From: Andrea Brancatelli <abrancatelli@schema31.it>
To: freebsd-stable@freebsd.org
Date: Thu, 14 Jan 2016 12:40:05 +0100
Subject: Insecure default bsnmpd.conf permissions (CVE-2015-5677)
Organization: Schema31 s.r.l.
Message-ID: <2610214c27a073ba95d275f46e40dda6@schema31.it>

Hello everybody.

I just read the above security advisory. In the solution it says:

"This vulnerability can be fixed by modifying the permission on
/etc/bsnmpd.conf to owner root:wheel and permission 0600."

I guess it's a typo and the correct filename is /etc/snmpd.config, right?

There's no /etc/bsnmpd.conf in the default config...

Thanks.

-- 
Andrea Brancatelli
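The advisory fix quoted in Andrea's message (owner root:wheel, mode 0600) is easy to verify on a host whichever file name turns out to be the right one. The script below is an added example and is not part of the advisory, the thread, or FreeBSD itself; it takes the path to check as an argument (run it against /etc/snmpd.config, the file Andrea points at), accepts optional numeric uid/gid so it can be tested without root, and relies only on POSIX ls(1), so it behaves the same on FreeBSD and Linux (gid 0 is "wheel" on FreeBSD and "root" on Linux, which is why numeric ids are used).

```shell
#!/bin/sh
# Added example (not from the advisory or the thread): verify that a
# configuration file holding secrets, such as the bsnmpd configuration,
# is owned by root:wheel and carries no group/other permission bits,
# i.e. the 0600 mode the advisory prescribes.

# check_private_file FILE [UID] [GID]
# Prints one diagnostic per problem and returns 0 only when FILE is owned
# by UID:GID (default 0:0, i.e. root:wheel on FreeBSD) and nobody but the
# owner can read or write it. Returns 2 when FILE does not exist.
check_private_file() {
    file=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    rc=0

    if [ ! -e "$file" ]; then
        echo "$file: missing"
        return 2
    fi

    # ls -ldn: long format, do not follow symlinks, numeric owner/group.
    # Fields: mode links uid gid size ... name
    set -- $(ls -ldn "$file")
    mode=$1
    uid=$3
    gid=$4

    [ "$uid" = "$want_uid" ] || { echo "$file: owner is uid $uid, expected $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "$file: group is gid $gid, expected $want_gid"; rc=1; }

    # Characters 5-10 of the mode string are the group and other bits
    # (rwxrwx); anything other than '-' there means the file is exposed.
    case $(printf '%s' "$mode" | cut -c5-10) in
        *[!-]*) echo "$file: mode $mode grants access to group/other, expected 0600"; rc=1 ;;
    esac
    return $rc
}

# harden_private_file FILE: apply the advisory's fix (needs root for chown).
harden_private_file() {
    chown 0:0 "$1" && chmod 0600 "$1"
}

# Usage: sh check_private.sh /etc/snmpd.config
if [ -n "$1" ]; then
    check_private_file "$@" && echo "$1: OK"
fi
```

The check deliberately does not follow symlinks (ls -d) so a link planted at the configuration path is examined as a link, not as its target, and it reports every problem it finds rather than stopping at the first one, which is what you want when the same check runs over several files from a cron job.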
From: Mark Martinec <Mark.Martinec+freebsd@ijs.si>
To: freebsd-stable@freebsd.org
Date: Thu, 14 Jan 2016 16:42:36 +0100
Subject: Re: A recent 10.2-STABLE no longer builds on a no-exec /usr/src file system
Organization: Jozef Stefan Institute
In-Reply-To: <484e5e28706f1d717bcd02542e7ba306@mailbox.ijs.si>
References: <636a770981c5655f3cc45f2c6aee6474@mailbox.ijs.si> <56575324.9070400@quip.cz> <484e5e28706f1d717bcd02542e7ba306@mailbox.ijs.si>

Prompted by recent security advisories I did a 'make buildworld' on a
fresh svn checkout, only to find out that it seems the 'exec' mount flag
on /usr/src is still required for a successful build. This wasn't so for
10.2, and I hope it won't become a requirement in 10.3 - or at least it
should be clearly documented in release notes.

  Mark

On 2015-12-07 16:35, Mark Martinec wrote:
> So, is this a new state of affairs that /usr/src file system
> needs to be mounted exec in order for buildworld to succeed,
> or is this an unintended change and I should file a bug report?
>
>   Mark
>
>
> On 2015-11-26 19:44, Miroslav Lachman wrote:
>> Mark Martinec wrote on 11/26/2015 19:31:
>>> Up to about a week ago building world on FreeBSD 10.2-STABLE went
>>> just fine. Today after svn update the build fails:
>>>
>>>
>>> # make buildworld
>>> [...]
>>>
>>> CC='cc ' mkdep -f .depend.getprotoent_test -a
>>> -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd
>>> -I/usr/src/contrib/netbsd-tests -std=gnu99
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
>>> echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a
>>> /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >>
>>> .depend.getprotoent_test
>>> (cd /usr/src/lib/libc/tests/net && make -f
>>> /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS= SUBDIR=
>>> PROG=ether_aton_test DEPENDFILE=.depend.ether_aton_test
>>> .MAKE.DEPENDFILE=.depend.ether_aton_test depend)
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>> /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
>>> make[7]:
>>> exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr)
>>> failed (Permission denied)
>>> *** Error code 1
>>>
>>> Stop.
>>> make[7]: stopped in /usr/src/lib/libc/tests/net
>>> *** Error code 1
>>>
>>>
>>> It turns out that our file system /usr/src had an "exec" flag
>>> turned off, so now running a command:
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>> fails with "Permission denied".
>>>
>>> It would be valuable if building a system on an exec-protected
>>> src file system would continue to be possible.
>>>
>>> Not sure if the
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>> is the only such new command breaking the build. Anyway, a simple
>>> workaround is to run shell from a command line instead of as a
>>> shebang, i.e.:
>>>
>>> # /bin/sh
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>
>>> instead of:
>>>
>>> # /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>
>> I was puzzled by a similar thing years ago. I was using /var/db and /tmp
>> mounted with noexec. And then there were some changes. Ports need
>> /var/db with exec because of some script in /var/db/pkg and /tmp must
>> have exec too for buildworld or installworld (I don't remember it
>> well, now I always do mount -u -o current,exec /tmp before build +
>> install world and kernel)
>>
>> Anyway - it would be better to not have these partitions mounted with
>> exec.
>>
>> Miroslav Lachman
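The failure above surfaces only once the build reaches a script it cannot exec, and Miroslav's habit of remounting /tmp before every build is a manual way of avoiding it. The script below is an added example, not something from the thread or from FreeBSD: it reads a mount(8)-style listing as text, finds the file system a given path lives on (longest matching mount point), and reports whether that file system is mounted noexec, so the condition can be checked before 'make buildworld' starts and without executing anything from the source tree. The mount table is passed in as a string so the functions can be exercised on the constructed sample below; on a live system feed them the output of mount(8). Both the FreeBSD format "/dev/ada0p3 on /usr/src (ufs, local, noexec)" and the Linux format "/dev/sda3 on /usr/src type ext4 (rw,noexec,relatime)" are handled, since the options are the parenthesised list in both.

```shell
#!/bin/sh
# Added example (not from the thread): tell whether a path sits on a
# file system mounted noexec, from a mount(8)-style listing, so a
# buildworld can be refused or the admin warned before it fails midway.

# Constructed sample resembling mount(8) output on a box with /usr/src
# and /tmp mounted noexec, plus one Linux-style line for comparison.
SAMPLE_MOUNTS='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, multilabel)
/dev/ada0p3 on /usr/src (ufs, local, noexec, nosuid)
/dev/ada0p4 on /usr/obj (ufs, local)
tmpfs on /tmp (tmpfs, local, noexec, nosuid)
/dev/sda3 on /mnt/linuxsrc type ext4 (rw,noexec,relatime)'

# mount_entry_for TABLE PATH: print "<mountpoint><TAB><options>" for the
# file system holding PATH, i.e. the longest mount point that is a prefix
# of PATH on a path-component boundary. Prints nothing if none matches.
# Assumes mount points contain no whitespace.
mount_entry_for() {
    printf '%s\n' "$1" | awk -v path="$2" '
        $2 == "on" {
            mp = $3
            # "/" covers everything; otherwise require "mp/" as a prefix so
            # that /usr/src does not claim /usr/srcx.
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                if (length(mp) > length(best)) {
                    best = mp
                    opts = $0
                    sub(/^[^(]*\(/, "", opts)   # drop everything up to "("
                    sub(/\).*$/, "", opts)      # and the closing ")" onwards
                }
            }
        }
        END { if (best != "") print best "\t" opts }'
}

mount_point_of() { mount_entry_for "$1" "$2" | cut -f1; }
mount_opts_for() { mount_entry_for "$1" "$2" | cut -f2; }

# is_noexec TABLE PATH: succeed when PATH is on a file system whose option
# list contains the noexec flag (spaces stripped so both formats compare).
is_noexec() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$(printf '%s' "$opts" | tr -d ' ')," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# prebuild_check TABLE PATH...: report every PATH whose file system is
# noexec, printing the remount Miroslav uses (never running it), and
# return 1 if any was found so a build wrapper can stop early.
prebuild_check() {
    table=$1
    shift
    bad=0
    for p in "$@"; do
        if is_noexec "$table" "$p"; then
            mp=$(mount_point_of "$table" "$p")
            echo "$p: on noexec file system $mp ($(mount_opts_for "$table" "$p"))"
            echo "    to build anyway: mount -u -o current,exec $mp"
            bad=1
        fi
    done
    return $bad
}

# Usage on a live system: prebuild_check "$(mount)" /usr/src /tmp
if [ -n "$1" ]; then
    prebuild_check "$(mount)" "$@" && echo "all given paths are exec"
fi
```

Checking the mount table rather than trying to run a script is the point: a probe that executes something from /usr/src would itself be the thing the noexec flag is there to prevent, while the table lookup is read-only and gives the same answer for /tmp, /var/db or any other path Miroslav mentions.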