On Sun, Feb 16, 2014 at 12:37:08AM +0100, Gilles Chehade wrote:
On Sat, Feb 15, 2014 at 09:26:35PM +0100, Frank Brodbeck wrote:
Hi,
On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
I would try using a full path.
pki example ca /etc/ssl/myca.pem
I already tried it
On Sun, Feb 16, 2014 at 10:44:39AM +0100, Remco wrote:
Frank Brodbeck wrote:
Hi,
On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
I would try using a full path.
pki example ca /etc/ssl/myca.pem
I already tried it with full path. But I got it working now by
On Thu, Feb 13, 2014 at 02:42:58PM +0100, Gilles Chehade wrote:
On Thu, Feb 13, 2014 at 02:09:53AM -0500, Ted Unangst wrote:
Correct me if I'm wrong, but there's no way to find out what parts of
smtpd (mda, mta) are paused? I can always run smtpctl pause mta
again to get an error message as
On Sat, Feb 15, 2014 at 09:26:35PM +0100, Frank Brodbeck wrote:
Hi,
On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
I would try using a full path.
pki example ca /etc/ssl/myca.pem
I already tried it with full path. But I got it working now by
specifying certificate and
Just thought of a funny way to promote some OpenBSD merchandise sales.
This is just for followers of the bitcoin roller coaster.
Tell me to get lost if it's too dumb an idea, or something too crass and
commercial, and so unrelated to OpenBSD core values, that I shouldn't ever
clutter up the
On 16. februar 2014 at 10:11 PM, Daniel Cegiełka wrote:
try this:
--- cat id0.c ---
int getuid(){return 0;}
int geteuid(){return 0;}
int getgid(){return 0;}
int getegid(){return 0;}
--- end cut ---
# shell (as normal user):
id -un
cc -shared id0.c -o id0
LD_PRELOAD=./id0 sh
id -un
What does
Hi all,
I have been battling with this issue for far too long, and I am at wits
end.
I have an OpenBSD 5.4 machine, with httpd serving pages successfully
over both HTTP and HTTPS (with a CaCert-issued certificate). I want to
serve multiple sites on both protocols (the certificate has AltNames
2014-02-17 13:15 GMT+01:00 openda...@hushmail.com:
On 16. februar 2014 at 10:11 PM, Daniel Cegiełka
daniel.cegie...@gmail.com wrote:
try this:
--- cat id0.c ---
int getuid(){return 0;}
int geteuid(){return 0;}
int getgid(){return 0;}
int getegid(){return 0;}
--- end cut ---
# shell
Good afternoon,
Firstly, thanks for your ongoing development and good work.
I have a question that I would like to pose to you, as I have not found
any satisfactory answer despite long research.
Background:
We use ssh keys to distribute code and run commands. These are
appropriately
On Sun, Feb 16, 2014 at 10:44:39AM +0100, Remco wrote:
From smtpd.conf(5) on OpenBSD 5.4:
(You seem to run CURRENT, which I didn't check, so things might be different
in your case)
Yes I do. Sorry, running -current comes so naturally to me that I didn't
think about mentioning it.
You seem
Em 17-02-2014 10:59, Daniel Cegiełka escreveu:
2014-02-17 13:15 GMT+01:00 openda...@hushmail.com:
On 16. februar 2014 at 10:11 PM, Daniel Cegiełka
daniel.cegie...@gmail.com wrote:
try this:
--- cat id0.c ---
int getuid(){return 0;}
int geteuid(){return 0;}
int getgid(){return 0;}
int
2014-02-17 15:49 GMT+01:00 Giancarlo Razzolini grazzol...@gmail.com:
Solution: static linking of critical binaries.
I hope that my explanation was helpful.
best regards,
Daniel
Static linking does solve the issue with this particular rootkit, but
won't help with kmod rootkits. The truth
I am not sure what point it is you are trying to make but:
$ LD_PRELOAD=./id0 sh
\u@\h:\w\n$ id -un
root
\u@\h:\w\n$ less /etc/master.passwd
/etc/master.passwd: Permission denied
\u@\h:\w\n$ ls -l /etc/master.passwd
-rw--- 1 root wheel 3984 Feb 5 22:44 /etc/master.passwd
\u@\h:\w\n$
2014-02-16 23:36 GMT+01:00 Frank Brodbeck f...@guug.de:
I am not sure what point it is you are trying to make but:
$ LD_PRELOAD=./id0 sh
\u@\h:\w\n$ id -un
root
\u@\h:\w\n$ less /etc/master.passwd
/etc/master.passwd: Permission denied
\u@\h:\w\n$ ls -l /etc/master.passwd
-rw--- 1
On Mon, Feb 17, 2014 at 02:21:45PM +, Richard Heasman wrote:
Good afternoon,
Firstly, thanks for your ongoing development and good work.
