Hawkey Jr
Subject: Re: when mail full /tmp partition, system cracked
Date: Thu, Sep 06, 2001 at 05:07:31PM -0500

> In article <20010906152832.A44174_nomad.lets.net@ns.sol.net>,
> steve@nomad.tor.lets.net writes:
> > On Thu, Sep 06, 2001 at 10:45:47AM -0300, Fernando Schapachnik wrote:
> >
> > What is supposed to happen is the largest process is supposed
> > to be killed if virtual memory is exhausted. There is a bug in
> > 4.3-RELEASE that prevents this from happening. The kernel hangs
> > before any processes get killed.
>
> Is "the largest process" selective, to some degree or another? That is,
> will it (can it?) discern a "more valuable" process from a "lesser one"?

Nope, it isn't. The 'largest' means just that. The largest.

But you're missing the point. The idea is to *not* reach this state
of memory being 'exhausted' by carefully setting up user limits.

If you start running so low on memory (and swap), there's not much
difference in killing one process or the other.

-giorgos

From owner-freebsd-security Fri Sep 7 5:42:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from breg.mc.mpls.visi.com (breg.mc.mpls.visi.com [208.42.156.101]) by hub.freebsd.org (Postfix) with ESMTP id D6F6637B403 for ; Fri, 7 Sep 2001 05:42:05 -0700 (PDT)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by breg.mc.mpls.visi.com (Postfix) with ESMTP id 0BFF62D06CE; Fri, 7 Sep 2001 07:42:05 -0500 (CDT)
Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f87Cg3w22421; Fri, 7 Sep 2001 07:42:03 -0500 (CDT) (envelope-from hawkeyd)
Date: Fri, 7 Sep 2001 07:42:03 -0500
From: D J Hawkey Jr
To: Giorgos Keramidas
Cc: steve@nomad.tor.lets.net, freebsd-security@FreeBSD.ORG
Subject: Re: running very low on memory (was: Re:when mail full /tmp partition, system cracked)
Message-ID: <20010907074203.A22380@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <20010906170731.A18984@sheol.localdomain> <20010907133548.A3833@hades.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010907133548.A3833@hades.hell.gr>; from charon@labs.gr on Fri, Sep 07, 2001 at 01:35:48PM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 07, at 01:35 PM, Giorgos Keramidas wrote:
>
> From: D J Hawkey Jr
> Subject: Re: when mail full /tmp partition, system cracked
> Date: Thu, Sep 06, 2001 at 05:07:31PM -0500
>
> > In article <20010906152832.A44174_nomad.lets.net@ns.sol.net>,
> > steve@nomad.tor.lets.net writes:
> > > On Thu, Sep 06, 2001 at 10:45:47AM -0300, Fernando Schapachnik wrote:
> > >
> > > What is supposed to happen is the largest process is supposed
> > > to be killed if virtual memory is exhausted. There is a bug in
> > > 4.3-RELEASE that prevents this from happening. The kernel hangs
> > > before any processes get killed.
> >
> > Is "the largest process" selective, to some degree or another? That is,
> > will it (can it?) discern a "more valuable" process from a "lesser one"?
>
> Nope, it isn't. The 'largest' means just that. The largest.
>
> But you're missing the point. The idea is to *not* reach this state
> of memory being 'exhausted' by carefully setting up user limits.

Agreed. But...

> If you start running so low on memory (and swap), there's not much
> difference in killing one process or the other.

...should it happen, and the choice was between a [larger] named and a
[smaller] lpd or ntpd, I'd rather either of the latter be killed (just as
an example).

Actually, in my mind, rather than this tack at all, I'd opt for simply not
spawning the task that brought on this condition to begin with (or is that
what happens with properly tuned user limits?).

> -giorgos

This thread is getting a bit off-topic for this mailing list, no? Let's
take it "off line" if we wish to continue.

SeeYa,
Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
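The victim selection that Steve described and that Giorgos and Dave then debated, as an added example that is not code from the thread or from FreeBSD's vm_pageout.c: a user-space model of the page daemon's "kill the largest process" walk, reproducing the skip conditions Steve quoted and adding his uid threshold as an option. The struct proc layout, the P_SYSTEM bit value, the uid cut-off and the sample process table are assumptions constructed for the example.

```c
/* Added example (not from the thread or from FreeBSD's vm_pageout.c): a
 * user-space model of the "kill the largest process" victim selection.
 * The skip conditions are the ones Steve quoted from sys/vm/vm_pageout.c;
 * the uid threshold is the extra filter he described.  struct proc, the
 * P_SYSTEM bit value and the sample table are assumptions. */
#include <stddef.h>

#define P_SYSTEM          0x00200   /* assumed bit: kernel-internal process, never a victim */
#define MIN_KILLABLE_UID  1000      /* Steve's "somenumber": only uids above this may be killed */

struct proc {
    int          p_pid;
    int          p_flag;
    int          p_lock;    /* >0 while the process is held in memory (e.g. being swapped) */
    unsigned int p_uid;
    size_t       p_size;    /* resident size in pages; "largest" is measured on this */
};

/*
 * Walk the process table and return the pid the page daemon would kill,
 * or -1 if nothing qualifies.  use_uid_limit != 0 enables Steve's filter.
 */
int select_victim(const struct proc *tab, size_t n, size_t vm_swap_size,
                  int use_uid_limit)
{
    int victim = -1;
    size_t biggest = 0;

    for (size_t i = 0; i < n; i++) {
        const struct proc *p = &tab[i];

        /* The exclusions quoted from vm_pageout.c: system processes,
         * locked processes, init, and the low pids while swap exists. */
        if ((p->p_flag & P_SYSTEM) || (p->p_lock > 0) || (p->p_pid == 1) ||
            ((p->p_pid < 48) && (vm_swap_size != 0)))
            continue;

        /* Steve's modification: trust everything at or below the uid cut-off. */
        if (use_uid_limit && p->p_uid <= MIN_KILLABLE_UID)
            continue;

        if (p->p_size > biggest) {
            biggest = p->p_size;
            victim = p->p_pid;
        }
    }
    return victim;
}

/* Constructed sample table (not a real process listing). */
const struct proc sample_procs[] = {
    {    1, 0,        0,    0,  100 },   /* init: always skipped */
    {    2, P_SYSTEM, 0,    0, 5000 },   /* pagedaemon-like kernel process */
    {   40, 0,        0,    0, 3000 },   /* early daemon, pid < 48 */
    {  200, 0,        0,   53, 2000 },   /* named, running as its own uid */
    {  300, 0,        0,    0,  200 },   /* lpd */
    { 1500, 0,        0, 1001, 1500 },   /* an ordinary user's job */
};
const size_t sample_nprocs = sizeof(sample_procs) / sizeof(sample_procs[0]);
```

With swap configured the stock rule picks named (pid 200, the largest eligible entry); with no swap the pid 40 daemon becomes eligible and is chosen instead; with Steve's filter on, every root and system-uid daemon is protected and only the user job (pid 1500) can be killed, which is the behaviour he describes for a system whose users already have resource limits.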
From owner-freebsd-security Fri Sep 7 9:09:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id CA45437B408 for ; Fri, 7 Sep 2001 09:09:45 -0700 (PDT)
Received: (from root@localhost) by mail.wlcg.com (8.11.6/8.11.6) id f87G9j280427 for freebsd-security@freebsd.org; Fri, 7 Sep 2001 12:09:45 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.6/8.11.6) with ESMTP id f87G9he80418 for ; Fri, 7 Sep 2001 12:09:44 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
X-Authentication-Warning: mail.wlcg.com: rsimmons owned process doing -bs
Date: Fri, 7 Sep 2001 12:09:39 -0400 (EDT)
From: Rob Simmons
To:
Subject: netbsd vulnerabilities
Message-ID: <20010907120248.V78071-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Is FreeBSD affected by either of the new vulnerabilities NetBSD just
released, 2001-015 and 2001-016?

2001-015 = "Insufficient checking of lengths passed from userland to
kernel."

2001-016 = "unsafe chdir usage in fts(3)."

Robert Simmons
Systems Administrator
http://www.wlcg.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7mPFHv8Bofna59hYRA7QZAJ9zOoQdhp6IRoQHeOo5EPa2cyzJaQCdGzYD
DFIFarA2CNGauwBeFB/yKvo=
=62OI
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Sep 7 10:32:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id C270837B401; Fri, 7 Sep 2001 10:32:25 -0700 (PDT)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f87HWNB23662; Fri, 7 Sep 2001 20:32:23 +0300 (EEST) (envelope-from ru)
Date: Fri, 7 Sep 2001 20:32:23 +0300
From: Ruslan Ermilov
To: security@FreeBSD.org
Cc: re@FreeBSD.org
Subject: Re: NetBSD Security Advisory 2001-015: Insufficient checking of lengths passed to kernel
Message-ID: <20010907203223.B20016@sunbay.com>
References: <20010906095742.A8644@mail.netbsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010906095742.A8644@mail.netbsd.org>; from security-officer@netbsd.org on Thu, Sep 06, 2001 at 09:57:42AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Oh, and we are vulnerable to this too. :-(
At least the semop() thing.

On Thu, Sep 06, 2001 at 09:57:42AM -0700, NetBSD Security Officer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> NetBSD Security Advisory 2001-015
> =================================
>
> Topic: Insufficient checking of lengths passed from userland to kernel
>
> Version: NetBSD-current: source prior to August 5, 2001
> NetBSD-1.5.1: affected
> NetBSD-1.5: affected
> NetBSD-1.4.*: affected
>
> Severity: Any local user can panic the system, and/or execute
> arbitrary code and gain root privileges.
>
> Fixed: NetBSD-current: August 5, 2001
> NetBSD-1.5 branch: August 16, 2001 (1.5.2 includes the fix)
>
>
> Abstract
> ========
>
> The problem for which NetBSD SA2001-011 was issued (``Insufficient
> msg_controllen checking for sendmsg(2)'') urged an audit of
> NetBSD code to look for similar issues in other parts of kernel.
>
> A number of issues were found. In a number of places lengths or
> sizes passed from userland were used by the kernel without sufficient
> checks.
>
> Most of the problems involved errors handling signed versus unsigned
> values, in some cases the code was not checking for negative values.
>
> The actual severity of these problems varies, and three different
> problem severity groups have been identified:
>
> 1. semop(2) - exploitable by any user for denial of service or
> to execute arbitrary kernel code
>
> 2. mount args - exploitable by any user for denial of service if
> user mounts are enabled (it's disabled by default on NetBSD 1.5
> and later)
>
> 3. some device ioctls - exploitable by any user with write access
> to appropriate device files (by default only root has write access
> on most device files)
>
> Technical Details
> =================
>
> The kernel function sys_semop() (which is the entry point for the
> semop(2) syscall) stores an unsigned argument 'nsops' in a local signed
> variable. If a user passes a sufficiently big 'nsops' value (>INT_MAX),
> the local signed variable ends up negative and passes the bound check.
> The value is then used for copyin() data from user memory to local array
> on the process's kernel stack. Since the number of bytes to copyin is
> computed as 'nsops * sizeof(struct sembuf)', this can be used to copy an
> almost arbitrary number of bytes from userland to the caller process's
> kernel stack due to int overflow. This can be exploited to cause a
> kernel trap, or call arbitrary kernel code. This can also be exploited
> to execute arbitrary code on architectures where stack memory is
> executable.
>
> NFS did not check the nfs file handle size. This could be exploited in
> a way similar to the semop(2) issue. Furthermore, NFS did not check the
> size of authenticator and verifier strings sufficiently. UMAPFS did not
> check the nentries and gnentries mount arguments.
> Generic code in kern/nfs_subr.c:vfs_hand_addrlist() did not properly
> bound check the specified size of export addresses; this code is
> used by all filesystems to handle exports. All these problems
> could be exploited to cause a panic.
>
> The following drivers had potentially exploitable weak checking in their
> ioctl(9) routines.
> These should be exploitable to cause a kernel
> panic. Some of these drivers are new on -current and don't exist
> in NetBSD/1.5.
>
> amiga: majority of graphic grf-like device drivers
> arm32: vidcvideo
> hpcmips: plumvideo
> macppc: ofb
> sparc: cgtwo, fb
> sun3: cg2, fb
> hpcsh: hd64461video
> machine-independent: coda, bt, mlx, pci/tga, tc/cfb, tc/mfb,
> tc/sfb, tc/tfb, tc/xcfb, tc/sfbplus, tc/stic,
> wsdisplay, wskbd, ccd, ppp, isdn
>
> The lfs_markv(2) system call did not check the blkcnt argument. This
> problem is exploitable to cause a panic. This system call is restricted
> to root only.
>
> Solutions and Workarounds
> =========================
>
> NetBSD official releases up to and including 1.5.1 are vulnerable.
> NetBSD 1.5.2 is NOT vulnerable.
>
> Kernel sources must be updated and a new kernel built and installed.
> Once the kernel sources have been updated, rebuild the kernel,
> install it, and reboot. For more information on how to do this,
> see:
> http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
> The instructions for updating your kernel sources depend upon which
> particular NetBSD release you are running.
>
>
> * NetBSD-current:
>
> Systems running NetBSD-current dated from before 2001-08-05
> should be upgraded to NetBSD-current dated 2001-08-06 or later.
>
> The following source directories need to be updated from
> the netbsd-current CVS branch (aka HEAD):
> src/sys/kern
> src/sys/miscfs/umapfs
> src/sys/ufs/lfs
> src/sys/nfs
> src/sys/dev
> src/sys/arch
>
>
> Alternatively, apply the following patch (with potential offset
> differences):
> ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-015-kernlen-current.patch
>
> To patch:
> # cd src/sys
> # patch < /path/to/SA2001-015-kernlen-current.patch
>
>
> * NetBSD 1.5, 1.5.1:
>
> Systems running NetBSD 1.5 dated from before 2001-08-16 should be
> upgraded from NetBSD 1.5 sources dated 2001-08-17 or later.
>
> The following source directory needs to be updated from the
> netbsd-1-5 CVS branch:
> src/sys/kern
> src/sys/miscfs/umapfs
> src/sys/nfs
> src/sys/dev
> src/sys/arch
>
>
> Alternatively, apply the following patch (with potential offset
> differences):
> ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-015-kernlen-1.5.patch
>
> To patch:
> # cd src/sys
> # patch < /path/to/SA2001-015-kernlen-1.5.patch
>
>
> * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
>
> At this time there are no fixes or patches available for
> the NetBSD 1.4 branch.
>
>
> Thanks To
> =========
>
> Jaromir Dolecek for copyin/malloc audit work.
>
> Konrad Schroder for review of LFS fix.
>
> Ken Ashcraft @ Stanford, Constantine Sapuntzakis and
> Frank van den Linden for finding and fixing
> the NFS file handle length problem.
>
> Andrew Doran for review of the mlx fix.
>
> Steve Woodford for review of sun3/vme and xd/xy driver changes,
> which turned out to not be necessary.
>
> Christos Zoulas for general feedback.
>
>
> Revision History
> ================
>
> 2001-09-06 Initial release
>
>
> More Information
> ================
>
> An up-to-date PGP signed copy of this release will be maintained at
> ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-015.txt.asc
>
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
> Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.
>
> $NetBSD: NetBSD-SA2001-015.txt,v 1.9 2001/09/06 13:52:31 lukem Exp $
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (NetBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBO5d/Gj5Ru2/4N2IFAQF9YAP/ckqmwEHQcuqaOiJ/XJw7zREJ6luIgp5j
> CLz0ahgcpFgbDe6QGUQBdouK4FlD6/uTAc4euJ9Dyiq0tVRty2U5yAbJPjOznv8r
> T72DjjK+HN4UDvnz+DRniC7upWzDjfEgdi/tb74sWKF/RA9e+3mk0Ecd4UzpmMrl
> CxH4j9XcqTI=
> =exNB
> -----END PGP SIGNATURE-----

--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-security Fri Sep 7 10:47:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from alpha.focalnetworks.net (alpha.focalnetworks.net [209.135.104.32]) by hub.freebsd.org (Postfix) with SMTP id C96C237B406 for ; Fri, 7 Sep 2001 10:47:39 -0700 (PDT)
Received: (qmail 92190 invoked by uid 1000); 7 Sep 2001 17:48:11 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 Sep 2001 17:48:11 -0000
Date: Fri, 7 Sep 2001 13:48:11 -0400 (EDT)
From: project10
To: Rob Simmons
Cc:
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010907120248.V78071-100000@mail.wlcg.com>
Message-ID: <20010907134719.S92125-100000@alpha.focalnetworks.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Rob,

I believe the fts(3) issue was resolved in an earlier issue -- I remember
applying the patch for it. It may, however, have been an unrelated issue.
I guess we'll just have to wait and see.

-Shawn

On Fri, 7 Sep 2001, Rob Simmons wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Is FreeBSD affected by either of the new vulnerabilities NetBSD just
> released, 2001-015 and 2001-016?
>
> 2001-015 = "Insufficient checking of lengths passed from userland to
> kernel."
>
> 2001-016 = "unsafe chdir usage in fts(3)."
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7mPFHv8Bofna59hYRA7QZAJ9zOoQdhp6IRoQHeOo5EPa2cyzJaQCdGzYD
> DFIFarA2CNGauwBeFB/yKvo=
> =62OI
> -----END PGP SIGNATURE-----
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Fri Sep 7 13:44:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id A9BDD37B405 for ; Fri, 7 Sep 2001 13:44:27 -0700 (PDT)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 5213E66D0A; Fri, 7 Sep 2001 13:44:27 -0700 (PDT)
Date: Fri, 7 Sep 2001 13:44:27 -0700
From: Kris Kennaway
To: Rob Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: netbsd vulnerabilities
Message-ID: <20010907134427.A55600@xor.obsecurity.org>
References: <20010907120248.V78071-100000@mail.wlcg.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="6TrnltStXW4iwmi0"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010907120248.V78071-100000@mail.wlcg.com>; from rsimmons@wlcg.com on Fri, Sep 07, 2001 at 12:09:39PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--6TrnltStXW4iwmi0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Sep 07, 2001 at 12:09:39PM -0400, Rob Simmons wrote:
> Is FreeBSD affected by either of the new vulnerabilities NetBSD just
> released, 2001-015 and 2001-016?
>
> 2001-015 = "Insufficient checking of lengths passed from userland to
> kernel."

I don't know about this one.. we may be. Someone will have to look into
it.

> 2001-016 = "unsafe chdir usage in fts(3)."

We fixed that one several months ago..they even credit us in the
advisory.
Kris

--6TrnltStXW4iwmi0
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7mTGqWry0BWjoQKURAnSJAJ9xpFQ+zOXLqCX68n2HXacfmNZFUgCdEO6u
ratoPAA4Fwc/LLX0o68S5oY=
=c7XR
-----END PGP SIGNATURE-----

--6TrnltStXW4iwmi0--

From owner-freebsd-security Fri Sep 7 14:10:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 49F7437B403 for ; Fri, 7 Sep 2001 14:10:29 -0700 (PDT)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id f87LAHH01030; Fri, 7 Sep 2001 17:10:17 -0400 (EDT) (envelope-from arr@watson.org)
Date: Fri, 7 Sep 2001 17:10:16 -0400 (EDT)
From: "Andrew R. Reiter"
To: Kris Kennaway
Cc: Rob Simmons, freebsd-security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010907134427.A55600@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 7 Sep 2001, Kris Kennaway wrote:
:
:I don't know about this one.. we may be. Someone will have to look
:into it.

In terms of -015 vuln from netbsd:

1) semop: -STABLE (44-RC from 8/28/01) seems to be vulnerable. If we look
at sys/kern/sysv_sem.c, we can see that we do:

int
semop(p, uap)
	struct proc *p;
	register struct semop_args *uap;
{
	int semid = uap->semid;
	int nsops = uap->nsops;

nsops, defined from the man page and sysproto.h semop_args structure, is
_unsigned_. So, I'd say we are vulnerable to #1.

Solution: make the local nsops variable unsigned (size_t might be better?)

2) still need to look into, will follow-up if no one else has when I look
into it

3) same as 2

hope this helps.

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|   to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Fri Sep 7 14:24:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id A0CD237B406 for ; Fri, 7 Sep 2001 14:24:19 -0700 (PDT)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id f87LOAd01147; Fri, 7 Sep 2001 17:24:10 -0400 (EDT) (envelope-from arr@watson.org)
Date: Fri, 7 Sep 2001 17:24:09 -0400 (EDT)
From: "Andrew R. Reiter"
To: Kris Kennaway
Cc: Rob Simmons, freebsd-security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010907134427.A55600@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

more...

in terms of #2 (nfs mount args), seems peter took in the patch late July
and it was MFC'd aug10 & 11.

and as for #3, I'm not sure, but I bet it's worth it for people familiar
with the drivers (especially machine independent pieces) to help out and
review the NetBSD patches and check out the code. Who's up?

andrew

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|   to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Sat Sep 8 2:39:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from aries.ai.net (aries.ai.net [205.134.163.4]) by hub.freebsd.org (Postfix) with ESMTP id 6B1CA37B409; Sat, 8 Sep 2001 02:39:39 -0700 (PDT)
Received: from blood (pool-138-88-72-170.res.east.verizon.net [138.88.72.170]) by aries.ai.net (8.9.3/8.9.3) with SMTP id FAA02736; Sat, 8 Sep 2001 05:47:23 -0400 (EDT) (envelope-from deepak@ai.net)
Reply-To:
From: "Deepak Jain"
To: , "freebsd-hackers@FreeBSD. ORG"
Subject: Kernel-loadable Root Kits
Date: Sat, 8 Sep 2001 05:43:41 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Short question:

Is there a way to prevent the kernel from allowing loadable modules?

Thought process --
---
With the advent of the kernel-loadable root kit, intrusion detection has
gotten a bit more complicated. Is there a _simple_ solution to detecting
the presence of a kernel-based root kit once it is running?

Scenario: System is violated, Root kit is installed, Root kit [binaries]
are deleted from the machine.

Solution: Reboot machine

How does one DETECT that the root kit is there in the first place to know
to reboot it?

Thanks,

Deepak Jain
AiNET

From owner-freebsd-security Sat Sep 8 2:45:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (sentinel.office1.bg [217.75.135.254]) by hub.freebsd.org (Postfix) with SMTP id 6568837B401 for ; Sat, 8 Sep 2001 02:45:52 -0700 (PDT)
Received: (qmail 9160 invoked by uid 1000); 8 Sep 2001 09:45:28 -0000
Date: Sat, 8 Sep 2001 12:45:28 +0300
From: Peter Pentchev
To: Deepak Jain
Cc: freebsd-security@freebsd.org, "freebsd-hackers@FreeBSD. ORG"
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908124528.D2176@ringworld.oblivion.bg>
Mail-Followup-To: Deepak Jain, freebsd-security@freebsd.org, "freebsd-hackers@FreeBSD. ORG"
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from deepak@ai.net on Sat, Sep 08, 2001 at 05:43:41AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Sep 08, 2001 at 05:43:41AM -0400, Deepak Jain wrote:
>
> Short question:
>
> Is there a way to prevent the kernel from allowing loadable modules?

Run your system in securelevel 1 or higher. See the init(8) manual page
and the kern_securelevel_enable and kern_securelevel variables in the
rc.conf(5) manual page.

G'luck,
Peter

--
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From owner-freebsd-security Sat Sep 8 3:44:04 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 99E2737B405 for ; Sat, 8 Sep 2001 03:44:00 -0700 (PDT)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id f88Ahn709170; Sat, 8 Sep 2001 06:43:50 -0400 (EDT) (envelope-from arr@watson.org)
Date: Sat, 8 Sep 2001 06:43:49 -0400 (EDT)
From: "Andrew R. Reiter"
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010907134427.A55600@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-1636531804-999945829=:9148"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.

--0-1636531804-999945829=:9148
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hey,

The attached code fixes the semop bug which is specified in the recent
NetBSD security announcement. I'm not positive about the naming scheme
wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
it u_int b/c I saw in sysproto.h that there seemed to be more u_int's
instead of size_t's :-) Great logic.

Btw, this was written for:

FreeBSD aitutaki 4.4-RC FreeBSD 4.4-RC #4: Sat Sep 8 00:38:48 PDT 2001
root@aitutaki:/usr/obj/usr/src/sys/GENERIC i386

Anyway, in terms of there being an exploit or not... From what we (eugene
t. and myself) did, basically we can cause the machine to panic and that's
about it. Seem to lose control over what occurs b/c we cause copyin to
copy 2gigs (iirc) of junk to kernel space... Guh.

Also, if you want to do a different patch than what was simply done in
what is attached, just keep in mind that nsops should be unsigned 32-bits.

Andrew

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|   to undertake the analysis of the obvious" -- A.N. Whitehead

--0-1636531804-999945829=:9148
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="semop-fix.patch"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:

[semop-fix.patch, decoded from BASE64; one byte is missing from the archived copy of the attachment and its place is marked <lost byte>]

--- kern/sysv_sem.c.orig	Sat Sep  8 03:11:21 2001
+++ kern/sysv_sem.c	Sat Sep  8 03:20:23 2001
@@ -672,7 +672,7 @@
 struct semop_args {
 	int	semid;
 	struct	sembuf *sops;
-	int	nsops;
+	u_int	nsops;
 };
 #endif
 
@@ -682,17 +682,18 @@
 	register struct semop_args *uap;
 {
 	int semid = uap->semid;
-	int nsops = uap->nsops;
+	u_int nsops = uap->nsops;
 	struct sembuf sops[MAX_SOPS];
 	register struct semid_ds *semaptr;
 	register struct sembuf *sopptr;
 	register struct sem *semptr;
 	struct sem_undo *suptr = NULL;
-	int i, j, eval;
+	u_int i, j;
+	int eval;
 	int do_wakeup, do_undos;
 
 #ifdef SEM_DEBUG
-	printf("call to semop(%d, 0x%x, %d)\n", semid, sops, nsops);
+	printf("call to semop(%d, 0x%x, %u)\n", semid, sops, nsops);
 #endif
 
 	if (!jail_sysvipc_allowed && p->p_prison != NULL)
@@ -718,14 +719,14 @@
 
 	if (nsops > MAX_SOPS) {
#ifdef SEM_DEBUG
-		printf("too many sops (max=%d, nsops=<lost byte>%d)\n", MAX_SOPS, nsops);
+		printf("too many sops (max=%d, nsops=%u)\n", MAX_SOPS, nsops);
 #endif
 		return(E2BIG);
 	}
 
 	if ((eval = copyin(uap->sops, &sops, nsops * sizeof(sops[0]))) != 0) {
 #ifdef SEM_DEBUG
-		printf("eval = %d from copyin(%08x, %08x, %d)\n", eval,
+		printf("eval = %d from copyin(%08x, %08x, %u)\n", eval,
 		    uap->sops, &sops, nsops * sizeof(sops[0]));
 #endif
 		return(eval);
--- sys/sem.h.orig	Sat Sep  8 03:21:08 2001
+++ sys/sem.h	Sat Sep  8 03:21:27 2001
@@ -101,7 +101,7 @@
 int semsys __P((int, ...));
 int semctl __P((int, int, int, ...));
 int semget __P((key_t, int, int));
-int semop __P((int, struct sembuf *,unsigned));
+int semop __P((int, struct sembuf *, u_int));
 __END_DECLS
 #endif /* !_KERNEL */
 

--0-1636531804-999945829=:9148--

From owner-freebsd-security Sat Sep 8 3:49:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 8737837B407 for ; Sat, 8 Sep 2001 03:49:30 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1192) id 82EB881D05; Sat, 8 Sep 2001 05:49:30 -0500 (CDT)
Date: Sat, 8 Sep 2001 05:49:30 -0500
From: Alfred Perlstein
To: "Andrew R. Reiter"
Cc: Kris Kennaway, security@freebsd.org
Subject: Re: netbsd vulnerabilities
Message-ID: <20010908054930.F2965@elvis.mu.org>
In-Reply-To: ; from arr@watson.org on Sat, Sep 08, 2001 at 06:43:49AM -0400

* Andrew R. Reiter [010908 05:44] wrote:
> Hey,
>
> The attached code fixes the semop bug which is specified in the recent
> NetBSD security announcement. I'm not positive about the naming scheme
> wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
> it u_int b/c i saw in sysproto.h that there seemed to be more u_int's
> instead of size_t's :-) Great logic.

Uh, why don't you just compare the int arg against 0, if it's less than
then just return EINVAL.
-Alfred

Date: Sat, 8 Sep 2001 05:52:27 -0500 (CDT)
Message-ID: <200109081052.f88AqRG30016@sheol.localdomain>
From: hawkeyd@visi.com (D J Hawkey Jr)
To: deepak@ai.net, freebsd-security@freebsd.org
Subject: Re: Kernel-loadable Root Kits

In article , deepak@ai.net writes:
>
> Short question:
>
> Is there a way to prevent the kernel from allowing loadable modules?

If you're dealing with a "fixed purpose" server, the kernel may not
need any KLD. On two of my servers, only blank_saver.ko is loaded,
and that could be eliminated too, by not using a screensaver.

> Thought process --
>
> With the advent of the kernel-loadable root kit, intrusion detection has
> gotten a bit more complicated. Is there a _simple_ solution to detecting the
> presence of a kernel-based root kit once it is running?
>
> Scenario:
>
> System is violated,
> Root kit is installed,
> Root kit [binaries] are deleted from the machine.
>
> Solution:
>
> Reboot machine

Rebooting won't necessarily fix anything. IIRC, one Linux rootkit
replaces a module with the backdoor. If the kernel needed that module
once, it'll need it again.

> How does one DETECT that the root kit is there in the first place to know to
> reboot it?

Tripwire.

> Thanks,
> Deepak Jain
> AiNET

Hope this helps,
Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
Date: Sat, 8 Sep 2001 07:24:16 -0400 (EDT)
From: "Andrew R. Reiter"
To: Alfred Perlstein
Cc: Kris Kennaway, security@freebsd.org
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010908054930.F2965@elvis.mu.org>

In defense of that, that'd work obviously, I was just going for the route
that best reflected the man page (and should therefore reflect how it is
used by a user). The man page states that nsops is unsigned... the sem.h
prototype states that, yet in semop_args and in the function, we
essentially make it signed. Checking for < 0 is a solution, but I guess I
was thinking more along the lines of getting that code a bit more cleaned
up. I just think it's minorly confusing that what a man page states,
really isn't... Either way will clear it up tho :-)

Andrew

On Sat, 8 Sep 2001, Alfred Perlstein wrote:

:* Andrew R. Reiter [010908 05:44] wrote:
:> Hey,
:>
:> The attached code fixes the semop bug which is specified in the recent
:> NetBSD security announcement. I'm not positive about the naming scheme
:> wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
:> it u_int b/c i saw in sysproto.h that there seemed to be more u_int's
:> instead of size_t's :-) Great logic.
:
:Uh, why don't you just compare the int arg against 0, if it's less than
:then just return EINVAL.
:
:-Alfred
:

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N.
Whitehead
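The signed-count problem the semop thread above turns on, as an added example that is not Andrew's patch and not FreeBSD kernel code: a stand-alone model of the check, showing why a negative nsops gets past `nsops > MAX_SOPS` and what byte count copyin() would then be asked for, beside the two fixes the thread proposes (an unsigned nsops, as in the attached patch, and Alfred's "reject negatives with EINVAL"). The MAX_SOPS value, the sembuf stand-in and the function names are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SOPS 5   /* name as in sysv_sem.c; the value here is assumed */

/* Stand-in for struct sembuf: only its size matters for the arithmetic below. */
struct sembuf_model {
    unsigned short sem_num;
    short          sem_op;
    short          sem_flg;
};

/*
 * Model of the check before the fix: nsops is a signed int (as in
 * semop_args at the time), so the only guard is the upper bound.
 * Returns 0 when the request would proceed to copyin(), else E2BIG.
 */
int semop_check_signed(int nsops)
{
    if (nsops > MAX_SOPS)   /* -1 > 5 is false, so negative counts pass */
        return E2BIG;
    return 0;
}

/* Byte count the signed variant hands to copyin(): nsops * sizeof(sops[0]). */
size_t semop_copylen_signed(int nsops)
{
    /* int * size_t converts nsops to size_t: -1 becomes SIZE_MAX before the multiply */
    return nsops * sizeof(struct sembuf_model);
}

/* Fix (a), the shape of the attached patch: make nsops unsigned throughout. */
int semop_check_unsigned(unsigned int nsops)
{
    if (nsops > MAX_SOPS)   /* what was -1 is now 4294967295 and is rejected */
        return E2BIG;
    return 0;
}

/* Fix (b), Alfred's suggestion: keep the signed type, reject negatives first. */
int semop_check_ranged(int nsops)
{
    if (nsops < 0)
        return EINVAL;
    if (nsops > MAX_SOPS)
        return E2BIG;
    return 0;
}

int main(void)
{
    int bad = -1;
    printf("signed check on %d: %s\n", bad,
           semop_check_signed(bad) == 0 ? "passes (bug)" : "rejected");
    printf("bytes copyin() would be asked for: %zu\n", semop_copylen_signed(bad));
    printf("unsigned check: %s\n",
           semop_check_unsigned((unsigned int)bad) == E2BIG ? "E2BIG" : "passes");
    printf("ranged check: %s\n",
           semop_check_ranged(bad) == EINVAL ? "EINVAL" : "passes");
    return 0;
}
```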
From: "Kristen Doyle"
To: "FreeBSD securit"
Subject: Remote Shell Trojan
Date: Sat, 8 Sep 2001 08:07:35 -0400

Can anyone say for certain if FreeBSD is affected either as a base system or
under linux compat? The description of the vuln is here:

http://www.qualys.com/alert/remoteshell.html

Date: Sat, 8 Sep 2001 14:17:00 +0200
From: Alexander Langer
To: D J Hawkey Jr
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908141700.A53738@fump.kawo2.rwth-aachen.de>
In-Reply-To: <200109081052.f88AqRG30016@sheol.localdomain>

Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> If you're dealing with a "fixed purpose" server, the kernel may not
> need any KLD. On two of my servers, only blank_saver.ko is loaded,
> and that could be eliminated too, by not using a screensaver.

This still lets you load own kernel modules.

And from what I've heard, there are also ways to load kernel modules
if securelevel > 1, though I can't imagine, how.

Alex

Date: Sat, 8 Sep 2001 07:25:42 -0500
From: D J Hawkey Jr
To: Alexander Langer
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908072542.A57605@sheol.localdomain>
In-Reply-To: <20010908141700.A53738@fump.kawo2.rwth-aachen.de>

On Sep 08, at 02:17 PM, Alexander Langer wrote:
>
> Thus spake D J Hawkey Jr (hawkeyd@visi.com):
>
> > If you're dealing with a "fixed purpose" server, the kernel may not
> > need any KLD. On two of my servers, only blank_saver.ko is loaded,
> > and that could be eliminated too, by not using a screensaver.
>
> This still lets you load own kernel modules.

Not if you blow away the /modules directory (note that I haven't tried
this).

> And from what I've heard, there are also ways to load kernel modules
> if securelevel > 1, though I can't imagine, how.

Don't know.

> Alex

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

Date: Sat, 8 Sep 2001 14:32:31 +0200
From: Alexander Langer
To: D J Hawkey Jr
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908143231.A53801@fump.kawo2.rwth-aachen.de>
In-Reply-To: <20010908072542.A57605@sheol.localdomain>

Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> > This still lets you load own kernel modules.
> Not if you blow away the /modules directory (note that I haven't tried
> this).

/me hands Dave a decent C compiler and some C h0h0magic.

Alex

Date: Sat, 8 Sep 2001 07:44:45 -0500
From: D J Hawkey Jr
To: Alexander Langer
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908074445.A77252@sheol.localdomain>
In-Reply-To: <20010908143231.A53801@fump.kawo2.rwth-aachen.de>

On Sep 08, at 02:32 PM, Alexander Langer wrote:
>
> Thus spake D J Hawkey Jr (hawkeyd@visi.com):
>
> > > This still lets you load own kernel modules.
> > Not if you blow away the /modules directory (note that I haven't tried
> > this).
>
> /me hands Dave a decent C compiler and some C h0h0magic.

I didn't write "build the kernel without it".

As I wrote, I hadn't tried it. I take it one cannot remove that tree,
even after seeing that the kernel doesn't need it? I'm meaning run-time
here, not build-time.

> Alex

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
Date: Sat, 8 Sep 2001 05:44:58 -0700
From: Kris Kennaway
To: Kristen Doyle
Cc: FreeBSD securit
Subject: Re: Remote Shell Trojan
Message-ID: <20010908054458.A68778@xor.obsecurity.org>
In-Reply-To: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com>

On Sat, Sep 08, 2001 at 08:07:35AM -0400, Kristen Doyle wrote:
> Can anyone say for certain if FreeBSD is affected either as a base system or
> under linux compat
>
> the description of the vuln is here
> http://www.qualys.com/alert/remoteshell.html

You could do something like this under almost any operating system
including FreeBSD. It doesn't exploit a security vulnerability per
se, it relies on being introduced into the system in another manner.
Kris

Date: Sat, 8 Sep 2001 16:24:23 +0200 (CEST)
From: Krzysztof Zaraska
To: D J Hawkey Jr
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
In-Reply-To: <200109081052.f88AqRG30016@sheol.localdomain>

On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
> > System is violated,
> > Root kit is installed,
> > Root kit [binaries] are deleted from the machine.
> >
> > Solution:
> >
> > Reboot machine
>
> Rebooting won't necessarily fix anything. IIRC, one Linux rootkit
> replaces a module with the backdoor. If the kernel needed that module
> once, it'll need it again.

It will fix if the trojan module is removed. See below.

> > How does one DETECT that the root kit is there in the first place to know to
> > reboot it?
>
> Tripwire.

Not straightforward. Scenario described above suggested doing something
like

# kldload trojan.ko && rm /modules/trojan.ko

So the only alert you may get from tripwire is that ctime of /modules is
changed. However, I was able to do that:

lhotse# kldstat
Id Refs Address    Size     Name
 1    2 0xc0100000 21e4f4   kernel
 2    1 0xc0784000 12000    linux.ko
lhotse# cp /modules/warp_saver.ko /tmp
lhotse# kldload /tmp/warp_saver.ko
lhotse# kldstat
Id Refs Address    Size     Name
 1    3 0xc0100000 21e4f4   kernel
 2    1 0xc0784000 12000    linux.ko
 3    1 0xc0832000 2000     warp_saver.ko

So it's possible to load a kernel module not located under
/modules. So if attacker does

# kldload /tmp/trojan.ko && rm /tmp/trojan.ko

tripwire won't find anything.

I think the original question was: how to find a trojaned module in
memory if there's no relevant binary on disk?

However, in case of deleting module binary a reboot removes the root kit
and assuming that no other changes to system were made effectively locks
attacker out.
Also, someone doing kldstat could see the trojan (if it's
not stealth). So this attack scenario is useful only if:

(i) machine has long uptime (no power failures etc.)
(ii) no one does kldstat (assuming module is not stealth)

Condition (ii) may be simply eliminated by adding kldstat to /etc/security.

We may also consider adding a feature to kldload to load only modules
from under /modules but I'm afraid this may be circumvented by attacker
fetching her own kldload. A better way would be to implement an
appropriate lock in kernel code but I don't know if it's possible.

As for the question of locating the trojan code in memory my (unverified
and possibly not implementable since I'm not a kernel hacker) idea is:
read the module code by /proc or otherwise, fill all data area with 0's
and compare MD5 checksums. Tripwire for running binaries ;)

All comments welcome.

Regards,
Kris

Date: Sat, 8 Sep 2001 16:48:00 +0200
From: Alexander Langer
To: Krzysztof Zaraska
Cc: D J Hawkey Jr, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908164800.A54141@fump.kawo2.rwth-aachen.de>
In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Sat, Sep 08, 2001 at 04:24:23PM +0200

Thus spake Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl):
> # kldload trojan.ko && rm /modules/trojan.ko

No need to rm it. You can manipulate the ufs vnode layer to hide this
file. See http://www.r4k.net/mod/

> So the only alert you may get from tripwire is that ctime of /modules is
> changed.

see above.

> I think the original question was: how to find a trojaned module in
> memory if there's no relevant binary on disk?

Write a module that checksums the relevant parts of kernel, the
linker_file list and similar in-kernel stuff (e.g. accesses to all
functions that are needed to load the trojan module). Be sure to hide
this module as well. If an attacker isn't aware of such a module, he
won't try to circumvent it. If he's aware, it's still hard to find and
circumvent it, before his trojan module got loaded. It's even harder if
he doesn't know what internal functions and data structures your module
uses, so be sure to write your own :)

> We may also consider adding a feature to kldload to load only modules
> from under /modules but I'm afraid this may be circumvented by attacker
> fetching her own kldload.

You can still use /dev/mem.
Oh, and if you are able to load a module in securelevel >= 1 mode, you
are probably also able to tell kldload to load from other paths :)

Alex

Date: Sat, 8 Sep 2001 18:15:37 +0300
From: Peter Pentchev
To: D J Hawkey Jr
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908181537.A840@ringworld.oblivion.bg>
In-Reply-To: <20010908074445.A77252@sheol.localdomain>

On Sat, Sep 08, 2001 at 07:44:45AM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 02:32 PM, Alexander Langer wrote:
> >
> > Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> >
> > > > This still lets you load own kernel modules.
> > > Not if you blow away the /modules directory (note that I haven't tried
> > > this).
> >
> > /me hands Dave a decent C compiler and some C h0h0magic.
>
> I didn't write "build the kernel without it".
>
> As I wrote, I hadn't tried it. I take it one cannot remove that tree,
> even after seeing that the kernel doesn't need it? I'm meaning run-time
> here, not build-time.

I believe that what Alex meant is that you can simulate kldload(8)'s
functionality in a little C program of your own. Even more than that,
kldload(8) itself allows you to specify a full path to a module, not just
a filename, so even if you blow away the /modules directory, J. Random
Luser can still 'kldload /var/tmp/rkit.kld'.

Yes, you can remove /modules; no, that does not gain you any safety.
G'luck,
Peter

--
This sentence every third, but it still comprehensible.

Date: Sat, 8 Sep 2001 16:53:05 +0200 (CEST)
From: Krzysztof Zaraska
To: Kris Kennaway
Cc: Kristen Doyle, FreeBSD securit
Subject: Re: Remote Shell Trojan
In-Reply-To: <20010908054458.A68778@xor.obsecurity.org>

On Sat, 8 Sep 2001, Kris Kennaway wrote:
> On Sat, Sep 08, 2001 at 08:07:35AM -0400, Kristen Doyle wrote:
> > Can anyone say for certain if FreeBSD is affected either as a base system or
> > under linux compat
> >
> > the description of the vuln is here
> > http://www.qualys.com/alert/remoteshell.html
>
> You could do something like this under almost any operating system
> including FreeBSD. It doesn't exploit a security vulnerability per
> se, it relies on being introduced into the system in another manner.

This is true, however let's consider the following scenario:

1. we have a FreeBSD machine with Linux binary support loaded
2. someone runs the trojaned binary
3. if it turns out to work it will try to infect stuff under /bin. If it
   was run by root (improbable) it may succeed.

However I don't think a hybrid of FreeBSD software and Linux viral code
would work. IMHO the infection attempt would rather corrupt each affected
file than let the virus spread. So we may end up with garbage in /bin and
nothing more. Things may however turn out to be more complicated if there
are Linux binaries on the machine and virus finds them.

Unfortunately I don't have any expendable FreeBSD machine to confirm my
suspicions.
Date: Sat, 8 Sep 2001 10:22:11 -0500
From: D J Hawkey Jr
To: Krzysztof Zaraska
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908102211.A77764@sheol.localdomain>
Reply-To: hawkeyd@visi.com
In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Sat, Sep 08, 2001 at 04:24:23PM +0200

On Sep 08, at 04:24 PM, Krzysztof Zaraska wrote:
>
> On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
>
> > > System is violated,
> > > Root kit is installed,
> > > Root kit [binaries] are deleted from the machine.
> > >
> > > Solution:
> > >
> > > Reboot machine
> >
> > Rebooting won't necessarily fix anything. IIRC, one Linux rootkit
> > replaces a module with the backdoor. If the kernel needed that module
> > once, it'll need it again.
>
> It will fix if the trojan module is removed. See below.

Well, "replaced" might be better phrasing, no? If the kernel needed it (as opposed to a user loading it), chances are it'll want it again.

> > > How does one DETECT that the root kit is there in the first place to know to
> > > reboot it?
> >
> > Tripwire.
>
> Not straightforward. Scenario described above suggested doing something
> like
>
> # kldload trojan.ko && rm /modules/trojan.ko
>
> So the only alert you may get from tripwire is that ctime of /modules is
> changed.

That'd raise my short-hairs; that tree ought to be [completely?] static.
> However, I was able to do that:
> lhotse# kldstat
> Id Refs Address    Size     Name
>  1    2 0xc0100000 21e4f4   kernel
>  2    1 0xc0784000 12000    linux.ko
> lhotse# cp /modules/warp_saver.ko /tmp
> lhotse# kldload /tmp/warp_saver.ko
> lhotse# kldstat
> Id Refs Address    Size     Name
>  1    3 0xc0100000 21e4f4   kernel
>  2    1 0xc0784000 12000    linux.ko
>  3    1 0xc0832000 2000     warp_saver.ko
>
> So it's possible to load a kernel module not located under
> /modules. So if attacker does
>
> # kldload /tmp/trojan.ko && rm /tmp/trojan.ko
>
> tripwire won't find anything.

Except for a ctime change on /tmp (or wherever), you're right.

> I think the original question was: how to find a trojaned module in
> memory if there's no relevant binary on disk?
>
> However, in case of deleting module binary a reboot removes the root kit
> and assuming that no other changes to system were made effectively locks
> attacker out. Also, someone doing kldstat could see the trojan (if it's
> not stealth). So this attack scenario is useful only if:
>
> (i) machine has long uptime (no power failures etc.)
> (ii) no one does kldstat (assuming module is not stealth)
>
> Condition (ii) may be simply eliminated by adding kldstat to /etc/security.

Again, true enough. I've added quite a bit of stuff to /etc/security.

> We may also consider adding a feature to kldload to load only modules
> from under /modules but I'm afraid this may be circumvented by attacker
> fetching her own kldload. A better way would be to implement an
> appropriate lock in kernel code but I don't know if it's possible.

The first pro'lly isn't worth the effort.

You lost me with the last bit; a lock to determine or do what, prevent userland 'kldload's? This would seem to be a Good Thing(tm), but how do you lock the lock - or would this be a kernel build-time option?
If I'm with you, it seems to me you'd also have to see that the kernel loads all the modules at boot that it would need to fulfill all runtime requirements, too, else it may load a trojan in the course of uptime. Either that, or build 'em into the kernel.

> As for the question of locating the trojan code in memory my (unverified
> and possibly not implementable since I'm not a kernel hacker) idea is:
> read the module code by /proc or otherwise, fill all data area with 0's
> and compare MD5 checksums.

Compare against what, and when? I don't follow you here, either.

> Tripwire for running binaries ;)
>
> All comments welcome.

If 'kldload' logs [via syslogd], most of this activity would be traceable. Now, most crackers will sanitize the log(s), but that might leave tell-tale holes in time, too. One could log remotely, to [help] keep log integrity.

All in all, it seems to me a kernel that needs no KLD modules, and denies all KLD loading, would be the easiest and most effective solution.

> Regards,
> Kris

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Sat Sep 8 8:28:22 2001
Date: Sat, 8 Sep 2001 10:28:16 -0500
From: D J Hawkey Jr
To: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908102816.B77764@sheol.localdomain>
Reply-To: hawkeyd@visi.com
In-Reply-To: <20010908181537.A840@ringworld.oblivion.bg>; from roam@ringlet.net on Sat, Sep 08, 2001 at 06:15:37PM +0300

On Sep 08, at 06:15 PM, Peter Pentchev wrote:
>
> On Sat, Sep 08, 2001 at 07:44:45AM -0500, D J Hawkey Jr wrote:
> > On Sep 08, at 02:32 PM, Alexander Langer wrote:
> > >
> > > Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> > >
> > > > > This still lets you load own kernel modules.
> > > >
> > > > Not if you blow away the /modules directory (note that I haven't tried
> > > > this).
> > >
> > > /me hands Dave a decent C compiler and some C h0h0magic.
> >
> > I didn't write "build the kernel without it".
> >
> > As I wrote, I hadn't tried it. I take it one cannot remove that tree,
> > even after seeing that the kernel doesn't need it? I'm meaning run-time
> > here, not build-time.
>
> I believe that what Alex meant is that you can simulate kldload(8)'s
> functionality in a little C program of your own. Even more than that,
> kldload(8) itself allows you to specify a full path to a module,
> not just a filename, so even if you blow away the /modules directory,
> J. Random Luser can still 'kldload /var/tmp/rkit.kld'.
>
> Yes, you can remove /modules; no, that does not gain you any safety.

Kris addressed this, too, and yes, you're both right.

Q: Can the kernel be "forced" to load a module from within itself? That is, does a cracker need to be in userland?

> G'luck,
> Peter

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Sat Sep 8 8:37:54 2001
Date: Sat, 8 Sep 2001 18:37:28 +0300
From: Peter Pentchev
To: D J Hawkey Jr
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908183728.D840@ringworld.oblivion.bg>
In-Reply-To: <20010908102816.B77764@sheol.localdomain>; from hawkeyd@visi.com on Sat, Sep 08, 2001 at 10:28:16AM -0500

On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 06:15 PM, Peter Pentchev wrote:
> >
> > On Sat, Sep 08, 2001 at 07:44:45AM -0500, D J Hawkey Jr wrote:
> > > On Sep 08, at 02:32 PM, Alexander Langer wrote:
> > > >
> > > > Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> > > >
> > > > > > This still lets you load own kernel modules.
> > > > >
> > > > > Not if you blow away the /modules directory (note that I haven't tried
> > > > > this).
> > > >
> > > > /me hands Dave a decent C compiler and some C h0h0magic.
> > >
> > > I didn't write "build the kernel without it".
> > >
> > > As I wrote, I hadn't tried it. I take it one cannot remove that tree,
> > > even after seeing that the kernel doesn't need it? I'm meaning run-time
> > > here, not build-time.
> >
> > I believe that what Alex meant is that you can simulate kldload(8)'s
> > functionality in a little C program of your own.
> > Even more than that,
> > kldload(8) itself allows you to specify a full path to a module,
> > not just a filename, so even if you blow away the /modules directory,
> > J. Random Luser can still 'kldload /var/tmp/rkit.kld'.
> >
> > Yes, you can remove /modules; no, that does not gain you any safety.
>
> Kris addressed this, too, and yes, you're both right.
>
> Q: Can the kernel be "forced" to load a module from within itself? That
> is, does a cracker need to be in userland?

Yes, certainly; all kldload(8) does is invoke the kldload(2) syscall, nothing more, nothing userspace-magical. All a kernel routine needs to do is either invoke that syscall, or call the internal kernel functions that kldload(2) calls, like e.g. linker_find_file_by_name() and linker_load_file() in sys/kern/kern_linker.c

G'luck,
Peter

--
This sentence would be seven words long if it were six words shorter.

From owner-freebsd-security Sat Sep 8 8:44:36 2001
Date: Sat, 8 Sep 2001 16:44:27 +0100 (BST)
From: freebsd-security@rikrose.net
To: D J Hawkey Jr
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
In-Reply-To: <20010908102211.A77764@sheol.localdomain>

On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
> You lost me with the last bit; a lock to determine or do what, prevent
> userland 'kldload's? This would seem to be a Good Thing(tm), but how do
> [snippage]
> requirements, too, else it may load a trojan in the course of uptime.
> Either that, or build 'em into the kernel.

I came from the Linux world not so long ago, and I used to use the LIDS kernel patch (www.lids.org). They seemed to have solved the problem under Linux (or, at least something similar...)

Amongst the particularly cunning things it provided was a way of stopping modules from being loaded, unless you were authenticated to the system. This was done with another password hash (a doubly hashed RIPE-MD160, iirc). Once you had authenticated, you could then claim back certain privileges, such as the ability to change the close, the routing table, the firewall rules, or to insert modules into the kernel. These abilities were bestowed upon the login shell you ran the command-line tool from, and all of its descendants, until either you used the tool to close the session (it was termed a LIDS Free Session), or you shut the shell down.

At the time I used it, it was not possible to change the capability set of programs that were already running. If you started a program in a LIDS Free Session, then whatever capabilities it had when you started it stayed with it.

Another nice feature was that you could protect certain files (or the contents of a whole directory) from being changed. A sort of noschg.
The twist was that you could also instruct the kernel not to run any programs that were unprotected. Again, one of the capabilities that you could get in a LIDS Free Session was the ability to change/overwrite the protected files and the protected files list. This would be handy for, say installing a new kernel (something I actually don't know how to do on a remote machine not running in runlevel -1 or 0. Good job all my machines are local right now. Can someone tell me how in a message not to the list, please?).

It was a great tool, but a bit of a PITA to set up. That's just due to lack of development, and more trying to achieve functionality, and.. uh.. not writing documentation :)

rik

From owner-freebsd-security Sat Sep 8 8:53:23 2001
Date: Sat, 8 Sep 2001 10:53:08 -0500
From: D J Hawkey Jr
To: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908105308.A78138@sheol.localdomain>
Reply-To: hawkeyd@visi.com
In-Reply-To: <20010908183728.D840@ringworld.oblivion.bg>; from roam@ringlet.net on Sat, Sep 08, 2001 at 06:37:28PM +0300

On Sep 08, at 06:37 PM, Peter Pentchev wrote:
>
> > Q: Can the kernel be "forced" to load a module from within itself? That
> > is, does a cracker need to be in userland?
>
> Yes, certainly; all kldload(8) does is invoke the kldload(2) syscall,
> nothing more, nothing userspace-magical.
> All a kernel routine needs to do is either invoke that syscall, or
> call the internal kernel functions that kldload(2) calls, like e.g.
> linker_find_file_by_name() and linker_load_file() in sys/kern/kern_linker.c

Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading altogether, it should be a build-time option, and it should have nothing to over-ride this.

Or am I still being too simplistic? I haven't been using KLD- or LKM- aware systems very long (~one year), but so far I've had little use for them (the modules). I get a box, I configure the kernel to it, and that's that. If the box changes, I build a new kernel. At least for the servers I've set up, this works fine.
Now, a development or users' box, well...

> G'luck,
> Peter

You too,
Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Sat Sep 8 10:15:46 2001
Date: Sun, 9 Sep 2001 03:14:37 +1000 (EST)
From: Bruce Evans
To: Alfred Perlstein
Cc: "Andrew R. Reiter", Kris Kennaway
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010908054930.F2965@elvis.mu.org>
Message-ID: <20010909030758.B48694-100000@alphplex.bde.org>

On Sat, 8 Sep 2001, Alfred Perlstein wrote:

> * Andrew R. Reiter [010908 05:44] wrote:
> > Hey,
> >
> > The attached code fixes the semop bug which is specified in the recent
> > NetBSD security announcement. I'm not positive about the naming scheme
> > wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
> > it u_int b/c I saw in sysproto.h that there seemed to be more u_int's
> > instead of size_t's :-) Great logic.
>
> Uh, why don't you just compare the int arg against 0, if it's less than
> then just return EINVAL.

The API apparently specified that it is unsigned (I checked the Linux version). And don't use the hack of type punning the unsigned to int (this part already happens) and checking for the int being less than 0 (this check is missing). We already use the hack of type punning an int to an unsigned in too many places (readv, writev, ...).

Bruce

From owner-freebsd-security Sat Sep 8 10:17:05 2001
Date: Sat, 8 Sep 2001 12:17:02 -0500
From: Alfred Perlstein
To: Bruce Evans
Cc: "Andrew R. Reiter", Kris Kennaway, security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
Message-ID: <20010908121702.H2965@elvis.mu.org>
In-Reply-To: <20010909030758.B48694-100000@alphplex.bde.org>; from bde@zeta.org.au on Sun, Sep 09, 2001 at 03:14:37AM +1000

* Bruce Evans [010908 12:15] wrote:
> On Sat, 8 Sep 2001, Alfred Perlstein wrote:
>
> > * Andrew R. Reiter [010908 05:44] wrote:
> > > Hey,
> > >
> > > The attached code fixes the semop bug which is specified in the recent
> > > NetBSD security announcement. I'm not positive about the naming scheme
> > > wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
> > > it u_int b/c I saw in sysproto.h that there seemed to be more u_int's
> > > instead of size_t's :-) Great logic.
> >
> > Uh, why don't you just compare the int arg against 0, if it's less than
> > then just return EINVAL.
>
> The API apparently specified that it is unsigned (I checked the Linux
> version). And don't use the hack of type punning the unsigned to int
> (this part already happens) and checking for the int being less than 0
> (this check is missing). We already use the hack of type punning an
> int to an unsigned in too many places (readv, writev, ...).

Wait, don't check against < 0? Ok, then how do we fix it?

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.'
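Bruce's point about type punning, shown as an added illustration that is not code from this thread or from FreeBSD's semaphore implementation: a hypothetical count check written the punned way and the declared-type way. MAX_OPS, struct op and the function names are constructed for the example.

```c
/*
 * Added example, not code from the thread or from FreeBSD's semaphore
 * implementation: a hypothetical count validation written the "punned"
 * way Bruce objects to and the "use the correct type" way.  MAX_OPS and
 * struct op are constructed stand-ins for illustration only.
 */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_OPS 100                 /* constructed per-call upper bound */

struct op { unsigned short num; short val; short flg; };  /* stand-in record */

/*
 * Fragile: the caller's unsigned count has been punned to int, and only an
 * upper bound is checked.  UINT_MAX arrives here as -1, which is not greater
 * than MAX_OPS, so the check passes and the byte count wraps to a huge
 * value.  Adding "nsops < 0" would paper over it, but the punning remains.
 */
int punned_count_check(int nsops, size_t *bytes)
{
    if (nsops > MAX_OPS)
        return EINVAL;
    *bytes = (size_t)nsops * sizeof(struct op);
    return 0;
}

/*
 * Correct: take the count in its declared unsigned type.  There is no
 * negative range to guard separately; one upper-bound comparison rejects
 * every out-of-range value, including the one that punned to -1 above.
 */
int typed_count_check(unsigned int nsops, size_t *bytes)
{
    if (nsops > MAX_OPS)
        return EINVAL;
    *bytes = (size_t)nsops * sizeof(struct op);
    return 0;
}

int main(void)
{
    size_t bytes = 0;
    /* -1 is what a caller's UINT_MAX looks like after punning to int. */
    int rc = punned_count_check(-1, &bytes);
    printf("punned: rc=%d bytes=%zu (accepted, huge)\n", rc, bytes);
    rc = typed_count_check(UINT_MAX, &bytes);
    printf("typed:  rc=%d (EINVAL=%d, rejected)\n", rc, EINVAL);
    return 0;
}
```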
From owner-freebsd-security Sat Sep 8 11:10:35 2001
Date: Sat, 8 Sep 2001 20:07:14 +0200 (CEST)
From: Krzysztof Zaraska
To: D J Hawkey Jr
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
In-Reply-To: <20010908102211.A77764@sheol.localdomain>

On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
> On Sep 08, at 04:24 PM, Krzysztof Zaraska wrote:
[...]
> Except for a ctime change on /tmp (or wherever), you're right.

But activity in /tmp is normal and will be ignored by tripwire, right?

[...]
> > attacker out. Also, someone doing kldstat could see the trojan (if it's
> > not stealth). So this attack scenario is useful only if:
> >
> > (i) machine has long uptime (no power failures etc.)
> > (ii) no one does kldstat (assuming module is not stealth)
> >
> > Condition (ii) may be simply eliminated by adding kldstat to /etc/security.
>
> Again, true enough.

It came to me later that a skilled attacker may create a trojaned version of some real module, say linux.ko and play with me like that:

# kldunload linux.ko
# kldload /tmp/linux.ko
# rm /tmp/linux.ko

If the trojaned module has _exactly_ the same length as original it will not be detectable with kldstat. But this may be somewhat difficult to achieve. Anyhow, doing kldstat in /etc/security every night and checking the results won't hurt you :).

> I've added quite a bit of stuff to /etc/security.

If it doesn't affect your security will you tell us what checks you recommend?

> > We may also consider adding a feature to kldload to load only modules
> > from under /modules but I'm afraid this may be circumvented by attacker
> > fetching her own kldload. A better way would be to implement an
> > appropriate lock in kernel code but I don't know if it's possible.
>
> The first pro'lly isn't worth the effort.
>
> You lost me with the last bit; a lock to determine or do what, prevent
> userland 'kldload's? This would seem to be a Good Thing(tm), but how do
> you lock the lock - or would this be a kernel build-time option?

A kernel option that would do some extra checks with kldload(2) or underlying functions. For example, the simplest thing would be to make sure that the module is loaded from under /modules, since that tree is static and watched by tripwire as you said. Or, something LIDS-like.

Or, the M$ way: check the cryptographic signature of the module (IIRC they sign drivers). You build the kernel and modules at one time usually. You generate a new key pair, sign all the binaries, build the public key into the kernel and destroy the secret key (or store it on the floppy and keep in safe, but remove it from the protected machine). If someone tries to load module with incorrect signature the module is rejected. If you (=the sysadmin) want to add a new driver you use your key kept in safe or you rebuild the whole system in case you destroyed the key. The attacker does not have access to the secret key so she'd have to do a complete kernel rebuild and system restart. And something like that would leave lots of traces. Since all keys in this scheme may be one-time, the danger of secret key theft may be eliminated. Of course cryptographically verifying modules would eat some time, but you don't load them all the time. And I think this idea would be possible to implement.

> > As for the question of locating the trojan code in memory my (unverified
> > and possibly not implementable since I'm not a kernel hacker) idea is:
> > read the module code by /proc or otherwise, fill all data area with 0's
> > and compare MD5 checksums.
>
> Compare against what, and when? I don't follow you here, either.

Okay. You have code in executable (module) file and code in memory.
These should be the same, since IIRC code is first loaded from file to memory and then executed and code pages are locked read-only. At build time you calculate hash of the code in the file and store into database. Then at runtime you read the process/module/kernel code from RAM and compare it against the file on disk (which is watched by tripwire anyhow) or calculate the hash and compare against build-time database.

> All in all, it seems to me a kernel that needs no KLD modules, and denies
> all KLD loading, would be the easiest and most effective solution.

Definitely. However, I can see an exception. At least in Linux world (where I come from ;)) some time ago there were proprietary device drivers (sound cards, IIRC) distributed as compiled modules. So you needed module support. There may be a similar situation in the future, that say some SuperHardware Inc. releases its new 10Gbit ethernet adapter giving away the compiled drivers as modules and not releasing the source code nor the hardware specifications. In this case you need module support, at least at boot time.

Kris

From owner-freebsd-security Sat Sep 8 11:25:34 2001
Date: Sat, 8 Sep 2001 14:25:20 -0400 (EDT)
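The nightly kldstat comparison Kris proposes above for /etc/security, written out as an added example that is not code from the thread or a FreeBSD utility. It assumes a saved baseline listing; both listings here are constructed from the lhotse kldstat output quoted earlier in the thread, and the function names are the example's own.

```c
/*
 * Added example (not from the thread, not a FreeBSD tool): compare a saved
 * kldstat(8) listing against a fresh one and report modules that appeared,
 * disappeared or changed size.  A real /etc/security hook would read the
 * baseline from a file and run kldstat for the current listing.
 */
#include <stdio.h>
#include <string.h>

#define MAX_MODS 64
#define NAME_LEN 64

struct mod { int id, refs; unsigned long addr, size; char name[NAME_LEN]; };

/* Parse "Id Refs Address Size Name" lines; the header line fails the
 * numeric conversions and is skipped. Returns the number of modules. */
static int parse_kldstat(const char *text, struct mod *mods, int max)
{
    int n = 0;
    const char *p = text;

    while (*p != '\0' && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        struct mod m;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%d %d %lx %lx %63s",
                   &m.id, &m.refs, &m.addr, &m.size, m.name) == 5)
            mods[n++] = m;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

static const struct mod *find_mod(const struct mod *mods, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(mods[i].name, name) == 0)
            return &mods[i];
    return NULL;
}

/*
 * Returns the number of findings (0 = nothing to report) and prints one
 * line per finding, as a nightly security report would.  As noted in the
 * thread, a replacement module of exactly the original's size is not
 * distinguished by this comparison.
 */
int check_modules(const char *baseline_txt, const char *current_txt)
{
    struct mod base[MAX_MODS], cur[MAX_MODS];
    int nb = parse_kldstat(baseline_txt, base, MAX_MODS);
    int nc = parse_kldstat(current_txt, cur, MAX_MODS);
    int findings = 0;

    for (int i = 0; i < nc; i++) {
        const struct mod *b = find_mod(base, nb, cur[i].name);
        if (b == NULL) {
            printf("NEW module: %s (id %d, size 0x%lx)\n",
                   cur[i].name, cur[i].id, cur[i].size);
            findings++;
        } else if (b->size != cur[i].size) {
            printf("SIZE CHANGED: %s 0x%lx -> 0x%lx\n",
                   cur[i].name, b->size, cur[i].size);
            findings++;
        }
    }
    for (int i = 0; i < nb; i++)
        if (find_mod(cur, nc, base[i].name) == NULL) {
            printf("MISSING module: %s\n", base[i].name);
            findings++;
        }
    return findings;
}

/* Constructed baseline: the first kldstat listing quoted in the thread. */
const char *BASELINE_KLDSTAT =
    "Id Refs Address    Size     Name\n"
    " 1    2 0xc0100000 21e4f4   kernel\n"
    " 2    1 0xc0784000 12000    linux.ko\n";

/* Constructed current listing: the same machine after warp_saver.ko was loaded. */
const char *AFTER_LOAD_KLDSTAT =
    "Id Refs Address    Size     Name\n"
    " 1    3 0xc0100000 21e4f4   kernel\n"
    " 2    1 0xc0784000 12000    linux.ko\n"
    " 3    1 0xc0832000 2000     warp_saver.ko\n";

int main(void)
{
    int n = check_modules(BASELINE_KLDSTAT, AFTER_LOAD_KLDSTAT);
    printf("%d finding(s)\n", n);
    return n != 0;
}
```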
From: Garrett Wollman
Message-Id: <200109081825.f88IPKr88715@khavrinen.lcs.mit.edu>
To: Alfred Perlstein
Cc: security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010908121702.H2965@elvis.mu.org>

< said:

> Wait, don't check against < 0? Ok, then how do we fix it?

Use the correct type.

-GAWollman

From owner-freebsd-security Sat Sep 8 11:37:01 2001
Date: Sat, 8 Sep 2001 20:37:02 +0200
From: Alexander Langer
To: D J Hawkey Jr
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908203702.A54535@fump.kawo2.rwth-aachen.de>
In-Reply-To: <20010908074445.A77252@sheol.localdomain>; from hawkeyd@visi.com on Sat, Sep 08, 2001 at 07:44:45AM -0500

Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> > > > This still lets you load own kernel modules.
> > > Not if you blow away the /modules directory (note that I haven't tried
> > > this).
> > /me hands Dave a decent C compiler and some C h0h0magic.
> I didn't write "build the kernel without it".

Yes, I know. But you can compile as many kld's as you want.

> As I wrote, I hadn't tried it. I take it one cannot remove that tree,
> even after seeing that the kernel doesn't need it? I'm meaning run-time
> here, not build-time.

Of course you can.
Alex

From owner-freebsd-security Sat Sep 8 11:39:33 2001
Date: Sat, 8 Sep 2001 20:39:35 +0200
From: Alexander Langer
To: D J Hawkey Jr
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908203935.B54535@fump.kawo2.rwth-aachen.de>
References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg> <20010908105308.A78138@sheol.localdomain>
In-Reply-To: <20010908105308.A78138@sheol.localdomain>; from hawkeyd@visi.com on Sat, Sep 08, 2001 at 10:53:08AM -0500

Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> altogether, it should be a build-time option, and it should have nothing
> to over-ride this.
> Or am I still being too simplistic? I haven't been using KLD- or LKM-

You'd have to remove the whole kld code then, including all
linker_file stuff.

And, given that, you can still use /dev/mem to manipulate the kernel.
Alex

From owner-freebsd-security Sat Sep 8 12:35:00 2001
Message-Id: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12>
Date: Sat, 08 Sep 2001 15:34:48 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: Multiple vendor 'Taylor UUCP' problems.

I imagine FreeBSD is vulnerable to this as well :-(

        ---Mike

>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Date: Sat, 8 Sep 2001 22:58:39 +1200 (NZST)
>From: zen-parse
>Subject: Multiple vendor 'Taylor UUCP' problems.
>
>******************* Brief description *************
>
> Due to incorrect argument handling in a component of the
> Taylor UUCP package, it is possible for local users to
> gain uid/gid uucp.
>
> This may allow further elevation, depending on the system,
> up to and including root access.
>
> On OpenBSD 2.8 (and probably others) it allows root compromise.
> By overwriting the uucp owned program /usr/bin/uustat, arbitrary
> commands may be executed as part of the /etc/daily crontab script.
>
> On Redhat 7.0 (and probably others) it allows creation of empty
> files as root, and the ability to execute commands as if logged
> in at the console (as checked via /lib/security/pam_console.so).
> This may also allow further elevation of privileges, or denial of
> service. (Tested against uucp-1.06.1-25)
>
> Other systems running this package are also affected to
> a greater or lesser degree.
>
>*********************** Solution ******************
>
>Patches should be available very soon, if not already, for most
>affected systems.
>
>If you do not require uucp functionality, you should remove the
>uucp packages from your system.
>
>********************** The Programs ***************
>
>uux (1) - Remote command execution over UUCP
> If you specify an alternative configuration, it will run as the user
> that called it, and pass the same configuration to uuxqt.
>
>uuxqt (1) - UUCP execution daemon
> Defaults to allowing rmail and uucp to be run, and nothing else,
> unless the configuration it is invoked with allows it to run other
> commands.
>
>uucp (1) - Unix to Unix copy
> If you specify an alternate configuration, it will also run as the user
> that called it.
>
> uuxqt checks the arguments for the programs it is asked to execute
> and gets rid of what it thinks are the potentially dangerous ones.
> However, it does not remove long arguments.
>
>******************** The Exploit ******************
>
>uux 'uucp -I/tmp/vv.v /tmp/somefile /tmp/someotherfile'
>
>will execute uucp, but will not use the /tmp/vv.v configuration file.
>
>However,
>
>uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'
>
>will use the supplied configuration, without dropping privileges.
>
>1) Make a configuration file that allows any command to be executed, and
> allows files from anywhere to be copied to anywhere that is writable
> by uid/gid uucp. ( /tmp/config.uucp )
>2) Make a command file with the command you want to be executed.
> ( /tmp/commands.uucp )
>3) Do something like the following:
>
>$ THISHOST=`uuname -l`
>$ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
>$ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}
>
>The commands in /tmp/commands.uucp file will be executed by uuxqt, with
>the uid/gid of uucp.
>
>If you want to perform an exploit, and don't know what to put in the
>files, you should read the documentation for uucp.
>
>(Proof of concept root exploit for OpenBSD was performed on the wargame
>running OpenBSD 2.8 at damageinc.tv [ http://damageinc.tv ] )
>
>-- zen-parse
>
>===========================================================================
> http://mp3.com/cosv = Because %49%74%27%73%20%67%6f%6f%64%2e
> 'gone platinum' = Buy the CD that %74%6f%6f%6b%20%61%67%65%73
> = and %73%6f%75%6e%64%73%20%6f%6b
>===========================================================================
>
>-------------------------------------------------------------------------
>The preceding information is confidential and may not be redistributed
>without explicit permission. Legal action may be taken to enforce this.
>If this message was posted by zen-parse@gmx.net to a public forum it may
>be redistributed as long as these conditions remain attached. If you are
>mum or dad, this probably doesn't apply to you.
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Sat Sep 8 13:45:50 2001
Date: Sat, 8 Sep 2001 13:45:45 -0700 (PDT)
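The forwarded advisory turns on one detail: uuxqt inspects the arguments of the commands it is asked to run and strips the short option it considers dangerous, but not the long spelling of the same option, so `-I/tmp/vv.v` is dropped while `--config=/tmp/vv.v` goes through. The sh script below is an added example, not Taylor UUCP's own code: it puts that deny-list style of check beside an allow-list check that refuses any option not explicitly permitted, whatever its spelling. The contents of `ALLOWED` (`-r` and `-c`) and all function names are assumptions made for the demonstration; the advisory itself names only `-I` and `--config`.

```sh
#!/bin/sh
# Added example (not Taylor UUCP code): two ways a privileged dispatcher can
# vet the arguments it forwards to a command run on a caller's behalf.
# The weak form mirrors the flaw the advisory describes: it knows the short
# spelling of "use this configuration file" and drops it, but has no idea
# that the long spelling selects the same thing.

# weak_filter ARG...  ->  prints the surviving arguments, one per line
# (deny-list: only "-I<file>" is recognised and removed)
weak_filter() {
    for a in "$@"; do
        case $a in
            -I*) ;;                      # dropped: short form of "use this config"
            *)   printf '%s\n' "$a" ;;   # everything else passes, --config= included
        esac
    done
}

# Options the dispatcher is willing to forward. Hypothetical allow-list: the
# advisory does not say which options uuxqt itself permits.
ALLOWED=" -r -c "

# check_args ARG...  ->  exit status 0 if every argument is acceptable, else 1
# (allow-list: an option must appear verbatim in ALLOWED, so an unlisted
# option is refused in every spelling, bundled or with a value attached;
# operands must not start with '-'; "--" is refused because the callee would
# treat whatever follows it as operands and this check could no longer
# reason about them)
check_args() {
    for a in "$@"; do
        case $a in
            --)  return 1 ;;
            -*)  case $ALLOWED in
                     *" $a "*) ;;          # listed verbatim: fine
                     *)        return 1 ;; # unlisted option, any spelling
                 esac ;;
            *)   ;;                        # operand (a path): nothing to vet as an option
        esac
    done
    return 0
}

# vet ARG...  ->  prints the argument list to forward, or refuses on stderr
vet() {
    if check_args "$@"; then
        printf '%s\n' "$@"
    else
        echo "refused: unlisted option in: $*" >&2
        return 1
    fi
}
```

Run `vet` on the two argument lists from the advisory (without the leading `uux` and `uucp` words) to see the difference: `weak_filter` lets `--config=/tmp/vv.v` through, `check_args` refuses it along with `-I/tmp/vv.v`, `--config /tmp/vv.v` and `--`. The allow-list form costs nothing in flexibility that the deny-list form did not already lack, and it does not have to be updated every time the option parser learns a new spelling.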
From: Matt Dillon
Message-Id: <200109082045.f88KjjK29003@earth.backplane.com>
To: Mike Tancsa
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12>

:
:I imagine FreeBSD is vulnerable to this as well :-(
:
:        ---Mike

    Looks like it. Boy that's stupid. We should probably chflags all
    binaries that are not owned by root but might be run by root 'schg'.
    At the very least. That's in addition to any fix of the problem.
    These binaries really have got to be set 'schg'.

    -r-sr-sr-x  1 uucp  dialer  123888 Jul 23 22:22 cu
    -r-sr-xr-x  1 man   wheel    28512 Jul 23 22:22 man
    -r-xr-xr-x  1 uucp  dialer   38340 Jul 23 22:24 tip
    -r-sr-xr-x  1 uucp  wheel    88228 Jul 23 22:22 uucp
    -r-sr-xr-x  1 uucp  wheel    37312 Jul 23 22:22 uuname
    -r-sr-sr-x  1 uucp  dialer   96752 Jul 23 22:22 uustat
    -r-sr-xr-x  1 uucp  wheel    88844 Jul 23 22:22 uux

    chflags schg /usr/bin/{cu,man,tip,uucp,uuname,uustat,uux}

                                        -Matt

From owner-freebsd-security Sat Sep 8 14:03:46 2001
Date: Sat, 8 Sep 2001 14:03:41 -0700 (PDT)
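Matt's listing and one-line chflags above are the whole recipe; the sh script below, an added example rather than anything posted in the thread, turns it into a repeatable check. It takes the output of FreeBSD's `ls -lo` (which prints the file-flags column between the group and the size), reports the binaries that are not owned by root and not yet schg, and prints the exact chflags line that fixes them. The SAMPLE listing is constructed for the example: it is the thread's listing with a flags column added, two entries dropped, and a root-owned entry thrown in as a control.

```sh
#!/bin/sh
# Added example, not from the thread: audit a `ls -lo` listing for binaries
# that are not owned by root and not yet immutable (schg). Whoever gains the
# owner's privilege can replace such a binary, and whatever runs it next
# (root's periodic jobs included) runs the replacement. schg blocks the
# replacement as long as kern.securelevel is 1 or higher; at securelevel 0
# a root process can clear the flag again, so the audit only means something
# on a box that runs at raised securelevel.

# Constructed sample in FreeBSD `ls -lo` format (mode, links, owner, group,
# flags, size, date, name); "-" in the flags column means no flags are set.
SAMPLE='-r-sr-sr-x  1 uucp  dialer  -     123888 Jul 23 22:22 cu
-r-sr-xr-x  1 man   wheel   -      28512 Jul 23 22:22 man
-r-xr-xr-x  1 uucp  dialer  -      38340 Jul 23 22:24 tip
-r-sr-xr-x  1 uucp  wheel   schg   88228 Jul 23 22:22 uucp
-r-sr-xr-x  1 root  wheel   -      37312 Jul 23 22:22 passwd
-r-sr-sr-x  1 uucp  dialer  -      96752 Jul 23 22:22 uustat'

# needs_schg LISTING  ->  names of regular files whose owner is not root and
# whose flags column lacks schg, one per line. tip is reported although it is
# not setuid: it is uucp-owned, so a replaced tip runs as whoever invokes it.
needs_schg() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^-/ && $3 != "root" && ("," $5 ",") !~ /,schg,/ { print $NF }
    '
}

# schg_fix_command DIR LISTING  ->  the chflags line that makes those files
# immutable (the form Matt posted), or exit status 1 if nothing needs fixing.
schg_fix_command() {
    dir=$1
    names=$(needs_schg "$2")
    [ -n "$names" ] || return 1
    cmd="chflags schg"
    for n in $names; do
        cmd="$cmd $dir/$n"
    done
    printf '%s\n' "$cmd"
}
```

On a live FreeBSD box the two calls are `needs_schg "$(ls -lo /usr/bin)"` and `schg_fix_command /usr/bin "$(ls -lo /usr/bin)"`; the `-o` flag has a different meaning in GNU ls, so the listing format is FreeBSD's. The check deliberately keys on ownership rather than on the setuid bit, which is Matt's criterion ("not owned by root but might be run by root") and the reason tip is on his list.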
From: Matt Dillon
Message-Id: <200109082103.f88L3fK29117@earth.backplane.com>
To: Jordan Hubbard
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12>

    Jordan, I would like to commit this to -stable for the release,
    if it isn't too late. (and -current as well). This doesn't address
    the config file problems with uucp but it will prevent the root
    exploit. It also prevents 'tip' from being exploited.

                                        -Matt

Index: usr.bin/tip/tip/Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/tip/tip/Makefile,v retrieving revision 1.10.6.1 diff -u -r1.10.6.1 Makefile --- usr.bin/tip/tip/Makefile 2001/04/25 11:29:42 1.10.6.1 +++ usr.bin/tip/tip/Makefile 2001/09/08 21:00:03 @@ -21,11 +21,13 @@ MAN= tip.1 modems.5 SRCS= acu.c acutab.c cmds.c cmdtab.c cu.c hunt.c log.c partab.c \ remote.c tip.c tipout.c value.c vars.c +INSTALLFLAGS+= -fschg BINDIR?= /usr/bin BINOWN= uucp BINGRP= dialer #BINMODE?= 4510 + # XXX: there is some concern that `tip' in its current state shouldn't run # SUID. If it believed it should, the mode above may still no be proper. Index: gnu/libexec/uucp/cu/Makefile =================================================================== RCS file: /home/ncvs/src/gnu/libexec/uucp/cu/Makefile,v retrieving revision 1.8 diff -u -r1.8 Makefile --- gnu/libexec/uucp/cu/Makefile 1999/08/27 23:33:06 1.8 +++ gnu/libexec/uucp/cu/Makefile 2001/09/08 20:57:47
@@ -12,6 +12,7 @@ DPADD+= $(LIBUNIX) $(LIBUUCONF) $(LIBUUCP) CFLAGS+= -I$(.CURDIR)/../common_sources\ -DVERSION=\"$(VERSION)\" +INSTALLFLAGS+= -fschg .include .PATH: $(.CURDIR)/../common_sources Index: gnu/libexec/uucp/uucp/Makefile =================================================================== RCS file: /home/ncvs/src/gnu/libexec/uucp/uucp/Makefile,v retrieving revision 1.6 diff -u -r1.6 Makefile --- gnu/libexec/uucp/uucp/Makefile 1999/08/27 23:33:55 1.6 +++ gnu/libexec/uucp/uucp/Makefile 2001/09/08 20:57:57 @@ -11,6 +11,7 @@ DPADD+= $(LIBUNIX) $(LIBUUCONF) $(LIBUUCP) CFLAGS+= -I$(.CURDIR)/../common_sources\ -DVERSION=\"$(VERSION)\" +INSTALLFLAGS+= -fschg .include .PATH: $(.CURDIR)/../common_sources Index: gnu/libexec/uucp/uuname/Makefile =================================================================== RCS file: /home/ncvs/src/gnu/libexec/uucp/uuname/Makefile,v retrieving revision 1.5 diff -u -r1.5 Makefile --- gnu/libexec/uucp/uuname/Makefile 1999/08/27 23:33:58 1.5 +++ gnu/libexec/uucp/uuname/Makefile 2001/09/08 20:58:14 @@ -11,7 +11,7 @@ DPADD+= $(LIBUNIX) $(LIBUUCONF) $(LIBUUCP) CFLAGS+= -I$(.CURDIR)/../common_sources\ -DVERSION=\"$(VERSION)\" - +INSTALLFLAGS+= -fschg .include .PATH: $(.CURDIR)/../common_sources Index: gnu/libexec/uucp/uustat/Makefile =================================================================== RCS file: /home/ncvs/src/gnu/libexec/uucp/uustat/Makefile,v retrieving revision 1.5 diff -u -r1.5 Makefile --- gnu/libexec/uucp/uustat/Makefile 1999/08/27 23:34:02 1.5 +++ gnu/libexec/uucp/uustat/Makefile 2001/09/08 20:58:21 
@@ -13,6 +13,7 @@ CFLAGS+= -I$(.CURDIR)/../common_sources\ -DOWNER=\"$(owner)\"\ -DVERSION=\"$(VERSION)\" +INSTALLFLAGS+= -fschg .include .PATH: $(.CURDIR)/../common_sources Index: gnu/libexec/uucp/uux/Makefile =================================================================== RCS file: /home/ncvs/src/gnu/libexec/uucp/uux/Makefile,v retrieving revision 1.6 diff -u -r1.6 Makefile --- gnu/libexec/uucp/uux/Makefile 1999/08/27 23:34:05 1.6 +++ gnu/libexec/uucp/uux/Makefile 2001/09/08 20:58:25 @@ -11,6 +11,7 @@ DPADD+= $(LIBUNIX) $(LIBUUCONF) $(LIBUUCP) CFLAGS+= -I$(.CURDIR)/../common_sources\ -DVERSION=\"$(VERSION)\" +INSTALLFLAGS+= -fschg .include .PATH: $(.CURDIR)/../common_sources

From owner-freebsd-security Sat Sep 8 15:16:52 2001
Date: Sat, 8 Sep 2001 17:16:42 -0500
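Review bot: the tip hunk (`@@ -21,11 +21,13 @@` in usr.bin/tip/tip/Makefile) carries a stray empty `+` line after `#BINMODE?= 4510` that has nothing to do with the fix; drop it so the hunk is only the `+INSTALLFLAGS+= -fschg` line, matching the other five. The commit message should also say that schg only holds while kern.securelevel is 1 or higher: at securelevel 0 a process running as root can clear the flag before replacing the binary, so the containment this patch buys depends on the box running at a raised securelevel.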
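Review bot: the uuname hunk (`@@ -11,7 +11,7 @@` in gnu/libexec/uucp/uuname/Makefile) removes a blank line (`-` with empty content) and puts `+INSTALLFLAGS+= -fschg` in its place, whereas the cu, uucp, uustat and uux hunks (`-N,6 +N,7`) are pure additions that leave the existing layout alone; make uuname a pure addition too so all the uucp Makefiles end up laid out the same way.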
From: D J Hawkey Jr
To: Krzysztof Zaraska
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908171641.A79354@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <20010908102211.A77764@sheol.localdomain>
In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Sat, Sep 08, 2001 at 08:07:14PM +0200

On Sep 08, at 08:07 PM, Krzysztof Zaraska wrote:
>
> On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
>
> > Except for a ctime change on /tmp (or wherever), you're right.
>
> But activity in /tmp is normal and will be ignored by tripwire, right?

Tripwire's policy file can reflect nearly any level of Admin paranoia.

> > I've added quite a bit of stuff to /etc/security.
>
> If it doesn't affect your security will you tell us what checks do you
> recommend?

Well, I'm no expert (witness my blunders around here), but depending on
the box's purpose(s), I've added the following log messages:
- successful logins (in addition to failed ones)
- denied SSH authentications, and maybe successful ones, too
- selected HTTP entries
- selected 'ipmon' entries
- selected entries from a home-brewed periphery monitor

The latter two are rather closely mated to their tool's rulesets. The last
is something of a heuristic pattern matcher that "blacklists" perceived
port scanners in semi-realtime. Not too sophisticated, but it shows promise
as I continue to build on it.

I seem to be developing a pattern of tweaking /etc/security to reflect the
realities/interests of the moment. Were I to build an FTP server or a shell
server, I'm sure I'd want to see different stuff from them.
Maybe I'm too dependent on the logs as my reporting data, but ipfilter and
tripwire continue to continue should a cracker wipe the log files. Or
perhaps I place too much confidence in those tools, too?

Gee, do ya think I second-guess myself a lot? ;-,

> > > We may also consider adding a feature to kldload to load only modules
> > > from under /modules but I'm afraid this may be circumvented by attacker
> > > fetching her own kldload. A better way would be to implement an
> > > appropriate lock in kernel code but I don't know if it's possible.

Who's the "we"? The FreeBSD project?

> > The first pro'lly isn't worth the effort.
> >
> > You lost me with the last bit; a lock to determine or do what, prevent
> > userland 'kldload's? This would seem to be a Good Thing(tm), but how do
> > you lock the lock - or would this be a kernel build-time option?
>
> A kernel option that would do some extra checks with kldload(2) or
> underlying functions. For example, the simplest thing would be to make
> sure that the module is loaded from under /modules, since that tree is
> static and watched by tripwire as you said.

Ah.

> Or, something LIDS-like.

You're the second to mention LIDS. I know so little about it as to refrain
from comment (like, why should I let that stop me now?). Based on another's
description, it strikes me as rather over-engineered, but that's an
ignorant opinion. Maybe it has to be. RedHat does seem more dependent on
LKMs than FreeBSD and KLDs, at least out-of-the-box, so perhaps the modules
are more of a security issue?

> > All in all, it seems to me a kernel that needs no KLD modules, and denies
> > all KLD loading, would be the easiest and most effective solution.
>
> Definitely.
>
> However, I can see an exception. At least in Linux world (where I come
> from ;)) some time ago there were proprietary device drivers (sound cards,
> IIRC) distributed as compiled modules. So you needed module support.
> There
> may be a similar situation in the future, that say some SuperHardware Inc.
> releases its new 10Gbit ethernet adapter giving away the compiled drivers
> as modules and not releasing the source code nor the hardware
> specifications. In this case you need module support, at least at boot
> time.

Or, wait for the more open-minded competition that'll be along shortly. :-)

So far, out of this whole thread, I'd first wish for hacks to the kernel
that deny KLDs. Were that I had the time to immerse myself that deeply...

> Kris

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Sat Sep 8 15:19:50 2001
Date: Sat, 8 Sep 2001 17:19:40 -0500
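Dave's list of what he added to /etc/security reads as a specification for a log check. The sh/awk script below is an added example, not Dave's script and not anything shipped with FreeBSD: it runs over a constructed block of syslog lines (the hostname, PIDs and addresses are invented; the addresses come from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, and the message formats follow the OpenSSH and FreeBSD login(1) wording of the period) and produces the first three reports he names: successful logins, denied SSH authentications, and sources whose run of denials crosses a threshold, with a flag when such a source later got in.

```sh
#!/bin/sh
# Added example, not from the thread: the sshd/login checks Dave describes,
# run over constructed log lines (host, PIDs and addresses are invented).
LOG='Sep  8 17:16:42 host1 sshd[812]: Accepted publickey for dave from 192.0.2.10 port 40122 ssh2
Sep  8 17:17:03 host1 sshd[815]: Failed password for root from 198.51.100.7 port 3311 ssh2
Sep  8 17:17:05 host1 sshd[816]: Failed password for root from 198.51.100.7 port 3312 ssh2
Sep  8 17:17:08 host1 sshd[817]: Failed password for illegal user test from 198.51.100.7 port 3313 ssh2
Sep  8 17:20:41 host1 sshd[830]: Failed password for dave from 192.0.2.10 port 40130 ssh2
Sep  8 17:20:49 host1 sshd[830]: Accepted password for dave from 192.0.2.10 port 40130 ssh2
Sep  8 17:21:00 host1 login: ROOT LOGIN (root) ON ttyv0
Sep  8 17:22:15 host1 sshd[840]: Accepted publickey for root from 198.51.100.7 port 3400 ssh2'

# awk helper shared by the reports: the user name is the word before "from"
# and the source address the word after it, which covers both the
# "for USER from" and the "for illegal user USER from" spellings.
AWK_FROM='function from_idx(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return i; return 0 }'

# ssh_auth_summary LOG  ->  sorted "accepted|failed USER SOURCE COUNT" lines
ssh_auth_summary() {
    printf '%s\n' "$1" | awk "$AWK_FROM"'
        /sshd\[[0-9]+\]: (Accepted|Failed) / {
            i = from_idx(); if (i == 0) next
            status = ($0 ~ /: Accepted /) ? "accepted" : "failed"
            n[status " " $(i-1) " " $(i+1)]++
        }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# root_logins LOG  ->  every successful root login, console or ssh, verbatim
root_logins() {
    printf '%s\n' "$1" | awk "$AWK_FROM"'
        /login: ROOT LOGIN / { print; next }
        /sshd\[[0-9]+\]: Accepted / { i = from_idx(); if (i > 0 && $(i-1) == "root") print }
    '
}

# suspicious_sources LOG [THRESHOLD]  ->  "SOURCE failures=N accepted-after-failures=yes|no"
# for every source with at least THRESHOLD (default 3) denials; "yes" means
# the same source later authenticated successfully, which deserves a look.
suspicious_sources() {
    printf '%s\n' "$1" | awk -v thr="${2:-3}" "$AWK_FROM"'
        /sshd\[[0-9]+\]: Failed /   { i = from_idx(); if (i > 0) fail[$(i+1)]++ }
        /sshd\[[0-9]+\]: Accepted / { i = from_idx(); if (i > 0 && fail[$(i+1)] > 0) after[$(i+1)] = 1 }
        END {
            for (s in fail) {
                if (fail[s] < thr) continue
                flag = (s in after) ? "yes" : "no"
                print s, "failures=" fail[s], "accepted-after-failures=" flag
            }
        }
    ' | LC_ALL=C sort
}
```

On the sample, `suspicious_sources "$LOG" 3` reports only 198.51.100.7, with the flag set because root's key was accepted from it after three denials; dave's single mistyped password from 192.0.2.10 stays below the threshold. A real /etc/security addition would feed it `yesterday's` auth.log lines the same way the stock script feeds its own greps.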
From: D J Hawkey Jr
To: Alexander Langer
Cc: deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908171940.B79354@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg> <20010908105308.A78138@sheol.localdomain> <20010908203935.B54535@fump.kawo2.rwth-aachen.de>
In-Reply-To: <20010908203935.B54535@fump.kawo2.rwth-aachen.de>; from alex@big.endian.de on Sat, Sep 08, 2001 at 08:39:35PM +0200

On Sep 08, at 08:39 PM, Alexander Langer wrote:
>
> Thus spake D J Hawkey Jr (hawkeyd@visi.com):
>
> > Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> > altogether, it should be a build-time option, and it should have nothing
> > to over-ride this.
> > Or am I still being too simplistic? I haven't been using KLD- or LKM-
>
> You'd have to remove the whole kld code then, including all
> linker_file stuff.

I have no idea as to the complexities of the task. I'll take your word for it.

> And, given that, you can still use /dev/mem to manipulate the kernel.

Perhaps it's too off-topic for this list, but I have no clue how one
would; I don't know squat about /dev/mem.

> Alex

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
From owner-freebsd-security Sat Sep 8 15:37:05 2001
Date: Sat, 8 Sep 2001 15:37:00 -0700
From: Kris Kennaway
To: D J Hawkey Jr
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908153700.B72780@xor.obsecurity.org>
References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain>
In-Reply-To: <20010908102816.B77764@sheol.localdomain>; from hawkeyd@visi.com on Sat, Sep 08, 2001 at 10:28:16AM -0500

On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
> Q: Can the kernel be "forced" to load a module from within itself? That
> is, does a cracker need to be in userland?

If you're at securelevel 1 or higher, you shouldn't be able to cause
untrusted code to be loaded by the kernel by "legal" means, only by
"illegal" means such as exploiting kernel buffer overflows and other
bugs which may exist.
Kris

From owner-freebsd-security Sat Sep 8 15:46:21 2001
Date: Sat, 8 Sep 2001 15:46:17 -0700
From: Kris Kennaway
To: Matt Dillon
Cc: Jordan Hubbard, security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908154617.A73143@xor.obsecurity.org>
References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com>
In-Reply-To: <200109082103.f88L3fK29117@earth.backplane.com>; from dillon@earth.backplane.com on Sat, Sep 08, 2001 at 02:03:41PM -0700

On Sat, Sep 08, 2001 at 02:03:41PM -0700, Matt Dillon wrote:
>     Jordan, I would like to commit this to -stable for the release,
>     if it isn't too late. (and -current as well). This doesn't address
>     the config file problems with uucp but it will prevent the root
>     exploit. It also prevents 'tip' from being exploited.
>
>                                         -Matt

[...]

> +INSTALLFLAGS+= -fschg

As I understand it, the only reason these things are setuid uucp is
for the purpose of creating lockfiles. What may be a better solution
is to change them to be setgid uucp: members with privilege of the
group of a binary cannot replace it, and this protects NFS
installations too.
This is the approach we use for games ports which
are probably insecure, but need extra privileges to write score/save
files (if someone attacks the binary, they can't replace it or do
anything else except modify score/save files)

Kris

From owner-freebsd-security Sat Sep 8 15:54:55 2001
Date: Sat, 8 Sep 2001 17:54:50 -0500
From: D J Hawkey Jr
To: Kris Kennaway
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908175450.A79709@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908153700.B72780@xor.obsecurity.org>
In-Reply-To: <20010908153700.B72780@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Sep 08, 2001 at 03:37:00PM -0700

On Sep 08, at 03:37 PM, Kris Kennaway wrote:
>
> On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
>
> > Q: Can the kernel be "forced" to load a module from within itself? That
> > is, does a cracker need to be in userland?
>
> If you're at securelevel 1 or higher, you shouldn't be able to cause
> untrusted code to be loaded by the kernel by "legal" means, only by
> "illegal" means such as exploiting kernel buffer overflows and other
> bugs which may exist.

Peter described the function calls to pull it off; I'm not knowledgeable
enough to argue the accuracy/simplicity/complexity of what he wrote.

Except (an after-thought here), that the cracker would have to be
pretty darned knowledgeable about FreeBSD, after IDing the targeted
system as FreeBSD (and perhaps even what release/patchlevel), to have
or build such a backdoor, no?

I believe it's the "illegal means" that are the concerns of this thread.
> Kris

Feel free to join in, you seem to be a jack-of-all-trades in these groups!

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Sat Sep 8 16:03:30 2001
Date: Sat, 8 Sep 2001 16:03:13 -0700
From: Kris Kennaway
To: D J Hawkey Jr
Cc: Kris Kennaway, Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908160313.A74275@xor.obsecurity.org>
References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908153700.B72780@xor.obsecurity.org> <20010908175450.A79709@sheol.localdomain>
In-Reply-To: <20010908175450.A79709@sheol.localdomain>; from hawkeyd@visi.com on Sat, Sep 08, 2001 at 05:54:50PM -0500

On Sat, Sep 08, 2001 at 05:54:50PM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 03:37 PM, Kris Kennaway wrote:
> >
> > On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
> >
> > > Q: Can the kernel be "forced" to load a module from within itself? That
> > > is, does a cracker need to be in userland?
> >
> > If you're at securelevel 1 or higher, you shouldn't be able to cause
> > untrusted code to be loaded by the kernel by "legal" means, only by
> > "illegal" means such as exploiting kernel buffer overflows and other
> > bugs which may exist.
>
> Peter described the function calls to pull it off; I'm not knowledgeable
> enough to argue the accuracy/simplicity/complexity of what he wrote.
No, the kldload(2) syscall itself is denied at securelevel >=1.

> Except (an after-thought here), that the cracker would have to be
> pretty darned knowledgeable about FreeBSD, after IDing the targeted
> system as FreeBSD (and perhaps even what release/patchlevel), to have
> or build such a backdoor, no?

Well, only one person needs to be knowledgeable. Then they package up
their knowledge into a script and all the kiddies in the world can use
it.

> I believe it's the "illegal means" that are the concerns of this thread.

No, they're bugs in FreeBSD, and are fixed as soon as they're pointed
out to us, and should never again recur.

Kris

From owner-freebsd-security Sat Sep 8 17:03:02 2001
Date: Sat, 8 Sep 2001 17:02:57 -0700
From: Kris Kennaway To: Kris Kennaway Cc: Matt Dillon , Jordan Hubbard , security@FreeBSD.ORG Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Message-ID: <20010908170257.A82082@xor.obsecurity.org> References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010908154617.A73143@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Sep 08, 2001 at 03:46:17PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, Sep 08, 2001 at 03:46:17PM -0700, Kris Kennaway wrote:
> On Sat, Sep 08, 2001 at 02:03:41PM -0700, Matt Dillon wrote:
> > Jordan, I would like to commit this to -stable for the release,
> > if it isn't too late. (and -current as well). This doesn't address
> > the config file problems with uucp but it will prevent the root
> > exploit. It also prevents 'tip' from being exploited.
> >
> > -Matt
>
> [...]
>
> > +INSTALLFLAGS+= -fschg
>
> As I understand it, the only reason these things are setuid uucp is
> for the purpose of creating lockfiles. What may be a better solution
> is to change them to be setgid uucp: members with privilege of the
> group of a binary cannot replace it, and this protects NFS
> installations too.
> This is the approach we use for games ports which
> are probably insecure, but need extra privileges to write score/save
> files (if someone attacks the binary, they can't replace it or do
> anything else except modify score/save files)

Unfortunately, after a bit of thought I don't think you can do this: a few things are mode 6555 and uucp:dialer, and we can't grant both privileges any other way. If I combine the setuid uucp and setgid dialer privileges into one group, then users in the dialer group get permission to read and modify all UUCP spool files. Looks like setting the schg flag is the only feasible containment solution for now.

Kris

From owner-freebsd-security Sat Sep 8 17:38:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from aries.ai.net (aries.ai.net [205.134.163.4]) by hub.freebsd.org (Postfix) with ESMTP id 3EDF737B401 for ; Sat, 8 Sep 2001 17:38:05 -0700 (PDT) Received: from blood (pool-138-88-72-170.res.east.verizon.net [138.88.72.170]) by aries.ai.net (8.9.3/8.9.3) with SMTP id UAA19631; Sat, 8 Sep 2001 20:45:40 -0400 (EDT) (envelope-from deepak@ai.net) Reply-To:
From: "Deepak Jain" To: "Kris Kennaway" , "D J Hawkey Jr" Cc: "Alexander Langer" , Subject: RE: Kernel-loadable Root Kits Date: Sat, 8 Sep 2001 20:41:53 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 In-Reply-To: <20010908153700.B72780@xor.obsecurity.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Presumably, a user in userland has root to be loading a kernel module in the first place. This user could easily edit the rc.conf file to boot up in securelevel=-1 and reboot the machine -- as well as circumvent most notifications about the reboot. Hell, if I wanted to compromise a box, screwing the kernel directly is the way to go. Especially for remotely administered boxes, there is almost no downside. Deepak Jain AiNET -----Original Message----- 
From: Kris Kennaway [mailto:kris@obsecurity.org] Sent: Saturday, September 08, 2001 6:37 PM To: D J Hawkey Jr Cc: Alexander Langer; deepak@ai.net; freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote: > Q: Can the kernel be "forced" to load a module from within itself? That > is, does a cracker need to be in userland? If you're at securelevel 1 or higher, you shouldn't be able to cause untrusted code to be loaded by the kernel by "legal" means, only by "illegal" means such as exploiting kernel buffer overflows and other bugs which may exist. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Sep 8 17:40:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id CBE0737B406 for ; Sat, 8 Sep 2001 17:40:43 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 3540066D0A; Sat, 8 Sep 2001 17:40:43 -0700 (PDT) Date: Sat, 8 Sep 2001 17:40:42 -0700 
From: Kris Kennaway To: Deepak Jain Cc: Kris Kennaway , D J Hawkey Jr , Alexander Langer , freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908174042.A88337@xor.obsecurity.org> References: <20010908153700.B72780@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="sdtB3X0nJg68CQEu" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from deepak@ai.net on Sat, Sep 08, 2001 at 08:41:53PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, Sep 08, 2001 at 08:41:53PM -0400, Deepak Jain wrote:
>
> Presumably, a user in userland has root to be loading a kernel module in the
> first place.
>
> This user could easily edit the rc.conf file to boot up in securelevel=-1
> and reboot the machine -- as well as circumvent most notifications about the
> reboot.
>
> Hell, if I wanted to compromise a box, screwing the kernel directly is the
> way to go. Especially for remotely administered boxes, there is almost no
> downside.

Yes, you're now getting into the reasons why securelevel isn't a very robust security feature, which has been well-covered on this list in the past.
Kris

From owner-freebsd-security Sat Sep 8 17:43:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id E2BEB37B406; Sat, 8 Sep 2001 17:43:04 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 7200C66D0A; Sat, 8 Sep 2001 17:43:04 -0700 (PDT) Date: Sat, 8 Sep 2001 17:43:04 -0700
From: Kris Kennaway To: Kris Kennaway Cc: Matt Dillon , Jordan Hubbard , security@FreeBSD.ORG, audit@FreeBSD.org Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Message-ID: <20010908174304.A88816@xor.obsecurity.org> References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010908170257.A82082@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Sep 08, 2001 at 05:02:57PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote: > Looks like setting the schg flag is the only feasible containment > solution for now. Here's a proposed fix. It just disallows anyone other than root from specifying an alternate configuration file, for the setuid utilities (which was the cause of the vulnerability here, AFAIK). Kris Index: uucico/uucico.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uucico/uucico.c,v retrieving revision 1.9 diff -u -b -r1.9 uucico.c --- uucico/uucico.c 1999/08/27 23:33:51 1.9 +++ uucico/uucico.c 2001/09/09 00:32:03 
@@ -376,6 +376,11 @@ case 'I': /* Set configuration file name (default is in sysdep.h). */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uucp/uucp.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uucp/uucp.c,v retrieving revision 1.7 diff -u -b -r1.7 uucp.c --- uucp/uucp.c 1999/08/27 23:33:56 1.7 +++ uucp/uucp.c 2001/09/09 00:32:01 @@ -198,6 +198,11 @@ case 'I': /* Name configuration file. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uuname/uuname.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uuname/uuname.c,v retrieving revision 1.6 diff -u -b -r1.6 uuname.c --- uuname/uuname.c 1999/08/27 23:33:59 1.6 +++ uuname/uuname.c 2001/09/09 00:27:52 @@ -86,6 +86,11 @@ case 'I': /* Configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uustat/uustat.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uustat/uustat.c,v retrieving revision 1.7 diff -u -b -r1.7 uustat.c --- uustat/uustat.c 1999/08/27 23:34:03 1.7 +++ uustat/uustat.c 2001/09/09 00:34:26 
@@ -279,6 +279,11 @@ case 'I': /* Set configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uux/uux.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uux/uux.c,v retrieving revision 1.11 diff -u -b -r1.11 uux.c --- uux/uux.c 1999/08/27 23:34:06 1.11 +++ uux/uux.c 2001/09/09 00:25:35 @@ -235,6 +235,11 @@ case 'I': /* Configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Sep 8 17:49: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 0634037B401 for ; Sat, 8 Sep 2001 17:49:01 -0700 (PDT) Received: from hades.hell.gr (patr530-b118.otenet.gr [195.167.121.246]) by mailsrv.otenet.gr (8.11.5/8.11.5) with ESMTP id f890muA16303; Sun, 9 Sep 2001 03:48:57 +0300 (EEST) Received: (from charon@localhost) by hades.hell.gr (8.11.6/8.11.6) id f88LUBg07098; Sun, 9 Sep 2001 00:30:11 +0300 (EEST) (envelope-from charon@labs.gr) Date: Sun, 9 Sep 2001 00:30:11 +0300 
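Review bot: in the uucico.c hunk the test is getuid() != 0, which also refuses -I to an invocation whose real and effective ids are identical, where nothing is borrowed and blocking the option gains nothing; comparing getuid() against geteuid() (refuse only when the binary is actually running with the uucp owner's privilege) keeps the containment for the setuid install while leaving the non-root dial-out users Andrey describes working.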
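Review bot: the uucp.c hunk is the second verbatim copy of the same five lines and three more follow; the uucp Makefiles already build against the shared common_sources directory, so one helper there (a hypothetical `fsysdep_config_override_ok ()`, say) would keep the policy and the message text in step if the rule is later relaxed for the spool owner or for unprivileged builds.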
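Review bot: in the uuname.c hunk the new test sits directly in front of `if (fsysdep_other_config (optarg))`, which already gates whether the caller may name another config file; the commit message should say why a second, stricter check is layered on top instead of fixing fsysdep_other_config itself, otherwise a later reader will assume one of the two is redundant and remove it.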
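Review bot: the uustat.c hunk locks out the uucp spool owner along with everyone else, yet uustat's Makefile passes -DOWNER precisely to identify that account; if the intent is "root and the owner", the comparison should admit the OWNER uid as well, and the message "config file can only be specified by root" should then say so.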
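Review bot: the uux.c hunk changes the user-visible behaviour of -I without a man page update; the uux page (and the other four) should state that -I is honoured only for root, and the refusal should be reported the way the utility reports other rejected options rather than with a bare fprintf/exit pair.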
From: Giorgos Keramidas To: Alexander Langer Cc: D J Hawkey Jr , deepak@ai.net, freebsd-security@freebsd.org Subject: Re: Kernel-loadable Root Kits Message-ID: <20010909003011.B6949@hades.hell.gr> References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg> <20010908105308.A78138@sheol.localdomain> <20010908203935.B54535@fump.kawo2.rwth-aachen.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010908203935.B54535@fump.kawo2.rwth-aachen.de>; from alex@big.endian.de on Sat, Sep 08, 2001 at 08:39:35PM +0200 X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2 X-URL: http://students.ceid.upatras.gr/~keramida/index.html Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 
From: Alexander Langer Subject: Re: Kernel-loadable Root Kits Date: Sat, Sep 08, 2001 at 08:39:35PM +0200

> Thus spake D J Hawkey Jr (hawkeyd@visi.com):
>
> > Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> > altogether, it should be a build-time option, and it should have nothing
> > to over-ride this.
> > Or am I still being too simplistic? I haven't been using KLD- or LKM-
>
> You'd have to remove the whole kld code then, including all
> linker_file stuff.
>
> And, given that, you can still use /dev/mem to manipulate the kernel.

Simple fix to all this is: sysctl kern.securelevel=1. The manpage (and the code of both the kldload() syscall and linker_load_file()) explains it clearly:

% man 8 init
     1     Secure mode - the system immutable and system append-only flags may
           not be turned off; disks for mounted filesystems, /dev/mem, and
           /dev/kmem may not be opened for writing; kernel modules (see kld(4))
           may not be loaded or unloaded.

So, on securelevels >=1, neither can modules be loaded, nor can /dev/mem and /dev/kmem be tampered with. Guys, this has a simple and elegant solution. Raise your securelevel, if you are worried so much. You don't have to do some special kernel-hacker magic.

-giorgos

From owner-freebsd-security Sat Sep 8 17:52:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id D1C5437B40B; Sat, 8 Sep 2001 17:52:49 -0700 (PDT) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f890qTC33725; Sun, 9 Sep 2001 04:52:29 +0400 (MSD) (envelope-from ache) Date: Sun, 9 Sep 2001 04:52:27 +0400
From: "Andrey A. Chernov" To: Kris Kennaway Cc: Matt Dillon , Jordan Hubbard , security@FreeBSD.ORG, audit@FreeBSD.ORG Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Message-ID: <20010909045226.A33654@nagual.pp.ru> References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20010908174304.A88816@xor.obsecurity.org> User-Agent: Mutt/1.3.21i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, Sep 08, 2001 at 17:43:04 -0700, Kris Kennaway wrote:
> On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote:
>
> > Looks like setting the schg flag is the only feasible containment
> > solution for now.
>
> Here's a proposed fix. It just disallows anyone other than root from
> specifying an alternate configuration file, for the setuid utilities
> (which was the cause of the vulnerability here, AFAIK).

What are you trying to fix this way? It breaks normal users dialing to their systems; they always specify their own files. Consider uu* as user-level utilities. The only point of restriction is to restrict their access to dialing devices, not to the utilities.

-- Andrey A.
Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Sep 8 18: 8:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 37A3D37B406 for ; Sat, 8 Sep 2001 18:08:29 -0700 (PDT) Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id f8918DC14673; Sat, 8 Sep 2001 21:08:13 -0400 (EDT) (envelope-from arr@watson.org) Date: Sat, 8 Sep 2001 21:08:12 -0400 (EDT) 
From: "Andrew R. Reiter" To: Kris Kennaway , bright@mu.org, bde@zeta.org.au Cc: security@freebsd.org Subject: Re: netbsd vulnerabilities In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org So, I'd like to bring this to conclusion as this bug sucks :-( So, I propose that the patch I submitted is "ok" (:-)) b/c it #1 solves the unsigned -> int -> unsigned (copyin call) issue, and #2 conforms to what is specified in the man page _and_ in sys/sys/sem.h. However, if this is not the correct usage of semop(), ie. we don't want to have it unsigned, then we must #1 fix to check < 0 for the vuln, #2 fix the man page, #3 fix code that was written to the man page spec, and #4 fix sys/sys/sem.h. Thoughts? Andrew *-------------................................................. | Andrew R. Reiter | arr@fledge.watson.org | "It requires a very unusual mind | to undertake the analysis of the obvious" -- A.N. Whitehead To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Sep 8 18: 8:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 0F7D837B409; Sat, 8 Sep 2001 18:08:49 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 5D4C366D0A; Sat, 8 Sep 2001 18:08:48 -0700 (PDT) Date: Sat, 8 Sep 2001 18:08:48 -0700 
From: Kris Kennaway To: "Andrey A. Chernov" Cc: Kris Kennaway , Matt Dillon , Jordan Hubbard , security@FreeBSD.ORG, audit@FreeBSD.ORG Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Message-ID: <20010908180848.A94567@xor.obsecurity.org> References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> <20010909045226.A33654@nagual.pp.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010909045226.A33654@nagual.pp.ru>; from ache@nagual.pp.ru on Sun, Sep 09, 2001 at 04:52:27AM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sun, Sep 09, 2001 at 04:52:27AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 17:43:04 -0700, Kris Kennaway wrote:
> > On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote:
> >
> > > Looks like setting the schg flag is the only feasible containment
> > > solution for now.
> >
> > Here's a proposed fix. It just disallows anyone other than root from
> > specifying an alternate configuration file, for the setuid utilities
> > (which was the cause of the vulnerability here, AFAIK).
>
> What are you trying to fix this way? It breaks normal users dialing to their
> systems; they always specify their own files. Consider uu* as user-level
> utilities. The only point of restriction is to restrict their access to
> dialing devices, not to the utilities.
The vulnerability involves uucp being made to run arbitrary commands as the uucp user through specifying a custom configuration file - see bugtraq. There may be other problems resulting from user-specified configuration files. I don't have time to go through the code and fix up the revocation of privileges right now. In the meantime, this prevents the root exploit where a user replaces a uucp-owned binary like uustat, which is called daily by /etc/periodic.

Kris

From owner-freebsd-security Sat Sep 8 18:17:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from winston.freebsd.org (adsl-64-173-15-98.dsl.sntc01.pacbell.net [64.173.15.98]) by hub.freebsd.org (Postfix) with ESMTP id 096C837B406 for ; Sat, 8 Sep 2001 18:17:12 -0700 (PDT) Received: from localhost (jkh@localhost [127.0.0.1]) by winston.freebsd.org (8.11.6/8.11.6) with ESMTP id f891GqT45013; Sat, 8 Sep 2001 18:16:53 -0700 (PDT) (envelope-from jkh@freebsd.org) To: dillon@earth.backplane.com Cc: security@freebsd.org Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. In-Reply-To: <200109082103.f88L3fK29117@earth.backplane.com> References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> X-Mailer: Mew version 1.94.1 on Emacs 20.7 / Mule 4.0 (HANANOEN) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20010908181652H.jkh@freebsd.org> Date: Sat, 08 Sep 2001 18:16:52 -0700
From: Jordan Hubbard X-Dispatcher: imput version 20000228(IM140) Lines: 118 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hmmmm. Stripping the suid bit I can understand, but what's really bought by making it immutable? I'm also truly loath to accept any changes to -stable at this point which don't fix demonstrably critical issues, so unless the security officers can cite evidence that this is a significant security hole, I'm inclined to reject the change. Thanks. - Jordan From: Matt Dillon Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Date: Sat, 8 Sep 2001 14:03:41 -0700 (PDT) > Jordan, I would like to commit this to -stable for the release, > if it isn't too late. (and -current as well). This doesn't address > the config file problems with uucp but it will prevent the root > exploit. It also prevents 'tip' from being exploited. > > -Matt > > > Index: usr.bin/tip/tip/Makefile > =================================================================== > RCS file: /home/ncvs/src/usr.bin/tip/tip/Makefile,v > retrieving revision 1.10.6.1 > diff -u -r1.10.6.1 Makefile > --- usr.bin/tip/tip/Makefile 2001/04/25 11:29:42 1.10.6.1 > +++ usr.bin/tip/tip/Makefile 2001/09/08 21:00:03 
> @@ -21,11 +21,13 @@ > MAN= tip.1 modems.5 > SRCS= acu.c acutab.c cmds.c cmdtab.c cu.c hunt.c log.c partab.c \ > remote.c tip.c tipout.c value.c vars.c > +INSTALLFLAGS+= -fschg > > BINDIR?= /usr/bin > BINOWN= uucp > BINGRP= dialer > #BINMODE?= 4510 > + > > # XXX: there is some concern that `tip' in its current state shouldn't run > # SUID. If it believed it should, the mode above may still no be proper. > Index: gnu/libexec/uucp/cu/Makefile > =================================================================== > RCS file: /home/ncvs/src/gnu/libexec/uucp/cu/Makefile,v > retrieving revision 1.8 > diff -u -r1.8 Makefile > --- gnu/libexec/uucp/cu/Makefile 1999/08/27 23:33:06 1.8 > +++ gnu/libexec/uucp/cu/Makefile 2001/09/08 20:57:47 > @@ -12,6 +12,7 @@ > DPADD+= $(LIBUNIX) $(LIBUUCONF) $(LIBUUCP) > CFLAGS+= -I$(.CURDIR)/../common_sources\ > -DVERSION=\"$(VERSION)\" > +INSTALLFLAGS+= -fschg > > .include > .PATH: $(.CURDIR)/../common_sources > Index: gnu/libexec/uucp/uucp/Makefile > =================================================================== > RCS file: /home/ncvs/src/gnu/libexec/uucp/uucp/Makefile,v > retrieving revision 1.6 > diff -u -r1.6 Makefile > --- gnu/libexec/uucp/uucp/Makefile 1999/08/27 23:33:55 1.6 > +++ gnu/libexec/uucp/uucp/Makefile 2001/09/08 20:57:57 > @@ -11,6 +11,7 @@ > DPADD+= $(LIBUNIX) $(LIBUUCONF) $(LIBUUCP) > CFLAGS+= -I$(.CURDIR)/../common_sources\ > -DVERSION=\"$(VERSION)\" > +INSTALLFLAGS+= -fschg > > .include > .PATH: $(.CURDIR)/../common_sources > Index: gnu/libexec/uucp/uuname/Makefile > =================================================================== > RCS file: /home/ncvs/src/gnu/libexec/uucp/uuname/Makefile,v > retrieving revision 1.5 > diff -u -r1.5 Makefile > --- gnu/libexec/uucp/uuname/Makefile 1999/08/27 23:33:58 1.5 > +++ gnu/libexec/uucp/uuname/Makefile 2001/09/08 20:58:14 
> @@ -11,7 +11,7 @@ > DPADD+= $(LIBUNIX) $(LIBUUCONF) $(LIBUUCP) > CFLAGS+= -I$(.CURDIR)/../common_sources\ > -DVERSION=\"$(VERSION)\" > - > +INSTALLFLAGS+= -fschg > > .include > .PATH: $(.CURDIR)/../common_sources > Index: gnu/libexec/uucp/uustat/Makefile > =================================================================== > RCS file: /home/ncvs/src/gnu/libexec/uucp/uustat/Makefile,v > retrieving revision 1.5 > diff -u -r1.5 Makefile > --- gnu/libexec/uucp/uustat/Makefile 1999/08/27 23:34:02 1.5 > +++ gnu/libexec/uucp/uustat/Makefile 2001/09/08 20:58:21 > @@ -13,6 +13,7 @@ > CFLAGS+= -I$(.CURDIR)/../common_sources\ > -DOWNER=\"$(owner)\"\ > -DVERSION=\"$(VERSION)\" > +INSTALLFLAGS+= -fschg > > .include > .PATH: $(.CURDIR)/../common_sources > Index: gnu/libexec/uucp/uux/Makefile > =================================================================== > RCS file: /home/ncvs/src/gnu/libexec/uucp/uux/Makefile,v > retrieving revision 1.6 > diff -u -r1.6 Makefile > --- gnu/libexec/uucp/uux/Makefile 1999/08/27 23:34:05 1.6 > +++ gnu/libexec/uucp/uux/Makefile 2001/09/08 20:58:25 
> @@ -11,6 +11,7 @@ > DPADD+= $(LIBUNIX) $(LIBUUCONF) $(LIBUUCP) > CFLAGS+= -I$(.CURDIR)/../common_sources\ > -DVERSION=\"$(VERSION)\" > +INSTALLFLAGS+= -fschg > > .include > .PATH: $(.CURDIR)/../common_sources To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Sep 8 18:21: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id B73AC37B40C; Sat, 8 Sep 2001 18:20:56 -0700 (PDT) Received: from chimp.sentex.net (fcage [192.168.0.2]) by cage.simianscience.com (8.11.6/8.11.6) with ESMTP id f891Kt908067; Sat, 8 Sep 2001 21:20:55 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010908211920.02949008@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sat, 08 Sep 2001 21:20:53 -0400 To: Jordan Hubbard 
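Review bot: the tip/Makefile hunk adds a stray empty `+` line after `#BINMODE?= 4510` in addition to the INSTALLFLAGS line; drop it, it is whitespace noise that is not part of the change.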
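Review bot: the cu/Makefile hunk, like the others, gives no reason for the flag, and Jordan's question "what's really bought by making it immutable" is answered only elsewhere in the thread; put the rationale in the commit message and in a one-line comment next to `INSTALLFLAGS+= -fschg`: a uucp-owned setuid binary that root later executes (uustat from periodic, per Kris) can be replaced by anyone who obtains the uucp uid, and schg is what stops that rewrite.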
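Review bot: the uucp/Makefile hunk marks a file immutable that the next installworld will have to replace; at kern.securelevel >= 1, which this same list is recommending in the KLD thread, the immutable flag cannot be cleared and the install will fail, so the change needs a note (Makefile comment or UPDATING entry) that these binaries must be reinstalled at securelevel 0, and it should be said that the flag buys nothing on filesystems without flag support such as NFS, which Kris raised as the argument for setgid instead.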
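Review bot: the uustat/Makefile hunk protects the binary but leaves uustat executed as root by the daily periodic script, which is the only reason the replacement attack reaches root at all; running it via su as the uucp user, as Todd suggests, or refusing to run non-root-owned binaries from daily, removes the root step and turns the flag into belt-and-braces rather than the sole defence.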
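Review bot: the uux/Makefile hunk is the last of six, and uucico is not among them even though Kris's config-file patch treats uucico as one of the setuid utilities; if uucico is installed setuid uucp it needs the same INSTALLFLAGS line, otherwise the commit message should say why it is exempt.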
From: Mike Tancsa Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Cc: security@FreeBSD.ORG In-Reply-To: <20010908181652H.jkh@freebsd.org> References: <200109082103.f88L3fK29117@earth.backplane.com> <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 06:16 PM 9/8/2001 -0700, Jordan Hubbard wrote:
>Hmmmm. Stripping the suid bit I can understand, but what's really
>bought by making it immutable? I'm also truly loath to accept any
>changes to -stable at this point which don't fix demonstrably critical
>issues, so unless the security officers can cite evidence that this is
>a significant security hole, I'm inclined to reject the change.
>Thanks.

A local root exploit doesn't cut it?

---Mike

From owner-freebsd-security Sat Sep 8 18:21:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from xerxes.courtesan.com (millert-gw.cs.colorado.edu [128.138.198.97]) by hub.freebsd.org (Postfix) with ESMTP id 9F9DA37B401; Sat, 8 Sep 2001 18:21:41 -0700 (PDT) Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.11.6/8.11.4) with ESMTP id f891KvM14677; Sat, 8 Sep 2001 19:20:57 -0600 (MDT) Message-Id: <200109090120.f891KvM14677@xerxes.courtesan.com> To: Kris Kennaway Cc: "Andrey A. Chernov" , Matt Dillon , Jordan Hubbard , security@FreeBSD.ORG, audit@FreeBSD.ORG Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. In-reply-to: Your message of "Sat, 08 Sep 2001 18:08:48 PDT."
<20010908180848.A94567@xor.obsecurity.org>
Date: Sat, 08 Sep 2001 19:20:56 -0600
From: "Todd C. Miller"

In message <20010908180848.A94567@xor.obsecurity.org>
    so spake Kris Kennaway (kris):

> The vulnerability involves uucp being made to run arbitrary commands
> as the uucp user through specifying a custom configuration file - see
> bugtraq. There may be other problems resulting from user-specified
> configuration files. I don't have time to go through the code and fix
> up the revocation of privileges right now..in the meantime, this
> prevents the root exploit where a user replaces a uucp-owned binary
> like uustat, which is called daily by /etc/periodic.

Is there really any reason to run uustat as root? Why not just run
it as user uucp via su? For that matter, running non-root owned
executables from daily seems like a really bad idea.

 - todd

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Sep 8 18:23:42 2001
To: mike@sentex.net
Cc: security@freebsd.org
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-Reply-To: <5.1.0.14.0.20010908211920.02949008@192.168.0.12>
Message-Id: <20010908182304C.jkh@freebsd.org>
Date: Sat, 08 Sep 2001 18:23:04 -0700
From: Jordan Hubbard

I fail to see the cited evidence I'm asking for. Hand-waving I can
have for free.

- Jordan

From: Mike Tancsa
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Date: Sat, 08 Sep 2001 21:20:53 -0400

> At 06:16 PM 9/8/2001 -0700, Jordan Hubbard wrote:
> >Hmmmm. Stripping the suid bit I can understand, but what's really
> >bought by making it immutable? I'm also truly loath to accept any
> >changes to -stable at this point which don't fix demonstrably critical
> >issues, so unless the security officers can cite evidence that this is
> >a significant security hole, I'm inclined to reject the change.
> >Thanks.
>
> A local root exploit doesn't cut it ?
>
> ---Mike

From owner-freebsd-security Sat Sep 8 18:46:46 2001
Date: Sun, 9 Sep 2001 05:44:58 +0400
From: "Andrey A. Chernov"
To: "Todd C. Miller"
Cc: Kris Kennaway, Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909054457.A34319@nagual.pp.ru>
In-Reply-To: <200109090120.f891KvM14677@xerxes.courtesan.com>

On Sat, Sep 08, 2001 at 19:20:56 -0600, Todd C. Miller wrote:
> In message <20010908180848.A94567@xor.obsecurity.org>
>     so spake Kris Kennaway (kris):
>
> > The vulnerability involves uucp being made to run arbitrary commands
> > as the uucp user through specifying a custom configuration file - see
> > bugtraq. There may be other problems resulting from user-specified
> > configuration files. I don't have time to go through the code and fix
> > up the revocation of privileges right now..in the meantime, this
> > prevents the root exploit where a user replaces a uucp-owned binary
> > like uustat, which is called daily by /etc/periodic.
>
> Is there really any reason to run uustat as root? Why not just run
> it as user uucp via su? For that matter, running non-root owned
> executables from daily seems like a really bad idea.

I agree. There is no need to deal with privilege revocation at all if
the "uucp" user itself is well restricted; just protect the system's
"uucp"-owned binaries from overwriting by the "uucp" user using the
schg flag.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sat Sep 8 18:47:40 2001
Date: Sat, 8 Sep 2001 20:47:34 -0500
From: D J Hawkey Jr
To: Giorgos Keramidas
Cc: Alexander Langer, deepak@ai.net, freebsd-security@freebsd.org
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908204734.A80568@sheol.localdomain>
Reply-To: hawkeyd@visi.com
In-Reply-To: <20010909003011.B6949@hades.hell.gr>

On Sep 09, at 12:30 AM, Giorgos Keramidas wrote:
>
> From: Alexander Langer
> Subject: Re: Kernel-loadable Root Kits
> Date: Sat, Sep 08, 2001 at 08:39:35PM +0200
>
> > Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> >
> > > Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> > > altogether, it should be a build-time option, and it should have nothing
> > > to over-ride this.
> > > Or am I still being too simplistic? I haven't been using KLD- or LKM-
> >
> > You'd have to remove the whole kld code then, including all
> > linker_file stuff.
> >
> > And, given that, you can still use /dev/mem to manipulate the kernel.
>
> Simple fix to all this is: sysctl kern.securelevel=1.
>
> The manpage (and the code of both kldload() syscall and
> linker_load_file()) explains it clearly:
>
> % man 8 init
>
>   1   Secure mode - the system immutable and system append-only flags may
>       not be turned off; disks for mounted filesystems, /dev/mem, and
>       /dev/kmem may not be opened for writing; kernel modules (see
>       kld(4)) may not be loaded or unloaded.
>
> So, on securelevels >=1 neither modules can be loaded, nor /dev/mem
> and /dev/kmem tampered with.
>
> Guys, this has a simple and elegant solution. Raise your securelevel,
> if you are worried so much. You don't have to do some special
> kernel-hacker magic.

As I wrote to someone else "off line", there are instances where
securelevel cannot be used. An X server is the most documented instance.

At >1, log rotation (and/or other O_CREAT open()s) may well be broken.
Maybe at =1 too? I haven't messed with securelevel (no spare box |-( ),
so I have no experience; I'm just going by the man page. Does "system
append-only flags may not be turned off" at >=1 prevent file creation?

Having said that, I'm certainly not demeaning or bemoaning securelevel's
usefulness and power.

> -giorgos

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Sat Sep 8 18:48:19 2001
Date: Sun, 9 Sep 2001 05:48:14 +0400
From: "Andrey A. Chernov"
To: Jordan Hubbard
Cc: dillon@earth.backplane.com, security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909054814.B34319@nagual.pp.ru>
In-Reply-To: <20010908181652H.jkh@freebsd.org>

On Sat, Sep 08, 2001 at 18:16:52 -0700, Jordan Hubbard wrote:
> Hmmmm. Stripping the suid bit I can understand, but what's really

I can not. It breaks uu* functionality.

> bought by making it immutable? I'm also truly loath to accept any

By making them immutable we prevent overwriting of uu* binaries by the
"uucp" user. I think it is a good move.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sat Sep 8 18:53:46 2001
Message-Id: <200109090153.f891r4p01038@xerxes.courtesan.com>
To: Kris Kennaway
Cc: "Andrey A. Chernov", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-reply-to: Your message of "Sat, 08 Sep 2001 18:08:48 PDT."
    <20010908180848.A94567@xor.obsecurity.org>
Date: Sat, 08 Sep 2001 19:53:03 -0600
From: "Todd C. Miller"

In message <20010908180848.A94567@xor.obsecurity.org>
    so spake Kris Kennaway (kris):

> The vulnerability involves uucp being made to run arbitrary commands
> as the uucp user through specifying a custom configuration file - see
> bugtraq. There may be other problems resulting from user-specified
> configuration files. I don't have time to go through the code and fix
> up the revocation of privileges right now..in the meantime, this
> prevents the root exploit where a user replaces a uucp-owned binary
> like uustat, which is called daily by /etc/periodic.

It's not clear how you would fix revocation of privileges on this
since, correct me if I'm wrong, when uucp is run via uux both real
and effective uids are set to uucp. As such it is not immediately
obvious to me how to really make uucp safe while still allowing user
configs but I'm not a UUCP guy :-)

 - todd

From owner-freebsd-security Sat Sep 8 18:54:25 2001
Date: Sat, 8 Sep 2001 18:54:15 -0700
From: Kris Kennaway
To: "Todd C. Miller"
Cc: Kris Kennaway, "Andrey A. Chernov", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908185415.A5619@xor.obsecurity.org>
In-Reply-To: <200109090120.f891KvM14677@xerxes.courtesan.com>

On Sat, Sep 08, 2001 at 07:20:56PM -0600, Todd C. Miller wrote:
> In message <20010908180848.A94567@xor.obsecurity.org>
>     so spake Kris Kennaway (kris):
>
> > The vulnerability involves uucp being made to run arbitrary commands
> > as the uucp user through specifying a custom configuration file - see
> > bugtraq. There may be other problems resulting from user-specified
> > configuration files. I don't have time to go through the code and fix
> > up the revocation of privileges right now..in the meantime, this
> > prevents the root exploit where a user replaces a uucp-owned binary
> > like uustat, which is called daily by /etc/periodic.
>
> Is there really any reason to run uustat as root? Why not just run
> it as user uucp via su? For that matter, running non-root owned
> executables from daily seems like a really bad idea.

Yeah, that's probably a good change to make. However the uucp
vulnerability still lets e.g. arbitrary users read/modify uucp spool
data, create files, access the uucp:dialer devices, etc.

Kris

From owner-freebsd-security Sat Sep 8 18:56:11 2001
Date: Sat, 8 Sep 2001 18:56:02 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: "Todd C. Miller", Kris Kennaway, Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908185602.B5619@xor.obsecurity.org>
In-Reply-To: <20010909054457.A34319@nagual.pp.ru>

On Sun, Sep 09, 2001 at 05:44:58AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 19:20:56 -0600, Todd C. Miller wrote:
> > In message <20010908180848.A94567@xor.obsecurity.org>
> >     so spake Kris Kennaway (kris):
> >
> > > The vulnerability involves uucp being made to run arbitrary commands
> > > as the uucp user through specifying a custom configuration file - see
> > > bugtraq. There may be other problems resulting from user-specified
> > > configuration files. I don't have time to go through the code and fix
> > > up the revocation of privileges right now..in the meantime, this
> > > prevents the root exploit where a user replaces a uucp-owned binary
> > > like uustat, which is called daily by /etc/periodic.
> >
> > Is there really any reason to run uustat as root? Why not just run
> > it as user uucp via su? For that matter, running non-root owned
> > executables from daily seems like a really bad idea.
>
> I agree. There is no need to deal with privilege revocation at all if
> the "uucp" user itself is well restricted; just protect the system's
> "uucp"-owned binaries from overwriting by the "uucp" user using the
> schg flag.

That doesn't protect NFS-mounted systems, and doesn't prevent
arbitrary users from reading/modifying the UUCP spool files.

Kris

From owner-freebsd-security Sat Sep 8 19:00:37 2001
Date: Sun, 9 Sep 2001 05:59:03 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909055903.A34519@nagual.pp.ru>
In-Reply-To: <20010908185415.A5619@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 18:54:15 -0700, Kris Kennaway wrote:
>
> Yeah, that's probably a good change to make. However the uucp
> vulnerability still lets e.g. arbitrary users read/modify uucp spool
> data, create files, access the uucp:dialer devices, etc.

All you mention are historical old-days uucp subsystem bad 'features';
it is not foolproof and requires ethical behaviour of its users. To
eliminate these things the main uucp developers must be contacted,
because these things are deeply integrated in the normal usage flow and
can't be detached easily.

I.e. it is not a FreeBSD security problem but a uucp problem (as
designed). All we need is to protect uucp binaries from modifications
(via schg).

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sat Sep 8 19:01:07 2001
Date: Sat, 8 Sep 2001 19:01:03 -0700
From: Kris Kennaway
To: Jordan Hubbard
Cc: mike@sentex.net, security@freebsd.org
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908190103.A5814@xor.obsecurity.org>
In-Reply-To: <20010908182304C.jkh@freebsd.org>

On Sat, Sep 08, 2001 at 06:23:04PM -0700, Jordan Hubbard wrote:
> I fail to see the cited evidence I'm asking for. Hand-waving I can
> have for free.

The uucp suite has the ability to specify an alternate configuration
file on the command-line (Andrey tells me this is a commonly used
feature :-( ). Using configuration file options they can be made to
execute arbitrary commands as the uucp user. The uucp user owns the
uucp binaries in question. uustat is executed by default by root in
/etc/periodic.

There are other consequences of the underlying vulnerability (full
read/write access to the /var/spool/uucp directories, for example), so
preventing the uucp user from overwriting the binaries (with the schg
flag) only fixes the most serious of the side-effects.

Kris

From owner-freebsd-security Sat Sep 8 19:03:17 2001
Date: Sun, 9 Sep 2001 06:01:44 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909060144.B34519@nagual.pp.ru>
In-Reply-To: <20010908185602.B5619@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 18:56:02 -0700, Kris Kennaway wrote:
>
> That doesn't protect NFS-mounted systems, and doesn't prevent

I don't have ideas about NFS. Does schg not work there?

> arbitrary users from reading/modifying the UUCP spool files.

It is bad design of UUCP; it is not our problem. Moreover, it can't be
fixed easily without a total UUCP redesign. See my prev. message
explaining it more.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sat Sep 8 19:04:37 2001
Date: Sun, 9 Sep 2001 06:04:26 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: Jordan Hubbard, mike@sentex.net, security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909060426.C34519@nagual.pp.ru>
In-Reply-To: <20010908190103.A5814@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 19:01:03 -0700, Kris Kennaway wrote:
> uucp binaries in question. uustat is executed by default by root in
> /etc/periodic.

uustat must be executed by 'su -m uucp' in any case.

> There are other consequences of the underlying vulnerability (full
> read/write access to the /var/spool/uucp directories, for example), so

It can't be fixed without a total UUCP redesign; it is their problem,
not ours.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sat Sep 8 19:07:10 2001
Date: Sat, 8 Sep 2001 19:07:00 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Kris Kennaway, "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908190700.A5881@xor.obsecurity.org>
In-Reply-To: <20010909055903.A34519@nagual.pp.ru>

On Sun, Sep 09, 2001 at 05:59:03AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 18:54:15 -0700, Kris Kennaway wrote:
> >
> > Yeah, that's probably a good change to make. However the uucp
> > vulnerability still lets e.g. arbitrary users read/modify uucp spool
> > data, create files, access the uucp:dialer devices, etc.
>
> All you mention are historical old-days uucp subsystem bad 'features';
> it is not foolproof and requires ethical behaviour of its users. To
> eliminate these things the main uucp developers must be contacted,
> because these things are deeply integrated in the normal usage flow and
> can't be detached easily.
>
> I.e. it is not a FreeBSD security problem but a uucp problem (as
> designed). All we need is to protect uucp binaries from modifications
> (via schg).

Hmm. These flaws in the UUCP suite need to be documented, then. I'm
also very uneasy at having a local root exploit foiled only by the
setting of UFS file flags (mostly because of the NFS-mounted /usr
case). I think it's finally time to make UUCP into a port: I'll work
on that later tonight.

Kris

From owner-freebsd-security Sat Sep 8 19:10:22 2001
Date: Sat, 8 Sep 2001 19:10:13 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Kris Kennaway, "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908191013.B5881@xor.obsecurity.org>
In-Reply-To: <20010909060144.B34519@nagual.pp.ru>; from ache@nagual.pp.ru on Sun, Sep 09, 2001 at 06:01:44AM +0400

On Sun, Sep 09, 2001 at 06:01:44AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 18:56:02 -0700, Kris Kennaway wrote:
> >
> > That doesn't protect NFS-mounted systems, and doesn't prevent
>
> Don't have ideas about NFS. Does schg not work there?

Actually, I think I was overstating a bit. You can't set UFS file
flags on an NFS volume, but they should work fine if already set on
the server and /usr is mounted by a client.

What will break is trying to do an installworld onto a remote NFS
volume, or installworld within a jail, since in order for that to
succeed you have to tell it not to set file flags, and that will leave
you with a local root exploit on the installed system.

> > arbitrary users from reading/modifying the UUCP spool files.
>
> It is bad design of UUCP, it is not our problem. Moreover, it can't be
> fixed easily without total UUCP redesign. See my prev. message explaining
> it more.

Fair enough.

Kris

From owner-freebsd-security Sat Sep 8 19:15:27 2001
Date: Sat, 8 Sep 2001 19:15:24 -0700
From: Kris Kennaway
To: security@FreeBSD.org
Subject: [rwatson@FreeBSD.org: Re: [zen-parse@gmx.net: Multiple vendor 'Taylor UUCP' problems.]]
Message-ID: <20010908191523.A6220@xor.obsecurity.org>

----- Forwarded message from Robert Watson -----

Date: Sat, 08 Sep 2001 22:11:47 -0400 (EDT)
From: Robert Watson
Subject: Re: [zen-parse@gmx.net: Multiple vendor 'Taylor UUCP' problems.]
In-reply-to: <20010908170533.B82247@xor.obsecurity.org>
To: Kris Kennaway
Cc: security-officer@FreeBSD.org

Note that any fix that relies on schg is broken when the client runs over
NFS from a non-BSD server (or installed via NFS). Fixes can rely on
permissions or ownership changes, but not BSD-specific file flags (the
dillon solution will not work in some situations, in other words)

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org NAI Labs, Safeport Network Services

From owner-freebsd-security Sat Sep 8 19:16:00 2001
Date: Sat, 8 Sep 2001 21:15:49 -0500 (CDT)
From: Mike Silbersack
To: Kris Kennaway
Cc: "Andrey A. Chernov", "Todd C. Miller", Matt Dillon, Jordan Hubbard
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-Reply-To: <20010908190700.A5881@xor.obsecurity.org>
Message-ID: <20010908211441.A48947-100000@achilles.silby.com>

On Sat, 8 Sep 2001, Kris Kennaway wrote:

> Hmm. These flaws in the UUCP suite need to be documented, then.
>
> I'm also very uneasy at having a local root exploit foiled only by
> the setting of UFS file flags (mostly because of the NFS-mounted /usr
> case).
>
> I think it's finally time to make UUCP into a port: I'll work on that
> later tonight.
>
> Kris

If uustat being called from the daily scripts is the exploit "vector",
can't we just remove uustat from the daily scripts for now? I doubt many
of us use uucp, and those that do can get along without daily stats for
a little while.

Mike "Silby" Silbersack

From owner-freebsd-security Sat Sep 8 19:17:36 2001
Date: Sun, 9 Sep 2001 06:16:01 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909061601.A34828@nagual.pp.ru>
In-Reply-To: <20010908190700.A5881@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 19:07:00 -0700, Kris Kennaway wrote:
> > I.e. it is not FreeBSD security problem but uucp problem (as designed).
> > All we need is to protect uucp binaries from modifications (via schg).
>
> Hmm. These flaws in the UUCP suite need to be documented, then.

They are documented (read docs :-) not as 'flaws' but as normal
functionality. By specifying the same system as anybody else you can
easily create havoc there, but UUCP assumes that it 'never happens' or
is handled by system admin reactions. Users that have uucp access are
treated as one team, not enemies.

> I think it's finally time to make UUCP into a port: I'll work on that
> later tonight.

Maybe. It is rarely enough used nowadays to deserve that.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sat Sep 8 19:21:57 2001
Date: Sun, 9 Sep 2001 06:20:25 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909062025.B34828@nagual.pp.ru>
In-Reply-To: <20010908191013.B5881@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 19:10:13 -0700, Kris Kennaway wrote:
> Actually, I think I was overstating a bit. You can't set UFS file
> flags on an NFS volume, but they should work fine if already set on
> the server and /usr is mounted by a client.
>
> What will break is trying to do an installworld onto a remote NFS
> volume, or installworld within a jail, since in order for that to
> succeed you have to tell it not to set file flags, and that will leave
> you with a local root exploit on the installed system.

This is a different problem we already have in other places, since we
install f.e. libc, sliplogin, login, chpass, etc. etc. with -fschg

It means no remote NFS installation allowed.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sat Sep 8 19:29:24 2001
Message-Id: <5.1.0.14.0.20010908222654.060f1ea8@192.168.0.12>
Date: Sat, 08 Sep 2001 22:29:13 -0400
To: "Andrey A. Chernov"
From: Mike Tancsa
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Cc: security@FreeBSD.ORG
In-Reply-To: <20010909061601.A34828@nagual.pp.ru>

At 06:16 AM 9/9/2001 +0400, Andrey A. Chernov wrote:
> > I think it's finally time to make UUCP into a port: I'll work on that
> > later tonight.
>
> Maybe. It is rarely enough used nowadays to deserve that.

For mail delivery to non permanently connected sites, it's a damn sight
better than ETRN or pop3. That being said, we have no more than 10
customers using it still....

---Mike

From owner-freebsd-security Sat Sep 8 19:33:01 2001
Date: Sat, 8 Sep 2001 19:32:52 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Kris Kennaway, "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908193252.A7066@xor.obsecurity.org>
In-Reply-To: <20010909062025.B34828@nagual.pp.ru>; from ache@nagual.pp.ru on Sun, Sep 09, 2001 at 06:20:25AM +0400

On Sun, Sep 09, 2001 at 06:20:25AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 19:10:13 -0700, Kris Kennaway wrote:
> > Actually, I think I was overstating a bit. You can't set UFS file
> > flags on an NFS volume, but they should work fine if already set on
> > the server and /usr is mounted by a client.
> >
> > What will break is trying to do an installworld onto a remote NFS
> > volume, or installworld within a jail, since in order for that to
> > succeed you have to tell it not to set file flags, and that will leave
> > you with a local root exploit on the installed system.
>
> This is a different problem we already have in other places, since we
> install f.e. libc, sliplogin, login, chpass, etc. etc. with -fschg
>
> It means no remote NFS installation allowed.

That's slightly different: the fact that those files don't have the
schg flags doesn't expose any runtime security holes, it just means
that root can overwrite them. The difference is that here *any* user
can overwrite the uu* binaries, which is equivalent to a local root
exploit if root runs that binary (which it does currently, once a day).

Kris

From owner-freebsd-security Sat Sep 8 19:34:42 2001
Date: Sat, 8 Sep 2001 19:34:38 -0700
From: Kris Kennaway
To: Mike Tancsa
Cc: "Andrey A. Chernov", security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908193438.A9754@xor.obsecurity.org>
In-Reply-To: <5.1.0.14.0.20010908222654.060f1ea8@192.168.0.12>; from mike@sentex.net on Sat, Sep 08, 2001 at 10:29:13PM -0400

On Sat, Sep 08, 2001 at 10:29:13PM -0400, Mike Tancsa wrote:
> At 06:16 AM 9/9/2001 +0400, Andrey A. Chernov wrote:
>
> > > I think it's finally time to make UUCP into a port: I'll work on that
> > > later tonight.
> >
> > Maybe. It is rarely enough used nowadays to deserve that.
>
>
> For mail delivery to non permanently connected sites, it's a damn sight
> better than ETRN or pop3. That being said, we have no more than 10
> customers using it still....

I've almost finished the port..I'll try and include an 'upgrade' target
for migrating existing configuration.

Kris

From owner-freebsd-security Sat Sep 8 19:44:30 2001
Message-Id: <200109090243.f892hID99147@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Mike Tancsa
Cc: "Andrey A. Chernov", security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-reply-to: Your message of "Sat, 08 Sep 2001 22:29:13 EDT." <5.1.0.14.0.20010908222654.060f1ea8@192.168.0.12>
Date: Sat, 08 Sep 2001 19:42:52 -0700

In message <5.1.0.14.0.20010908222654.060f1ea8@192.168.0.12>, Mike Tancsa writes:
> At 06:16 AM 9/9/2001 +0400, Andrey A. Chernov wrote:
>
> > > I think it's finally time to make UUCP into a port: I'll work on that
> > > later tonight.
> >
> > Maybe. It is rarely enough used nowadays to deserve that.
>
>
> For mail delivery to non permanently connected sites, it's a damn sight
> better than ETRN or pop3. That being said, we have no more than 10
> customers using it still....

How about the following solution? Install the UUCP binaries without
the setuid bit set and ship a script that would enable UUCP (turn on
setuid/setgid bits) for sites that need it. Of course the script would
print an appropriate warning that enabling UUCP could lead to
compromise.

Could not a UUCP based mail delivery system run in a jailed environment?
How about fetchmail?

Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:    (250)387-5766
Team Leader, Sun/Alpha Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

From owner-freebsd-security Sat Sep 8 19:50:45 2001
Message-ID: <15258.55549.285245.769691@horsey.gshapiro.net>
Date: Sat, 8 Sep 2001 19:50:37 -0700
From: Gregory Neil Shapiro
To: security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-Reply-To: <200109090243.f892hID99147@cwsys.cwsent.com>

Cy.Schubert> How about the following solution? Install the UUCP binaries
Cy.Schubert> without the setuid bit set and ship a script that would enable
Cy.Schubert> UUCP (turn on setuid/setgid bits) for sites that need it. Of
Cy.Schubert> course the script would print an appropriate warning that
Cy.Schubert> enabling UUCP could lead to compromise.

Also, at the very least, Jordan may approve of this diff for RELENG_4 for
4.4. There is no reason for non-UUCP systems (probably most of them out
there) to run these anyway.

Index: periodic.conf
===================================================================
RCS file: /src/FreeBSD/cvsrepo/src/etc/defaults/periodic.conf,v
retrieving revision 1.7.2.8
diff -u -u -r1.7.2.8 periodic.conf
--- periodic.conf	2001/07/28 11:44:22	1.7.2.8
+++ periodic.conf	2001/09/09 02:49:20
@@ -89,14 +89,14 @@
 daily_news_expire_enable="YES"			# Run news.expire
 
 # 340.uucp
-daily_uuclean_enable="YES"			# Run uuclean.daily
+daily_uuclean_enable="NO"			# Run uuclean.daily
 
 # 400.status-disks
 daily_status_disks_enable="YES"			# Check disk status
 daily_status_disks_df_flags="-k -t nonfs"	# df(1) flags for check
 
 # 410.status-uucp
-daily_status_uucp_enable="YES"			# Check uucp status
+daily_status_uucp_enable="NO"			# Check uucp status
 
 # 420.status-network
 daily_status_network_enable="YES"		# Check network status
@@ -149,7 +149,7 @@
 weekly_clean_kvmdb_verbose="YES"		# Mention files deleted
 
 # 300.uucp
-weekly_uucp_enable="YES"			# Clean uucp weekly
+weekly_uucp_enable="NO"				# Clean uucp weekly
 
 # 310.locate
 weekly_locate_enable="YES"			# Update locate weekly

From owner-freebsd-security Sat Sep 8 19:51:30 2001
Date: Sat, 8 Sep 2001 19:51:26 -0700
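Review bot: flipping the 340.uucp and 410.status-uucp defaults in the first hunk (and 300.uucp in the second) only stops periodic(8) from running the uu* binaries as root; it does nothing about the spool and binary ownership problem Kris Kennaway described, so the commit message should call this a stopgap rather than a fix, and the hunk ought to be accompanied by a note that UUCP sites must set daily_uuclean_enable, daily_status_uucp_enable and weekly_uucp_enable back to "YES" in /etc/periodic.conf after upgrading, or their spool housekeeping silently stops.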
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: Mike Tancsa, "Andrey A. Chernov", security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908195126.A13080@xor.obsecurity.org>
In-Reply-To: <200109090243.f892hID99147@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Sat, Sep 08, 2001 at 07:42:52PM -0700

On Sat, Sep 08, 2001 at 07:42:52PM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> How about the following solution? Install the UUCP binaries without
> the setuid bit set and ship a script that would enable UUCP (turn on
> setuid/setgid bits) for sites that need it. Of course the script would
> print an appropriate warning that enabling UUCP could lead to
> compromise.

No, if we're going to do that (install binaries by default which are
useless by default) then we might as well just make it a port. I'm
almost done with that..I should be ready to commit in half an hour or
so (I won't be removing uucp yet). The only question is what to do
with cu, which is apparently used by a lot of people separately to
uucp. We could either leave gnu/libexec/uucp/{cu,common_source} in
place, or make it into a port as well.

> Could not a UUCP based mail delivery system run in a jailed environment?

Probably.

Kris

From owner-freebsd-security Sat Sep 8 19:55:24 2001
Message-ID: <001401c10822$99f27ac0$34df7ad1@unstable.org>
From: "Klik"
Subject: ipfw + natd woes
Date: Sun, 8 Jul 2001 22:55:22 -0400

Hello,

I'm having trouble setting up my ipfw firewall with a default rule of
deny while using natd.. My setup is as follows:

Cablemodem--> nic1--| FreeBSD box |--nic2--> HUB

natd flags: -w -s -n nic1

If I remove the 'allow ip from any to any' rule and add a bunch of permit
statements for DNS, HTTP, IRC, etc.. The packets will only go to the
FreeBSD machine. None of the machines on the local network are able to
access the outside world. I've read the past threads about ipfw and
natd, the natd and ipfw man pages ...I'm about to pull my hair out

Any help would be greatly appreciated
Greg
------=_NextPart_000_0011_01C10801.11C383E0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Sep 8 20:49:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 67DA337B401 for ; Sat, 8 Sep 2001 20:49:16 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id EE91066D0A; Sat, 8 Sep 2001 20:49:15 -0700 (PDT) Date: Sat, 8 Sep 2001 20:49:15 -0700 From: Kris Kennaway To: Kris Kennaway Cc: Cy Schubert - ITSD Open Systems Group , Mike Tancsa , "Andrey A. Chernov" , security@FreeBSD.org Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Message-ID: <20010908204915.A24987@xor.obsecurity.org> References: <5.1.0.14.0.20010908222654.060f1ea8@192.168.0.12> <200109090243.f892hID99147@cwsys.cwsent.com> <20010908195126.A13080@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010908195126.A13080@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Sep 08, 2001 at 07:51:26PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --XsQoSWH+UP9D9v3l Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Sep 08, 2001 at 07:51:26PM -0700, Kris Kennaway wrote: > On Sat, Sep 08, 2001 at 07:42:52PM -0700, Cy Schubert - ITSD Open Systems= Group wrote: >=20 > > How about the following solution? Install the UUCP binaries without=20 > > the setuid bit set and ship a script that would enable UUCP (turn on=20 > > setuid/setgid bits) for sites that need it. 
> > Of course the script would
> > print an appropriate warning that enabling UUCP could lead to
> > compromise.
>
> No, if we're going to do that (install binaries by default which are
> useless by default) then we might as well just make it a port. I'm
> almost done with that..I should be ready to commit in half an hour or
> so (I won't be removing uucp yet).

Okay, I've committed a first cut of the freebsd-uucp port. Anyone who
makes use of uucp, please test this and let me know if there's anything
else I should be doing to smooth the transition path from the base
system version. Since I don't use UUCP, I might be missing something.

Once people are happy with the port, I'll remove the uucp stuff from
the base system (leaving cu behind, probably)

Kris

From owner-freebsd-security Sat Sep 8 21:52:06 2001
Date: Sat, 8 Sep 2001 21:51:56 -0700 (PDT)
From: Matt Dillon
Message-Id: <200109090451.f894puV31109@earth.backplane.com>
To: "Andrey A. Chernov", Kris Kennaway, "Todd C. Miller", Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Wow. A lot of replies on this thread! I've read every one and would
like to interject a couple of points if I may:

* Regardless of security problems with the uucp binaries, it is still
  our job to protect root.

* No binary in a standard system path (/bin, /usr/bin, /sbin, /usr/sbin)
  should be editable by non-root, no matter what. Even if cron doesn't
  run the binary, a sysop su'd to root might, or someone from another
  user account. 'schg' accomplishes this.

* I don't understand the person who was saying that NFS installs
  wouldn't work. I use NFS based installs for everything, it works fine.
  The typical method is to remotely mount /usr/src and do a local
  'make installworld', not to remotely mount the destination host and
  do the 'make installworld' with the mount as a target.

* Several other binaries, such as 'man', are already installed noschg,
  as well as some libraries. We aren't breaking new ground here.

I think it's worth getting into -stable for the release, but it's
Jordan's decision. I *am* going to commit the schg changes to -current
now since there does not seem to be any opposition to it.

Remember guys: security should always be a layered onion approach, we
are not precluding additional fixes by making this change.
-Matt

From owner-freebsd-security Sat Sep 8 22:14:11 2001
Message-ID: <001101c10835$f7e8c2c0$34df7ad1@unstable.org>
From: "Klik"
Subject: Re: ipfw + natd woes
Date: Mon, 9 Jul 2001 01:14:01 -0400

Here is some more info in the setup, sorry about the incomplete post...
extra kernel options:

options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options DUMMYNET

results of netstat -nr:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.164.28.1       UGSc        5  8604782    rl0
127.0.0.1          127.0.0.1          UH          0       54    lo0
192.168.1          link#3             UC          3        0    ed1
192.168.1.3        0:40:33:d2:1f:9d   UHLW        2  3201858    ed1     17
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       0      791    ed1
216.164.28/23      link#1             UC          2        0    rl0
216.164.28.1       0:30:94:a8:eb:54   UHLW        3        0    rl0    497
216.164.29.255     ff:ff:ff:ff:ff:ff  UHLWb       0     2363    rl0

# firewall ruleset

#!/bin/sh

/sbin/ipfw add permit tcp from any 21 to any established in
/sbin/ipfw add permit tcp from any 21 to any setup out
/sbin/ipfw add permit tcp from any 22 to any established in
/sbin/ipfw add permit tcp from any 22 to any setup out
/sbin/ipfw add permit tcp from any 25 to any established in
/sbin/ipfw add permit tcp from any 25 to any setup out
/sbin/ipfw add permit tcp from any 53 to any established in
/sbin/ipfw add permit tcp from any 53 to any setup out
/sbin/ipfw add permit tcp from any 80 to any established in
/sbin/ipfw add permit tcp from any 80 to any setup out
/sbin/ipfw add permit tcp from any 110 to any established in
/sbin/ipfw add permit tcp from any 110 to any setup out
/sbin/ipfw add permit tcp from any 113 to any established in
/sbin/ipfw add permit tcp from any 113 to any setup out
/sbin/ipfw add permit tcp from any 123 to any established in
/sbin/ipfw add permit tcp from any 123 to any setup out
/sbin/ipfw add permit tcp from any 143 to any established in
/sbin/ipfw add permit tcp from any 143 to any setup out

I tried all of these without the 'established' and 'setup' - no change

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add 97 deny all from 10.0.0.0/8 to any in via rl0
/sbin/ipfw add 97 deny all from any to 10.0.0.0/8 in via rl0
/sbin/ipfw add 97 deny all from 172.16.0.0/12 to any in via rl0
/sbin/ipfw add 97 deny all from any to 172.16.0.0/12 in via rl0
/sbin/ipfw add 97 deny all from 192.168.0.0/16 to any in via rl0
/sbin/ipfw add 97 deny all from any to 192.168.0.0/16 in via rl0

#nat line
/sbin/ipfw add divert natd all from any to any via rl0

/etc/rc.conf:

network_interfaces="rl0 ed1 lo0"
ifconfig_rl0="DHCP"
ifconfig_ed1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"

natd flags:
-m: Allocate a socket(2) in order to establish an FTP data or IRC DCC send connection.
-s: Try to keep the same port number when altering outgoing packets.

----- Original Message -----
From: Klik
To: freebsd-security@freebsd.org
Sent: Sunday, July 08, 2001 10:55 PM
Subject: ipfw + natd woes

Hello,

I'm having trouble setting up my ipfw firewall with a default rule of
deny while using natd.. My setup is as follows:

Cablemodem--> nic1--| FreeBSD box |--nic2--> HUB

natd flags: -m -s -n nic1

If I remove the 'allow ip from any to any' rule and add a bunch of
permit statements for DNS, HTTP, IRC, etc.. The packets will only go to
the FreeBSD machine. None of the machines on the local network are able
to access the outside world. I've read the past threads about ipfw and
natd, the natd and ipfw man pages ...I'm about to pull my hair out

Any help would be greatly appreciated
Greg
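As an added example that is not part of this thread (and is not FreeBSD's rc.firewall either), here is a default-deny natd/ipfw ruleset for the topology the post describes, written to show the ordering rule natd(8) documents: a packet crossing the outside interface must reach the divert rule before any permit/deny rule matches it, and after natd hands it back it continues at the next rule with translated addresses. ipfw numbers an unnumbered "add" after the highest existing rule, so a ruleset that adds the divert line last (as above) filters first and translates never. The interface names rl0/ed1 and the 192.168.1.0/24 inside network are taken from the poster's rc.conf; the inbound services the box itself offers (22, 25, 80) are an assumption. Run with no argument the script only prints the rules; "sh natd-ipfw.sh load" applies them with /sbin/ipfw as root.

```shell
#!/bin/sh
# Added example (not from the thread): natd + ipfw with a default-deny policy.
# The point is rule ORDER: anti-spoofing, then divert, then the filter rules.
# Every rule carries an explicit number so the order does not depend on the
# order in which the commands happen to run.
#
# Usage:  sh natd-ipfw.sh        -> print the rules (dry run)
#         sh natd-ipfw.sh load   -> load them with /sbin/ipfw (as root)

oif="rl0"               # outside interface (cable modem), from the poster's rc.conf
iif="ed1"               # inside interface, from the poster's rc.conf
inet="192.168.1.0/24"   # inside network, from ifconfig_ed1 above
inbound_tcp="22 25 80"  # services the box itself offers outside: an assumption

load_ruleset() {
    ${fwcmd} -f flush

    # 1. Anti-spoofing, BEFORE the divert rule and inbound-only ("in via").
    #    The same "to 192.168.0.0/16" deny placed after the divert would drop
    #    the inbound replies natd has just rewritten to an address in ${inet}.
    ${fwcmd} add 100 deny ip from ${inet} to any in via ${oif}
    ${fwcmd} add 110 deny ip from 10.0.0.0/8 to any in via ${oif}
    ${fwcmd} add 111 deny ip from 172.16.0.0/12 to any in via ${oif}
    ${fwcmd} add 112 deny ip from 192.168.0.0/16 to any in via ${oif}
    ${fwcmd} add 120 deny ip from any to 10.0.0.0/8 in via ${oif}
    ${fwcmd} add 121 deny ip from any to 172.16.0.0/12 in via ${oif}
    ${fwcmd} add 122 deny ip from any to 192.168.0.0/16 in via ${oif}

    # 2. Translate. Everything crossing ${oif} goes to natd; a packet that
    #    comes back from natd continues at rule 300 with translated addresses.
    ${fwcmd} add 200 divert natd ip from any to any via ${oif}

    # 3. Loopback and the inside interface are trusted.
    ${fwcmd} add 300 allow ip from any to any via lo0
    ${fwcmd} add 310 allow ip from any to any via ${iif}

    # 4. Packets of TCP connections already set up, in either direction.
    ${fwcmd} add 400 allow tcp from any to any via ${oif} established

    # 5. Outbound connections from the box or (after NAT) from ${inet}:
    #    match on direction, not on a source port.
    ${fwcmd} add 500 allow tcp from any to any out via ${oif} setup
    ${fwcmd} add 510 allow udp from any to any 53 out via ${oif}
    ${fwcmd} add 511 allow udp from any 53 to any in via ${oif}
    ${fwcmd} add 520 allow udp from any to any 123 out via ${oif}
    ${fwcmd} add 521 allow udp from any 123 to any in via ${oif}
    # The outside address comes from DHCP (ifconfig_rl0="DHCP" above).
    ${fwcmd} add 540 allow udp from any 68 to any 67 out via ${oif}
    ${fwcmd} add 541 allow udp from any 67 to any 68 in via ${oif}

    # 6. Connections TO services on the box itself (destination port).
    n=600
    for p in ${inbound_tcp}; do
        ${fwcmd} add ${n} allow tcp from any to any ${p} in via ${oif} setup
        n=$((n + 1))
    done

    # 7. Default deny, logged (IPFIREWALL_VERBOSE) so blocked traffic is visible.
    ${fwcmd} add 65000 deny log ip from any to any
}

if [ "${1-}" = "load" ]; then
    fwcmd="/sbin/ipfw"
else
    fwcmd="echo /sbin/ipfw"     # dry run: show what would be loaded
fi
load_ruleset
```

The dry-run mode is there so the order can be read and checked before anything is loaded on a box you are logged into over the outside interface; with a default-deny rule 65000 and "ipfw -f flush" at the top, loading a wrong set from an ssh session drops that session.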