From owner-freebsd-security Sun Jan 30 0:58:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta4.snfc21.pbi.net (mta4.snfc21.pbi.net [206.13.28.142]) by hub.freebsd.org (Postfix) with ESMTP id 6C42B15018 for ; Sun, 30 Jan 2000 00:58:34 -0800 (PST) (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169]) by mta4.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8) with SMTP id <0FP50007X4X6MU@mta4.snfc21.pbi.net> for freebsd-security@freebsd.org; Sun, 30 Jan 2000 00:58:18 -0800 (PST)
Date: Sun, 30 Jan 2000 00:52:15 -0800
From: The Mad Scientist
Subject: Re: Continual DNS requests from mysterious IP
In-reply-to: <4.2.2.20000129173418.03dc4960@localhost>
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@freebsd.org
Message-id: <4.1.20000130004931.00954ac0@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
References: <200001290216.SAA34537@floozy.zytek.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 05:36 PM 1/29/00 -0700, you wrote:
>My guess is that your machine is being used in a distributed DoS
>attack against AOL. The perpetrator is probably querying many
>servers throughout the Net, hoping that they in turn will
>swamp AOL. By providing lots of bogus host names that do not
>repeat, they're ensuring that a fresh request is generated every
>time.
>
>I personally would block the buggers and then contact AOL.
>
>--Brett

It could also be those nifty AOL Instant Messengers trying to do some email checking.

-Dean

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 30 16: 5:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xkis.kis.ru (xkis.kis.ru [195.98.32.200]) by hub.freebsd.org (Postfix) with ESMTP id 8E4B014FDC for ; Sun, 30 Jan 2000 16:05:52 -0800 (PST) (envelope-from dv@dv.ru)
Received: from localhost (dv@localhost) by xkis.kis.ru (8.9.3/8.9.3) with SMTP id DAA15783 for ; Mon, 31 Jan 2000 03:05:46 +0300 (MSK)
Date: Mon, 31 Jan 2000 03:05:46 +0300 (MSK)
From: Dmitry Valdov
X-Sender: dv@xkis.kis.ru
To: security@freebsd.org
Subject: jail..
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

It is possible to take root on the entire machine if someone has an account on it and root under jail.

For example, we're running jail with chroot to /usr/jail. Someone has root in the chroot'ed environment. So, he can create a setuid shell in /usr/jail. But if he has a normal account on the machine, he can run it from /usr/jail and take root on the entire machine. chmod /usr/jail doesn't help because chrooted / cannot be read by anyone :(

I think that the right solution is to make the directory for chroot under a 700's directory. Should it be documented in the jail man page?

Dmitry.

From owner-freebsd-security Sun Jan 30 16:18: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (Postfix) with ESMTP id DD811151B0 for ; Sun, 30 Jan 2000 16:18:00 -0800 (PST) (envelope-from igor@alecto.physics.uiuc.edu)
Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id SAA07833 for security@freebsd.org; Sun, 30 Jan 2000 18:18:00 -0600 (CST)
From: Igor Roshchin
Message-Id: <200001310018.SAA07833@alecto.physics.uiuc.edu>
Subject: ntpd configuration and strange time "jumps"
To: security@freebsd.org
Date: Sun, 30 Jan 2000 18:17:59 -0600 (CST)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

Two questions regarding xntpd:

1. I've noticed that there were a few rather strange time steps
(it's the first time I see it changing back and forth without any
visible reason):

Jan 28 19:58:45 myhost xntpd[144]: time reset (step) -0.244614 s
Jan 28 21:04:09 myhost xntpd[144]: time reset (step) 0.353294 s
Jan 29 19:20:11 myhost xntpd[144]: time reset (step) -0.134634 s
Jan 30 03:03:14 myhost xntpd[144]: time reset (step) -0.135647 s
Jan 30 15:50:57 myhost xntpd[144]: time reset (step) -0.150918 s
Jan 30 16:29:31 myhost xntpd[144]: time reset (step) 0.290430 s
Jan 30 17:25:10 myhost xntpd[144]: time reset (step) -0.163771 s

I did not see any problems with the network or with the servers my xntpd is connecting to.

The version of the xntpd used on a FreeBSD 3.4-STABLE box is reported below.

Jan 30 18:57:27 myhost xntpd[75127]: xntpd version=3.4e (beta multicast); Thu Jan 6 20:53:51 EST 2000 (1)
Jan 30 18:57:27 myhost xntpd[75127]: tickadj = 5, tick = 10000, tvu_maxslew = 495
Jan 30 18:57:27 myhost xntpd[75127]: using xntpd phase-lock loop

Any idea what might be the reason for such strange resets? Is there any reason for worries?

2. Can somebody give any pointers and/or sample xntpd configuration files which would provide reasonable security of the xntpd server, while allowing any host on the local network to connect to it?
Thanks,

Igor

From owner-freebsd-security Sun Jan 30 17:24: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (roble.com [206.40.34.50]) by hub.freebsd.org (Postfix) with ESMTP id 61C9314D5A for ; Sun, 30 Jan 2000 17:24:02 -0800 (PST) (envelope-from sendmail@roble.com)
Received: from roble2.roble.com (roble2.roble.com [206.40.34.52]) by roble.com (Roble1b) with SMTP id RAA16393 for ; Sun, 30 Jan 2000 17:24:04 -0800 (PST)
Date: Sun, 30 Jan 2000 17:24:00 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Steinar Haug wrote:
>"allow-recursion" is your friend.
>
>options {
>        allow-recursion {
>                localnets;
>                x.y.z/24;       // Other addresses allowed
>        };
>};
>
>Requires BIND 8.2.1 or newer.

Thanks for the example Steinar. You'd think no recursion would be the default. It probably will be at some point, however if sendmail is any example, recursion abuse will become widespread first.

One caveat, if you install bind822-P5 from the ports it will foolishly put everything under /usr/local. This will have no effect unless you manually edit the /etc/{default}/rc.conf and define the new location. A better solution is to:

  cd /usr/ports/net/bind8
  rm patches/patch-aa patches/patch-ab

before running `make`, `make install`, and `ndc restart`.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Sun Jan 30 19:37:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from queasy.outpost.co.nz (outpost2.inspire.net.nz [203.96.157.26]) by hub.freebsd.org (Postfix) with SMTP id 5F0AA14A0B for ; Sun, 30 Jan 2000 19:37:12 -0800 (PST) (envelope-from crh@outpost.co.nz)
Received: (qmail 10484 invoked from network); 31 Jan 2000 03:37:06 -0000
Received: from erstumper.outpost.co.nz (HELO outpost.co.nz) (192.168.1.7) by outpost2.inspire.net.nz with SMTP; 31 Jan 2000 03:37:06 -0000
Message-ID: <38962E10.9951FD38@outpost.co.nz>
Date: Mon, 31 Jan 2000 16:51:28 -0800
From: Craig Harding
Organization: Outpost Digital Media Ltd
X-Mailer: Mozilla 4.06 [en] (Win98; I)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: Continual DNS requests from mysterious IP
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
> Which brings up a question I've had for a long time. When I set up a
> system as a NAT router, I would like to assign names to the internal
> machines (e.g. on 10.x.x.x) so that the POP server and other programs
> that do DNS queries are happy. (It also makes the logs more readable.)
> However, I don't want anyone OUTSIDE to be able to do forward or
> reverse DNS for those machines. Is there an easy way to do this?

I'm in exactly the same situation on our network. I originally planned to use two copies of BIND running on the one gateway machine, each listening on a different interface (1 internal, 1 external), but with the version of BIND I was using (8.1 I think) I found that this wasn't possible, contrary to the documentation.

Instead I just use a second machine as the authoritative nameserver for all the internal machines. It knows about the local names for everything on our 192.168.x.x net, and forwards external queries to the real nameserver, which is visible to the outside world and has a real IP address. This works satisfactorily, although I would prefer a more elegant solution.

-- 
C.
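An added example, not code posted by anyone in this thread and not part of BIND: a small Python pass over a constructed query log that applies the ideas raised so far, Steinar's allow-recursion ACL (which clients the server should recurse for at all), the once-a-second query for one name from the original report, and Brett's observation that a reflection attacker sends a stream of bogus names that never repeat, so the cache never absorbs them. The log-line format (a BIND 9 style `client A.B.C.D#port: query: NAME IN TYPE +`, where a leading `+` in the flags means the client asked for recursion; BIND 8's querylog format is different), the allowed networks, the authoritative zone, the client addresses, the names and the thresholds are all assumptions made for the example.

```python
"""Spot open-recursion abuse in a BIND-style query log.

Added example; not code posted in this thread and not part of BIND.
Assumed log-line format (BIND 9 style):
    client A.B.C.D#port: query: NAME IN TYPE +...
where the first flag character is '+' when the client asked for recursion.
Networks, addresses, names and thresholds below are made up.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Stand-in for "allow-recursion { localnets; x.y.z/24; };" (constructed).
ALLOWED_RECURSION = [ipaddress.ip_network("192.168.1.0/24"),
                     ipaddress.ip_network("10.0.0.0/8")]

# Zones this server is authoritative for: answering those from anywhere
# is its job, so they never count as recursion abuse.  Constructed.
AUTHORITATIVE_ZONES = ("example.org",)

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)")


def parse(line):
    """Return (client_ip, qname, qtype, recursion_desired) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    name = m.group("name").lower().rstrip(".")
    return m.group("ip"), name, m.group("type"), m.group("flags").startswith("+")


def in_local_zone(name):
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def recursion_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RECURSION)


def analyse(lines, min_queries=5, unique_ratio=0.8):
    """Per-client verdicts:
    unauthorised_recursion - asked us to recurse for a foreign name from
                             outside the allowed networks (what the ACL stops)
    repeated_name          - one foreign name hammered over and over
                             (the once-a-second aol.com MX pattern)
    non_repeating_names    - a stream of names that never repeat, so the
                             cache never helps (Brett's description)
    """
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, name, qtype, rd = parsed
            per_client[ip].append((name, qtype, rd))

    report = {}
    for ip, queries in per_client.items():
        foreign = [(n, t) for n, t, rd in queries if rd and not in_local_zone(n)]
        unauthorised = bool(foreign) and not recursion_allowed(ip)
        top_count = Counter(foreign).most_common(1)[0][1] if foreign else 0
        unique = len(set(foreign)) / len(foreign) if foreign else 0.0
        report[ip] = {
            "queries": len(queries),
            "unauthorised_recursion": unauthorised,
            "repeated_name": unauthorised and top_count >= min_queries,
            "non_repeating_names": (unauthorised and len(foreign) >= min_queries
                                    and unique >= unique_ratio),
        }
    return report


# Constructed sample log: one local client, one external host hammering
# aol.com MX, one legitimate query for our own zone, one name-spraying host.
SAMPLE_LOG = """\
client 192.168.1.7#1025: query: www.freebsd.org IN A +
client 192.168.1.7#1025: query: mail.example.org IN A +
client 203.0.113.9#53: query: aol.com IN MX +
client 203.0.113.9#53: query: aol.com IN MX +
client 203.0.113.9#53: query: aol.com IN MX +
client 203.0.113.9#53: query: aol.com IN MX +
client 203.0.113.9#53: query: aol.com IN MX +
client 198.51.100.4#2048: query: example.org IN MX +
client 198.51.100.42#1337: query: a1b2.bogus.test IN A +
client 198.51.100.42#1337: query: c3d4.bogus.test IN A +
client 198.51.100.42#1337: query: e5f6.bogus.test IN A +
client 198.51.100.42#1337: query: g7h8.bogus.test IN A +
client 198.51.100.42#1337: query: i9j0.bogus.test IN A +
""".splitlines()

if __name__ == "__main__":
    for ip, verdict in analyse(SAMPLE_LOG).items():
        print(ip, verdict)
```

The ACL check is the part that actually stops the abuse; the two pattern flags only tell you which of the unauthorised clients is worth a firewall rule or a phone call. Note that the spoofed-source variant of this attack puts the victim's address, not the attacker's, in the client field, so the "mysterious IP" in the log is the target.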
From owner-freebsd-security Sun Jan 30 20:25:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id EC3491533E for ; Sun, 30 Jan 2000 20:25:38 -0800 (PST) (envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost) by fw.wintelcom.net (8.9.3/8.9.3) id UAA21380; Sun, 30 Jan 2000 20:48:38 -0800 (PST)
Date: Sun, 30 Jan 2000 20:48:38 -0800
From: Alfred Perlstein
To: Craig Harding
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
Message-ID: <20000130204837.M13027@fw.wintelcom.net>
References: <38962E10.9951FD38@outpost.co.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <38962E10.9951FD38@outpost.co.nz>; from crh@outpost.co.nz on Mon, Jan 31, 2000 at 04:51:28PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Craig Harding [000130 20:03] wrote:
> Brett Glass wrote:
> 
> > Which brings up a question I've had for a long time. When I set up a
> > system as a NAT router, I would like to assign names to the internal
> > machines (e.g. on 10.x.x.x) so that the POP server and other programs
> > that do DNS queries are happy. (It also makes the logs more readable.)
> > However, I don't want anyone OUTSIDE to be able to do forward or
> > reverse DNS for those machines. Is there an easy way to do this?
> 
> I'm in exactly the same situation on our network. I originally
> planned to use two copies of BIND running on the one gateway machine,
> each listening on a different interface (1 internal, 1 external), but
> with the version of BIND I was using (8.1 I think) I found that this
> wasn't possible, contrary to the documentation.
> 
> Instead I just use a second machine as the authoritative nameserver
> for all the internal machines. It knows about the local names for
> everything on our 192.168.x.x net, and forwards external queries to
> the real nameserver, which is visible to the outside world and has
> a real IP address. This works satisfactorily, although I would prefer
> a more elegant solution.

Do a search for my name and this subject and you'll see that I posted some tips on getting recent bind 8.2.2 working on multiple interfaces. The problem stems from the ndc named pipe it uses.
-Alfred

From owner-freebsd-security Sun Jan 30 20:38:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from alcanet.com.au (mail.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 34DA815288 for ; Sun, 30 Jan 2000 20:38:43 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <115231>; Mon, 31 Jan 2000 15:39:17 +1100
Content-return: prohibited
From: Peter Jeremy
Subject: Re: ntpd configuration and strange time "jumps"
In-reply-to: <200001310018.SAA07833@alecto.physics.uiuc.edu>; from igor@physics.uiuc.edu on Mon, Jan 31, 2000 at 11:18:59AM +1100
To: Igor Roshchin
Cc: security@FreeBSD.ORG
Message-Id: <00Jan31.153917est.115231@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0i
Content-type: text/plain; charset=us-ascii
References: <200001310018.SAA07833@alecto.physics.uiuc.edu>
Date: Mon, 31 Jan 2000 15:39:15 +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2000-Jan-31 11:18:59 +1100, Igor Roshchin wrote:
>1. I've noticed that there were a few rather strange time steps:
>(it's the first time I see it changing back and forth without any
>visible reason)
>Jan 28 19:58:45 myhost xntpd[144]: time reset (step) -0.244614 s
>Jan 28 21:04:09 myhost xntpd[144]: time reset (step) 0.353294 s
...

NTP assumes that the path delays between your daemon and its peers (or servers) are symmetric - it halves the RTT to determine the peer delay. This is a flaw in the protocol, but I don't believe there's any way around it.

If all your peers share a common bottleneck, which has a large traffic asymmetry, it is possible for NTP to see this asymmetry as a peer offset and adjust the local time to suit. When the traffic asymmetry goes away, xntpd will then skew the time the other way.

Many years ago, I added a fudge to detect (or try to) and ignore this situation. At the time Dave Mills wasn't interested in the patches.
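The arithmetic behind the explanation above, as an added example (not part of Peter's message and not xntpd code): an NTP client derives offset and round-trip delay from the four timestamps of one poll, and the offset formula is exact only when the two one-way delays are equal. Any asymmetry appears as a spurious offset of half the difference; once that exceeds xntpd's 128 ms step threshold (CLOCK_MAX), the clock is stepped rather than slewed, which is the "time reset (step)" line in Igor's log, and it is stepped back when the congestion clears. The delays, clock values and server hold time are made-up numbers chosen to resemble the sub-second steps in that log.

```python
"""Why a lopsided path shows up as an NTP clock offset.

Added example; not from Peter Jeremy's message and not xntpd code.  The two
formulas are the standard NTP on-wire arithmetic (t1 origin, t2 server
receive, t3 server transmit, t4 destination).  Delays and clock values
are made-up numbers chosen to resemble the sub-second steps in Igor's log.
"""

# xntpd steps rather than slews when the offset exceeds CLOCK_MAX (128 ms).
STEP_THRESHOLD = 0.128


def ntp_sample(t1, t2, t3, t4):
    """Offset and round-trip delay exactly as an NTP client computes them.

    The client only ever sees the round trip; assuming the two legs are
    equal (each half the round trip) is what makes the offset formula
    valid, and what breaks when the path is asymmetric."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_exchange(true_offset, out_delay, back_delay,
                      t1=1000.0, server_hold=0.001):
    """Timestamps for one poll of a server whose clock is `true_offset`
    seconds ahead of ours, with independent one-way delays.
    t1/t4 are read from our clock, t2/t3 from the server's."""
    t2 = t1 + out_delay + true_offset
    t3 = t2 + server_hold
    t4 = t1 + out_delay + server_hold + back_delay
    return t1, t2, t3, t4


def offset_error(out_delay, back_delay):
    """What NTP reports minus the truth; analytically (out - back) / 2."""
    true_offset = 0.0
    measured, _ = ntp_sample(*simulate_exchange(true_offset, out_delay, back_delay))
    return measured - true_offset


def would_step(out_delay, back_delay):
    """Would the asymmetry alone push xntpd past its step threshold?"""
    return abs(offset_error(out_delay, back_delay)) > STEP_THRESHOLD


if __name__ == "__main__":
    # A saturated uplink: 350 ms out, 50 ms back.  NTP believes we are
    # 150 ms slow and steps us forward; when the congestion clears the
    # next good sample steps us back again.
    for out, back in ((0.05, 0.05), (0.35, 0.05), (0.05, 0.35)):
        print("out=%.3f back=%.3f -> apparent offset %+.3f s, step=%s"
              % (out, back, offset_error(out, back), would_step(out, back)))
```

The practical consequence for Igor's second question is that restricting who may query the server does nothing about this: the bad samples come from the server's own upstream path, so the usual cure is several upstream servers reached over different links, so that the clock filter can discard the outlier.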
Peter

From owner-freebsd-security Sun Jan 30 23:37: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 9082114C90 for ; Sun, 30 Jan 2000 23:36:57 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost.freebsd.dk [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id IAA21079; Mon, 31 Jan 2000 08:36:32 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: Dmitry Valdov
Cc: security@FreeBSD.ORG
Subject: Re: jail..
In-reply-to: Your message of "Mon, 31 Jan 2000 03:05:46 +0300."
Date: Mon, 31 Jan 2000 08:36:32 +0100
Message-ID: <21077.949304192@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Dmitry Valdov writes:
>Hello!
>
>It is possible to take root on the entire machine if someone has an account on
>it and root under jail.
>For example, we're running jail with chroot to /usr/jail. Someone has root
>in the chroot'ed environment.
>So, he can create a setuid shell in /usr/jail.
>But if he has a normal account on the machine, he can run it from /usr/jail and
>take root on the entire machine.
>chmod /usr/jail doesn't help because chrooted / cannot be read by anyone :(
>
>I think that the right solution is to make the directory for chroot under a 700's
>directory. Should it be documented in the jail man page?

The right solution is to not give any accounts outside the jails.

-- 
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Jan 31 1:18:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by hub.freebsd.org (Postfix) with ESMTP id 0412214DC9 for ; Mon, 31 Jan 2000 01:18:29 -0800 (PST) (envelope-from mw@theatre.sax.de)
Received: (from uucp@localhost) by sax.sax.de (8.9.3/8.9.3) with UUCP id KAA05755; Mon, 31 Jan 2000 10:18:09 +0100 (CET)
Received: (from mw@localhost) by theatre.lan (8.9.3/8.9.3) id JAA34753; Mon, 31 Jan 2000 09:59:00 +0100 (CET) (envelope-from mw)
Date: Mon, 31 Jan 2000 09:59:00 +0100
From: Martin Welk
To: Craig Harding
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
Message-ID: <20000131095859.A34477@theatre.lan>
References: <38962E10.9951FD38@outpost.co.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <38962E10.9951FD38@outpost.co.nz>; from crh@outpost.co.nz on Mon, Jan 31, 2000 at 04:51:28PM -0800
Organization: Private UUCP/Usenet site.
X-Operating-System: FreeBSD http://www.freebsd.org/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 31, 2000 at 04:51:28PM -0800, Craig Harding wrote:
> I'm in exactly the same situation on our network. I originally
> planned to use two copies of BIND running on the one gateway machine,
> each listening on a different interface (1 internal, 1 external), but
> with the version of BIND I was using (8.1 I think) I found that this
> wasn't possible, contrary to the documentation.

And why do you want to do so? How about using access lists from within bind? You allow access to the pseudo-domain you're using for your local network and the reverse lookup from your local network only, and everybody asking from the outside will get no answer. You need only one name-server doing all the work for the network.
Regards,
Martin

-- 
,,You know, there's a lot of opportunities, if you're knowing to take them,
you know, there's a lot of opportunities, if there aren't you can make them,
make or break them!'' (Tennant/Lowe)

From owner-freebsd-security Mon Jan 31 4:24:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from easeway.com (ns1.easeway.com [209.69.39.1]) by hub.freebsd.org (Postfix) with ESMTP id B518B14FDF for ; Mon, 31 Jan 2000 04:24:13 -0800 (PST) (envelope-from mwlucas@easeway.com)
Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id HAA20316; Mon, 31 Jan 2000 07:21:19 -0500 (EST)
Message-Id: <200001311221.HAA20316@easeway.com>
Subject: Re: Continual DNS requests from mysterious IP
In-Reply-To: from Roger Marquis at "Jan 30, 0 05:24:00 pm"
To: marquis@roble.com (Roger Marquis)
Date: Mon, 31 Jan 100 07:21:18 -0500 (EST)
Cc: security@FreeBSD.ORG
From: mwlucas@exceptionet.com
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> One caveat, if you install bind822-P5 from the ports it will foolishly
> put everything under /usr/local. This will have no effect unless you
> manually edit the /etc/{default}/rc.conf and define the new location.
> A better solution is to:
> 
>   cd /usr/ports/net/bind8
>   rm patches/patch-aa patches/patch-ab
> 
> before running `make`, `make install`, and `ndc restart`.

Actually, that's not foolish. The bind822-P5 port is installed in /usr/local because bind is part of "make world".

You want to tell your system to not use the default BIND, but your custom one instead. That's why you use /etc/rc.conf to tell your system which BIND to use.

Of course, if you don't make world, it's not a problem.

==ml

From owner-freebsd-security Mon Jan 31 8:24:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C846E14BE2 for ; Mon, 31 Jan 2000 08:24:30 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA14739 for ; Mon, 31 Jan 2000 08:24:30 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda14733; Mon Jan 31 08:24:12 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id IAA18688 for ; Mon, 31 Jan 2000 08:24:12 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdn18677; Mon Jan 31 08:23:55 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id IAA01528 for ; Mon, 31 Jan 2000 08:23:55 -0800 (PST)
Message-Id: <200001311623.IAA01528@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdUs1516; Mon Jan 31 08:23:02 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.4-RELEASE
X-Sender: cy
To: freebsd-security@freebsd.org
Subject: IP-Filter w/FreeBSD-current
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 31 Jan 2000 08:23:02 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

With the impending release of FreeBSD-4.0, is anyone on this list using IP-Filter on FreeBSD-current? I'm planning to install -current w/IP-Filter on a testbed and would like to know if there are any gotchas or if it even runs on FreeBSD-current.


Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Sun/DEC Team, UNIX Group       Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD
Province of BC
"COBOL IS A WASTE OF CARDS."

From owner-freebsd-security Mon Jan 31 8:36:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (roble.com [206.40.34.50]) by hub.freebsd.org (Postfix) with ESMTP id E180114CFD for ; Mon, 31 Jan 2000 08:36:29 -0800 (PST) (envelope-from sendmail@roble.com)
Received: from roble2.roble.com (roble2.roble.com [206.40.34.52]) by roble.com (Roble1b) with SMTP id IAA23231 for ; Mon, 31 Jan 2000 08:36:31 -0800 (PST)
Date: Mon, 31 Jan 2000 08:36:28 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Continual DNS requests from mysterious IP
In-Reply-To: <200001311221.HAA20316@easeway.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 Jan 100 mwlucas@exceptionet.com wrote:
> You want to tell your system to not use the default BIND, but your custom
> one instead. That's why you use /etc/rc.conf to tell your system which
> BIND to use.

I'd rather keep the system clean and free from old versions of software, it's easier to maintain that way and doesn't violate the KIS principle.

Configuration files are good to keep backups of, which is why I have RCS directories under /etc, /usr/local/etc, /usr/local/apache, ... however I can't think of a good reason for keeping old, unused software on a system.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Mon Jan 31 9:35:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pogo.caustic.org (pogo.caustic.org [208.44.193.69]) by hub.freebsd.org (Postfix) with ESMTP id F03DB14D1C for ; Mon, 31 Jan 2000 09:35:12 -0800 (PST) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.9.3/ignatz) with ESMTP id JAA14594; Mon, 31 Jan 2000 09:35:16 -0800 (PST)
Date: Mon, 31 Jan 2000 09:35:16 -0800 (PST)
From: "f.johan.beisser"
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IP-Filter w/FreeBSD-current
In-Reply-To: <200001311623.IAA01528@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

i've been running it on freebsd-current for the last week or so (i installed it to log some traffic) with no problems or hitches.

-- jan

On Mon, 31 Jan 2000, Cy Schubert - ITSD Open Systems Group wrote:

> With the impending release of FreeBSD-4.0, is anyone on this list using
> IP-Filter on FreeBSD-current? I'm planning to install -current
> w/IP-Filter on a testbed and would like to know of there are any
> gotchas or if it even runs on FreeBSD-current.
> 
> 
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Sun/DEC Team, UNIX Group       Internet:  Cy.Schubert@uumail.gov.bc.ca
> ITSD
> Province of BC
> "COBOL IS A WASTE OF CARDS."
> 

+-----// f. johan beisser //------------------------------+
  email: jan[at]caustic.org      web: http://www.caustic.org/~jan
    "knowledge is power. power corrupts. study hard, be evil."

From owner-freebsd-security Mon Jan 31 9:47:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id B50C814D1C for ; Mon, 31 Jan 2000 09:47:40 -0800 (PST) (envelope-from vlad@sandy.ru)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id UAA69461; Mon, 31 Jan 2000 20:42:09 +0300 (MSK)
Date: Mon, 31 Jan 2000 20:42:12 +0300
From: Vladimir Dubrovin
X-Mailer: The Bat! (v1.36) S/N D33CD428
Reply-To: Vladimir Dubrovin
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <8862.000131@sandy.ru>
To: Dmitry Valdov
Cc: security@freebsd.org
Subject: Re: jail..
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Dmitry Valdov,

31.01.00 3:05, you wrote: jail..;

D> Hello!

D> It is possible to take root on the entire machine if someone has an account on
D> it and root under jail.
D> For example, we're running jail with chroot to /usr/jail. Someone has root
D> in the chroot'ed environment.
D> So, he can create a setuid shell in /usr/jail.
D> But if he has a normal account on the machine, he can run it from /usr/jail and
D> take root on the entire machine.
D> chmod /usr/jail doesn't help because chrooted / cannot be read by anyone :(

This problem appears only if local users should be allowed to access /usr/jail. Otherwise you can use group "jail" instead of user "jail" and give 770 permissions for /usr/jail. Include jailed (and only jailed) users and root into this group.

D> I think that the right solution is to make the directory for chroot under a 700's
D> directory. Should it be documented in the jail man page?

D> Dmitry.
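An audit for the setuid escape discussed in this thread (Dmitry's report, the 700 directory he proposes, and the 770-with-a-jail-group variant above), as an added example that is not code from the thread or from FreeBSD's jail(8). It reports whether the jail root is traversable by accounts outside its owner and group, lists setuid/setgid files planted beneath it, and re-audits after applying the 700 mitigation. Only the "other" execute bit on the directory matters: a host account does not need to list /usr/jail to run /usr/jail/bin/sh by path. The demo jail tree, its file names and modes are constructed in a temporary directory.

```python
"""Audit a jail root for the setuid escape described in this thread.

Added example; not code from the thread or from FreeBSD's jail(8).
Two checks: is the jail root traversable by accounts outside its owner
and group, and which setuid/setgid files exist beneath it.  A host
account only needs execute permission on the directory chain to run
/usr/jail/bin/sh by path, so the 'x' bit for 'other' is what matters.
The demo tree is built in a temporary directory with made-up names.
"""
import os
import stat
import tempfile


def root_dir_exposed(jail_root):
    """True if 'other' can traverse the jail root (mode has o+x)."""
    return bool(os.lstat(jail_root).st_mode & stat.S_IXOTH)


def find_setuid(jail_root):
    """Paths of regular files under the jail with setuid or setgid set.
    lstat, not stat: jailed root could leave a symlink pointing outside."""
    hits = []
    for dirpath, _dirs, files in os.walk(jail_root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def audit(jail_root):
    """Escapable = something setuid is planted AND outsiders can reach it."""
    suid = find_setuid(jail_root)
    exposed = root_dir_exposed(jail_root)
    return {"setuid_files": suid, "root_exposed": exposed,
            "escapable": exposed and bool(suid)}


def lock_down(jail_root):
    """Apply the 700 mitigation from the thread and re-audit."""
    os.chmod(jail_root, 0o700)
    return audit(jail_root)


def build_demo_jail():
    """Constructed jail: a planted setuid 'sh' next to an ordinary 'ls'."""
    root = tempfile.mkdtemp(prefix="jaildemo-")
    os.makedirs(os.path.join(root, "bin"))
    for name, mode in (("sh", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)          # 4755 is what jailed root would do
    os.chmod(root, 0o755)             # the usual default: world-traversable
    return root


if __name__ == "__main__":
    jail = build_demo_jail()
    print("before:", audit(jail))
    print("after: ", lock_down(jail))
```

The check looks only at the "other" bits, so Vladimir's 770 variant with a dedicated jail group passes it too; what you then have to audit is the membership of that group. A setuid list that is non-empty is not by itself a finding (a jail normally needs its own su and passwd), it is the combination with reachability that matters, which is why phk's answer of having no host accounts at all closes the hole regardless of directory modes.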
+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
| Sandy Info, ISP |
+=-=-=-=-=-=-=-=-=+

From owner-freebsd-security Mon Jan 31 14:23:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id D1A0014F03 for ; Mon, 31 Jan 2000 14:23:41 -0800 (PST) (envelope-from nathan@kinsman.nu)
Received: from [24.29.246.53] (HELO mentisworks.com) by mentisworks.com (CommuniGate Pro SMTP 3.2b9) with ESMTP id 654838 for freebsd-security@freebsd.org; Mon, 31 Jan 2000 16:23:39 -0600
Received: from [192.168.245.111] (HELO kinsman.nu) by mentisworks.com (CommuniGate Pro SMTP 3.2) with ESMTP id 2480260 for freebsd-security@freebsd.org; Mon, 31 Jan 2000 16:23:51 -0600
Message-ID: <38960B6B.B0E3BD9B@kinsman.nu>
Date: Mon, 31 Jan 2000 16:23:39 -0600
From: Nathan Kinsman
X-Mailer: Mozilla 4.7 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: IP-Filter w/FreeBSD-current
References: <200001311623.IAA01528@cwsys.cwsent.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Works fine from a clean install; I had problems with device number mismatches when upgrading from FreeBSD 3.2. Been using IPFilter 3.3.6 with 4.0 for about three weeks now, no problems other than choking on DEVFS, and once that was removed there were no further problems.

Cy Schubert - ITSD Open Systems Group wrote:
> 
> With the impending release of FreeBSD-4.0, is anyone on this list using
> IP-Filter on FreeBSD-current? I'm planning to install -current
> w/IP-Filter on a testbed and would like to know of there are any
> gotchas or if it even runs on FreeBSD-current.
> 
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Sun/DEC Team, UNIX Group       Internet:  Cy.Schubert@uumail.gov.bc.ca
> ITSD
> Province of BC
> "COBOL IS A WASTE OF CARDS."
> 

-- 
Nathan Kinsman,           | nathan@kinsman.nu | http://nathan.kinsman.nu
Network Systems Architect | BSD/Linux/Solaris/Netware/MS Windows
                          | Voice/Fax: | Chicago | +1 312 803-2220 | Sydney | + 61 2 9475 4500

From owner-freebsd-security Mon Jan 31 14:50:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 8784F14F20; Mon, 31 Jan 2000 14:50:20 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 748411CD6E0; Mon, 31 Jan 2000 14:50:20 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Mon, 31 Jan 2000 14:50:20 -0800 (PST)
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@freebsd.org
Subject: Re: IP-Filter w/FreeBSD-current
In-Reply-To: <200001311623.IAA01528@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 Jan 2000, Cy Schubert - ITSD Open Systems Group wrote:

> With the impending release of FreeBSD-4.0, is anyone on this list using
> IP-Filter on FreeBSD-current? I'm planning to install -current
> w/IP-Filter on a testbed and would like to know of there are any
> gotchas or if it even runs on FreeBSD-current.

Well, I did have problems with it (specifically, ipfstat refused to do anything except spit out an IOCTL error) - this could have been a mismatched binary, although I tried to recompile everything relevant manually. I've just done a make world, so perhaps it's fixed for me now - I'll let you know.

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson

From owner-freebsd-security Mon Jan 31 16:27:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from biggusdiskus.flyingfox.com (parker-T1-2-gw.sf3d.best.net [209.157.165.30]) by hub.freebsd.org (Postfix) with ESMTP id 958EC1525C for ; Mon, 31 Jan 2000 16:25:50 -0800 (PST) (envelope-from jas@flyingfox.com)
Received: (from jas@localhost) by biggusdiskus.flyingfox.com (8.8.8/8.8.5) id QAA04973; Mon, 31 Jan 2000 16:16:34 -0800 (PST)
Date: Mon, 31 Jan 2000 16:16:34 -0800 (PST)
From: Jim Shankland
Message-Id: <200002010016.QAA04973@biggusdiskus.flyingfox.com>
To: freebsd-security@FreeBSD.ORG, mccord@zytek.com
Subject: Re: Continual DNS requests from mysterious IP
In-Reply-To: <200001290216.SAA34537@floozy.zytek.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[Re: lots of queries for the MX server of aol.com:]

Samara McCord writes:
> This is not an attack, but somewhat irritating. Also it's something
> that no one would normally notice. Well I was running tcpdump to check
> on something else and noticed this. About once a second I'm getting
> DNS requests for the mail relay of "aol.com".

Actually, I'll bet this was an attack of sorts. A server we administer was hacked a few months ago, and the attacker was trying to send out tons of queries like this one with spoofed source addresses (which we filter, which is how we found out). Looks like a simple-minded DoS attempt to me.

Perhaps DNS relaying will go a way similar to SMTP relaying: allowed only from a specific set of IP addresses.

Jim Shankland
NLynx Systems, Inc.

From owner-freebsd-security Wed Feb 16 7:43:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from builder.freebsd.org (builder.FreeBSD.ORG [204.216.27.24]) by hub.freebsd.org (Postfix) with ESMTP id A003C37B649 for ; Wed, 16 Feb 2000 07:43:49 -0800 (PST) (envelope-from v0rbiz@ab-bg.net)
Received: from ab-bg.net (ab-bg.net [212.56.11.129]) by builder.freebsd.org (Postfix) with SMTP id 37638132E4 for ; Wed, 16 Feb 2000 07:42:31 -0800 (PST)
Received: (qmail 1239 invoked by uid 1000); 16 Feb 2000 15:33:35 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Feb 2000 15:33:35 -0000
Date: Wed, 16 Feb 2000 17:33:35 +0200 (EET)

From owner-freebsd-security Wed Feb 16 07:43:57 2000
From: Victor Ivanov
Date: Wed, 16 Feb 2000 17:33:35 +0200 (EET)
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW or something else
In-Reply-To: <38AA7830.33F0C22F@apse.cc.rtu.lv>

IPFW *and* something else... I guess you need NAT. With Linux (with that
thing 'ipchains' called 'firewall') you don't NAT, you masquerade. But it's
NAT.

ipfw does not change anything in the packets. It can divert them to
another program (like natd) which can do the job.

In any case, it is good and recommended to read the fine manual... I think
there's an easy way to do what you want: from /etc/defaults/rc.conf look
at the natd options (and maybe /stand/sysinstall can do this for you).
Just enable natd and set the interface or address and next time you reboot
it'll be ok.

For ipf and ipnat there are manuals too.

From owner-freebsd-security Wed Feb 16 08:08:59 2000
From: Kris Kennaway
Date: Wed, 16 Feb 2000 08:08:57 -0800 (PST)
To: Dmitry Valdov
Cc: Warner Losh, Brett Glass, Bill Fumerola, Kuzak, freebsd-security@FreeBSD.ORG
Subject: Re: Doscmd

On Wed, 16 Feb 2000, Dmitry Valdov wrote:

> Hi!
>
> Anyway, this should be fixed. Just because somebody might want to use it
> with sudo.

Patches accepted :)

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson

From owner-freebsd-security Wed Feb 16 08:22:37 2000
From: Warner Losh
Date: Wed, 16 Feb 2000 09:22:16 -0700
Message-Id: <200002161622.JAA11003@harmony.village.org>
To: Dmitry Valdov
Cc: Brett Glass, Bill Fumerola, Kuzak, freebsd-security@FreeBSD.ORG
Subject: Re: Doscmd
In-reply-to: Your message of "Wed, 16 Feb 2000 15:40:09 +0300."

In message Dmitry Valdov writes:
: Anyway, this should be fixed. Just because somebody might want to use it
: with sudo.

That doesn't make sense. If you have sudo, you have root.

Doesn't mean we shouldn't fix it, but not for that reason.

Warner

From owner-freebsd-security Wed Feb 16 08:31:22 2000
From: Brett Glass
Date: Wed, 16 Feb 2000 09:31:04 -0700
Message-Id: <4.2.2.20000216092918.044d9300@localhost>
To: Richard Wackerbarth, Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
In-Reply-To: <00021604155000.08535@nomad.dataplex.net>
References: <200002160926.CAA09916@harmony.village.org>

At 02:41 AM 2/16/2000 , Richard Wackerbarth wrote:

> Perhaps there needs to be a more emphatic public posting to the effect that
> 2.2.x is "moldy" and supported only to the extent that the few remaining users
> of this system contribute patches. Unless they have COMPELLING reasons to remain
> with 2.2.x, all users SHOULD UPGRADE to 3.4.

Ah, but which 3.4? Shortly after 3.4-RELEASE shipped, I recall a few
security- and stability-related patches. Unfortunately, picking a daily
snapshot can be a bad idea. Is there a "known good" snapshot? (I assume
that it'll be at least another month before 3.5.)

--Brett

From owner-freebsd-security Wed Feb 16 08:35:55 2000
From: Matt Heckaman
Date: Wed, 16 Feb 2000 11:35:35 -0500
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Doscmd
In-Reply-To: <200002161622.JAA11003@harmony.village.org>

Maybe he meant that someone might want to run it setuid under certain
circumstances, that would make for a better reason, other than the
principle of the matter =)

Matt

--
Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
!Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail]

On Wed, 16 Feb 2000, Warner Losh wrote:

: Date: Wed, 16 Feb 2000 11:22:16 -0500
: From: Warner Losh
: To: Dmitry Valdov
: Cc: Brett Glass, Bill Fumerola, Kuzak, freebsd-security@FreeBSD.ORG
: Subject: Re: Doscmd
:
: In message Dmitry Valdov writes:
: : Anyway, this should be fixed. Just because somebody might want to use it
: : with sudo.
:
: That doesn't make sense. If you have sudo, you have root.
:
: Doesn't mean we shouldn't fix it, but not for that reason.
:
: Warner

From owner-freebsd-security Wed Feb 16 08:38:14 2000
From: Matt Heckaman
Date: Wed, 16 Feb 2000 11:37:55 -0500
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
In-Reply-To: <4.2.2.20000216092918.044d9300@localhost>

On Wed, 16 Feb 2000, Brett Glass wrote:

: Date: Wed, 16 Feb 2000 11:31:04 -0500
: From: Brett Glass
: To: Richard Wackerbarth, Warner Losh
: Cc: freebsd-security@FreeBSD.ORG
: Subject: Re: Why should I upgrade from 2.2.8 to 3.4

[...]

: Ah, but which 3.4? Shortly after 3.4-RELEASE shipped, I recall a few security-
: and stability-related patches. Unfortunately, picking a daily snapshot can be
: a bad idea. Is there a "known good" snapshot? (I assume that it'll be at least
: another month before 3.5.)

Personally, I had my best luck with 3.3; I've had a few problems with 3.4,
though I'm not sure I can attribute them solely to the OS. Regarding 3.5
though, is there even going to be a 3.5? I'm under the impression that 4.0
will be the next release, is this incorrect?

: --Brett

-Matt

From owner-freebsd-security Wed Feb 16 08:42:57 2000
From: Paul Hart
Date: Wed, 16 Feb 2000 09:41:39 -0700 (MST)
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Doscmd
In-Reply-To: <4.2.2.20000215235704.043169d0@localhost>

On Tue, 15 Feb 2000, Brett Glass wrote:

> If it relies on doscmd being suid, then it would fail. But
> I have wondered whether control of your descriptor tables would
> let you hack the system. What's in that machine language?

Nothing interesting. Just the standard exec-a-shell code:

    (gdb) x/19i 0x80487d7
    0x80487d7 <_fini+7>:    jmp    0x80487fc <_fini+44>
    0x80487d9 <_fini+9>:    popl   %esi
    0x80487da <_fini+10>:   leal   (%esi),%ebx
    0x80487dc <_fini+12>:   movl   %ebx,0xb(%esi)
    0x80487df <_fini+15>:   xorl   %edx,%edx
    0x80487e1 <_fini+17>:   movl   %edx,0x7(%esi)
    0x80487e4 <_fini+20>:   movl   %edx,0xf(%esi)
    0x80487e7 <_fini+23>:   movl   %edx,0x14(%esi)
    0x80487ea <_fini+26>:   movb   %dl,0x19(%esi)
    0x80487ed <_fini+29>:   xorl   %eax,%eax
    0x80487ef <_fini+31>:   movb   $0x3b,%al
    0x80487f1 <_fini+33>:   leal   0xb(%esi),%ecx
    0x80487f4 <_fini+36>:   movl   %ecx,%edx
    0x80487f6 <_fini+38>:   pushl  %edx
    0x80487f7 <_fini+39>:   pushl  %ecx
    0x80487f8 <_fini+40>:   pushl  %ebx
    0x80487f9 <_fini+41>:   pushl  %eax
    0x80487fa <_fini+42>:   jmp    0x8048814 <_fini+68>
    0x80487fc <_fini+44>:   call   0x80487d9 <_fini+9>
    (gdb) x/1i 0x8048814
    0x8048814 <_fini+68>:   lcall  0x407,0x4040404
    (gdb) x/19xb 0x8048801
    0x8048801 <_fini+49>:   0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68 0x01
    0x8048809 <_fini+57>:   0x01 0x01 0x01 0x02 0x02 0x02 0x02 0x03
    0x8048811 <_fini+65>:   0x03 0x03 0x03
    (gdb)

For what it's worth, there is another so-called "exploit" for FreeBSD on
Packetstorm Security:

    http://packetstorm.securify.com/0002-exploits/umount.c

I don't know about you, but my /sbin/umount isn't SUID either. ;-)

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Wed Feb 16 08:43:27 2000
From: Warner Losh
Date: Wed, 16 Feb 2000 09:43:02 -0700
Message-Id: <200002161643.JAA11128@harmony.village.org>
To: Matt Heckaman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Doscmd
In-reply-to: Your message of "Wed, 16 Feb 2000 11:35:35 EST."

In message Matt Heckaman writes:
: Maybe he meant that someone might want to run it setuid under certain
: circumstances, that would make for a better reason, other than the
: principle of the matter =)

Yes. I agree completely. The whole reason that it isn't set*id anything
is that it is unsafe and insecure to do that.

Warner

From owner-freebsd-security Wed Feb 16 09:05:19 2000
From: Brett Glass
Date: Wed, 16 Feb 2000 10:04:59 -0700
Message-Id: <4.2.2.20000216095354.04315900@localhost>
To: Matt Heckaman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
References: <4.2.2.20000216092918.044d9300@localhost>

At 09:37 AM 2/16/2000 , Matt Heckaman wrote:

> Personally, I had my best luck with 3.3, I've had a few problems with 3.4,
> though I'm not sure I can attribute them solely to the OS. Regarding
> 3.5 though, is there even going to be a 3.5? I'm under the impression that
> 4.0 will be the next release, is this incorrect?

4.0 will be next, but since it won't be well tested in production
applications many users will stay with the 3.x-STABLE branch until 4.2 or
later.

We have a policy: we never install a point release of FreeBSD less than .2
on a production system. This isn't because earlier releases on a branch
are NECESSARILY bad, but because releases after .1 tend to be more stable
and have fewer surprises. We waited until 3.3 before moving our first
servers to 3.x because of a rash of fixes that were made shortly after 3.2
came out.

Once 4.0-RELEASE comes out, I'm hoping that folks will take the time to
polish up 3.5 and make it a "golden" release.

--Brett

From owner-freebsd-security Wed Feb 16 09:26:47 2000
From: "Jordan K. Hubbard"
Date: Wed, 16 Feb 2000 09:26:33 -0800
Message-ID: <25194.950721993@zippy.cdrom.com>
To: Warner Losh
Cc: Richard Wackerbarth, freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
In-reply-to: Your message of "Wed, 16 Feb 2000 03:33:05 MST." <200002161033.DAA10121@harmony.village.org>

And I just removed all traces of 2.2.8 from ftp.freebsd.org - that ought
to drive the right behavior. :)

- Jordan

> In message <00021604155000.08535@nomad.dataplex.net> Richard Wackerbarth writes:
> : Perhaps there needs to be a more emphatic public posting to the
> : effect that 2.2.x is "moldy" and supported only to the extent that
> : the few remaining users of this system contribute patches. Unless
> : they have COMPELLING reasons to remain with 2.2.x, all users SHOULD
> : UPGRADE to 3.4.
>
> I've been saying that 2.2.x isn't supported since about the 3.3
> timeframe, which was at least six months ago.
>
> Warner

From owner-freebsd-security Wed Feb 16 09:49:32 2000
From: "Jordan K. Hubbard"
Date: Wed, 16 Feb 2000 09:48:14 -0800
Message-ID: <25341.950723294@zippy.cdrom.com>
To: Matt Heckaman
Cc: Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
In-reply-to: Your message of "Wed, 16 Feb 2000 11:37:55 EST."

> Personally, I had my best luck with 3.3, I've had a few problems with 3.4,
> though I'm not sure I can attribute them solely to the OS. Regarding
> 3.5 though, is there even going to be a 3.5? I'm under the impression that
> 4.0 will be the next release, is this incorrect?

There will certainly be a 3.5 and probably a 3.6. These releases do not
come off the same branch; there is a branch called 3.x-stable and a branch
called -current. The 3.x branch is still "running" and will for at least
another 6 months. 4.x-stable hasn't even been created yet and won't be
until sometime before 4.1.

- Jordan

From owner-freebsd-security Wed Feb 16 10:06:17 2000
From: Wes Peters
Organization: Softweyr LLC
Date: Wed, 16 Feb 2000 11:12:08 -0700
Message-ID: <38AAE878.C26E278F@softweyr.com>
To: Richard Wackerbarth
Cc: Warner Losh, freebsd-security@freebsd.org
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
References: <200002160926.CAA09916@harmony.village.org> <00021604155000.08535@nomad.dataplex.net>

Richard Wackerbarth wrote:
>
> On Wed, 16 Feb 2000, Warner Losh wrote:
> > Kris Kennaway writes:
> > : Security problems still get fixed, but you're unlikely to be able to get
> >
> > Security problems still *SOMETIMES* get fixed in 2.2.x. They don't always.
>
> Perhaps there needs to be a more emphatic public posting to the effect that
> 2.2.x is "moldy" and supported only to the extent that the few remaining users
> of this system contribute patches. Unless they have COMPELLING reasons to remain
> with 2.2.x, all users SHOULD UPGRADE to 3.4.

And this coming from the 2.x "keeper of the flame." Yes, 2.2.8 should carry
a warning label of some sort.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/

From owner-freebsd-security Wed Feb 16 10:08:04 2000
From: Ryuhei Tanabe
Reply-To: ryu@ryu.net
Date: Wed, 16 Feb 2000 10:05:20 -0800
Message-Id: <4.2.0.58.J.20000216100126.00a5b210@mail.webjapan.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
References: <20000216072546.RDPI28348.mta04.onebox.com@onebox.com>

Hello all,

I'm currently running FreeBSD 2.2.8-stable on my machine. Well, of course,
I've been thinking of upgrading my server to 3.x-stable. But I'm sort of
scared that I might just screw my server when I upgrade it.

Are there any specific things I should be very careful about when
upgrading FreeBSD from 2.2.8 to 3.x?

Thanks in advance.

Ryuhei Tanabe

From owner-freebsd-security Wed Feb 16 12:15:37 2000
From: Brett Glass
Date: Wed, 16 Feb 2000 13:12:53 -0700
Message-Id: <4.2.2.20000216131102.04308c80@localhost>
To: Wes Peters, Richard Wackerbarth
Cc: Warner Losh, freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
In-Reply-To: <38AAE878.C26E278F@softweyr.com>
References: <200002160926.CAA09916@harmony.village.org> <00021604155000.08535@nomad.dataplex.net>

At 11:12 AM 2/16/2000 , Wes Peters wrote:

> And this coming from the 2.x "keeper of the flame." Yes, 2.2.8 should carry
> a warning label of some sort.

On the other hand, some things in 2.2.8 were actually more secure than
later versions. When the ADMROCKS exploit got out, I discovered that the
BIND that shipped with 2.2.8 wasn't susceptible. Systems with newer
versions of BIND were.

--Brett

From owner-freebsd-security Wed Feb 16 12:15:38 2000
From: Brett Glass
Date: Wed, 16 Feb 2000 13:15:14 -0700
Message-Id: <4.2.2.20000216131306.04465300@localhost>
To: ryu@ryu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
In-Reply-To: <4.2.0.58.J.20000216100126.00a5b210@mail.webjapan.com>
References: <20000216072546.RDPI28348.mta04.onebox.com@onebox.com>

At 11:05 AM 2/16/2000 , Ryuhei Tanabe wrote:

> Hello all
>
> I'm currently running FreeBSD 2.2.8-stable on my machine. Well, of course,
> I've been thinking of upgrading my server to 3.x-stable.
> But I'm sort of scared that I might just screw my server when I upgrade it.
> Are there any specific things I should be very careful about when upgrading
> FreeBSD from 2.2.8 to 3.x?

One thing that got me was the change in the format of wtmp and utmp. The
record formats are different, and since there wasn't a Perl module to hide
this a lot of our management scripts broke.

--Brett

From owner-freebsd-security Wed Feb 16 12:22:38 2000
From: Stuart Henderson
Date: Wed, 16 Feb 2000 20:22:15 +0000
Message-ID: <20000216202215.C77186@naiad.eclipse.net.uk>
To: Brett Glass
Cc: ryu@ryu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
In-Reply-To: <4.2.2.20000216131306.04465300@localhost>; from brett@lariat.org on Wed, Feb 16, 2000 at 01:15:14PM -0700

On Wed, Feb 16, 2000 at 01:15:14PM -0700, Brett Glass wrote:
> At 11:05 AM 2/16/2000 , Ryuhei Tanabe wrote:
>
> > Hello all
> >
> > I'm currently running FreeBSD 2.2.8-stable on my machine. Well, of course,
> > I've been thinking of upgrading my server to 3.x-stable.
> > But I'm sort of scared that I might just screw my server when I upgrade it.
> > Are there any specific things I should be very careful about when upgrading
> > FreeBSD from 2.2.8 to 3.x?
>
> One thing that got me was the change in the format of wtmp and utmp. The
> record formats are different, and since there wasn't a Perl module to hide
> this a lot of our management scripts broke.

Bootblocks, don't forget to make sure you have updated your bootblocks :-)

From owner-freebsd-security Wed Feb 16 17:06:11 2000
From: Dario Alcocer
Date: Wed, 16 Feb 2000 13:14:41 -0800 (PST)
Message-ID: <14507.4115.743232.801540@pino.localdomain>
To: Richard Wackerbarth
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
In-Reply-To: <00021604155000.08535@nomad.dataplex.net>
References: <200002160926.CAA09916@harmony.village.org> <00021604155000.08535@nomad.dataplex.net>

>>>>> "Richard" == Richard Wackerbarth writes:

    Richard> Perhaps there needs to be a more emphatic public posting
    Richard> to the effect that 2.2.x is "moldy" and supported only to
    Richard> the extent that the few remaining users of this system
    Richard> contribute patches. Unless they have COMPELLING reasons
    Richard> to remain with 2.2.x, all users SHOULD UPGRADE to 3.4.

One problem I've seen with upgrading to 3.4 is installing on low-memory
machines. The 2.2.8 install boot floppy works on an 8MB machine, but 3.x
does not; it needs at least 12MB to install. (I wonder if it's just a
problem with too many drivers in the boot floppy. Maybe this problem could
be addressed by having a smaller kernel on the install boot floppy.)

Anyway, I found this problem when I tried upgrading an existing 2.2.8
firewall/router machine to 3.1, and the install failed due to this 8MB
problem.

Others have run into this problem as well:

    http://www.deja.com/=dnc/[ST_rn=ps]/getdoc.xp?AN=515625181
    http://www.deja.com/=dnc/[ST_rn=ps]/getdoc.xp?AN=516009396

--
Dario Alcocer // dalcocer@home.com

From owner-freebsd-security Wed Feb 16 18:11:43 2000
From: Andrew Otwell
Organization: Network Computerz
Date: Wed, 16 Feb 2000 21:08:51 -0500
Message-ID: <38AB5833.89A2F51A@networkcomputerz.com>
To: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: kerberosIV

Where is the official installation manual for kerberosIV on FreeBSD? The
handbook shows a picture-perfect step by step that does not work for me.

Looked in www.freebsddiary.org, www.freebsd.org/tutorials - faq - handbook.

We have /etc/auth.conf, /etc/kerberosIV/...., /usr/lib/pam_kerberosIV.so,
/etc/inetd.conf (much less /etc/hosts.allow), and there's probably many
more config files involved.

I swear on the holy grail that I'll publish a complete how-to if someone
would point me in the right direction.

--
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Andrew T. Otwell, Network Administrator
andrew@networkcomputerz.com, 678.363.8491
http://www.NetworkComputerz.com
yank GnuPG DSS key from hkp://pgpkeys.mit.edu
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From owner-freebsd-security Wed Feb 16 19:27:48 2000
Date: Wed, 16 Feb 2000
21:28:41 -0600 
From: Brad Guillory To: "freebsd-security@FreeBSD.ORG" Subject: Re: kerberosIV Message-ID: <20000216212840.A47599@baileylink.net> References: <38AB5833.89A2F51A@networkcomputerz.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <38AB5833.89A2F51A@networkcomputerz.com>; from andrew@networkcomputerz.com on Wed, Feb 16, 2000 at 09:08:51PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What type of problems are you having? I am sure that several here would be happy to help. BMG On Wed, Feb 16, 2000 at 09:08:51PM -0500, Andrew Otwell wrote: > Where is the official installation->manual for kerberosIV on FreeBSD???? > The handbook shows a picture perfect step by step that does not work for > me. > > Looked in www.freebsddiary.org, www.freebsddiary.org, > www.freebsd.org/tutorials - faq - handbook > > We have /etc/auth.conf, /etc/kerberosIV/...., > /usr/lib/pam_kerberosIV.so, /etc/inetd.conf (much less > /etc/hosts.allow), and there's probably many more config files involved. > > I swear on the holy grail that I'll publish a complete how-to if someone > would point me in the right direction. > > -- > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ > Andrew T. 
Otwell, Network Administrator > andrew@networkcomputerz.com, 678.363.8491 > http://www.NetworkComputerz.com > yank GnuPG DSS key from hkp://pgpkeys.mit.edu > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 16 19:31: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from builder.freebsd.org (builder.FreeBSD.ORG [204.216.27.24]) by hub.freebsd.org (Postfix) with ESMTP id CC2CE37B57B; Wed, 16 Feb 2000 19:30:56 -0800 (PST) (envelope-from andrew@networkcomputerz.com) Received: from smtp.america.net (smtp.america.net [199.170.121.14]) by builder.freebsd.org (Postfix) with ESMTP id CF49F132DD; Wed, 16 Feb 2000 19:30:06 -0800 (PST) Received: from networkcomputerz.com (tnt1-214.america.net [206.67.248.214]) by smtp.america.net (8.9.1/8.9.1) with ESMTP id WAA17701; Wed, 16 Feb 2000 22:30:42 -0500 (EST) Message-ID: <38AB6AD5.405F26DB@networkcomputerz.com> Date: Wed, 16 Feb 2000 22:28:21 -0500 
From: Andrew Otwell Organization: Network Computerz X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 3.4-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: "freebsd-security@FreeBSD.ORG" , "freebsd-questions@FreeBSD.ORG" Subject: Re: kerberosIV References: <38AB5833.89A2F51A@networkcomputerz.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I also read www.freebsdzine.org and many man pages. Andrew Otwell wrote: > > Where is the official installation->manual for kerberosIV on FreeBSD???? > The handbook shows a picture perfect step by step that does not work for > me. > > Looked in www.freebsddiary.org, www.freebsddiary.org, > www.freebsd.org/tutorials - faq - handbook > > We have /etc/auth.conf, /etc/kerberosIV/...., > /usr/lib/pam_kerberosIV.so, /etc/inetd.conf (much less > /etc/hosts.allow), and there's probably many more config files involved. > > I swear on the holy grail that I'll publish a complete how-to if someone > would point me in the right direction. > > -- > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ > Andrew T. 
Otwell, Network Administrator > andrew@networkcomputerz.com, 678.363.8491 > http://www.NetworkComputerz.com > yank GnuPG DSS key from hkp://pgpkeys.mit.edu > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 16 22:30: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from builder.freebsd.org (builder.FreeBSD.ORG [204.216.27.24]) by hub.freebsd.org (Postfix) with ESMTP id 76DC137B602 for ; Wed, 16 Feb 2000 22:30:02 -0800 (PST) (envelope-from novikov@webclub.ru) Received: from gate.webclub.ru (gate.web2000.ru [195.58.61.2]) by builder.freebsd.org (Postfix) with ESMTP id CF70A132EE for ; Wed, 16 Feb 2000 22:29:18 -0800 (PST) Received: from newbee.web2000.ru ([195.58.61.40]) by gate.webclub.ru with smtp (Exim 3.02 #1) id 12LKQz-0007gQ-00 for freebsd-security@freebsd.org; Thu, 17 Feb 2000 09:29:05 +0300 
From: Andrey Novikov Organization: WebClub To: freebsd-security@freebsd.org Subject: SSH2 to SSH1 compatibility problem Date: Thu, 17 Feb 2000 09:26:22 +0300 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00021709282400.22904@newbee.web2000.ru> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello, in sshd1 there was a nice feature called AllowGroups which was very helpful to me. How can I obtain the same functionality with sshd2?

Andrey Novikov

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 17 5:28:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4]) by hub.freebsd.org (Postfix) with ESMTP id 51C9937B723 for ; Thu, 17 Feb 2000 05:28:16 -0800 (PST) (envelope-from hu006co@mail.euroweb.hu) Received: (from hu006co@localhost) by mail.euroweb.hu (8.8.5/8.8.5) id OAA27547 for freebsd-security@freebsd.org; Thu, 17 Feb 2000 14:28:04 +0100 (MET) Received: (from zgabor@localhost) by CoDe.hu (8.9.3/8.8.8) id LAA00428 for freebsd-security@freebsd.org; Thu, 17 Feb 2000 11:45:28 +0100 (CET) (envelope-from zgabor)
From: Zahemszky Gabor Message-Id: <200002171045.LAA00428@CoDe.hu> Subject: Re: ipfw - ipf In-Reply-To: from Andrew Kopeyko at "Feb 15, 0 09:44:29 am" To: freebsd-security@freebsd.org Date: Thu, 17 Feb 2000 11:44:13 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi!

> > a) if I have both ipf and ipfw in my kernel, which is the flow of a packet?
> > in -> ipf -> ipfw -> kernel | kernel -> ipfw -> ipf -> out
> > or the other? (I used to use ipfw, and I'd like to switch - or learn - ipf.)
>
> It depends on the order you modload their lkm's - earlier loaded will be "closer" to kernel.

Hm. Can I load ipf dynamically? Btw on 3.x, lkms are switched to klds, and I didn't find a way to generate kld from ipf. Every time, I compiled them into the kernel.

> But why do you use such a strange thing? I had to use this for a week when i was switching from ipfw to ipf without interrupting clients' services

For example, I like DUMMYNET and the bandwidth limiting with it. But if I know well, it's only available from ipfw's pipe commands. Or is it possible from ipf, or is there any other mechanism like dummynet?

> > b) Are there any ipfw to ipf converter? I'd like to use (or write) it.
>
> There is an addition to ipf - 'flc', 'filter language compiler'. It can compile some ruleset written in his own simple language to various firewalls rulesets: ipf, ipfw, CISCO, fwadmin, etc. See http://coombs.anu.edu.au/ipfilter/ for details.

Yes, I know it. But I'd like to _convert_ my actual rules, and not to rewrite them in another language. (Of course, I can rewrite them in ipf's own language :-)

By, ZGabor at CoDe dot HU
--
#!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 17 6: 6:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 5A92837B734 for ; Thu, 17 Feb 2000 06:06:26 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA18222; Thu, 17 Feb 2000 06:04:34 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda18218; Thu Feb 17 06:04:15 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA67599; Thu, 17 Feb 2000 06:04:14 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdN67597; Thu Feb 17 06:03:42 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id GAA81839; Thu, 17 Feb 2000 06:03:41 -0800 (PST) Message-Id: <200002171403.GAA81839@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdX81834; Thu Feb 17 06:02:53 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.4-RELEASE X-Sender: cy To: Brett Glass Cc: Wes Peters , Richard Wackerbarth , Warner Losh , freebsd-security@FreeBSD.ORG Subject: Re: Why should I upgrade from 2.2.8 to 3.4 In-reply-to: Your message of "Wed, 16 Feb 2000 13:12:53 MST." <4.2.2.20000216131102.04308c80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 17 Feb 2000 06:02:53 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <4.2.2.20000216131102.04308c80@localhost>, Brett Glass writes: > At 11:12 AM 2/16/2000 , Wes Peters wrote: > > >And this coming from the 2.x "keeper of the flame." Yes, 2.2.8 should carry > >a warning label of some sort. > > On the other hand, some things in 2.2.8 were actually more secure than > later versions. When the ADMROCKS exploit got out, I discovered that the > BIND that shipped with 2.2.8 wasn't susceptible. Systems with newer versions > of BIND were. Yes but BIND 4 has even more security holes than BIND 8. If I had to run 2.2.8 and BIND, I'd install BIND 8 and run it in a jail under a non-privileged account. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@uumail.gov.bc.ca UNIX Group, ITSD, ISTA Province of BC "COBOL IS A WASTE OF CARDS." 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 17 7:21: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from loki.iss.net (loki.iss.net [208.21.0.3]) by hub.freebsd.org (Postfix) with ESMTP id 9E5C237B735 for ; Thu, 17 Feb 2000 07:21:02 -0800 (PST) (envelope-from andrew@networkcomputerz.com) Received: from networkcomputerz.com (aotwell.iss.net [208.21.3.106]) by loki.iss.net (8.9.3/8.9.3) with ESMTP id KAA13407; Thu, 17 Feb 2000 10:20:52 -0500 Message-ID: <38AC1225.C887F835@networkcomputerz.com> Date: Thu, 17 Feb 2000 10:22:13 -0500 
From: Andrew Otwell X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 3.4-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Sheldon Hearn , freebsd-security@freebsd.org Subject: Re: kerberosIV References: <69821.950777061@axl.noc.iafrica.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Thanks for your response. I'll continue my thread on the freebsd-questions list.

Sheldon Hearn wrote:
>
> On Wed, 16 Feb 2000 22:28:21 EST, Andrew Otwell wrote:
>
> > Where is the official installation->manual for kerberosIV on FreeBSD????
> > The handbook shows a picture perfect step by step that does not work for
> > me.
>
> First off, you cross-posted to two mailing lists, which is bad. :-)
> Secondly, you don't tell us _what_ went wrong. Telling us it didn't
> work is useless.
>
> I urge you to post a follow-up message to the freebsd-security list
> (using the same subject line) apologizing for the cross-post and
> mentioning that you'll post more details in follow-up on the
> freebsd-questions mailing list.
>
> Then, send follow-up to the freebsd-questions mailing list showing the
> point of failure when you follow the Handbook instructions. Either
> you're making a mistake or the Handbook needs to be corrected. Looking
> for alternative instructions isn't going to help either way.
>
> Hope this helps.
>
> Ciao,
> Sheldon.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 17 7:31:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10]) by hub.freebsd.org (Postfix) with SMTP id 8878737B77F for ; Thu, 17 Feb 2000 07:31:54 -0800 (PST) (envelope-from oogali@intranova.net) Received: (qmail 91945 invoked from network); 17 Feb 2000 15:30:48 -0000 Received: from localhost (oogali@127.0.0.1) by hydrant.intranova.net with SMTP; 17 Feb 2000 15:30:48 -0000 Date: Thu, 17 Feb 2000 10:30:47 -0500 (EST) From: Omachonu Ogali To: Dmitry Valdov Cc: Warner Losh , Brett Glass , Bill Fumerola , Kuzak , freebsd-security@FreeBSD.ORG Subject: Re: Doscmd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Well, If you're su'ing to get to use it, what's the purpose of the exploit? Another nifty shell? On Wed, 16 Feb 2000, Dmitry Valdov wrote: > Hi! > > Anyway, this should be fixed. Just because somebody might want to use it > with sudo. > > Dmitry. > > On Wed, 16 Feb 2000, Warner Losh wrote: > > > Date: Wed, 16 Feb 2000 02:24:39 -0700 
> > From: Warner Losh
> > To: Brett Glass
> > Cc: Bill Fumerola , Kuzak ,
> > freebsd-security@FreeBSD.ORG
> > Subject: Re: Doscmd
> >
> > In message <4.2.2.20000215235704.043169d0@localhost> Brett Glass writes:
> > : If it relies on doscmd being suid, then it would fail. But
> > : I have wondered whether control of your descriptor tables would
> > : let you hack the system. What's in that machine language?
> >
> > Doesn't matter. In order to use doscmd, one must be root anyway. It
> > is useless for normal users iirc (the last dos program I needed to run
> > has been excised from my machine, so I can't test it right now).
> >
> > Warner
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
+-------------------------------------------------------------------------+
| Omachonu Ogali oogali@intranova.net |
| Intranova Networking Group http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839 |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 17 8:31:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id E5FF937B734; Thu, 17 Feb 2000 08:31:42 -0800 (PST) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id IAA37423; Thu, 17 Feb 2000 08:31:42 -0800 (PST) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 17 Feb 2000 08:31:42 -0800 (PST)
From: Kris Kennaway To: Omachonu Ogali Cc: Dmitry Valdov , Warner Losh , Brett Glass , Bill Fumerola , Kuzak , freebsd-security@FreeBSD.ORG Subject: Re: Doscmd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 17 Feb 2000, Omachonu Ogali wrote:

> Well, If you're su'ing to get to use it, what's the purpose of the
> exploit? Another nifty shell?

I talked to the packetstorm guy and he said this exploit was intended for pre-3.2 versions of FreeBSD which had doscmd setgid kmem (prior to rev 1.13.2.2 of the makefile). If you're still running an old version you should remove the setgid bit.

The umount "exploit" was in case the admin had made umount setugid so users can mount volumes (instead of the correct way, sysctl -w vfs.usermount=1). I haven't verified whether this exploit actually does anything.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 17 9:54:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from gate.webclub.ru (gate.web2000.ru [195.58.61.2]) by hub.freebsd.org (Postfix) with ESMTP id 9B48437B803 for ; Thu, 17 Feb 2000 09:54:14 -0800 (PST) (envelope-from novikov@webclub.ru) Received: from newbee.web2000.ru ([195.58.61.40]) by gate.webclub.ru with smtp (Exim 3.02 #1) id 12LV7A-0001fM-00 for freebsd-security@freebsd.org; Thu, 17 Feb 2000 20:53:20 +0300
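Kris's remedy for the old doscmd is to strip its set-gid bit. The script below is an added example, not something posted in the Doscmd thread or shipped with FreeBSD: it lists every set-uid or set-gid regular file under a directory tree with its owner and group (so a group-kmem entry, or a root-owned program you do not recognise, stands out), counts them for comparison against a saved baseline, and removes the set-gid bit from a named file. It assumes only POSIX find(1), ls(1) and chmod(1); the directory to scan is whatever you pass, typically /usr/bin or /usr/local/bin on a real host.

```shell
#!/bin/sh
# Added example for Kris's advice to remove the setgid bit; not a tool
# from the thread or from FreeBSD.  Uses only POSIX find(1), ls(1) and
# chmod(1), so it runs unchanged on FreeBSD and Linux.

# list_setid DIR
#   One line per regular file under DIR with the set-uid or set-gid bit,
#   in the form "mode owner group path".  A group of kmem, or an owner of
#   root on a program you do not recognise, is what to look for.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        set -- $(ls -ld "$f")          # $1=mode $3=owner $4=group
        printf '%s %s %s %s\n' "$1" "$3" "$4" "$f"
    done
}

# count_setid DIR
#   Number of set-id files under DIR, for comparison with a baseline saved
#   by a periodic job; any growth is a review item.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# drop_setgid FILE
#   Remove the set-gid bit (the fix for a doscmd installed setgid kmem)
#   and print the resulting mode string for the log.
drop_setgid() {
    chmod g-s "$1" && ls -ld "$1" | cut -d' ' -f1
}
```

Run list_setid over the system binary directories after an install and keep the output with the host's configuration; a new set-id entry, or one whose group is kmem, is worth a look before it is worth an exploit. For the umount case Kris mentions, the alternative to a set-id umount is the sysctl he names, vfs.usermount=1, together with drop_setgid (or chmod u-s) on the binary.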
From: Andrey Novikov Organization: WebClub To: freebsd-security@freebsd.org Subject: Nonprivileged daemons and pid files Date: Thu, 17 Feb 2000 20:47:26 +0300 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <00021720524101.23691@newbee.web2000.ru> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello,

now more and more daemons can be run from a non-privileged account - BIND, MTAs, DBMS'es and so on, but it sometimes leads to two minor problems - either this daemon can't create its pid file in /var/run or it can't update it on restart. What is the common way to overcome that problem - it's very convenient to store them in one place.

Andrey Novikov

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 17 10:20:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24]) by hub.freebsd.org (Postfix) with ESMTP id 685D837B6F8 for ; Thu, 17 Feb 2000 10:20:38 -0800 (PST) (envelope-from brad@testbed.baileylink.net) Received: (from brad@localhost) by testbed.baileylink.net (8.9.3/8.9.3) id MAA15728 for freebsd-security@freebsd.org; Thu, 17 Feb 2000 12:21:40 -0600 (CST) (envelope-from brad) Date: Thu, 17 Feb 2000 12:21:40 -0600
From: Brad Guillory To: freebsd-security@freebsd.org Subject: Re: Nonprivileged daemons and pid files Message-ID: <20000217122140.D11118@baileylink.net> References: <00021720524101.23691@newbee.web2000.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <00021720524101.23691@newbee.web2000.ru>; from novikov@webclub.ru on Thu, Feb 17, 2000 at 08:47:26PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Write a startup script for the application that "touch"es the pid file then "chown"s it to the appropriate user. Or make a daemon group and put all the daemons in it, then chgrp the /var/run directory to daemon group and chmod it to 775. (Sorry, neither is tested.)

BMG

On Thu, Feb 17, 2000 at 08:47:26PM +0300, Andrey Novikov wrote:
> Hello,
>
> now more and more daemons can be run from a non-privileged
> account - BIND, MTAs, DBMS'es and so on, but it
> sometimes leads to two minor problems - either this daemon
> can't create its pid file in /var/run or it can't update it on
> restart. What is the common way to overcome that problem -
> it's very convenient to store them in one place.
>
> Andrey Novikov
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 17 10:22:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from intel.outsi.de (intel.outsi.de [195.247.6.181]) by hub.freebsd.org (Postfix) with ESMTP id EF96E37B806 for ; Thu, 17 Feb 2000 10:22:18 -0800 (PST) (envelope-from philipp@buehler.de) Received: by intel.outsi.de (Postfix, from userid 102) id 2347F62AE; Thu, 17 Feb 2000 19:26:14 +0100 (MET) Date: Thu, 17 Feb 2000 19:26:13 +0100
From: Philipp Buehler To: Andrey Novikov Cc: freebsd-security@FreeBSD.ORG Subject: Re: Nonprivileged daemons and pid files Message-ID: <20000217192613.A25807@pohl.fips.de> Reply-To: Philipp Buehler References: <00021720524101.23691@newbee.web2000.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Matt Do you really care? No. In-Reply-To: <00021720524101.23691@newbee.web2000.ru>; "Andrey Novikov" on 17.02.2000 @ 18:47:26 MET X-Project: Can we please found ClueNet? X-Not-Needed: M$ Windows. X-RIPE: FIPS Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Andrey Novikov wrote To freebsd-security@FreeBSD.ORG:
> restart. What is the common way to overcome that problem -
> it's very convenient to store them in one place.

Put them in a group and give g+w on /var/run.

Or create/touch the pidfile at startup and give write permissions to the group in which the daemon runs. Just put that in the startup script.

--- End of mail from Andrey Novikov ---

ciao
--
Philipp Buehler, aka fIpS | BOfH | NUCH | double-p on IRC
When the horse dies, get off.
Artificial Intelligence stands no chance against Natural Stupidity.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 17 15:30:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 876E537B85B for ; Thu, 17 Feb 2000 15:30:52 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id SAA37424; Thu, 17 Feb 2000 18:30:39 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Thu, 17 Feb 2000 18:30:39 -0500 (EST)
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Philipp Buehler Cc: Andrey Novikov , freebsd-security@FreeBSD.ORG Subject: Re: Nonprivileged daemons and pid files In-Reply-To: <20000217192613.A25807@pohl.fips.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 17 Feb 2000, Philipp Buehler wrote:

> Andrey Novikov wrote To freebsd-security@FreeBSD.ORG:
> > restart. What is the common way to overcome that problem -
> > it's very convenient to store them in one place.
>
> Put them in a group and give g+w on /var/run.

This would allow a compromised daemon to allow arbitrary signal delivery to other processes, or to shut down the machine. This is because many tools for managing processes take advantage of the PID file to direct the behavior of kill (sometimes in unsafe ways that might result in arbitrary shell commands being executed). Any user able to write to a PID file could direct signals elsewhere, including to the init process.

> Or create/touch the pidfile at startup and give write permissions
> to the group in which the daemon runs. Just put that in the
> startup script.

This is a better idea. That said, you need to be careful to avoid the situation where the following is run as an inappropriate uid:

kill -HUP `cat /var/run/untrustedfile.pid`

For the obvious reason.

I have suspected for a while that a better way to do most process management would be via a management unix domain socket, per-daemon, stored in /var/run/daemonname with appropriate permissions on the directory. This would allow the daemon to provide a more controlled management mechanism than signals (a big plus given the current overloading of signals and differences between signal interpretations with different daemons), and also allow for more fine-grained authentication of requests by the daemon, optionally using ancillary data to carry uid/gid information. For example, the daemon could make its own decisions about who could deliver management requests based on strong kernel-provided authentication information (pid, uids + gids + whatever). Local procedure calls of various sorts could be employed, simple control messages, etc. These messages would also be queued, and so on. This is harder to manage without a multi-threaded daemon, but with Bind and friends becoming more complicated (BIND9 does pthreads, I believe) anyway, this seems like a useful direction.

This doesn't help you with run-away processes which still require signals, but most processes don't need to be nastily terminated, it's quite sufficient to tell them to reload a config file/etc. Having a directory per-daemon would also work for even the signalling approach, although I think one does have to be careful about scripts employing untrusted data from daemon-writable files, when running as root.
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 17 18:58: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id D0AFA37B913 for ; Thu, 17 Feb 2000 18:58:03 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA53700; Thu, 17 Feb 2000 22:02:32 -0500 (EST) (envelope-from cjc) Date: Thu, 17 Feb 2000 22:02:32 -0500 
From: "Crist J. Clark" To: Brad Guillory Cc: freebsd-security@FreeBSD.ORG Subject: Re: Nonprivileged daemons and pid files Message-ID: <20000217220232.A53575@cc942873-a.ewndsr1.nj.home.com> Reply-To: cjclark@home.com References: <00021720524101.23691@newbee.web2000.ru> <20000217122140.D11118@baileylink.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000217122140.D11118@baileylink.net>; from round@baileylink.net on Thu, Feb 17, 2000 at 12:21:40PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Feb 17, 2000 at 12:21:40PM -0600, Brad Guillory wrote:
> Write a startup script for the application that "touch"es the pid
> file then "chown"s it to the appropriate user. Or make a daemon
> group and put all the daemons in it, then chgrp the /var/run directory
> to daemon group and chmod it to 775. (Sorry, neither is tested.)
                                ^^^

Don't you mean, 1775? That prevents a compromised daemon from removing a file and putting a new, dangerous one in its place, but it does open up the potential for a DOS if a compromised daemon takes up filenames before the others can use them.

Having root touch and chown files at startup (with the directory still 755), seems the best option... Unless the daemons think that the existence of the file means they are already running and they refuse to start. =)

> On Thu, Feb 17, 2000 at 08:47:26PM +0300, Andrey Novikov wrote:
> > Hello,
> >
> > now more and more daemons can be run from a non-privileged
> > account - BIND, MTAs, DBMS'es and so on, but it
> > sometimes leads to two minor problems - either this daemon
> > can't create its pid file in /var/run or it can't update it on
> > restart. What is the common way to overcome that problem -
> > it's very convenient to store them in one place.
> >
> > Andrey Novikov
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Crist J. Clark cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 17 19: 2:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 5607237B68A; Thu, 17 Feb 2000 19:02:07 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA53728; Thu, 17 Feb 2000 22:06:42 -0500 (EST) (envelope-from cjc) Date: Thu, 17 Feb 2000 22:06:42 -0500
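Putting the pid-file thread's advice together, as an added example that is not a script from the list or from FreeBSD's rc files: root pre-creates the pid file and hands it to the daemon's uid (Brad's and Crist's suggestion, with /var/run itself left root-owned and 0755), and anything that later reads the file back to drive kill(1) validates the contents first, which is the hazard Robert points out for kill -HUP `cat file` run as root over daemon-writable data. The user and group names, paths and the expected command name are placeholders; the process name is read from /proc/PID/comm where procfs provides it and from ps -o comm= elsewhere, to confirm the pid really belongs to the daemon before any signal is sent.

```shell
#!/bin/sh
# Added example for the pid-file discussion; not a script from the thread
# or from FreeBSD's rc files.  Daemon user/group, file names and the
# expected command name are placeholders chosen for illustration.

# prepare_pidfile PIDFILE USER GROUP
#   Run as root from the startup script: create (or truncate) PIDFILE,
#   give it to the daemon's uid/gid and make it 0644.  /var/run itself
#   stays root-owned and 0755, so the daemon can write only this file
#   and cannot replace it with a symlink or take another daemon's name.
prepare_pidfile() {
    : > "$1" && chown "$2:$3" "$1" && chmod 0644 "$1"
}

# valid_pid STRING
#   Accept a bare positive decimal integer other than 1 (init).  Empty
#   strings, "-1" (every process), "0 1", "$(...)" and pid 1 are all
#   rejected, so daemon-controlled data cannot steer a root-run kill.
valid_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1 ]
}

# pid_from_file PIDFILE
#   Print the pid from the first line of PIDFILE only if it passes
#   valid_pid; print nothing and fail otherwise.
pid_from_file() {
    _pid=$(head -n 1 "$1" 2>/dev/null | tr -d ' \t\r')
    valid_pid "$_pid" || return 1
    printf '%s\n' "$_pid"
}

# process_name PID
#   Command name of PID: /proc/PID/comm where procfs provides it (Linux),
#   ps -o comm= elsewhere (FreeBSD and the other BSDs).
process_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# signal_daemon PIDFILE EXPECTED_NAME SIGNAL
#   Replacement for kill -SIG `cat PIDFILE`: validate the pid, check that
#   the process with that pid really is EXPECTED_NAME, then signal it.
#   Sends nothing and returns non-zero if any check fails.
signal_daemon() {
    _pid=$(pid_from_file "$1") || {
        echo "refusing: no valid pid in $1" >&2; return 1; }
    _name=$(process_name "$_pid")
    [ "$_name" = "$2" ] || {
        echo "refusing: pid $_pid is '$_name', not $2" >&2; return 1; }
    kill -s "$3" "$_pid"
}
```

Typical use from an rc script running as root: prepare_pidfile /var/run/named.pid bind bind before starting the daemon, and signal_daemon /var/run/named.pid named HUP in place of the backtick idiom. Crist's caveat still applies: a daemon that treats an existing pid file as "already running" needs the file created empty, as here, or needs its pid-file path passed explicitly. With the contents checked this way, a compromised daemon can at most write a useless pid; it cannot redirect a root-run kill at init or at every process on the box.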
From: "Crist J. Clark"
To: Ryuhei Tanabe
Cc: freebsd-questions@freebsd.org
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
Message-ID: <20000217220642.B53575@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000216072546.RDPI28348.mta04.onebox.com@onebox.com> <4.2.0.58.J.20000216100126.00a5b210@mail.webjapan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <4.2.0.58.J.20000216100126.00a5b210@mail.webjapan.com>; from ryu@ryu.net on Wed, Feb 16, 2000 at 10:05:20AM -0800

On Wed, Feb 16, 2000 at 10:05:20AM -0800, Ryuhei Tanabe wrote:
> Hello all
>
> I'm currently running FreeBSD 2.2.8-stable on my machine. Well of course,
> I've been thinking of upgrading my server to 3.x-stable.
> But I'm sort of scared that I might just screw up my server when I upgrade it.
> Are there any specific things I should be very careful about when upgrading
> FreeBSD from 2.2.8 to 3.x?
>
> Thanks in advance.

To start with,

1) New boot blocks.
2) Incompatible wtmp and utmp between versions.
3) Rebuild shared-lib hints.

Also, this thread no longer belongs on -security. Redirecting...

-- 
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Fri Feb 18 0:20:55 2000
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 8DE5E37B7DB for ; Fri, 18 Feb 2000 00:20:49 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.13 #1) id 12Lie7-0000A4-00; Fri, 18 Feb 2000 10:20:15 +0200
From: Sheldon Hearn
To: Andrey Novikov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Nonpriveleged daemons and pid files
In-reply-to: Your message of "Thu, 17 Feb 2000 22:02:32 EST." <20000217220232.A53575@cc942873-a.ewndsr1.nj.home.com>
Date: Fri, 18 Feb 2000 10:20:14 +0200
Message-ID: <623.950862014@axl.noc.iafrica.com>

Since nobody else seems to have mentioned the solution I use, I'll
describe it here.

Quite simple really; I use /var/run/<daemon_name>/ for each
non-privileged daemon. I still haven't run into a daemon that could be
configured to run non-privileged but could not be configured to use an
arbitrary run state directory. I suppose I'd run into more of them if I
installed pre-compiled binaries. However, many fine daemons allow for
run-time specification of the pid_file location.

The drawback is that you don't have all your pid_files in one directory.
However, if the daemon_name directory names are carefully chosen, it's
not hard to find the pid_files with an ls command or even...

	kill -HUP `find /var/run -name exim.pid -exec cat {} \;`

Ciao,
Sheldon.

From owner-freebsd-security Fri Feb 18 0:33:14 2000
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id E5B9037B6F7 for ; Fri, 18 Feb 2000 00:33:11 -0800 (PST) (envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost) by fw.wintelcom.net (8.9.3/8.9.3) id BAA06030; Fri, 18 Feb 2000 01:01:04 -0800 (PST)
Date: Fri, 18 Feb 2000 01:01:04 -0800
From: Alfred Perlstein
To: Sheldon Hearn
Cc: Andrey Novikov , freebsd-security@FreeBSD.ORG
Subject: Re: Nonpriveleged daemons and pid files
Message-ID: <20000218010104.L21720@fw.wintelcom.net>
References: <20000217220232.A53575@cc942873-a.ewndsr1.nj.home.com> <623.950862014@axl.noc.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <623.950862014@axl.noc.iafrica.com>; from sheldonh@uunet.co.za on Fri, Feb 18, 2000 at 10:20:14AM +0200

* Sheldon Hearn [000218 00:51] wrote:
>
> Since nobody else seems to have mentioned the solution I use, I'll
> describe it here.
>
> Quite simple really; I use /var/run/<daemon_name>/ for each
> non-privileged daemon. I still haven't run into a daemon that could be
> configured to run non-privileged but could not be configured to use an
> arbitrary run state directory. I suppose I'd run into more of them if I
> installed pre-compiled binaries. However, many fine daemons allow for
> run-time specification of the pid_file location.
>
> The drawback is that you don't have all your pid_files in one directory.
> However, if the daemon_name directory names are carefully chosen, it's
> not hard to find the pid_files with an ls command or even...
>
> kill -HUP `find /var/run -name exim.pid -exec cat {} \;`

You could have symlinks in /var/run/ point to pidfiles in
/var/run/<daemon_name>/<daemon_name>.pid; that way accesses will sorta
fail with file not found if the pid isn't there. :)

-Alfred

From owner-freebsd-security Fri Feb 18 7:22:19 2000
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id A598B37B957 for ; Fri, 18 Feb 2000 07:22:15 -0800 (PST) (envelope-from mwlucas@blackhelicopters.org)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.9.3/8.9.3) id KAA08579; Fri, 18 Feb 2000 10:22:13 -0500 (EST) (envelope-from mwlucas)
From: Michael Lucas
Message-Id: <200002181522.KAA08579@blackhelicopters.org>
Subject: Request for Article Review
To: advocacy@freesd.org, security@freebsd.org
Date: Fri, 18 Feb 2000 10:22:12 -0500 (EST)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

[apologies for cross-posting, but -advocacy has the interest and
-security has the expertise... followups to me, please.]

I've written another article for Sys Admin on "Building a FreeBSD
firewall." I would appreciate any technical review people would care to
give before I submit it.

The disclaimer: This article is about twice as long as my usual, and I
had half the usual time to write it in. While I don't *think* I've
missed anything, increasing writing speed 400% can't be good.

The article covers:

Hardening your FreeBSD install
IPFilter (ipfw changed to be stateful in 4.0, so I chose ipf; it's
basically identical across 3.x and 4.x)
service redirection and transparent proxies
application proxies

Thanks,
Michael

From owner-freebsd-security Fri Feb 18 7:26: 1 2000
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 93CC737B971 for ; Fri, 18 Feb 2000 07:25:57 -0800 (PST) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id MAA08496 for freebsd-security@freebsd.org; Fri, 18 Feb 2000 12:26:16 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <200002181526.MAA08496@ns1.via-net-works.net.ar>
Subject:
To: freebsd-security@freebsd.org
Date: Fri, 18 Feb 2000 12:25:03 -0300 (GMT)
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

Dear Sirs,

I'd like to use db-based authentication for my ftp-only users. I'm using
wu-ftpd, which, as I understand from the man page, supports authentication
via the method defined in login.conf. Can I use db-based (be it .bdm or
SQL) auth. via PAM for such purpose?

Thanks and regards!

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Fri Feb 18 7:50:33 2000
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id 1FB8237B926; Fri, 18 Feb 2000 07:50:30 -0800 (PST) (envelope-from mwlucas@blackhelicopters.org)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.9.3/8.9.3) id KAA08744; Fri, 18 Feb 2000 10:50:29 -0500 (EST) (envelope-from mwlucas)
From: Michael Lucas
Message-Id: <200002181550.KAA08744@blackhelicopters.org>
Subject: followup to article review request
To: advocacy@freebsd.org, security@freebsd.org
Date: Fri, 18 Feb 2000 10:50:29 -0500 (EST)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Okay, I forgot to mention this:

If you'd like a copy to review, please email me. Magazine publishers
frown on distributing pre-publication articles on the Net.

==ml

From owner-freebsd-security Fri Feb 18 16:54:30 2000
Received: from blaubaer.kn-bremen.de (blaubaer.kn-bremen.de [195.37.179.254]) by hub.freebsd.org (Postfix) with ESMTP id 7320537BAA0; Fri, 18 Feb 2000 16:54:20 -0800 (PST) (envelope-from nox@saturn.kn-bremen.de)
Received: from saturn.kn-bremen.de (uucp@localhost) by blaubaer.kn-bremen.de (8.9.1/8.9.1) with UUCP id BAA00647; Sat, 19 Feb 2000 01:48:56 +0100
Received: (from nox@localhost) by saturn.kn-bremen.de (8.9.3/8.8.5) id AAA03216; Sat, 19 Feb 2000 00:33:35 +0100 (CET)
From: Juergen Lock
Date: Sat, 19 Feb 2000 00:33:34 +0100
To: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: `higer level' packet filter rules language/editor to ease maintainance?
Message-ID: <20000219003334.A1117@saturn.kn-bremen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.7i

Hi!

Is there such a thing as in the subject? Something that lets me,
say, put rules in groups, easily move around or clone groups, apply
global changes to groups like search/replace addresses/netmasks?
Sure I can hack something up with a bit of perl/whatever for my
specific problem, but maybe there is something more general out
there...

I currently need something for ipfw but even if what you use only
knows ipfilter (or something else?) I'd like to hear about it,
I may happen to like it so much that I'd just add ipfw
support... :) (as long as source is available, obviously.)

I have seen `flc' that was linked on (I think) the ipfilter homepage
but decided to ask here first as it seems no longer maintained and
would need to be updated (it's from 1995!) to at least add all the
ipfw features that are new since then. The idea to be able to
generate rules for several different packet filters from the same
input file certainly looked interesting though and it would seem a
bit strange to assume that really no one uses it anymore...
(or is there a successor maybe?)

Regards,
-- 
Juergen Lock
(remove dot foo from address to reply)

From owner-freebsd-security Fri Feb 18 17: 3:13 2000
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 153B037BB46; Fri, 18 Feb 2000 17:03:02 -0800 (PST) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id MAA17185; Sat, 19 Feb 2000 12:03:28 +1100 (EST)
From: Darren Reed
Message-Id: <200002190103.MAA17185@cairo.anu.edu.au>
Subject: Re: `higer level' packet filter rules language/editor to ease maintainance?
To: nox@jelal.kn-bremen.de (Juergen Lock)
Date: Sat, 19 Feb 2000 12:03:28 +1100 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
In-Reply-To: <20000219003334.A1117@saturn.kn-bremen.de> from "Juergen Lock" at Feb 19, 2000 12:33:34 AM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

In some mail from Juergen Lock, sie said:
>
> Hi!
>
> Is there such a thing as in the subject? Something that lets me,
> say, put rules in groups, easily move around or clone groups, apply
> global changes to groups like search/replace addresses/netmasks?
> Sure I can hack something up with a bit of perl/whatever for my
> specific problem, but maybe there is something more general out
> there...
>
> I currently need something for ipfw but even if what you use only
> knows ipfilter (or something else?) I'd like to hear about it,
> I may happen to like it so much that I'd just add ipfw
> support... :) (as long as source is available, obviously.)
>
> I have seen `flc' that was linked on (I think) the ipfilter homepage
> but decided to ask here first as it seems no longer maintained and
> would need to be updated (it's from 1995!) to at least add all the
> ipfw features that are new since then. The idea to be able to
> generate rules for several different packet filters from the same
> input file certainly looked interesting though and it would seem a
> bit strange to assume that really no one uses it anymore...
> (or is there a successor maybe?)

I don't know if anyone else has done anything similar, I did it more as
a "proof of concept" thing and haven't really gone back to it since
then. Too many things to do and not enough time :)

Darren

From owner-freebsd-security Sat Feb 19 6:52: 3 2000
Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (Postfix) with ESMTP id 9937437BC5A; Sat, 19 Feb 2000 06:51:47 -0800 (PST) (envelope-from Alain.Thivillon@hsc.fr)
Received: by itesec.hsc.fr (Postfix) id 8BB3A10EAE; Sat, 19 Feb 2000 13:09:32 +0100 (CET)
Date: Sat, 19 Feb 2000 13:09:14 +0100
From: Alain Thivillon
To: Juergen Lock
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: `higer level' packet filter rules language/editor to ease maintainance?
Message-ID: <20000219130914.H720@yoko.hsc.fr>
References: <20000219003334.A1117@saturn.kn-bremen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.1.3i
In-Reply-To: <20000219003334.A1117@saturn.kn-bremen.de>; from nox@jelal.kn-bremen.de on Sat, Feb 19, 2000 at 12:33:34AM +0100
X-Organization: Herve Schauer Consultants

Juergen Lock wrote:
> Hi!
>
> Is there such a thing as in the subject? Something that lets me,
> say, put rules in groups, easily move around or clone groups, apply
> global changes to groups like search/replace addresses/netmasks?
> Sure I can hack something up with a bit of perl/whatever for my
> specific problem, but maybe there is something more general out
> there...

See Net Partitioner: http://www.solsoft.com/

It generates ACLs for Cisco, ipfw, ipf, ipchains, NetSentry, ACC, from an
ASCII high-level language (can be written using a nice Java interface).
But it's not free..

-- 
Alain Thivillon -+- Alain.Thivillon@hsc.fr -+- Hervé Schauer Consultants

From owner-freebsd-security Sat Feb 19 9: 2: 1 2000
Received: from relay.rtsnet.ru (bravo.rtsnet.ru [194.247.132.8]) by hub.freebsd.org (Postfix) with ESMTP id 4C5D637BCCA for ; Sat, 19 Feb 2000 09:01:56 -0800 (PST) (envelope-from igor@rtsnet.ru)
Received: from shogun.rtsnet.ru (shogun.rtsnet.ru [172.16.4.32]) by relay.rtsnet.ru (Postfix) with ESMTP id 6F6B5198C03 for ; Sat, 19 Feb 2000 20:01:48 +0300 (MSK)
Received: (from igor@localhost) by shogun.rtsnet.ru (8.9.3/8.9.3/Zynaps) id UAA00624; Sat, 19 Feb 2000 20:01:42 +0300 (MSK)
Date: Sat, 19 Feb 2000 20:01:42 +0300
From: Igor Vinokurov
To: freebsd-security@freebsd.org
Subject: pw && umask
Message-ID: <20000219200142.A605@shogun.rtsnet.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i

Hello.

We use pw for automatic registration of new users in the system.
For security reasons we use 072 as umask for all users. Unfortunately,
pw creates a user home directory with the umask which was for the one
who has started pw.

How to solve this problem?

Maybe it is necessary to add umask support? It could be based on the
umask indicated in the login class (which is passed to pw by the -L
option).

-- 
Igor Vinokurov

From owner-freebsd-security Sat Feb 19 9:31:13 2000
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 013C137BC8D for ; Sat, 19 Feb 2000 09:31:09 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.13 #1) id 12MDib-000NYx-00; Sat, 19 Feb 2000 19:30:57 +0200
From: Sheldon Hearn
To: Igor Vinokurov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pw && umask
In-reply-to: Your message of "Sat, 19 Feb 2000 20:01:42 +0300." <20000219200142.A605@shogun.rtsnet.ru>
Date: Sat, 19 Feb 2000 19:30:57 +0200
Message-ID: <90578.950981457@axl.noc.iafrica.com>

On Sat, 19 Feb 2000 20:01:42 +0300, Igor Vinokurov wrote:

> We use pw for automatic registration of new users in the system.
> For security reasons we use 072 as umask for all users. Unfortunately,
> pw creates a user home directory with the umask which was for the one
> who has started pw.
>
> How to solve this problem?

How about setting the umask(2) before running pw(8) by using the umask(1)
builtin command of the shell? Both the csh(1) and sh(1) shells supplied
with FreeBSD provide a umask(1) builtin command.

Ciao,
Sheldon.

From owner-freebsd-security Sat Feb 19 9:39:56 2000
Received: from relay.rtsnet.ru (bravo.rtsnet.ru [194.247.132.8]) by hub.freebsd.org (Postfix) with ESMTP id 08B8137BC01 for ; Sat, 19 Feb 2000 09:39:51 -0800 (PST) (envelope-from igor@rtsnet.ru)
Received: from shogun.rtsnet.ru (shogun.rtsnet.ru [172.16.4.32]) by relay.rtsnet.ru (Postfix) with ESMTP id DAEBE198C03; Sat, 19 Feb 2000 20:39:52 +0300 (MSK)
Received: (from igor@localhost) by shogun.rtsnet.ru (8.9.3/8.9.3/Zynaps) id UAA00933; Sat, 19 Feb 2000 20:39:50 +0300 (MSK)
Date: Sat, 19 Feb 2000 20:39:50 +0300
From: Igor Vinokurov
To: Sheldon Hearn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pw && umask
Message-ID: <20000219203950.A884@shogun.rtsnet.ru>
References: <20000219200142.A605@shogun.rtsnet.ru> <90578.950981457@axl.noc.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <90578.950981457@axl.noc.iafrica.com>; from Sheldon Hearn on Sat, Feb 19, 2000 at 07:30:57PM +0200

On Sat, Feb 19, 2000 at 19:30 +0200, Sheldon Hearn wrote:
>
> On Sat, 19 Feb 2000 20:01:42 +0300, Igor Vinokurov wrote:
>
> > We use pw for automatic registration of new users in the system.
> > For security reasons we use 072 as umask for all users. Unfortunately,
> > pw creates a user home directory with the umask which was for the one
> > who has started pw.
> >
> > How to solve this problem?
>
> How about setting the umask(2) before running pw(8) by using the umask(1)
> builtin command of the shell? Both the csh(1) and sh(1) shells supplied
> with FreeBSD provide a umask(1) builtin command.

I have tried this way before asking :)

[shell:~]:1015# umask 072
[shell:~]:1016# pw user add -n test -m
[shell:~]:1017# ls -lad ~test
drwxr-xr-x  3 test  user  512 Feb 19 20:34 /usr/home/test
[shell:~]:1018# umask 072
[shell:~]:1019#

As you can see, the mode of the new directory is 0755; it should be 0705.

-- 
Igor Vinokurov

From owner-freebsd-security Sat Feb 19 10: 3:23 2000
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 4B53837BC1A for ; Sat, 19 Feb 2000 10:03:18 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.13 #1) id 12MEDg-000Nnm-00; Sat, 19 Feb 2000 20:03:04 +0200
From: Sheldon Hearn
To: Igor Vinokurov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pw && umask
In-reply-to: Your message of "Sat, 19 Feb 2000 20:39:50 +0300." <20000219203950.A884@shogun.rtsnet.ru>
Date: Sat, 19 Feb 2000 20:03:04 +0200
Message-ID: <91497.950983384@axl.noc.iafrica.com>

On Sat, 19 Feb 2000 20:39:50 +0300, Igor Vinokurov wrote:

> I have tried this way before asking :)

Your proof indicates that pw ignores the umask(2). Unfortunately, I got
confused by what you said originally:

> > > Unfortunately, pw creates a user home directory with the umask
> > > which was for the one who has started pw.

Given that what you said originally isn't true, you're probably better
off teaching whatever script calls pw to chmod the directories
afterwards.

Ciao,
Sheldon.

From owner-freebsd-security Sat Feb 19 10:19: 3 2000
Received: from relay.rtsnet.ru (bravo.rtsnet.ru [194.247.132.8]) by hub.freebsd.org (Postfix) with ESMTP id 0E17137BC10 for ; Sat, 19 Feb 2000 10:18:55 -0800 (PST) (envelope-from igor@rtsnet.ru)
Received: from shogun.rtsnet.ru (shogun.rtsnet.ru [172.16.4.32]) by relay.rtsnet.ru (Postfix) with ESMTP id 234F5198C03; Sat, 19 Feb 2000 21:18:54 +0300 (MSK)
Received: (from igor@localhost) by shogun.rtsnet.ru (8.9.3/8.9.3/Zynaps) id VAA01241; Sat, 19 Feb 2000 21:18:52 +0300 (MSK)
Date: Sat, 19 Feb 2000 21:18:52 +0300
From: Igor Vinokurov
To: Sheldon Hearn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pw && umask
Message-ID: <20000219211852.A1201@shogun.rtsnet.ru>
References: <20000219203950.A884@shogun.rtsnet.ru> <91497.950983384@axl.noc.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <91497.950983384@axl.noc.iafrica.com>; from Sheldon Hearn on Sat, Feb 19, 2000 at 08:03:04PM +0200

On Sat, Feb 19, 2000 at 20:03 +0200, Sheldon Hearn wrote:

> Given that what you said originally isn't true, you're probably
> better off teaching whatever script calls pw to chmod the directories
> afterwards.

It is easy to guess the necessity of updating the script, but I want to
find a beautiful solution ;)

> > > > Maybe it is necessary to add umask support?
> > > >
> > > > It could be based on the umask indicated in the login
> > > > class (which is passed to pw by the -L option).

But thank you anyway.

-- 
Igor Vinokurov

From owner-freebsd-security Sat Feb 19 15: 1:48 2000
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 4324B37BC8A; Sat, 19 Feb 2000 15:01:47 -0800 (PST) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA83017; Sat, 19 Feb 2000 15:01:46 -0800 (PST) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sat, 19 Feb 2000 15:01:46 -0800 (PST)
From: Kris Kennaway
To: Igor Vinokurov
Cc: freebsd-security@freebsd.org
Subject: Re: pw && umask
In-Reply-To: <20000219200142.A605@shogun.rtsnet.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 19 Feb 2000, Igor Vinokurov wrote:

> May be it is necessary to add support umask?

This should be a trivial amount of hacking (i.e. add another option to
specify the umask and then use it instead of the hardcoded 0755). Anyone
up for it?

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson

From owner-freebsd-security Sat Feb 19 16:10: 7 2000
Received: from duval.se.mediaone.net (duval.se.mediaone.net [24.129.0.67]) by hub.freebsd.org (Postfix) with ESMTP id 940B237BC1D for ; Sat, 19 Feb 2000 16:10:01 -0800 (PST) (envelope-from unixwiz@mediaone.net)
Received: from [172.16.1.3] (surf108-50-149.jacksonville.net [24.129.50.149]) by duval.se.mediaone.net (8.8.7/8.8.7) with ESMTP id TAA24866 for ; Sat, 19 Feb 2000 19:09:59 -0500 (EST)
Message-Id: <200002200009.TAA24866@duval.se.mediaone.net>
X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410)
Date: Sat, 19 Feb 2000 19:04:46 -0500
Subject: Controlled Network Access
From: "Tom Marchand"
To: freebsd-security@freebsd.org
Mime-version: 1.0
X-Priority: 3
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit

I would like to control which users can access tcpip utilities (ftp,
telnet, etc) by using groups. I realize that this can be accomplished via
the proper file permissions on each utility. This works but it will not
prevent somebody from compiling their own ftp, telnet etc. My thought was
to perform the authorization at the socket level. This would entail
modification of the kernel to only allow root or a member of the tcpip
group to open a socket. Does anybody know if this has been done or if it
would even work? I originally had this requirement at work to lock down
external vendors. Since we are an AIX shop it was quite easy. On AIX you
must be a member of the system group to access network utilities.

-- 
Think Different! Think Apple!!
(YES I DO use macs on the desktop and FreeBSD on the servers!)

From owner-freebsd-security Sat Feb 19 16:15:52 2000
Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id E4D9837BC87 for ; Sat, 19 Feb 2000 16:15:44 -0800 (PST) (envelope-from cdf.lists@fxp.org)
Received: by pawn.primelocation.net (Postfix, from userid 1016) id B2F7E9B17; Sat, 19 Feb 2000 19:15:43 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by pawn.primelocation.net (Postfix) with ESMTP id A6745BA1D; Sat, 19 Feb 2000 19:15:43 -0500 (EST)
Date: Sat, 19 Feb 2000 19:15:43 -0500 (EST)
From: "Chris D. Faulhaber"
X-Sender: cdf.lists@pawn.primelocation.net
To: Tom Marchand
Cc: freebsd-security@freebsd.org
Subject: Re: Controlled Network Access
In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 19 Feb 2000, Tom Marchand wrote:

> I would like to control which users can access tcpip utilities (ftp, telnet,
> etc) by using groups. I realize that this can be accomplished via the
> proper file permissions on each utility. This works but it will not prevent
> somebody from compiling their own ftp, telnet etc. My thought was to
> perform the authorization at the socket level. This would entail
> modification of the kernel to only allow root or a member of the tcpip group
> to open a socket. Does anybody know if this has been done or if it would
> even work? I originally had this requirement at work to lock down external
> vendors. Since we are an AIX shop it was quite easy. On AIX you must be a
> member of the system group to access network utilities.
>

Although not at the socket() level, you may want to look into uid/gid
filtering via ipfw.

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Sat Feb 19 18:21:35 2000
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 60BAB37BDD0; Sat, 19 Feb 2000 18:21:31 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id VAA55032; Sat, 19 Feb 2000 21:22:29 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Sat, 19 Feb 2000 21:22:29 -0500 (EST)
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Brian Fundakowski Feldman Cc: freebsd-security@FreeBSD.org Subject: Re: ssh client options In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 19 Feb 2000, Brian Fundakowski Feldman wrote: > On Sat, 19 Feb 2000, Robert Watson wrote: > > > Before we cut 4.0, could we please change the ssh_config default options > > from CheckHostIP yes to CheckHostIP no? I work in an environment with > > dynamic IP addresses and DNS, and this option makes a big mess of things. > > The key used by SSH should be the key asked for by the user, and found in > > the keys file (or other key discovery system, such as DNSsec, etc). > > Right now, if two hosts swap IP addresses (perfectly legitimate) then > > incorrect security warnings will be displayed. It should not be up to the > > client/user to track IP address accuracy, especially with the advent of > > IPv6. This is why we have DNS! > > This part needs to be brought up on freebsd-security. We're but two people, > and undoubtedly there are more factors here than either of us sees alone > or combined. I'm not passing the buck, tho :) Ok, I've CC'd -security in the hopes that people will comment yay/nay on the following change: Right now OpenSSH defaults to having ``CheckIP yes'' in ssh_config. The result is that every time a user connects to a host, it stamps that host IP in the user's keyfile. If the host changes IP addresses, such as in a dynamic key environment, and a new host takes up this IP, you'll get spurious security warnings. Dynamic IP addresses and DNS are only going to become more common (they are already quite common) and this is an anti-feature. > > And while we're stomping incorrect security features--why is X11 > > forwarding turned off in the server by default? 
> > The server risks nothing,
> > it's the client who accepts risk by using X11 forwarding, and so it should
> > be the client's policy to disable X11 if we're to gain security through
> > this. If we must disable X11 by default, it should be disabled in the
> > client, and enabled using ``-x'' or a config file option.
>
> Warner Losh will tell you more about that. Basically, it's a security
> hole on either side. If everything's our OpenSSH, it's not open at all
> by default; if we don't have X11 disabled in the server, it's open in
> the client and server both, but if we have it disabled in the client,
> it's open in the server, but that's only half of it...

I see a clear risk in the client connecting to an untrusted server: it results in yielding access to your display by default, for screen captures, keyboard captures, remote key insertion, etc. Could you further document the risk to the server?

> > Also, would it be possible to change the OpenSSH port so that it installed
> > ssh_config.dist and sshd_config.dist instead? Right now, despite the
> > anti-tromping efforts, my config files seem to get squished during an
> > upgrade (delete followed by install). Apache uses this technique to make
> > upgrades far easier (and safer).
>
> The best way to anti-tromp something is to add the schg flag to it, or
> possibly just uchg. I suppose I'll add something which checks if the
> install(1) fails because of schg/uchg and copies to a .dist.

Encouraging the use of schg as an option to prevent new ports from squashing config files seems to me to be an abuse of file flags. If you already have all the settings in ssh_config and sshd_config as the defaults, installing to the .dist names makes sense in all situations. When an admin wants to change a setting, they copy the .dist file to the normal filename, or just rename the .dist filename. In this manner, pkg_delete never zaps custom config files, pkg_add never squishes them, etc.
Admins are also explicitly aware of when they move away from a default setting, etc. I've found this behavior in Apache (and others) to be extremely useful. It also means that even with a safe port/package install, you have easy access to the new distributed config files so you can merge changes easily.

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Sat Feb 19 18:51:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from erouter0.it-datacntr.louisville.edu (erouter0.it-datacntr.louisville.edu [136.165.1.36]) by hub.freebsd.org (Postfix) with ESMTP id 3A8B037BDF5; Sat, 19 Feb 2000 18:51:11 -0800 (PST) (envelope-from k.stevenson@louisville.edu)
Received: from osaka.louisville.edu (osaka.louisville.edu [136.165.1.114]) by erouter0.it-datacntr.louisville.edu (Postfix) with ESMTP id 6D9E324D15; Sat, 19 Feb 2000 21:51:10 -0500 (EST)
Received: by osaka.louisville.edu (Postfix, from userid 15) id 96E0B18605; Sat, 19 Feb 2000 21:51:09 -0500 (EST)
Date: Sat, 19 Feb 2000 21:51:09 -0500
From: Keith Stevenson To: Kris Kennaway Cc: Igor Vinokurov , freebsd-security@freebsd.org Subject: Re: pw && umask Message-ID: <20000219215109.A46191@osaka.louisville.edu> References: <20000219200142.A605@shogun.rtsnet.ru> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="uAKRQypu60I7Lcqm" X-Mailer: Mutt 1.0pre3i In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --uAKRQypu60I7Lcqm Content-Type: text/plain; charset=us-ascii On Sat, Feb 19, 2000 at 03:01:46PM -0800, Kris Kennaway wrote: > On Sat, 19 Feb 2000, Igor Vinokurov wrote: > > > May be it is necessary to add support umask? > > This should be a trivial amount of hacking (i.e. add another option to > specify the umask and then use it instead of the hardcoded 0755). Anyone > up for it? Patch attached. I used -U as the umask option and tried to follow the style of the original code as closely as possible. It's a bit, um, interesting. Umask code stolen from /bin/sh. Patch has been moderately tested. Regards, --Keith Stevenson-- -- Keith Stevenson System Programmer - Data Center Services - University of Louisville k.stevenson@louisville.edu PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0 --uAKRQypu60I7Lcqm Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="pw.patch" Index: pw.8 =================================================================== RCS file: /opt/ncvs/src/usr.sbin/pw/pw.8,v retrieving revision 1.17 diff -u -r1.17 pw.8 --- pw.8 1999/08/28 01:19:18 1.17 +++ pw.8 2000/02/20 02:41:11 @@ -41,6 +41,7 @@ .Op Fl u Ar uid .Op Fl c Ar comment .Op Fl d Ar dir +.Op Fl U Ar umask .Op Fl e Ar date .Op Fl p Ar date .Op Fl g Ar group 
@@ -346,6 +347,8 @@ - normally .Pa /home with the account name as a subdirectory. +.It Fl U Ar umask +Set the umask to be used when creating the account's home directory and skeleton files. Default is parent process umask. .It Fl e Ar date Set the account's expiration date. Format of the date is either a UNIX time in decimal, or a date in Index: pw.c =================================================================== RCS file: /opt/ncvs/src/usr.sbin/pw/pw.c,v retrieving revision 1.18 diff -u -r1.18 pw.c --- pw.c 2000/01/15 00:20:20 1.18 +++ pw.c 2000/02/20 02:41:12 @@ -29,6 +29,7 @@ "$FreeBSD: src/usr.sbin/pw/pw.c,v 1.18 2000/01/15 00:20:20 davidn Exp $"; #endif /* not lint */ +#include #include #include #include @@ -89,6 +90,8 @@ static struct cargs arglist; +static int mask; + static int getindex(const char *words[], const char *word); static void cmdhelp(int mode, int which); @@ -105,13 +108,13 @@ static const char *opts[W_NUM][M_NUM] = { { /* user */ - "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y", - "V:C:qn:u:rY", - "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY", - "V:C:qn:u:FPa7", - "V:C:q", - "V:C:q", - "V:C:q" + "V:C:U:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y", + "V:C:U:qn:u:rY", + "V:C:U:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY", + "V:C:U:qn:u:FPa7", + "V:C:U:q", + "V:C:U:q", + "V:C:U:q" }, { /* grp */ "V:C:qn:g:h:M:pNPY", @@ -128,7 +131,6 @@ pw_group }; - umask(0); /* We wish to handle this manually */ LIST_INIT(&arglist); /* 
@@ -221,6 +223,30 @@ setgrdir(etcpath); } } + + /* + * Set the umask if specified on the command line + */ + + if (getarg(&arglist, 'U') != NULL) { + char * um = getarg(&arglist, 'U')-> val; + if (um != NULL) { + if (isdigit(*um)) { + mask = 0; + do { + if (*um >= '8' || *um < '0') { + fprintf(stderr, "Illegal umask: %s\n", um); + exit(EX_USAGE); + } + mask = (mask << 3) + (*um - '0'); + } while (*++um != '\0'); + umask(mask); + } else { + fprintf(stderr, "Illegal umask: %s\n", um); + exit(EX_USAGE); + } + } + } /* * Now, let's do the common initialisation @@ -301,6 +327,7 @@ "\t-u uid user id\n" "\t-c comment user name/comment\n" "\t-d directory home directory\n" + "\t-U umask Directory/file creation mask\n" "\t-e date account expiry date\n" "\t-p date password expiry date\n" "\t-g grp initial group\n" Index: pw_user.c =================================================================== RCS file: /opt/ncvs/src/usr.sbin/pw/pw_user.c,v retrieving revision 1.34 diff -u -r1.34 pw_user.c --- pw_user.c 2000/01/15 00:20:21 1.34 +++ pw_user.c 2000/02/20 02:41:16 @@ -179,7 +179,7 @@ if (strchr(cnf->home+1, '/') == NULL) { strcpy(dbuf, "/usr"); strncat(dbuf, cnf->home, MAXPATHLEN-5); - if (mkdir(dbuf, 0755) != -1 || errno == EEXIST) { + if (mkdir(dbuf, 0777) != -1 || errno == EEXIST) { chown(dbuf, 0, 0); symlink(dbuf, cnf->home); } @@ -191,7 +191,7 @@ while ((p = strchr(++p, '/')) != NULL) { *p = '\0'; if (stat(dbuf, &st) == -1) { - if (mkdir(dbuf, 0755) == -1) + if (mkdir(dbuf, 0777) == -1) goto direrr; chown(dbuf, 0, 0); } else if (!S_ISDIR(st.st_mode)) @@ -200,7 +200,7 @@ } } if (stat(dbuf, &st) == -1) { - if (mkdir(dbuf, 0755) == -1) { + if (mkdir(dbuf, 0777) == -1) { direrr: err(EX_OSFILE, "mkdir '%s'", dbuf); } chown(dbuf, 0, 0); 
@@ -734,7 +734,7 @@ * existing files will *not* be overwritten. */ if (!PWALTDIR() && getarg(args, 'm') != NULL && pwd->pw_dir && *pwd->pw_dir == '/' && pwd->pw_dir[1]) { - copymkdir(pwd->pw_dir, cnf->dotdir, 0755, pwd->pw_uid, pwd->pw_gid); + copymkdir(pwd->pw_dir, cnf->dotdir, 0777, pwd->pw_uid, pwd->pw_gid); pw_log(cnf, mode, W_USER, "%s(%ld) home %s made", pwd->pw_name, (long) pwd->pw_uid, pwd->pw_dir); } --uAKRQypu60I7Lcqm-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 19 22:42:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 5426437BE84; Sat, 19 Feb 2000 22:42:28 -0800 (PST) (envelope-from security-officer@freebsd.org) Received: (from kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id WAA10401; Sat, 19 Feb 2000 22:42:28 -0800 (PST) (envelope-from security-officer@freebsd.org) Date: Sat, 19 Feb 2000 22:42:28 -0800 (PST) Message-Id: <200002200642.WAA10401@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-officer@freebsd.org using -f From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:03.asmon Reply-To: security-officer@freebsd.org 
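Review bot: In the `@@ -221,6 +223,30 @@` hunk of pw.c the octal parse has no length or range check: `mask = (mask << 3) + (*um - '0')` runs once per character, so a long digit string silently overflows `int`, and a value such as `1777` passes the per-digit test and is handed to `umask()` although only the low nine bits are meaningful. Replace the loop with `strtol(um, &ep, 8)`, reject when `*ep != '\0'` or the result lies outside `0..0777`, and store it in a `mode_t`; that also removes the redundant leading `isdigit(*um)` test (every character is already checked against `'0'..'7'`) and folds the two identical `"Illegal umask: %s\n"` error paths into one.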
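Review bot: The three `mkdir(dbuf, 0777)` hunks in pw_user.c and the `copymkdir(..., 0777, ...)` hunk, together with the removal of `umask(0); /* We wish to handle this manually */` in pw.c, make the mode of `/usr/home`, of every intermediate path component and of the home directory itself depend on the invoking administrator's umask whenever `-U` is not given (the pw.8 hunk documents exactly that: "Default is parent process umask"). The old code guaranteed 0755 regardless of environment; a root shell with umask 000 or 002 now creates group- or world-writable home directory trees, and a world-writable root-owned `/usr/home` is a regression. Initialise `mask` to 022 and call `umask(mask)` unconditionally, or keep the old `umask(0)` and pass `0777 & ~mask` to `mkdir()`/`copymkdir()`, so the pre-patch behaviour is preserved when the option is absent.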
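Review bot: In the `@@ -89,6 +90,8 @@` hunk `static int mask;` is a file-scope variable that is only read and written inside the `-U` block of the `@@ -221,6 +223,30 @@` hunk; make it a local there, typed `mode_t` since that is what `umask(2)` takes and returns, rather than an `int` visible to the whole file.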
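Review bot: In the `@@ -105,13 +108,13 @@` hunk `U:` is added to the option string of every user sub-command, including the three `"V:C:U:q"` entries and the `"V:C:U:qn:u:rY"` (delete) and `"V:C:U:qn:u:FPa7"` (show) entries, where nothing is created and the option is accepted and silently ignored. Add `U:` only to the two strings that carry the `m` and `k:` home-directory options, or state in pw.8 that it has no effect in the other modes.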
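Review bot: In the `@@ -346,6 +347,8 @@` pw.8 hunk the added description runs two sentences on one line; mdoc style is one sentence per line, so break after "skeleton files." The text should also say the value is octal, since the parser in pw.c only accepts the digits 0 to 7.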
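Review bot: In the `@@ -29,6 +29,7 @@` hunk of pw.c the added `#include` line names no header as posted; if it is there to supply `isdigit(3)` for the new `-U` parser it should read `#include <ctype.h>`. In the `@@ -301,6 +327,7 @@` usage hunk, "Directory/file creation mask" is capitalised while the neighbouring entries ("user name/comment", "home directory") are not.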
From: FreeBSD Security Officer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:03 Security Advisory FreeBSD, Inc. Topic: Asmon/Ascpu ports fail to drop privileges Category: ports Module: asmon/ascpu Announced: 2000-02-19 Affects: Ports collection before the correction date. Corrected: 2000-01-29 FreeBSD only: yes I. Background Two optional third-party ports distributed with FreeBSD can be used to execute commands with elevated privileges, specifically setgid kmem privileges. This may lead to a local root compromise. II. Problem Description Asmon and ascpu allow users to execute arbitrary commands as part of a user configuration file. Both applications are Linux-centric as distributed by the vendor and require patching to run under FreeBSD (specifically, using the kvm interface and setgid kmem privileges to obtain system statistics); this patching was the source of the present security problem. This is a similar flaw to one found in the wmmon port, which was corrected on 1999/12/31. Note that neither utility is installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact If you have not chosen to install the asmon or ascpu ports/packages, then your system is not vulnerable. If you have, then local users can obtain setgid kmem rights, which allows them to manipulate kernel memory, and thereby compromise root. IV. Workaround Remove the asmon and ascpu ports/packages, if you have installed them. V. 
Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the asmon and/or ascpu ports.

2) Reinstall a new package obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/asmon-0.60.tgz
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/ascpu-1.8.tgz

after the correction date. At the time of advisory release, the asmon package was not available - you may need to use one of the other methods to update the software.

3) download a new port skeleton for the asmon and/or ascpu ports from:

http://www.freebsd.org/ports/

and use it to rebuild one or both ports.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz

From owner-freebsd-security Sat Feb 19 22:45:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 1FF6437BDF9; Sat, 19 Feb 2000 22:45:46 -0800 (PST) (envelope-from security-officer@freebsd.org)
Received: (from kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id WAA10607; Sat, 19 Feb 2000 22:45:45 -0800 (PST) (envelope-from security-officer@freebsd.org)
Date: Sat, 19 Feb 2000 22:45:45 -0800 (PST)
Message-Id: <200002200645.WAA10607@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-officer@freebsd.org using -f
From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:04.delegate Reply-To: security-officer@freebsd.org 
From: FreeBSD Security Officer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:04 Security Advisory FreeBSD, Inc. Topic: Delegate port contains numerous buffer overflows Category: ports Module: delegate Announced: 2000-02-19 Affects: Ports collection before the correction date. Corrected: 2000-02-02 FreeBSD only: NO I. Background An optional third-party port distributed with FreeBSD contains numerous remotely-exploitable buffer overflows which allow an attacker to execute arbitrary commands on the local system, typically as the 'nobody' user. II. Problem Description Delegate is a versatile application-level proxy. Unfortunately it is written in a very insecure style, with potentially dozens of different exploitable buffer overflows (including several demonstrated ones), each of which could allow an attacker to execute arbitrary code on the delegate server. This code will run as the user ID of the 'delegated' process, typically 'nobody' in the recommended configuration, but this still represents a security risk as the attacker may be able to mount a local attack to further upgrade his or her access privileges. Note that the delegate utility is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact If you have not chosen to install the delegate port/package, then your system is not vulnerable. 
If you have, then local or remote users who can connect to the delegate port(s), or malicious servers which a user accesses using the delegate proxy, can potentially execute arbitrary code on your system in any number of ways. IV. Workaround Remove the delegate port/package, if you have installed it. V. Solution Unfortunately no simple fix is available - the problems with the delegate software are too endemic to be fixed by a simple patch. It is hoped the software authors will take security to heart and correct the security problems in a future version, although user caution is advised given the current state of the code. Depending on your local setup and your security threat model, using a firewall/packet filter such as ipfw(8) or ipf(8) to prevent remote users from connecting to the delegate port(s) may be enough to meet your security needs. Note that this will not prevent legitimate proxy users from attacking the delegate server, although this may not be an issue if they have a shell account on the machine anyway. Note also that this does not prevent "passive" exploits in which a user is convinced through other means into visiting a malicious server using the proxy, which may be able to compromise it by sending back invalid data. Several flaws of this type have been discovered during a brief survey of the code. If you are running FreeBSD 4.0, a possible solution might be to confine the delegate process inside a "jail" (see the jail(8) manpage). A properly configured jail will isolate the contents in their own separate "virtual machine", which can be suitably secured so that an attacker who gains control of a process running inside the jail cannot escape and gain access to the rest of the machine. Note that this is different from a traditional chroot(8), since it does not just attempt to isolate processes inside portions of the filesystem. This solution is not possible under standard FreeBSD 3.x or earlier. 
From owner-freebsd-security Sat Feb 19 23:40:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 7B76537BD80 for ; Sat, 19 Feb 2000 23:40:55 -0800 (PST) (envelope-from andre@toaster.sun4c.net)
Received: (from andre@localhost) by toaster.sun4c.net (8.9.3+openldap/8.9.3) id XAA05897; Sat, 19 Feb 2000 23:46:34 -0800 (PST)
Date: Sat, 19 Feb 2000 23:46:34 -0800
From: Andre Gironda
To: Tom Marchand
Cc: freebsd-security@freebsd.org
Subject: Re: Controlled Network Access
Message-ID: <20000219234633.G3647@toaster.sun4c.net>
References: <200002200009.TAA24866@duval.se.mediaone.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net>; from Tom Marchand on Sat, Feb 19, 2000 at 07:04:46PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This was implemented on upt.org and similar source code was made available in various issues of Phrack magazine (for say, Linux and OpenBSD). Access control at the socket layer is a great idea and when combined with techniques like TPE (trusted path execution) and access control or monitoring of system calls, and finally sandbox (i.e. chrooted) environments, one can create a very secure userland environment.

dre
--
This program has been brought to you by the language C and the number F.

On Sat, Feb 19, 2000 at 07:04:46PM -0500, Tom Marchand wrote:
> I would like to control which users can access tcpip utilities (ftp, telnet,
> etc) by using groups. I realize that this can be accomplished via the
> proper file permissions on each utility. This works but it will not prevent
> somebody from compiling their own ftp, telnet etc. My thought was to
> perform the authorization at the socket level. This would entail
> modification of the kernel to only allow root or a member of the tcpip group
> to open a socket. Does anybody know if this has been done or if it would
> even work? I originally had this requirement at work to lock down external
> vendors. Since we are an AIX shop it was quite easy. On AIX you must be a
> member of the system group to access network utilities.
>
> --
> Think Different!
> Think Apple!!
> (YES I DO use macs on the desktop and FreeBSD on the servers!)