I have a question that I would like to pose to you, as I have not found
any satisfactory answer despite long research.
Background:
We use ssh
On 2014-02-16, Zoran Kolic zko...@sbb.rs wrote:
Does not regard openbsd at all, but this channel sounds
like the proper place to take an advice from, since I
consider people on it enough safety aware.
I plan to get android phone and go through some channel,
with home vpn server not an option.
Hi,
Does anyone have any ideas on this? How can we configure isakmpd to
only listen on certain IP addresses to avoid this limitation when it
tries to listen on *every* IP address?
I see listen-on in isakmpd.conf, but we are using ipsec.conf and I
understand these are mutually-exclusive..
Face-palm!!!
When I tried it before I only created /etc/isakmpd.conf
not;
/etc/isakmpd/isakmpd.conf
chmod 600 /etc/isakmpd/isakmpd.conf
isakmpd.conf
[general]
listen-on=pubip1,pubip2,pubip3
Dohh, Have to miss the obvious in a man page every now and then I guess..
Hopefully my fail-over
Because it was not supposed to compile anything at that time.
When you installed OpenBSD, did you install the comp54 set? Why not?
On Mon, Feb 17, 2014 at 10:36:29AM -0700, nvw6lxh2yt...@pyramidheadgroup.ca
wrote:
Because it was not supposed to compile anything at that time.
[...]
But you did install it before your first post to misc@, right? If not,
you might want to boot bsd.rd and do an upgrade from there, this time
On 2014-02-17 12:36, nvw6lxh2yt...@pyramidheadgroup.ca wrote:
Because it was not supposed to compile anything at that time.
When you installed OpenBSD, did you install the comp54 set? Why not?
See FAQ 4.11 for instructions to follow to add the comp54.tgz fileset to
your existing system.
I installed compiler packages via pkg_add, see pkg_info output in the
original message.
See FAQ 4.11 for instructions to follow to add the comp54.tgz fileset
to your existing system.
That should enable you to compile stuff.
Ok, will do. Thank you.
On 2014-02-17 12:54, nvw6lxh2yt...@pyramidheadgroup.ca wrote:
I installed compiler packages via pkg_add, see pkg_info output in the
original message.
These require the comp*.tgz fileset. As I previously posted, FAQ 4.11
is your guide. It shows two different ways to install your missing
On Mon, Feb 17, 2014 at 10:36:29AM -0700, nvw6lxh2yt...@pyramidheadgroup.ca
wrote:
Because it was not supposed to compile anything at that time.
When you installed OpenBSD, did you install the comp54 set? Why not?
And you expect the magic fairies to just like that, find the compiler when
I'm looking for recommendations on what works well for people, since
this doesn't appear to be covered by the FAQ or AOBSD2E. I know several
ways to accomplish what I'm after, but none of them seem to have any
clear advantage over the other.
1. I have about a dozen OpenBSD systems running
Mailertable would be a good approach, no?
Vijay Sankar
ForeTell Technologies Limited
vsan...@foretell.ca
Sent from my iPhone
On Feb 17, 2014, at 12:13, Adam Thompson athom...@athompso.net wrote:
I'm looking for recommendations on what works well for people, since this
doesn't appear to
On Mon, Feb 17, 2014 at 12:13, Adam Thompson wrote:
1. I have about a dozen OpenBSD systems running (5.4-RELEASE), all of
which share a common list of users, all of which generate email
automatically.
2. Only one of those systems is the designated mail server. I would
like all the other
On Mon 17 Feb 2014 12:54:23 PM CST, mx1.foretell.ca wrote:
Mailertable would be a good approach, no?
Hm. Not quite what I was looking for, unless you can use wildcards in
the mailertable. I literally want all local mail proxied, if you
will, to the mailhost.
