Re: Daemon umask

2012-08-09 Thread Chris Davies 
Mike Mestnik  wrote:
> Actually I'm unsure if a shell would be invoked in most cases.  For
> example Apache starts as root and drops privs after opening up log
> files(I wish someone would fix this) and port 80(I wish this could be
> done with an ACL).

Sorry, it's not clear to me what it is that you want fixed. Can you
elaborate?

Chris


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/rj1df9xmr7@news.roaima.co.uk

Re: how to fix rootkit?

2012-02-09 Thread Chris Davies 

On Wed, 2012-02-08 at 22:56, Chris Davies wrote:
> You can no longer trust the kernel [...]

Milan P. Stanic  wrote:
> Of course, you are right here. But then I don't trust the CPU's. How we
> know that the manufacturer od CPU, Ethernet card or anything, didn't put
> some secret code into device [...]

You don't. But since your scenario applies whether or not someone's
system has been rooted, it should probably remain outside the scope of
the discussion.

Chris


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/2p4d09xej3@news.roaima.co.uk

Re: how to fix rootkit?

2012-02-08 Thread Chris Davies 
Milan P. Stanic  wrote:
> What about statically linked binaries on the external media (CD, DVD,
> USB ...) which is write protected with 'execute in place' mode?

You can no longer trust the kernel. Therefore you cannot trust
ANY application that runs under that kernel, either directly or
indirectly. Period.

Chris


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/g5bb09xbl5@news.roaima.co.uk

Re: Default valid shells and home dir permissions

2012-01-12 Thread Chris Davies 
Poison Bit  wrote:
> Why filter to those in /etc/shells ? I mean... the filter should be
> applied by the system :)

Mainly because it's a convenient list of "real" shells, and some of the
remote service applications require a shell to be in that list. FTP is
one such that springs to mind. As a counter example, /bin/false is a
possible shell but it doesn't provide a particularly useful environment
for the user. You could change the scriptlet to check for the 7th column
being either empty or an executable file if you preferred.


> But neither of both codes take in mind if there is sudo in the system,
> and what is gained in its config.

I don't recall the OP mentioning access via sudo. (BICBW.)


> Also, neither of both codes think about ForceCommand in ssh... So I
> maybe listed as /bin/bash, but I me be able only of run /usr/bin/cal
> once as my shell and get kicked.

ForceCommand requires an interactive shell-like login on the target,
so I don't believe that's relevant here.

Chris


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/uad3u8x037@news.roaima.co.uk

Re: Default valid shells and home dir permissions

2012-01-12 Thread Chris Davies 
Davit Avsharyan  wrote:
> 1/  I'm wondering why most of the system users have valid shells by 
> default ?
> /cat /etc/passwd | grep -E '(sh|bash)' | wc -l
> *21*/

That's not necessarily sufficient to determine valid shells: the absence
of a shell definition implies the use of /bin/sh, so you need to check
that, too.

Something like this should probably give you a definitive list -

SS=$(grep '^/' /etc/shells | xargs)
for S in $SS ''; do
getent passwd | awk -F: -v S="$S" '{if ($7 == S) print $1, $7}'
done

Chris


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/djs2u8xfrv@news.roaima.co.uk

Re: Linux infected ?

2009-02-05 Thread Chris Davies 
Ralph Jenkin  wrote:
> Am I the only one thinking; "Wine can actually manage to get infected by 
> malware now? Cool."

I've seen a fair number of discussions about this on usenet, so it's
not new, no.

Chris


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Rainbow tables on Linux?

2008-10-24 Thread Chris Davies 
Johan 'yosh' Marklund <[EMAIL PROTECTED]> wrote:
> the open source rainbow tables are about 121GB (if my memory
> serves me correctly) and are only available via bittorrent.
> I think it took me about 2 months to download them.
> http://www.antsight.com/zsl/rainbowcrack/

Out of interest, how long do you estimate it would have taken you to
generate them locally?

Chris


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: What to do about SSH brute force attempts?

2008-08-21 Thread Chris Davies 
> Third use a non standart ssh port (for example )

Michael Tautschnig <[EMAIL PROTECTED]> wrote:
> I'm not a huge fan of security by obscurity, so I'd rather stick with 22 for
> now.

Try it before you dismiss it out of hand.
Chris


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]