From owner-freebsd-security@freebsd.org Sun Sep 4 01:44:10 2016
From: Ed Maste
Date: Sun, 4 Sep 2016 01:43:49 +0000
Subject: Re: edit others user crontab, security bug
To: Garrett Wollman
Cc: Damian Weber, freebsd-security@freebsd.org
In-Reply-To: <22474.13802.335507.240401@hergotha.csail.mit.edu>

On 3 September 2016 at 02:31, Garrett Wollman wrote:
>
> I see now that this was fixed by emaste@ yesterday (r305269). I'm a
> bit disappointed that it was done using MAXLOGNAME, but looking at the
> way it's used in the code, fixing it to use the proper POSIX parameter
> {LOGIN_NAME_MAX} would require significant restructuring, ...

Yep, as I mentioned in the code review for my change, I agree cron warrants a deeper investigation and refactoring, but I wanted to get the immediate issue fixed as soon as possible.
-Ed

From owner-freebsd-security@freebsd.org Wed Sep 7 01:35:52 2016
From: "Jason C. Wells"
Date: Tue, 6 Sep 2016 18:35:42 -0700
Subject: /etc/rc.d/ipropd_master overwrites /var/heimdal/slaves
To: freebsd-security@freebsd.org
Message-ID: <9c676dad-8612-118c-89b0-f85d389caa00@fastmail.com>

First off, thanks for updating heimdal. I've been eagerly awaiting that. (Although, I might be late to the party since I only recently updated to 10.3 from 9.3.)

The FreeBSD-provided /etc/rc.d/ipropd_master script always overwrites /var/heimdal/slaves within the precmd portion of the RC script. I find this to be extremely odd. Rather, please just check if /var/heimdal/slaves is empty, if you must check anything at all.

If one happily follows along with the heimdal website and writes out /var/heimdal/slaves, one unhappily finds that /etc/rc.d/ipropd_master will unhappily overwrite your file.

In other news, /etc/rc.d/apache needs a variable called httpd_conf that overwrites /usr/local/etc/httpd.conf upon every boot. That is, if we want to be consistent. ( <== a small joke )

Regards,
Jason C. Wells
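The precmd behaviour Jason asks for, shown beside the always-overwrite behaviour he describes, as an added example rather than the FreeBSD rc script's own code; the function names and the constructed hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not code from FreeBSD's /etc/rc.d/ipropd_master.
# Both helpers take the slaves file path as $1 and the slave list to
# write (one KDC slave hostname per line) as $2.

# What the message describes: the file is rewritten on every run, so a
# hand-maintained /var/heimdal/slaves is silently clobbered at each boot.
overwrite_slaves() {
    printf '%s\n' "$2" > "$1"
}

# What the message asks for: seed the file only when it is missing or
# empty; an existing, non-empty admin-maintained file is left untouched.
# Returns 0 either way so a precmd using it does not abort the service.
seed_slaves_if_empty() {
    if [ -s "$1" ]; then
        return 0
    fi
    printf '%s\n' "$2" > "$1"
}

# Runs the helper named in $1 against a constructed, non-empty slaves file
# and reports "kept" if the admin's entry survived, "clobbered" if not.
check_precmd_behaviour() {
    f=$(mktemp) || return 1
    printf 'kdc2.example.org\n' > "$f"          # the admin's own entry
    "$1" "$f" 'kdc-default.example.org'         # run the precmd helper
    if [ "$(cat "$f")" = 'kdc2.example.org' ]; then
        result=kept
    else
        result=clobbered
    fi
    rm -f "$f"
    echo "$result"
}

check_precmd_behaviour seed_slaves_if_empty   # prints: kept
check_precmd_behaviour overwrite_slaves       # prints: clobbered
```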
From owner-freebsd-security@freebsd.org Wed Sep 7 12:00:42 2016
From: tlw@interface.dk
Date: Wed, 7 Sep 2016 14:00:31 +0200 (CEST)
Subject: Tim Warberg Out of office: freebsd-security Digest, Vol 590, Issue 1
To: freebsd-security@freebsd.org
Message-Id: <20160907120031.16F3D19638@web1.interface-hosting.dk>

Thank you for your mail. I cannot be reached before 12/09-2016. Contact one of my colleagues at kontakt@interface.dk, or on our main number 4242 7070. Otherwise I will get back to you when I am back.
Med venlig hilsen / Best regards
Tim Warberg
________________
interface ApS
Lautruphøj 1-3
DK - 2750 Ballerup
Tlf.: +45 2872 5383
Email: tlw@interface.dk
Web: http://interface.dk

From owner-freebsd-security@freebsd.org Wed Sep 7 21:25:17 2016
From: Mark Felder
Date: Wed, 07 Sep 2016 16:25:15 -0500
Subject: Re: using pkg audit to show base vulnerabilities
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd security
Message-Id: <1473283515.3860529.718903225.76BE1456@webmail.messagingengine.com>
In-Reply-To: <57BEE965.8000903@quip.cz>

On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
> I am not sure if this is the right list or not. If not, please redirect
> me to the right one.
>
> I noticed this post from Mark Felder
> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>
> Great work Mark, thank you!
>
> I found it very useful. I want this to be part of the nightly reports on
> all our machines so I tried to write 405.base-audit. It is based on
> the original 410.pkg-audit.
> It can check kernel and world of a host or world in a jail or chroot (if
> freebsd-version is installed in the jail or chroot).
>
> You can find my first attempt at
> http://freebsd.quip.cz/script/405.base-audit.sh
>

I have been toying with the idea of creating a port that provides a script called "baseaudit" that can make it very easy to check your system for known vulns. With the majority of the logic in this script we could also include this periodic script in the package which would check nightly as well. Perhaps we should collaborate on this together? I will need to review your script in detail but at a glance it appears very thorough.

Thanks!

--
Mark Felder
ports-secteam member
feld@FreeBSD.org

From owner-freebsd-security@freebsd.org Wed Sep 7 23:23:45 2016
From: Ben Woods
Date: Thu, 8 Sep 2016 07:23:43 +0800
Subject: Re: using pkg audit to show base vulnerabilities
To: Mark Felder
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd security
In-Reply-To: <1473283515.3860529.718903225.76BE1456@webmail.messagingengine.com>

On 8 September 2016 at 05:25, Mark Felder wrote:
> I have been toying with the idea of creating a port that provides a
> script called "baseaudit" that can make it very easy to check your
> system for known vulns. With the majority of the logic in this script we
> could also include this periodic script in the package which would check
> nightly as well. Perhaps we should collaborate on this together? I will
> need to review your script in detail but at a glance it appears very
> thorough.
>
>
> Thanks!
>
> --
> Mark Felder
> ports-secteam member
> feld@FreeBSD.org
>

Just a thought, once we move to PkgBase, will this simply work with "pkg audit"? Are the new vuxml entries in the correct format to detect for individual base packages? E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development

Are the new vuxml entries in a format that would support PkgBase for releases as well as for stable/current? E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939

Regards,
Ben

From owner-freebsd-security@freebsd.org Thu Sep 8 00:21:27 2016
From: Mark Felder
To: Ben Woods
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd security
Message-Id: <1473294085.1278493.719031513.171C64A2@webmail.messagingengine.com>
Subject: Re: using pkg audit to show base vulnerabilities
Date: Wed, 07 Sep 2016 19:21:25 -0500

On Wed, Sep 7, 2016, at 18:23, Ben Woods wrote:
>
> Just a thought, once we move to PkgBase, will this simply work with "pkg
> audit"?
>

Yes, that's the plan as I know it.

> Are the new vuxml entries in the correct format to detect for individual
> base packages?
> E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development
>

The current format is irrelevant as the vulnerabilities will not apply to a FreeBSD release that has pkg base. This is just a stopgap that has been hacked up. I also do not know what the base package names will be yet as I haven't played around with it, but we will be ensuring that vuxml entries are correctly added once pkg base is finalized. It will be possible to add entries that match for both older FreeBSD releases and new pkg base releases.

> Are the new vuxml entries in a format that would support PkgBase for
> releases as well as for stable/current?
> E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939
>

I don't know if it will be possible to match for stable/current users. Depends on the versioning scheme.
--
Mark Felder
ports-secteam member
feld@FreeBSD.org

From owner-freebsd-security@freebsd.org Thu Sep 8 12:00:31 2016
From: tlw@interface.dk
Date: Thu, 8 Sep 2016 14:00:28 +0200 (CEST)
Subject: Tim Warberg Out of office: freebsd-security Digest, Vol 590, Issue 2
To: freebsd-security@freebsd.org
Message-Id: <20160908120028.3D15219681@web1.interface-hosting.dk>

Thank you for your mail. I cannot be reached before 12/09-2016. Contact one of my colleagues at kontakt@interface.dk, or on our main number 4242 7070. Otherwise I will get back to you when I am back.
Med venlig hilsen / Best regards
Tim Warberg
________________
interface ApS
Lautruphøj 1-3
DK - 2750 Ballerup
Tlf.: +45 2872 5383
Email: tlw@interface.dk
Web: http://interface.dk

From owner-freebsd-security@freebsd.org Fri Sep 9 12:00:21 2016
From: tlw@interface.dk
Date: Fri, 9 Sep 2016 14:00:18 +0200 (CEST)
Subject: Tim Warberg Out of office: freebsd-security Digest, Vol 590, Issue 3
To: freebsd-security@freebsd.org
Message-Id: <20160909120018.7614C19671@web1.interface-hosting.dk>

Thank you for your mail. I cannot be reached before 12/09-2016. Contact one of my colleagues at kontakt@interface.dk, or on our main number 4242 7070. Otherwise I will get back to you when I am back.
Med venlig hilsen / Best regards
Tim Warberg
________________
interface ApS
Lautruphøj 1-3
DK - 2750 Ballerup
Tlf.: +45 2872 5383
Email: tlw@interface.dk
Web: http://interface.dk

From owner-freebsd-security@freebsd.org Fri Sep 9 12:16:04 2016
From: xs
Date: Fri, 9 Sep 2016 14:16:03 +0200
Subject: Re: Tim Warberg Out of office: freebsd-security Digest, Vol 590, Issue 3
To: tlw@interface.dk
Cc: freebsd-security@freebsd.org
In-Reply-To: <20160909120018.7614C19671@web1.interface-hosting.dk>

I don't give a fuck that you're on holiday.

On 9 Sep 2016 at 14:00, wrote:
> Thank you for your mail.
>
> I cannot be reached before 12/09-2016. Contact one of my colleagues
> at kontakt@interface.dk, or on our main number 4242 7070. Otherwise
> I will get back to you when I am back.
>
> Med venlig hilsen / Best regards
>
> Tim Warberg
> ________________
> interface ApS
> Lautruphøj 1-3
> DK - 2750 Ballerup
>
> Tlf.: +45 2872 5383
> Email: tlw@interface.dk
> Web: http://interface.dk
>
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Fri Sep 9 20:04:43 2016
From: Garrett Wollman
Date: Fri, 9 Sep 2016 16:04:40 -0400
Subject: Trying to think out a hack for NSS and pw(8)
To: freebsd-arch@freebsd.org, freebsd-security@freebsd.org
Message-ID: <22483.5592.653250.726711@hergotha.csail.mit.edu>
Presently, we have a bunch of machines under configuration management (using Puppet, but that's not really relevant here). I'm hoping to implement LDAP via nsswitch on these machines, but I've run into an issue: the standard getpw*(3) mechanisms can't tell the difference between users or groups in the local databases and those in the remote LDAP database. We need Puppet to manage entries for users and groups in the local database, without respect to what entries might be imported from LDAP (because they are supposed to override the data returned by LDAP). Puppet invokes pw(8) to actually perform the modifications, but I suspect it also uses native code from the Ruby standard library to actually do pre-modification lookups.

Looking at the code in both nss-pam-ldapd and libc, it seems like the only plausible way to fix this is to add functionality to nsswitch which would allow it to use different configurations depending on the identity of the process invoking getpwnam(3) or getgrnam(3). Does anyone have opinions on how this ought to be implemented, or indeed how it could be implemented securely?

(As a side issue, the net/nss-pam-ldapd port completely ignores account expiration dates. This bug is due to the fact that Linux has this ships-in-the-night "shadow" mechanism, getspent(3), rather than having it integrated in getpwent(3) like it should be, but the ultimate upshot is that if you're using nss-pam-ldapd you can't rely on shadowExpire attributes in the directory actually having an effect on FreeBSD. I'll open a bugzilla issue about this.)

-GAWollman

From owner-freebsd-security@freebsd.org Fri Sep 9 20:18:30 2016
From: "Poul-Henning Kamp"
Date: Fri, 09 Sep 2016 20:13:02 +0000
Subject: Re: Trying to think out a hack for NSS and pw(8)
To: Garrett Wollman
Cc: freebsd-arch@freebsd.org, freebsd-security@freebsd.org
Message-ID: <67593.1473451982@critter.freebsd.dk>
In-Reply-To: <22483.5592.653250.726711@hergotha.csail.mit.edu>
In message <22483.5592.653250.726711@hergotha.csail.mit.edu>, Garrett Wollman writes:

> Puppet invokes pw(8) to actually perform the
> modifications, but I suspect it also uses native code from the Ruby
> standard library to actually do pre-modification lookups.
> [...]
> Looking at the code in both nss-pam-ldapd and libc, it seems like the
> only plausible way to fix this is to add functionality to nsswitch
> which would allow it to use different configurations depending on the
> identity of the process invoking getpwnam(3) or getgrnam(3).

You want to add a further layer of complications to the already far too complicated user/group/authentication code in FreeBSD, just because you don't want to look at Puppet's Ruby code?

Really?

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From: Mike Kelly
To: Garrett Wollman, freebsd-arch@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Trying to think out a hack for NSS and pw(8)
Date: Fri, 09 Sep 2016 21:07:10 +0000
In-Reply-To: <22483.5592.653250.726711@hergotha.csail.mit.edu>

You may find that the best way to handle this is to disable enumeration of your LDAP users in NSS. For example, if you're using sssd for your LDAP NSS & PAM provider, it is, in fact, disabled by default. This means that calls to getpwent(3) will only end up enumerating the users in your local files, and not those in LDAP. But calls to getpwnam(3), getpwuid(3), etc. will return the details of a specific username or user id, even if it's only present in LDAP.

On Fri, Sep 9, 2016 at 4:11 PM Garrett Wollman wrote:

> Presently, we have a bunch of machines under configuration management
> (using Puppet, but that's not really relevant here). I'm hoping to
> implement LDAP via nsswitch on these machines, but I've run into an
> issue: the standard getpw*(3) mechanisms can't tell the difference
> between users or groups in the local databases and those in the remote
> LDAP database. We need Puppet to manage entries for users and groups
> in the local database, without respect to what entries might be
> imported from LDAP (because they are supposed to override the data
> returned by LDAP). Puppet invokes pw(8) to actually perform the
> modifications, but I suspect it also uses native code from the Ruby
> standard library to actually do pre-modification lookups.
>
> Looking at the code in both nss-pam-ldapd and libc, it seems like the
> only plausible way to fix this is to add functionality to nsswitch
> which would allow it to use different configurations depending on the
> identity of the process invoking getpwnam(3) or getgrnam(3). Does
> anyone have opinions on how this ought to be implemented, or indeed
> how it could be implemented securely?
>
> (As a side issue, the net/nss-pam-ldapd port completely ignores
> account expiration dates. This bug is due to the fact that Linux has
> this ships-in-the-night "shadow" mechanism, getspent(3), rather than
> having it integrated in getpwent(3) like it should be, but the
> ultimate upshot is that if you're using nss-pam-ldapd you can't rely
> on shadowExpire attributes in the directory actually having an effect on
> FreeBSD. I'll open a bugzilla issue about this.)
>
> -GAWollman

--
Mike Kelly


From: Benjamin Kaduk
To: Garrett Wollman
Cc: freebsd-arch@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Trying to think out a hack for NSS and pw(8)
Date: Sat, 10 Sep 2016 01:56:33 -0400 (EDT)
In-Reply-To: <22483.5592.653250.726711@hergotha.csail.mit.edu>

On Fri, 9 Sep 2016, Garrett Wollman wrote:

> Presently, we have a bunch of machines under configuration management
> (using Puppet, but that's not really relevant here). I'm hoping to
> implement LDAP via nsswitch on these machines, but I've run into an
> issue: the standard getpw*(3) mechanisms can't tell the difference
> between users or groups in the local databases and those in the remote
> LDAP database. We need Puppet to manage entries for users and groups
> in the local database, without respect to what entries might be
> imported from LDAP (because they are supposed to override the data
> returned by LDAP). Puppet invokes pw(8) to actually perform the
> modifications, but I suspect it also uses native code from the Ruby
> standard library to actually do pre-modification lookups.
>
> Looking at the code in both nss-pam-ldapd and libc, it seems like the
> only plausible way to fix this is to add functionality to nsswitch
> which would allow it to use different configurations depending on the
> identity of the process invoking getpwnam(3) or getgrnam(3). Does
> anyone have opinions on how this ought to be implemented, or indeed
> how it could be implemented securely?

It's a bit late here, but it sounds kind of like you want to be able to set NSS_NONLOCAL_IGNORE [and have it do something useful]? (https://debathena.mit.edu/nss_nonlocal/)

Unfortunately, I never got far enough in trying to port Athena to FreeBSD to have looked at how portable nss_nonlocal is. But it is probably worth looking at, for your case.
-Ben


From: Garrett Wollman
To: "Poul-Henning Kamp"
Cc: freebsd-security@freebsd.org, freebsd-arch@freebsd.org
Subject: Re: Trying to think out a hack for NSS and pw(8)
Date: Fri, 9 Sep 2016 23:28:42 -0400
Message-ID: <22483.32234.747577.586530@hergotha.csail.mit.edu>
In-Reply-To: <67593.1473451982@critter.freebsd.dk>

<phk@phk.freebsd.dk> said:

> You want to add a further layer of complications to the already
> far too complicated user/group/authentication code in FreeBSD,
> just because you don't want to look at Puppet's Ruby code?

Um, no, that's not remotely what I wrote. I've spent far more time than is useful looking at Puppet's Ruby code, TYVM. What I don't want to do is rewrite pw(8) *and* the Ruby standard library to have their own passwd(5) implementations to be used just for managing the sysadmin accounts on a server.

I could tolerate changing pw(8) to give it a "local" flag that means only look at/manipulate the local files -- except that the C library doesn't provide any sort of hook for that (yet). I'm proposing to implement that hook. That would at least get me 70% of the way there.
-GAWollman


From: Jan Mikkelsen
To: Garrett Wollman
Cc: freebsd-arch@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Trying to think out a hack for NSS and pw(8)
Date: Sat, 10 Sep 2016 17:31:02 +1000
In-Reply-To: <22483.5592.653250.726711@hergotha.csail.mit.edu>

Hi,

We have system images under version control with password databases as part of the system image which get merged with system-specific password databases. Not exactly the same requirement but similar.

We manage the two separate databases using the -V option to pw, and then have a script to merge the two databases into the standard local database. This runs on boot to bring in changes from the system image build, and after a local system change to apply the change. The problem with your environment is probably that you're calling getpwnam, etc., where you can't specify which password database you want to use.

If you changed the code that should only view local changes to use "pw -V /path/to/local usershow" instead of calling getpw*(), a similar approach might be possible.

Regards,

Jan.

> On 10 Sep 2016, at 06:04, Garrett Wollman wrote:
>
> Presently, we have a bunch of machines under configuration management
> (using Puppet, but that's not really relevant here). I'm hoping to
> implement LDAP via nsswitch on these machines, but I've run into an
> issue: the standard getpw*(3) mechanisms can't tell the difference
> between users or groups in the local databases and those in the remote
> LDAP database. We need Puppet to manage entries for users and groups
> in the local database, without respect to what entries might be
> imported from LDAP (because they are supposed to override the data
> returned by LDAP). Puppet invokes pw(8) to actually perform the
> modifications, but I suspect it also uses native code from the Ruby
> standard library to actually do pre-modification lookups.
>
> Looking at the code in both nss-pam-ldapd and libc, it seems like the
> only plausible way to fix this is to add functionality to nsswitch
> which would allow it to use different configurations depending on the
> identity of the process invoking getpwnam(3) or getgrnam(3). Does
> anyone have opinions on how this ought to be implemented, or indeed
> how it could be implemented securely?
>
> (As a side issue, the net/nss-pam-ldapd port completely ignores
> account expiration dates. This bug is due to the fact that Linux has
> this ships-in-the-night "shadow" mechanism, getspent(3), rather than
> having it integrated in getpwent(3) like it should be, but the
> ultimate upshot is that if you're using nss-pam-ldapd you can't rely
> on shadowExpire attributes in the directory actually having an effect on
> FreeBSD. I'll open a bugzilla issue about this.)
>
> -GAWollman
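An added example, written for this archive page and not code from any poster in the thread or from FreeBSD's pw(8) sources, sketching in Python the merge step Jan describes: a system-image master.passwd(5) database and a host-local one are kept as separate files (the layout `pw -V DIR` works on), and a script combines them, with the host-local entry winning when both define the same login name. It also shows the one thing Garrett's getpw*(3) calls cannot do, a "is this user local?" test that reads only the local file instead of going through nsswitch. The file contents, user names, hashes and the UID-conflict policy are all constructed for the example.

```python
"""Merge a system-image master.passwd(5) database with a host-local one.

Constructed example: two databases kept apart (as with ``pw -V DIR``),
combined into one file by a script, with the host-local entry winning
when both define the same login name. Every file content here is made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    """One master.passwd(5) record: ten colon-separated fields."""
    name: str
    passwd: str
    uid: int
    gid: int
    login_class: str
    change: int      # password change time, 0 = never
    expire: int      # account expiry time, 0 = never
    gecos: str
    home: str
    shell: str

    @classmethod
    def parse(cls, line: str) -> "Entry":
        f = line.rstrip("\n").split(":")
        if len(f) != 10:
            raise ValueError(f"malformed master.passwd line: {line!r}")
        return cls(f[0], f[1], int(f[2]), int(f[3]), f[4],
                   int(f[5] or 0), int(f[6] or 0), f[7], f[8], f[9])

    def to_line(self) -> str:
        return ":".join((self.name, self.passwd, str(self.uid), str(self.gid),
                         self.login_class, str(self.change), str(self.expire),
                         self.gecos, self.home, self.shell))


def load_db(text: str) -> List[Entry]:
    """Parse master.passwd text; blank lines and '#' comments are skipped."""
    return [Entry.parse(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def is_local_user(name: str, local_text: str) -> bool:
    """Membership test against the local file only. getpwnam(3) would also
    consult every other nsswitch.conf source, so it cannot answer this."""
    return any(e.name == name for e in load_db(local_text))


def merge(image: List[Entry], local: List[Entry]) -> Tuple[List[Entry], List[str]]:
    """Image entries in file order, then local-only entries; a local entry
    whose name is already present replaces the image entry in place.
    Two different names sharing a UID are reported, not silently kept."""
    by_name: Dict[str, Entry] = {}
    order: List[str] = []
    for e in image + local:            # local comes later, so it wins by name
        if e.name not in by_name:
            order.append(e.name)
        by_name[e.name] = e
    merged = [by_name[n] for n in order]

    owner: Dict[int, str] = {}
    conflicts: List[str] = []
    for e in merged:
        if e.uid in owner and owner[e.uid] != e.name:
            conflicts.append(f"uid {e.uid} used by both {owner[e.uid]} and {e.name}")
        owner.setdefault(e.uid, e.name)
    return merged, conflicts


def merge_text(image_text: str, local_text: str) -> str:
    """Produce the text of the merged master.passwd file."""
    merged, _ = merge(load_db(image_text), load_db(local_text))
    return "".join(e.to_line() + "\n" for e in merged)


# Constructed sample databases (names, hashes and times are placeholders).
IMAGE_DB = """\
# shipped with the system image
root:*:0:0::0:0:root:/root:/bin/sh
backup:*:1001:1001::0:0:Backup agent:/var/backups:/usr/sbin/nologin
deploy:*:1002:1002::0:0:Deploy:/home/deploy:/bin/sh
"""

LOCAL_DB = """\
# host-specific entries, kept in a separate directory for pw -V
deploy:$6$constructed$notarealhash:1002:1002::0:0:Deploy (local):/home/deploy:/bin/tcsh
alice:*:1500:1500::0:1600000000:Alice:/home/alice:/bin/sh
svc:*:1001:1003::0:0:Service account:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    merged, conflicts = merge(load_db(IMAGE_DB), load_db(LOCAL_DB))
    print(merge_text(IMAGE_DB, LOCAL_DB), end="")
    for c in conflicts:
        print("CONFLICT:", c)
```

Run stand-alone it prints the merged database followed by one conflict line (the constructed local `svc` entry reuses the image's UID 1001). In a real deployment the merged text would be written to a temporary file and installed with pwd_mkdb(8) rather than printed, and the conflict list is the place to refuse the merge instead of letting two names share a UID. Note that the expire field survives the merge untouched; this path does not depend on the shadowExpire handling Garrett mentions for nss-pam-ldapd, because it never goes through NSS at all.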