From owner-freebsd-security@FreeBSD.ORG Sun Oct 15 18:42:47 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 198E916A415 for ; Sun, 15 Oct 2006 18:42:47 +0000 (UTC) (envelope-from freebsd@bitfreak.org) Received: from mail.twinthornes.com (mail.twinthornes.com [65.75.198.147]) by mx1.FreeBSD.org (Postfix) with ESMTP id D1CB343D49 for ; Sun, 15 Oct 2006 18:42:46 +0000 (GMT) (envelope-from freebsd@bitfreak.org) Received: from [10.242.169.23] (c-67-171-135-169.hsd1.or.comcast.net [67.171.135.169]) by mail.twinthornes.com (Postfix) with ESMTP id 644815C4 for ; Sun, 15 Oct 2006 11:42:46 -0700 (PDT) Message-ID: <45328127.7020702@bitfreak.org> Date: Sun, 15 Oct 2006 11:42:47 -0700 
From: freebsd@bitfreak.org User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: sshd "bad protocol version identification" messages X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Oct 2006 18:42:47 -0000

I'm seeing lines like the following in my security logs:

Oct 14 06:56:32 srv sshd[41370]: Bad protocol version identification '\200b\001\003\001' from 24.203.221.239

From what I've read, this is a buffer overflow attack on the sshd whereby the attacker triggers the overflow before the identification string is sent, then attempts commands to see if elevated privileges were obtained. The log message is produced by sshd trying to interpret the commands as the identification string. Is this related to SA-06:22 or SA-06:23, or is this another bug?
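The log line above can be triaged mechanically rather than read as an opaque string. The following is an added example, not code from the original post or from OpenSSH: it undoes the octal escaping the banner carries in the log, turns it back into bytes and classifies what the client actually sent. Decoded, '\200b\001\003\001' is 0x80 0x62 0x01 0x03 0x01: an SSLv2-style two-byte record header (high bit set, length 98), message type 1 (CLIENT-HELLO) and a claimed version of 3.1 (TLS 1.0), which is the shape of an SSL/TLS ClientHello delivered to port 22. The sample lines other than the one quoted in the post are constructed here (documentation-range addresses), and the classification labels are the example's own.

```python
"""Triage of sshd "Bad protocol version identification" log lines.

The offending client banner appears in the log with non-printable bytes
escaped as \\NNN octal, so the triage decodes that back to bytes and
names the protocol the first bytes look like, then counts per source.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input. The first line is the one quoted in the post;
# the others are made up here (documentation-range IPs) to exercise the
# other classifications.
SAMPLE_LOG = r"""Oct 14 06:56:32 srv sshd[41370]: Bad protocol version identification '\200b\001\003\001' from 24.203.221.239
Oct 14 07:02:11 srv sshd[41402]: Bad protocol version identification 'GET / HTTP/1.0' from 198.51.100.7
Oct 14 07:05:40 srv sshd[41417]: Bad protocol version identification '\026\003\001' from 203.0.113.9
Oct 14 07:09:03 srv sshd[41433]: Bad protocol version identification '\200b\001\003\001' from 24.203.221.239
"""

LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<ident>.*)' from (?P<src>[0-9A-Fa-f.:]+)\s*$")

OCTAL = set("01234567")

# SSL/TLS version bytes as they appear on the wire
_VERSIONS = {(2, 0): "SSL2.0", (3, 0): "SSL3.0", (3, 1): "TLS1.0",
             (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


def unvis(s: str) -> bytes:
    """Reverse the log's octal escaping: \\NNN -> one byte, \\\\ -> a
    backslash, anything else is taken literally."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 3 < len(s) and set(s[i + 1:i + 4]) <= OCTAL:
            out.append(int(s[i + 1:i + 4], 8))
            i += 4
        elif s[i] == "\\" and i + 1 < len(s) and s[i + 1] == "\\":
            out.append(ord("\\"))
            i += 2
        else:
            out += s[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def classify(banner: bytes) -> str:
    """Name the protocol whose first bytes these look like."""
    if len(banner) >= 5 and banner[0] & 0x80 and banner[2] == 0x01:
        # SSLv2 record: 2-byte header (high bit set, 15-bit length),
        # message type 1 = CLIENT-HELLO, then the client's version bytes.
        length = ((banner[0] & 0x7F) << 8) | banner[1]
        ver = _VERSIONS.get((banner[3], banner[4]), f"{banner[3]}.{banner[4]}")
        return f"sslv2-clienthello {ver} len={length}"
    if len(banner) >= 3 and banner[0] == 0x16 and banner[1] == 0x03:
        # TLS record: content type 22 = handshake, then the version bytes.
        ver = _VERSIONS.get((banner[1], banner[2]), f"{banner[1]}.{banner[2]}")
        return f"tls-handshake {ver}"
    if re.match(rb"(GET|HEAD|POST|PUT|OPTIONS|CONNECT) ", banner):
        return "http-request"
    if banner.startswith(b"SSH-"):
        return "ssh-banner"  # an SSH banner sshd nevertheless rejected
    return "unknown"


def parse_line(line: str):
    """Return (src, pid, banner_bytes), or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("pid")), unvis(m.group("ident"))


def summarize(log_text: str) -> dict:
    """Count banner classifications per source address."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, _pid, banner = parsed
            per_src[src][classify(banner)] += 1
    return per_src


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        for kind, n in counts.items():
            print(f"{src:16} {n:3d}  {kind}")
```

Run against a real auth log, the per-source counts separate a scanner that keeps sending the same ClientHello from anything that is actually speaking SSH, and the decoded bytes are what to compare against an advisory's description before concluding that an exploit was attempted.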
From owner-freebsd-security@FreeBSD.ORG Tue Oct 17 19:42:13 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D984916A407 for ; Tue, 17 Oct 2006 19:42:13 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd5mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 085AD43D66 for ; Tue, 17 Oct 2006 19:42:10 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd4mr6so.prod.shaw.ca (pd4mr6so-qfe3.prod.shaw.ca [10.0.141.69]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J7A004W1PCDD2E0@l-daemon> for freebsd-security@freebsd.org; Tue, 17 Oct 2006 13:41:01 -0600 (MDT) Received: from pn2ml2so.prod.shaw.ca ([10.0.121.146]) by pd4mr6so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J7A00A1GPCCTOU0@pd4mr6so.prod.shaw.ca> for freebsd-security@freebsd.org; Tue, 17 Oct 2006 13:41:01 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J7A00BATPCBZWB0@l-daemon> for freebsd-security@freebsd.org; Tue, 17 Oct 2006 13:41:00 -0600 (MDT) Received: (qmail 64920 invoked from network); Tue, 17 Oct 2006 19:40:57 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Tue, 17 Oct 2006 19:40:57 +0000 Date: Tue, 17 Oct 2006 12:40:57 -0700 
From: FreeBSD Security Officer To: FreeBSD Stable , freebsd security Message-id: <453531C9.7080304@freebsd.org> Organization: FreeBSD Project MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 User-Agent: Thunderbird 1.5 (X11/20060416) Cc: Subject: FreeBSD 4.x EoL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: security-officer@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Oct 2006 19:42:13 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 There has been a lot of discussion on these two mailing lists about the upcoming EoL of FreeBSD 4.x which I mentioned in my email entitled "HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon". Now that everybody (hopefully) has had their say, I'd like to offer some background and explanation. The concept of "security branches" in the FreeBSD CVS tree was introduced with FreeBSD 4.3, about five years ago. At the time, support was only guaranteed for the most recent FreeBSD release and one -STABLE branch (either the latest stable branch, if two or more releases were based on it, or the previous stable branch). Under this original policy, the only supported branches would now be the security branch for FreeBSD 6.1 and 6-STABLE. Three and a half years ago, the Security Officer decided to increase the length of time for which releases would be supported, and the policy was changed to promise that releases would be supported until 12 months after their release dates, and any stable branch containing a supported release would also be supported. Under this policy, the only supported branches would now be the security branches for FreeBSD 5.5, 6.0, and 6.1, and 5-STABLE and 6-STABLE. A year later, support was once again extended. 
Security branches became "Errata branches", open to both security fixes and critical stability fixes (as jointly defined by the security and release engineering teams); in addition, some releases were designated as "extended support" releases, to be supported for 24 months after their respective release dates. FreeBSD 4.8 was the first such release, and FreeBSD 4.10, 4.11, 5.3, 5.5, and 6.1 have also been designated as such. It was agreed that the last release from any stable branch (which, since FreeBSD 2.2.x, has always come after the first release from the next stable branch) would always be designated for extended support, in order to provide a minimum of two years for users to upgrade to the new stable branch before their systems became unsupported. When FreeBSD 4.11 was released on January 25th 2005, the release announcement stated that "this is expected to be the last release from the RELENG_4 branch. Most of the Developers are now focused on the RELENG_5 branch, or on the cutting edge development in HEAD", and on that same day the EoL date of January 31st 2007 was documented on the Security webpage at http://www.freebsd.org/security/. The upcoming end of support for FreeBSD 4.x should therefore not be a surprise. While it might be convenient for some if FreeBSD releases were supported for far longer, it must be remembered that FreeBSD is a volunteer project which issues new releases every 4-6 months. Whereas a company like Microsoft has funds to hire people to support Windows 200[03] and XP, the FreeBSD Security Team is now supporting six releases -- 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 -- as volunteers. Each supported release increases the workload on the Security Team, by adding to the number of releases on which patches must be tested, by increasing the time required to investigate security issues, and by often requiring that patches be "back-ported" to apply to older releases. 
Based on my experience as a member of the Security Team since early 2004, I simply do not think that it is practical to support more than six releases concurrently. FreeBSD 4.x also poses some challenges due to its age. FreeBSD 4.11 contains OpenSSH 3.5, Sendmail 8.13.1, and BIND 8.3.7; these all act as Internet-facing servers, and are consequently particularly likely to suffer from security issues, but they are all maintained by their respective projects. The FreeBSD Security Team is largely dependent upon receiving security advisories and patches from the "upstream" maintainers of this code and/or from other projects (e.g., Linux vendors) who use the same versions as we do; FreeBSD is now one of the last projects still supporting these versions, and as time passes it will become increasingly difficult to continue to do so. Even with code written and maintained within the FreeBSD project it would be far from trivial to continue to support FreeBSD 4.x. FreeBSD 4.x has not been the target of new development in FreeBSD since March 2000; FreeBSD, like all free software projects, has constant turnover in its pool of developers, and it is often very difficult to find developers familiar with code in FreeBSD 4.x which has been replaced in newer FreeBSD releases. The FreeBSD project is reaching the point where it lacks the "institutional memory" needed to continue to support FreeBSD 4.x.

In short:
* FreeBSD is a volunteer project, and we don't want to volunteer to support FreeBSD 4.x beyond the scheduled EoL date of January 31st, 2007;
* Even if we did want to support FreeBSD 4.x beyond that date, I'm not certain that we would be able to do so, given that both FreeBSD and the rest of the world have moved on; and
* You've had lots of warning that this was going to happen, so it's a bit late to start complaining now.
Colin Percival FreeBSD Security Officer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFFNTHJFdaIBMps37IRAnPVAJ4yeeE+yFq8B2cJJJnMBHzInA7vtgCfXjOa x4J/fxk3XMgPrGw3In+mSAk= =no9w -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Tue Oct 17 23:07:29 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 18D3216A47C; Tue, 17 Oct 2006 23:07:29 +0000 (UTC) (envelope-from michael@gargantuan.com) Received: from phoenix.gargantuan.com (srv01.lak.lwxdatacom.net [24.73.171.238]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3599243D6E; Tue, 17 Oct 2006 23:07:24 +0000 (GMT) (envelope-from michael@gargantuan.com) Received: by phoenix.gargantuan.com (Postfix, from userid 1001) id 00EB62CF; Tue, 17 Oct 2006 19:07:22 -0400 (EDT) Date: Tue, 17 Oct 2006 19:07:22 -0400 
From: "Michael W. Oliver" To: FreeBSD Security Officer Message-ID: <20061017230722.GH8866@gargantuan.com> Mail-Followup-To: FreeBSD Security Officer , FreeBSD Stable , freebsd security References: <453531C9.7080304@freebsd.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="1Ow488MNN9B9o/ov" Content-Disposition: inline In-Reply-To: <453531C9.7080304@freebsd.org> X-WWW-URL: http://michael.gargantuan.com X-GPG-PGP-Public-Key: http://michael.gargantuan.com/gnupg/pubkey.asc X-GPG-PGP-Fingerprint: 0881 F6F6 F92B F8A4 A1AB B3C3 B29C 7277 AC60 0B0E X-Home-Phone: +1-863-816-8091 X-Mobile-Phone: +1-863-738-2334 X-Mailing-Address0: 8008 Apache Lane X-Mailing-Address1: Lakeland, FL 33810-2172 X-Mailing-Address2: United States of America X-Guide-Questions: http://www.catb.org/~esr/faqs/smart-questions.html X-Guide-Netiquette: http://www.ietf.org/rfc/rfc1855.txt User-Agent: mutt-ng/devel-r774 (FreeBSD) Cc: freebsd security , FreeBSD Stable Subject: Re: FreeBSD 4.x EoL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Oct 2006 23:07:29 -0000 --1Ow488MNN9B9o/ov Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Colin,

Thanks for the verbose and reasoned explanation. Since the email last week, I have taken the opportunity to upgrade two machines, one here and one remote (both with serial console) from 4.9->5.5->6.2PRE, and while I can't say that I did it blindfolded, it wasn't too painful. The upgrade instructions at...

http://www.freebsd.org/releases/5.3R/migration-guide.html

...were as close to perfect as could be (and for those who might ask me for a step-by-step howto, look to the above URL). A few things that I should mention to others trying this are...
0. Backup, and then check your backups!

1. Be prepared to spend a lot of time in single-user mode, especially for the 4->5 step, because there is a LOT for mergemaster to do. The step from 5->6 is not nearly as painful. I didn't try to do the installworld and mergemaster in multiuser, and if you do then have a bigger set than I do.

2. Trust the migration guide when it says to use a default kernel configuration file unless you are 100% prepared to reap what you sow.

3. Be prepared to spend a lot of time (depending on the speed of your machines) rebuilding all of your ports. Don't skimp on this step.

4. On one of my machines (the local one, thank God!), I started getting weird pauses and bus errors when trying to rebuild my ports, and then noticed that the acpi.ko wasn't being loaded at boot. Turns out that I had disabled ACPI in the BIOS back when the machine was originally built for v4. Since switching on ACPI in the BIOS, those issues have totally cleared.

All in all, it has been a good experience. I do sympathize with the folks who clamor for the death of v5 before v4, because v4 continues to be rock-solid stable for UP machines. Time will tell if v6 answers the shortcomings of v5 when compared to v4. Either way, the benefits of using FreeBSD far outweigh the costs, so I thank you and the rest of the development community.

-- 
Mike Oliver, KI4OFU [see complete headers for contact information]
------------------------------------------------------------------------
If your email to me is rejected, it is likely a problem with the MTA on your end, so please send the error report to me at mwoliver at gmail dot com and I will investigate the issue. Thanks.
------------------------------------------------------------------------ --1Ow488MNN9B9o/ov Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (FreeBSD) iD8DBQFFNWIqboLl4ADjAhARAgCZAKCvO9c+cuZbnp5xdJ3lJfgUyxTZ/ACeJJlc JGTXK6bKIAMfh/W65LM9W+A= =Gts7 -----END PGP SIGNATURE----- --1Ow488MNN9B9o/ov-- From owner-freebsd-security@FreeBSD.ORG Tue Oct 17 23:12:00 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCA3216A415; Tue, 17 Oct 2006 23:12:00 +0000 (UTC) (envelope-from kris@obsecurity.org) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9443543D46; Tue, 17 Oct 2006 23:12:00 +0000 (GMT) (envelope-from kris@obsecurity.org) Received: from obsecurity.dyndns.org (elvis.mu.org [192.203.228.196]) by elvis.mu.org (Postfix) with ESMTP id 4D26C1A3C19; Tue, 17 Oct 2006 16:12:00 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id BAD4351515; Tue, 17 Oct 2006 19:11:59 -0400 (EDT) Date: Tue, 17 Oct 2006 19:11:59 -0400 
From: Kris Kennaway To: FreeBSD Security Officer , FreeBSD Stable , freebsd security Message-ID: <20061017231159.GA67830@xor.obsecurity.org> References: <453531C9.7080304@freebsd.org> <20061017230722.GH8866@gargantuan.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vtzGhvizbBRQ85DL" Content-Disposition: inline In-Reply-To: <20061017230722.GH8866@gargantuan.com> User-Agent: Mutt/1.4.2.2i Cc: Subject: Re: FreeBSD 4.x EoL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Oct 2006 23:12:01 -0000 --vtzGhvizbBRQ85DL Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Tue, Oct 17, 2006 at 07:07:22PM -0400, Michael W. Oliver wrote:
> Colin,
>
> Thanks for the verbose and reasoned explanation. Since the email last week, I have taken the opportunity to upgrade two machines, one here and one remote (both with serial console) from 4.9->5.5->6.2PRE, and while I can't say that I did it blindfolded, it wasn't too painful. The upgrade instructions at...
>
> http://www.freebsd.org/releases/5.3R/migration-guide.html
>
> ...were as close to perfect as could be (and for those who might ask me for a step-by-step howto, look to the above URL). A few things that I should mention to others trying this are...
>
> 0. Backup, and then check your backups!
>
> 1. Be prepared to spend a lot of time in single-user mode, especially for the 4->5 step, because there is a LOT for mergemaster to do. The step from 5->6 is not nearly as painful. I didn't try to do the installworld and mergemaster in multiuser, and if you do then have a bigger set than I do.
>
> 2. Trust the migration guide when it says to use a default kernel configuration file unless you are 100% prepared to reap what you sow.
>
> 3. Be prepared to spend a lot of time (depending on the speed of your machines) rebuilding all of your ports. Don't skimp on this step.
>
> 4. On one of my machines (the local one, thank God!), I started getting weird pauses and bus errors when trying to rebuild my ports, and then noticed that the acpi.ko wasn't being loaded at boot. Turns out that I had disabled ACPI in the BIOS back when the machine was originally built for v4. Since switching on ACPI in the BIOS, those issues have totally cleared.

Good advice. You can make step 3 easier by using the precompiled packages where possible, e.g. "portupgrade -faP"

Kris

--vtzGhvizbBRQ85DL Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFNWM/Wry0BWjoQKURAoOVAJ4pdcyMNe9xo3e8tbAkPgzRxKVRIgCgvf97 XtDc7KPBbLrC71w8xrmTl2k= =lUes -----END PGP SIGNATURE----- --vtzGhvizbBRQ85DL-- From owner-freebsd-security@FreeBSD.ORG Tue Oct 17 22:43:24 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B2F1A16A494 for ; Tue, 17 Oct 2006 22:43:24 +0000 (UTC) (envelope-from security@jim-liesl.org) Received: from qsmtp2.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145]) by mx1.FreeBSD.org (Postfix) with SMTP id 751E243D92 for ; Tue, 17 Oct 2006 22:42:59 +0000 (GMT) (envelope-from security@jim-liesl.org) Received: (qmail 14017 invoked from network); 17 Oct 2006 15:42:59 -0700 Received: by simscan 1.1.0 ppid: 13995, pid: 13996, t: 4.5641s scanners: regex: 1.1.0 attach: 1.1.0 clamav: 0.84/m:40/d:2019 spam: 3.0.3 Received: from unknown (HELO daemon.jim-liesl.org) (66.60.173.44) by qsmtp2 with SMTP; 17 Oct 2006 15:42:54 -0700 Received: from 
daemon.jim-liesl.org (localhost [127.0.0.1]) by daemon.jim-liesl.org (Postfix) with ESMTP id 564D36504; Tue, 17 Oct 2006 15:43:05 -0700 (PDT) Received: from [127.0.0.1] (daemon.static.surewest.net [192.168.1.15]) by daemon.jim-liesl.org (Postfix) with ESMTP id 1163363D7; Tue, 17 Oct 2006 15:43:05 -0700 (PDT) Message-ID: <45355C6E.5030703@jim-liesl.org> Date: Tue, 17 Oct 2006 15:42:54 -0700 
From: security User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: freebsd-stable@freebsd.org, freebsd-security@freebsd.org References: <453531C9.7080304@freebsd.org> In-Reply-To: <453531C9.7080304@freebsd.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on qsmtp2.surewest.net X-Spam-Level: X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.3 X-Mailman-Approved-At: Tue, 17 Oct 2006 23:49:51 +0000 Cc: Subject: Re: FreeBSD 4.x EoL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Oct 2006 22:43:24 -0000

FreeBSD Security Officer wrote:
> In short:
> * FreeBSD is a volunteer project, and we don't want to volunteer to support FreeBSD 4.x beyond the scheduled EoL date of January 31st, 2007;
> * Even if we did want to support FreeBSD 4.x beyond that date, I'm not certain that we would be able to do so, given that both FreeBSD and the rest of the world have moved on; and
> * You've had lots of warning that this was going to happen, so it's a bit late to start complaining now.
>
> Colin Percival
> FreeBSD Security Officer
>

To no one in particular: "The hood's not welded on" (Eric Raymond?).

You'll have the sources. If you're using 4.11 in a business, you need to decide if it's more cost effective to move on to 6 or hire someone to keep 4.11 running. There's compat_4 to keep most userland apps happy. I'm sure you could argue the various design issues to your heart's content on the news groups, but practically speaking, I don't have an issue with this. Nor is it all that different from your typical paid-for support model for a proprietary OS.
It's not like the poor folks that got stuck with a business app that was locked to win95 or 98 with bizarre undocumented APIs.

jim

From owner-freebsd-security@FreeBSD.ORG Thu Oct 19 23:51:14 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3CCCF16A403; Thu, 19 Oct 2006 23:51:14 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id E7CCF43D46; Thu, 19 Oct 2006 23:51:13 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 2B1C246E17; Thu, 19 Oct 2006 19:51:13 -0400 (EDT) Date: Fri, 20 Oct 2006 00:51:13 +0100 (BST) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: security In-Reply-To: <45355C6E.5030703@jim-liesl.org> Message-ID: <20061020004915.V32598@fledge.watson.org> References: <453531C9.7080304@freebsd.org> <45355C6E.5030703@jim-liesl.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: FreeBSD 4.x EoL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2006 23:51:14 -0000

On Tue, 17 Oct 2006, security wrote:

> You'll have the sources. If you're using 4.11 in a business, you need to decide if it's more cost effective to move on to 6 or hire someone to keep 4.11 running. There's compat_4 to keep most userland apps happy. I'm sure you could argue the various design issues to your heart's content on the news groups, but practically speaking, I don't have an issue with this. Nor is it all that different from your typical paid-for support model for a proprietary OS.
>
> It's not like the poor folks that got stuck with a business app that was locked to win95 or 98 with bizarre undocumented APIs.

While possibly not advisable in the long term, I ran a 4.x postfix and cyrus server install on 6.x using compat4 for about six months without problems. The place where it gets tricky is updating the 4.x binaries, which requires a 4.x chroot, since I was running a native 6.x userland for everything else. I've now gotten over that, but it worked quite well and it was extremely useful that I could avoid doing the upgrade all at once -- upgrade the OS first, let it settle, then upgrade the applications.
The only issue I ran into was actually that the location of the Cyrus sasl unix domain socket had moved, and once I tracked that down, all was well (so not a FreeBSD nit, an application nit). Robert N M Watson Computer Laboratory University of Cambridge From owner-freebsd-security@FreeBSD.ORG Fri Oct 20 01:15:50 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1F1816A403; Fri, 20 Oct 2006 01:15:50 +0000 (UTC) (envelope-from jd@ugcs.caltech.edu) Received: from riyal.ugcs.caltech.edu (riyal.ugcs.caltech.edu [131.215.176.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 494E443D55; Fri, 20 Oct 2006 01:15:50 +0000 (GMT) (envelope-from jd@ugcs.caltech.edu) Received: by riyal.ugcs.caltech.edu (Postfix, from userid 3640) id 37F5245806; Thu, 19 Oct 2006 18:15:49 -0700 (PDT) Date: Thu, 19 Oct 2006 18:15:49 -0700 
From: Paul Allen To: Robert Watson Message-ID: <20061020011549.GD30707@riyal.ugcs.caltech.edu> References: <453531C9.7080304@freebsd.org> <45355C6E.5030703@jim-liesl.org> <20061020004915.V32598@fledge.watson.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20061020004915.V32598@fledge.watson.org> Sender: jd@ugcs.caltech.edu X-Mailman-Approved-At: Fri, 20 Oct 2006 02:24:33 +0000 Cc: freebsd-security@freebsd.org, security , freebsd-stable@freebsd.org Subject: Re: FreeBSD 4.x EoL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Oct 2006 01:15:51 -0000

From Robert Watson, Fri, Oct 20, 2006 at 12:51:13AM +0100:
> On Tue, 17 Oct 2006, security wrote:
>
> > You'll have the sources. If you're using 4.11 in a business, you need to decide if it's more cost effective to move on to 6 or hire someone to keep 4.11 running. There's compat_4 to keep most userland apps happy. I'm sure you could argue the various design issues to your heart's content on the news groups, but practically speaking, I don't have an issue with this. Nor is it all that different from your typical paid-for support model for a proprietary OS.
> >
> > It's not like the poor folks that got stuck with a business app that was locked to win95 or 98 with bizarre undocumented APIs.
>
> While possibly not advisable in the long term, I ran a 4.x postfix and cyrus server install on 6.x using compat4 for about six months without problems. The place where it gets tricky is updating the 4.x binaries, which requires a 4.x chroot, since I was running a native 6.x userland for everything else. I've now gotten over that, but it worked quite well and it was extremely useful that I could avoid doing the upgrade all at once -- upgrade the OS first, let it settle, then upgrade the applications. The only issue I ran into was actually that the location of the Cyrus sasl unix domain socket had moved, and once I tracked that down, all was well (so not a FreeBSD nit, an application nit).

Let me toss a bit of caution from experience regarding this:

I too ran such a 6.x system. It had a jailed FreeBSD 4.x userland (restored and modified from the original FreeBSD 4.x backups). Almost everything worked properly--but there were some strange VM-related inconsistencies (exposed by a program rolling its own gc implementation and using mprotect and SEGV).

Obviously this was an unusual case but it's unfortunately proof that some things escape having the necessary compat lines in your kernel conf.

Still I counted myself lucky.

Paul

From owner-freebsd-security@FreeBSD.ORG Fri Oct 20 07:41:17 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50BB816A403; Fri, 20 Oct 2006 07:41:17 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3E2B43D45; Fri, 20 Oct 2006 07:41:16 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 944CD46B90; Fri, 20 Oct 2006 03:41:16 -0400 (EDT) Date: Fri, 20 Oct 2006 08:41:16 +0100 (BST) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Paul Allen In-Reply-To: <20061020011549.GD30707@riyal.ugcs.caltech.edu> Message-ID: <20061020083937.E32598@fledge.watson.org> References: <453531C9.7080304@freebsd.org> <45355C6E.5030703@jim-liesl.org> <20061020004915.V32598@fledge.watson.org> <20061020011549.GD30707@riyal.ugcs.caltech.edu> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, security , freebsd-stable@freebsd.org Subject: Re: FreeBSD 4.x EoL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Oct 2006 07:41:17 -0000

On Thu, 19 Oct 2006, Paul Allen wrote:

>> While possibly not advisable in the long term, I ran a 4.x postfix and cyrus server install on 6.x using compat4 for about six months without problems. The place where it gets tricky is updating the 4.x binaries, which requires a 4.x chroot, since I was running a native 6.x userland for everything else. I've now gotten over that, but it worked quite well and it was extremely useful that I could avoid doing the upgrade all at once -- upgrade the OS first, let it settle, then upgrade the applications. The only issue I ran into was actually that the location of the Cyrus sasl unix domain socket had moved, and once I tracked that down, all was well (so not a FreeBSD nit, an application nit).
>
> Let me toss a bit of caution from experience regarding this:
>
> I too ran such a 6.x system. It had a jailed FreeBSD 4.x userland (restored and modified from the original FreeBSD 4.x backups). Almost everything worked properly--but there were some strange VM-related inconsistencies (exposed by a program rolling its own gc implementation and using mprotect and SEGV).
>
> Obviously this was an unusual case but it's unfortunately proof that some things escape having the necessary compat lines in your kernel conf.
>
> Still I counted myself lucky.

When you recompiled the application for 6.x, did the problem go away? I guess I wouldn't entirely preclude an application bug, a 4.x library bug, or a 6.x compat/non-compat bug being responsible. Since 6.x is a fairly major upgrade, there are significant changes in VM (which might well affect, for example, memory layout), etc, so it could well be that it triggered a bug in the GC.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Fri Oct 20 14:05:27 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0EF6016A412 for ; Fri, 20 Oct 2006 14:05:27 +0000 (UTC) (envelope-from quetzal@zone3000.net) Received: from mx1.sitevalley.com (sitevalley.com [209.67.60.43]) by mx1.FreeBSD.org (Postfix) with SMTP id 9AAA343D4C for ; Fri, 20 Oct 2006 14:05:26 +0000 (GMT) (envelope-from quetzal@zone3000.net) Received: from unknown (HELO localhost) (217.144.69.37) by 209.67.61.254 with SMTP; 20 Oct 2006 14:05:25 -0000 Date: Fri, 20 Oct 2006 17:04:56 +0300 
From: Nikolay Pavlov To: freebsd-security@freebsd.org Message-ID: <20061020140456.GA25717@zone3000.net> Mail-Followup-To: Nikolay Pavlov , freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-Operating-System: FreeBSD 6.1-RELEASE-p10 Subject: mac_portacl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Oct 2006 14:05:27 -0000 Hi, folks. I am trying to implement reverse proxy using squid with mac_portacl, but i have problem while binding squid to port 80. Am i missed something? Here is my mac_portacl variables: # sysctl security.mac.portacl. security.mac.portacl.enabled: 1 security.mac.portacl.suser_exempt: 1 security.mac.portacl.autoport_exempt: 1 security.mac.portacl.port_high: 1023 security.mac.portacl.rules: uid:100:tcp:80 And squid user info: # grep squid /etc/passwd squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin Also here is cache.log: 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1... 2006/10/20 09:55:59| Process ID 6584 2006/10/20 09:55:59| With 11072 file descriptors available 2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5 2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from /etc/resolv.conf 2006/10/20 09:55:59| User-Agent logging is disabled. 
2006/10/20 09:55:59| Unlinkd pipe opened on FD 10
2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923 objects
2006/10/20 09:55:59| Target number of buckets: 393846
2006/10/20 09:55:59| Using 524288 Store buckets
2006/10/20 09:55:59| Max Mem size: 1048576 KB
2006/10/20 09:55:59| Max Swap size: 102400000 KB
2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY)
2006/10/20 09:55:59| Using Least Load store dir selection
2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache
2006/10/20 09:55:59| Loaded Icons.
2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13) Permission denied
FATAL: Cannot open HTTP Port
Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys
Maximum Resident Size: 9528 KB
Page faults with physical i/o: 0

-- 
======================================================================
- Best regards, Nikolay Pavlov.                  <<<-----------------------------------
======================================================================

From owner-freebsd-security@FreeBSD.ORG Fri Oct 20 14:57:39 2006
Date: Fri, 20 Oct 2006 16:57:06 +0200
From: Fabian Keil
To: Nikolay Pavlov
Cc: freebsd-security@freebsd.org
Message-ID: <20061020165706.367b0302@localhost>
In-Reply-To: <20061020140456.GA25717@zone3000.net>
References: <20061020140456.GA25717@zone3000.net>
Followup-To: freebsd-questions@freebsd.org
Subject: Re: Binding Squid to reserved port (was: mac_portacl)

Nikolay Pavlov wrote:

> I am trying to implement a reverse proxy using squid with mac_portacl,
> but I have a problem while binding squid to port 80.
> Am I missing something?
>
> Here are my mac_portacl variables:
>
> # sysctl security.mac.portacl.
> security.mac.portacl.enabled: 1
> security.mac.portacl.suser_exempt: 1
> security.mac.portacl.autoport_exempt: 1
> security.mac.portacl.port_high: 1023
> security.mac.portacl.rules: uid:100:tcp:80
>
> And squid user info:
>
> # grep squid /etc/passwd
> squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin
>
> Also here is cache.log:
>
> 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1...
> [...]
> 2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13)
> Permission denied
> FATAL: Cannot open HTTP Port
> Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> [...]

I assume you aren't starting Squid with root privileges?

If you aren't, you'll have to lower net.inet.ip.portrange.reservedhigh if you want it to bind to port 80.

I don't use mac_portacl, but from the name I assume security.mac.portacl.port_high does something similar.

Port redirection with your packet filter of choice would be another option.

Followup-To: freebsd-questions@freebsd.org set.
Fabian
-- 
http://www.fabiankeil.de/

From owner-freebsd-security@FreeBSD.ORG Fri Oct 20 16:24:14 2006
Date: Fri, 20 Oct 2006 19:23:43 +0300
From: Nikolay Pavlov
To: Fabian Keil
Cc: freebsd-security@freebsd.org
Message-ID: <20061020162343.GA27287@zone3000.net>
In-Reply-To: <20061020165706.367b0302@localhost>
References: <20061020140456.GA25717@zone3000.net> <20061020165706.367b0302@localhost>
Subject: Re: Binding Squid to reserved port (was: mac_portacl)

On Friday, 20 October 2006 at 16:57:06 +0200, Fabian Keil wrote:
> Nikolay Pavlov wrote:
>
> > I am trying to implement a reverse proxy using squid with mac_portacl,
> > but I have a problem while binding squid to port 80.
> > Am I missing something?
> >
> > Here are my mac_portacl variables:
> >
> > # sysctl security.mac.portacl.
> > security.mac.portacl.enabled: 1
> > security.mac.portacl.suser_exempt: 1
> > security.mac.portacl.autoport_exempt: 1
> > security.mac.portacl.port_high: 1023
> > security.mac.portacl.rules: uid:100:tcp:80
> >
> > And squid user info:
> >
> > # grep squid /etc/passwd
> > squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin
> >
> > Also here is cache.log:
> >
> > 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1...
> > 2006/10/20 09:55:59| Process ID 6584
> > 2006/10/20 09:55:59| With 11072 file descriptors available
> > 2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5
> > 2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from /etc/resolv.conf
> > 2006/10/20 09:55:59| User-Agent logging is disabled.
> > [...]
> > 2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13)
> > Permission denied
> > FATAL: Cannot open HTTP Port
> > Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> > [...]
>
> I assume you aren't starting Squid with root privileges?
>
> If you aren't, you'll have to lower net.inet.ip.portrange.reservedhigh if you want
> it to bind to port 80.
>
> I don't use mac_portacl, but from the name I assume
> security.mac.portacl.port_high does something similar.
>
> Port redirection with your packet filter of choice
> would be another option.

Yes. I am aware of this, but I want something simple, like portacl. I am configuring it as described in the handbook, and am curious why it's not working. According to the man page, security.mac.portacl.port_high is: "The highest port number mac_portacl will enforce rules for." So my mac rules should work, but they are not working :)

> Followup-To: freebsd-questions@freebsd.org set.
>
> Fabian
> -- 
> http://www.fabiankeil.de/

-- 
======================================================================
- Best regards, Nikolay Pavlov.
<<<-----------------------------------
======================================================================

From owner-freebsd-security@FreeBSD.ORG Fri Oct 20 16:39:07 2006
Date: Fri, 20 Oct 2006 17:38:59 +0100
From: "mal content"
To: "Nikolay Pavlov", "Fabian Keil", freebsd-security@freebsd.org
Message-ID: <8e96a0b90610200938j21dab6d6h42b64e2193504eee@mail.gmail.com>
In-Reply-To: <20061020162343.GA27287@zone3000.net>
References: <20061020140456.GA25717@zone3000.net> <20061020165706.367b0302@localhost> <20061020162343.GA27287@zone3000.net>
Subject: Re: Binding Squid to reserved port (was: mac_portacl)

On 20/10/06, Nikolay Pavlov wrote:
> On Friday, 20 October 2006 at 16:57:06 +0200, Fabian Keil wrote:
> > Nikolay Pavlov wrote:
> >
> > > I am trying to implement a reverse proxy using squid with mac_portacl,
> > > but I have a problem while binding squid to port 80.
> > > Am I missing something?
> > >
> > > Here are my mac_portacl variables:
> > >
> > > # sysctl security.mac.portacl.
> > > security.mac.portacl.enabled: 1
> > > security.mac.portacl.suser_exempt: 1
> > > security.mac.portacl.autoport_exempt: 1
> > > security.mac.portacl.port_high: 1023
> > > security.mac.portacl.rules: uid:100:tcp:80
> > >

The mac_portacl page in the handbook says that you need to disable normal UNIX bind restrictions on ports.
Have you tried this:

# sysctl net.inet.ip.portrange.reservedlow=0
# sysctl net.inet.ip.portrange.reservedhigh=0

MC

From owner-freebsd-security@FreeBSD.ORG Fri Oct 20 17:10:25 2006
Date: Fri, 20 Oct 2006 20:09:32 +0300
From: Nikolay Pavlov
To: mal content
Cc: freebsd-security@freebsd.org, Fabian Keil
Message-ID: <20061020170932.GA28347@zone3000.net>
In-Reply-To: <8e96a0b90610200938j21dab6d6h42b64e2193504eee@mail.gmail.com>
References: <20061020140456.GA25717@zone3000.net> <20061020165706.367b0302@localhost> <20061020162343.GA27287@zone3000.net> <8e96a0b90610200938j21dab6d6h42b64e2193504eee@mail.gmail.com>
Subject: Re: Binding Squid to reserved port (was: mac_portacl)

On Friday, 20 October 2006 at 17:38:59 +0100, mal content wrote:
> On 20/10/06, Nikolay Pavlov wrote:
> > On Friday, 20 October 2006 at 16:57:06 +0200, Fabian Keil wrote:
> > > Nikolay Pavlov wrote:
> > >
> > > > I am trying to implement a reverse proxy using squid with mac_portacl,
> > > > but I have a problem while binding squid to port 80.
> > > > Am I missing something?
> > > >
> > > > Here are my mac_portacl variables:
> > > >
> > > > # sysctl security.mac.portacl.
> > > > security.mac.portacl.enabled: 1
> > > > security.mac.portacl.suser_exempt: 1
> > > > security.mac.portacl.autoport_exempt: 1
> > > > security.mac.portacl.port_high: 1023
> > > > security.mac.portacl.rules: uid:100:tcp:80
> > > >
>
> The mac_portacl page in the handbook says that you need to disable normal
> UNIX bind restrictions on ports. Have you tried this:
>
> # sysctl net.inet.ip.portrange.reservedlow=0
> # sysctl net.inet.ip.portrange.reservedhigh=0
>
> MC

Oh.. Man, sure it works. Thank you.
How did I miss this in the man page:

    In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.

-- 
======================================================================
- Best regards, Nikolay Pavlov.                  <<<-----------------------------------
======================================================================

From owner-freebsd-security@FreeBSD.ORG Sat Oct 21 00:08:23 2006
Date: Sat, 21 Oct 2006 01:08:21 +0100 (BST)
From: Robert Watson
To: Nikolay Pavlov
Cc: freebsd-security@freebsd.org
Message-ID: <20061021010729.A2879@fledge.watson.org>
In-Reply-To: <20061020140456.GA25717@zone3000.net>
References: <20061020140456.GA25717@zone3000.net>
Subject: Re: mac_portacl

On Fri, 20 Oct 2006, Nikolay Pavlov wrote:

> I am trying to implement a reverse proxy using squid with mac_portacl, but I
> have a problem while binding squid to port 80. Am I missing something?

Did you set the IP stack's definition of reserved such that there are no reserved ports, per the mac_portacl(4) man page?

    In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.

Basically, you need to set those sysctls to 0. That should probably be explicit in the man page, rather than implicit as it is now.

Robert N M Watson
Computer Laboratory
University of Cambridge
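The ordering that this thread ran into, as an added example (not code from the thread, the FreeBSD handbook, or mac_portacl itself): a small POSIX sh model of how a bind() to a low port is judged on a FreeBSD host with mac_portacl(4) loaded. The IP stack's reserved-port check (net.inet.ip.portrange.reservedlow..reservedhigh) runs first and only the superuser passes it, so a matching rule in security.mac.portacl.rules cannot help until that range is emptied; only then is the rule list consulted, and only for ports up to port_high. The sysctl(8) dumps are constructed here from the values Nikolay posted plus the stack's default 0..1023 reserved range; the function names sysctl_get and bind_verdict are my own, and port 0 (automatic allocation, the autoport_exempt knob) is not modelled.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a model of the two
# checks a bind() to a low port passes through on a FreeBSD host with
# mac_portacl(4) loaded. The sysctl(8) dumps below are constructed.
#   1. net.inet.ip.portrange.reservedlow..reservedhigh: the IP stack refuses
#      non-root binds inside this range (EACCES) before any MAC policy runs.
#   2. security.mac.portacl.*: for ports up to port_high the rule list
#      "uid:N:proto:port,gid:N:proto:port,..." must contain a match.
# Port 0 (automatic allocation, the autoport_exempt knob) is not modelled.
# The function names sysctl_get and bind_verdict are my own.

# sysctl_get NAME DUMP: value of the "NAME: value" line in sysctl-style text.
sysctl_get() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == (k ":") { print $2; exit }'
}

# bind_verdict UID GID PROTO PORT DUMP: prints "allow" (with the matching rule
# when one was needed) or "deny <reason>". The exit status is always 0; the
# verdict is the printed line.
bind_verdict() {
    uid=$1; gid=$2; proto=$3; port=$4; dump=$5
    reslow=$(sysctl_get net.inet.ip.portrange.reservedlow "$dump")
    reshigh=$(sysctl_get net.inet.ip.portrange.reservedhigh "$dump")
    enabled=$(sysctl_get security.mac.portacl.enabled "$dump")
    port_high=$(sysctl_get security.mac.portacl.port_high "$dump")
    suser_exempt=$(sysctl_get security.mac.portacl.suser_exempt "$dump")
    rules=$(sysctl_get security.mac.portacl.rules "$dump")

    # 1. Reserved-port check in the IP stack: only the superuser passes it.
    if [ "$uid" -ne 0 ] && [ "$port" -ge "$reslow" ] && [ "$port" -le "$reshigh" ]; then
        echo "deny reserved-port-range"; return 0
    fi
    # 2. mac_portacl governs only ports <= port_high, and only when enabled.
    if [ "$enabled" -ne 1 ] || [ "$port" -gt "$port_high" ]; then
        echo allow; return 0
    fi
    if [ "$uid" -eq 0 ] && [ "$suser_exempt" -eq 1 ]; then
        echo allow; return 0
    fi
    # Walk the comma-separated rule list: idtype:id:proto:port.
    oldifs=$IFS; IFS=,
    for rule in $rules; do
        IFS=$oldifs
        r_type=${rule%%:*};  rest=${rule#*:}
        r_id=${rest%%:*};    rest=${rest#*:}
        r_proto=${rest%%:*}; r_port=${rest#*:}
        case $r_type in
            uid) [ "$r_id" -eq "$uid" ] || continue ;;
            gid) [ "$r_id" -eq "$gid" ] || continue ;;
            *)   continue ;;
        esac
        if [ "$r_proto" = "$proto" ] && [ "$r_port" -eq "$port" ]; then
            echo "allow rule=$rule"; return 0
        fi
    done
    IFS=$oldifs
    echo "deny no-matching-portacl-rule"
}

# Constructed sysctl(8) output: the portacl values posted in the thread plus
# the stack's default reserved range, i.e. the state before the fix.
BEFORE='security.mac.portacl.enabled: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.port_high: 1023
security.mac.portacl.rules: uid:100:tcp:80
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023'

# The same host after "sysctl net.inet.ip.portrange.reservedhigh=0"
# (reservedlow is already 0), as suggested in the thread.
AFTER=$(printf '%s\n' "$BEFORE" |
    sed 's/^net\.inet\.ip\.portrange\.reservedhigh: .*/net.inet.ip.portrange.reservedhigh: 0/')

# squid runs as uid 100 / gid 100 and wants tcp/80.
bind_verdict 100 100 tcp 80 "$BEFORE"      # deny reserved-port-range
bind_verdict 100 100 tcp 80 "$AFTER"       # allow rule=uid:100:tcp:80
bind_verdict 1001 1001 tcp 80 "$AFTER"     # deny no-matching-portacl-rule
bind_verdict 100 100 udp 80 "$AFTER"       # deny no-matching-portacl-rule
bind_verdict 100 100 tcp 8080 "$AFTER"     # allow
```

On a live host the constructed dump can be replaced with the output of `sysctl security.mac.portacl net.inet.ip.portrange`. The verdict worth checking first is the reserved-range one: "deny reserved-port-range" means the rule list is never reached, which is exactly what the (13) Permission denied in the cache.log above was reporting, and it also means that emptying the reserved range hands the whole low-port decision to mac_portacl, so the rule list (not the classic root-only rule) is then the only thing standing between an unprivileged uid and those ports.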
From owner-freebsd-security@FreeBSD.ORG Sat Oct 21 00:29:49 2006
Date: Fri, 20 Oct 2006 17:29:00 -0700
From: Padma Bhooma
To: freebsd-security@freebsd.org
Message-ID: <453969CC.6060809@panasas.com>
Subject: [patch] Memory leak from namei_zone in an error path in nfsrv_rename

Description:
------------

Memory leak in nfsrv_rename: In nfsrv_rename, every time a VOP_RENAME operation fails FreeBSD leaks 2 items from the namei_zone, which is equal to 2K of kernel memory.

Filing this as a security issue because a FreeBSD NFS server (versions 4.6.2 to 6.1) can be compromised by exhausting kernel memory if a user touches this error path many times. I have tried a simple test case against FreeBSD NFS server versions 4.6.2, 5.3 and 6.1.

How to reproduce:
----------------

From an NFS client, running the following commands against a 4.6.2 FreeBSD NFS server mount will cause the memory leak:

$ mkdir a/b
$ while (true) do
> mv -f a a/b/
> done

Again, running the following commands against a 5.3 or 6.1 FreeBSD NFS server will cause the leak:

$ mkdir -p a/b
$ cd a
$ while (true) do
> mv . ../a/b/
> done

There are many other ways to reproduce it, but these are trivial test cases I could come up with.

Patch to fix the problem:
------------------------

--- nfs_serv.c 2005-11-25 06:32:38.000000000 -0800 +++ /tmp/nfs_serv.c 2006-09-22 14:41:39.000000000 -0700
@@ -2514,26 +2514,26 @@ /* * The VOP_RENAME function releases all vnode references & * locks prior to returning so we need to clear the pointers * to bypass cleanup code later on. */ error = VOP_RENAME(fromnd.ni_dvp, fromnd.ni_vp, &fromnd.ni_cnd, tond.ni_dvp, tond.ni_vp, &tond.ni_cnd); fromnd.ni_dvp = NULL; fromnd.ni_vp = NULL; tond.ni_dvp = NULL; tond.ni_vp = NULL; if (error) { - fromnd.ni_cnd.cn_flags &= ~HASBUF; - tond.ni_cnd.cn_flags &= ~HASBUF; + NDFREE(&fromnd, NDF_ONLY_PNBUF); + NDFREE(&tond, NDF_ONLY_PNBUF); } } else { if (error == -1) error = 0; } /* fall through */

I will be happy to answer any questions wrt this. Please provide me some feedback on this fix.

Thanks,
Padma Bhooma

From owner-freebsd-security@FreeBSD.ORG Sat Oct 21 08:18:23 2006
Date: Sat, 21 Oct 2006 18:18:14 +1000 (EST)
From: Bruce Evans
To: Padma Bhooma
Cc: freebsd-security@freebsd.org
Message-ID: <20061021175029.J84514@delplex.bde.org>
In-Reply-To: <453969CC.6060809@panasas.com>
References: <453969CC.6060809@panasas.com>
Subject: Re: [patch] Memory leak from namei_zone in an error path in nfsrv_rename

> --- nfs_serv.c 2005-11-25 06:32:38.000000000 -0800 > +++ /tmp/nfs_serv.c 2006-09-22 14:41:39.000000000 -0700
> @@ -2514,26 +2514,26 @@ > /* > * The VOP_RENAME function releases all vnode references & > * locks prior to returning so we need to clear the pointers > * to bypass cleanup code later on. > */ > error = VOP_RENAME(fromnd.ni_dvp, fromnd.ni_vp, &fromnd.ni_cnd, > tond.ni_dvp, tond.ni_vp, &tond.ni_cnd); > fromnd.ni_dvp = NULL; > fromnd.ni_vp = NULL; > tond.ni_dvp = NULL; > tond.ni_vp = NULL; > if (error) { > - fromnd.ni_cnd.cn_flags &= ~HASBUF; > - tond.ni_cnd.cn_flags &= ~HASBUF; > + NDFREE(&fromnd, NDF_ONLY_PNBUF); > + NDFREE(&tond, NDF_ONLY_PNBUF); > } > } else { > if (error == -1) > error = 0; > } > /* fall through */
>
> I will be happy to answer any questions wrt this. Please provide me some
> feedback on this fix.

Seems about right, but why does it clear HASBUF at all? Rev.1.79 added a lot of similar clearings of HASBUF, but rev.1.91 converted all instances of HASBUF except the 2 above and 1 in a comment into NDFREE(). I think associated changes also moved the VOP_ABORTUP() calls into the vfs layer and out of the HASBUF conditionals. It looks like the leak was in rev.1.90 and rev.1.91 tried too hard not to change the logic by leaving the 2 buggy HASBUF clearings untouched.

The comment about HASBUF is now bogus -- _we_ now mostly don't use HASBUF to track the clearing of the name buffer -- now namei internals do that and we only (?) use it to implement the leak :-).

Bruce
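Review bot: the comment at the top of the hunk ("we need to clear the pointers to bypass cleanup code later on") should be updated together with the two changed lines, because it still describes the old behaviour of the error branch: `cn_flags &= ~HASBUF` only hid the pathname buffers from the later cleanup, which is precisely how the two namei_zone items were left unreferenced, whereas `NDFREE(&fromnd, NDF_ONLY_PNBUF)` / `NDFREE(&tond, NDF_ONLY_PNBUF)` frees each buffer and clears HASBUF itself. Suggest rewording the comment to say that VOP_RENAME has already released the vnode references (hence the four `= NULL` assignments) and that on error the pathname buffers are freed here. It would also help, in the comment or the commit message, to state that the success branch (`} else { if (error == -1) error = 0; }`) deliberately leaves HASBUF set on both nameidata structures and relies on the later cleanup to free them; that is the invariant a future reader needs in order not to reintroduce the leak or double-free on the other path.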