So far, it looks like an
2014-02-16 23:36 GMT+01:00 Frank Brodbeck f...@guug.de:
I am not sure what point it is you are trying to make but:
$ LD_PRELOAD=./id0 sh
\u@\h:\w\n$ id -un
root
\u@\h:\w\n$ less /etc/master.passwd
/etc/master.passwd: Permission denied
\u@\h:\w\n$ ls -l /etc/master.passwd
-rw--- 1
Attacks with LD_PRELOAD are very old and can
be performed on any OS where you have dynamic linking (Linux, *BSD
etc.), so yes, OpenBSD is vulnerable to this type of stuff.
You forgot to mention that the value of LD_PRELOAD is ignored for set*id
executables, in order to
And it never was a threat?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
http://www.cvedetails.com/cve/CVE-2006-6164/
Daniel
And it never was a threat?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
http://www.cvedetails.com/cve/CVE-2006-6164/
Please state your case very carefully and clearly. Right now, you
are not talking facts.
2014-02-17 20:48 GMT+01:00 Miod Vallat m...@online.fr:
Attacks with LD_PRELOAD are very old and can
be performed on any OS where you have dynamic linking (Linux, *BSD
etc.), so yes, OpenBSD is vulnerable to this type of stuff.
You forgot to mention that the value of
2014-02-17 20:48 GMT+01:00 Miod Vallat m...@online.fr:
Attacks with LD_PRELOAD are very old and can
be performed on any OS where you have dynamic linking (Linux, *BSD
etc.), so yes, OpenBSD is vulnerable to this type of stuff.
You forgot to mention that the value of
It actually should reduce the risk for set*id(), but this in the past
related to CVE-2006-6164 (_dl_unsetenv())?
Yes, and this has been fixed since.
2014-02-17 21:25 GMT+01:00 Theo de Raadt dera...@cvs.openbsd.org:
2014-02-17 20:48 GMT+01:00 Miod Vallat m...@online.fr:
Attacks with LD_PRELOAD are very old and can
be performed on any OS where you have dynamic linking (Linux, *BSD
etc.), so yes, OpenBSD is vulnerable
On Mon, Feb 17, 2014 at 07:48:44PM +, Miod Vallat wrote:
Attacks with LD_PRELOAD are very old and can
be performed on any OS where you have dynamic linking (Linux, *BSD
etc.), so yes, OpenBSD is vulnerable to this type of stuff.
You forgot to mention that the
2014-02-17 21:49 GMT+01:00 Marc Espie es...@nerim.net:
On Mon, Feb 17, 2014 at 07:48:44PM +, Miod Vallat wrote:
Attacks with LD_PRELOAD are very old and can
be performed on any OS where you have dynamic linking (Linux, *BSD
etc.), so yes, OpenBSD is vulnerable
and of course PAM:
http://blackhatlibrary.net/Hooking_PAM
Well, there's a reason why OpenBSD does not embed PAM. It has to do with
software giving people enough rope to hang themselves.
On Mon, Feb 17, 2014 at 10:02:18PM +0100, Daniel Cegiełka wrote:
[...]
At least on linux this type of abuse seems to be still (very) effective:
http://blackhatlibrary.net/LD_PRELOAD
http://blackhatlibrary.net/Azazel
and of course PAM:
http://blackhatlibrary.net/Hooking_PAM
Here's a
On Mon, Feb 17, 2014 at 09:12:53PM +, Miod Vallat wrote:
| and of course PAM:
|
| http://blackhatlibrary.net/Hooking_PAM
|
| Well, there's a reason why OpenBSD does not embed PAM. It has to do with
| software giving people enough rope to hang themselves.
Giving people enough rope to hang
Hm, funny. I wasn't able to reproduce it on my side either:
# touch /etc/ssl/foo{pem,key}
# chmod 0600 /etc/ssl/foo{pem,key}
# grep foo /etc/mail/smtpd.conf
pki foo certificate /etc/ssl/foo.pem
pki foo key /etc/ssl/foo.key
pki foo ca /etc/ssl/sbde-ca.pem
# smtpd -nf /etc/mail/smtpd.conf
fatal:
On Mon, Feb 17, 2014 at 11:43:50PM +0100, Frank Brodbeck wrote:
Hm, funny. I wasn't able to reproduce it on my side either:
# touch /etc/ssl/foo{pem,key}
# chmod 0600 /etc/ssl/foo{pem,key}
# grep foo /etc/mail/smtpd.conf
pki foo certificate /etc/ssl/foo.pem
pki foo key /etc/ssl/foo.key