Re: [SECURITY] [DSA 2668-1] linux-2.6 security update

2013-05-14 Thread Jon Marshall
Saw this earlier, apparently there is a serious issue that affects all of the
kernels up to 3.8

Will do a security thing tomorrow, if I get a chance, but it has been a while
since we've had a look at it, my fault.

Will update once I've reviewed.

On Tue, May 14, 2013 at 01:14:29PM -0600, dann frazier wrote:
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
 - -------------------------------------------------------------------------
 Debian Security Advisory DSA-2668-1                    secur...@debian.org
 http://www.debian.org/security/                              Dann Frazier
 May 14, 2013                            http://www.debian.org/security/faq
 - -------------------------------------------------------------------------
 
 Package: linux-2.6
 Vulnerability  : privilege escalation/denial of service/information leak
 Problem type   : local/remote
 Debian-specific: no
 CVE Id(s)  : CVE-2012-2121 CVE-2012-3552 CVE-2012-4461 CVE-2012-4508
  CVE-2012-6537 CVE-2012-6539 CVE-2012-6540 CVE-2012-6542
  CVE-2012-6544 CVE-2012-6545 CVE-2012-6546 CVE-2012-6548
  CVE-2012-6549 CVE-2013-0349 CVE-2013-0914 CVE-2013-1767
  CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796
  CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928
  CVE-2013-1929 CVE-2013-2015 CVE-2013-2634 CVE-2013-3222
  CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3228
  CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235
 
 Several vulnerabilities have been discovered in the Linux kernel that may lead
 to a denial of service, information leak or privilege escalation. The Common
 Vulnerabilities and Exposures project identifies the following problems:
 
 CVE-2012-2121
 
 Benjamin Herrenschmidt and Jason Baron discovered issues with the IOMMU
 mapping of memory slots used in KVM device assignment. Local users with
 the ability to assign devices could cause a denial of service due to a
 memory page leak.
 
 CVE-2012-3552
 
 Hafid Lin reported an issue in the IP networking subsystem. A remote user
 can cause a denial of service (system crash) on servers running
 applications that set options on sockets which are actively being
 processed.
 
 CVE-2012-4461
 
 Jon Howell reported a denial of service issue in the KVM subsystem.
 On systems that do not support the XSAVE feature, local users with
 access to the /dev/kvm interface can cause a system crash.
 
 CVE-2012-4508
 
 Dmitry Monakhov and Theodore Ts'o reported a race condition in the ext4
 filesystem. Local users could gain access to sensitive kernel memory.
 
 CVE-2012-6537
 
 Mathias Krause discovered information leak issues in the Transformation
 user configuration interface. Local users with the CAP_NET_ADMIN capability
 can gain access to sensitive kernel memory.
 
 CVE-2012-6539
 
 Mathias Krause discovered an issue in the networking subsystem. Local
 users on 64-bit systems can gain access to sensitive kernel memory.
 
 CVE-2012-6540
 
 Mathias Krause discovered an issue in the Linux virtual server subsystem.
 Local users can gain access to sensitive kernel memory. Note: this issue
 does not affect Debian provided kernels, but may affect custom kernels
 built from Debian's linux-source-2.6.32 package.
 
 CVE-2012-6542
 
 Mathias Krause discovered an issue in the LLC protocol support code.
 Local users can gain access to sensitive kernel memory.
 
 CVE-2012-6544
 
 Mathias Krause discovered issues in the Bluetooth subsystem.
 Local users can gain access to sensitive kernel memory.
 
 CVE-2012-6545
 
 Mathias Krause discovered issues in the Bluetooth RFCOMM protocol
 support. Local users can gain access to sensitive kernel memory.
 
 CVE-2012-6546
 
 Mathias Krause discovered issues in the ATM networking support. Local
 users can gain access to sensitive kernel memory.
 
 CVE-2012-6548
 
 Mathias Krause discovered an issue in the UDF file system support.
 Local users can obtain access to sensitive kernel memory.
 
 CVE-2012-6549
 
 Mathias Krause discovered an issue in the isofs file system support.
 Local users can obtain access to sensitive kernel memory.
 
 CVE-2013-0349
 
 Anderson Lizardo discovered an issue in the Bluetooth Human Interface
 Device Protocol (HIDP) stack. Local users can obtain access to sensitive
 kernel memory.
 
 CVE-2013-0914
 
 Emese Revfy discovered an issue in the signal implementation. Local
 users may be able to bypass the address space layout randomization (ASLR)
 facility due to a leaking of information to child processes.
 
 CVE-2013-1767
 
 Greg Thelen reported an issue in the tmpfs virtual memory filesystem.
 Local users with sufficient privilege to mount filesystems can cause
 a denial of service or possibly elevated privileges due to a use-after

Re: [SECURITY] [DSA 2668-1] linux-2.6 security update

2013-05-14 Thread Jon Marshall
Apologies, hit the wrong reply to! Please ignore and thanks for all the good
work.

On Tue, May 14, 2013 at 09:15:48PM +0100, Jon Marshall wrote:
 Saw this earlier, apparently there is a serious issue that affects all of the
 kernels up to 3.8
 
 Will do a security thing tomorrow, if I get a chance, but it has been a while
 since we've had a look at it, my fault.
 
 Will update once I've reviewed.
 
 On Tue, May 14, 2013 at 01:14:29PM -0600, dann frazier wrote:
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  
  - -------------------------------------------------------------------------
  Debian Security Advisory DSA-2668-1                    secur...@debian.org
  http://www.debian.org/security/                              Dann Frazier
  May 14, 2013                            http://www.debian.org/security/faq
  - -------------------------------------------------------------------------
  
  Package: linux-2.6
  Vulnerability  : privilege escalation/denial of service/information leak
  Problem type   : local/remote
  Debian-specific: no
  CVE Id(s)  : CVE-2012-2121 CVE-2012-3552 CVE-2012-4461 CVE-2012-4508
   CVE-2012-6537 CVE-2012-6539 CVE-2012-6540 CVE-2012-6542
   CVE-2012-6544 CVE-2012-6545 CVE-2012-6546 CVE-2012-6548
   CVE-2012-6549 CVE-2013-0349 CVE-2013-0914 CVE-2013-1767
   CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796
   CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928
   CVE-2013-1929 CVE-2013-2015 CVE-2013-2634 CVE-2013-3222
   CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3228
   CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235
  
  Several vulnerabilities have been discovered in the Linux kernel that may lead
  to a denial of service, information leak or privilege escalation. The Common
  Vulnerabilities and Exposures project identifies the following problems:
  
  CVE-2012-2121
  
  Benjamin Herrenschmidt and Jason Baron discovered issues with the IOMMU
  mapping of memory slots used in KVM device assignment. Local users with
  the ability to assign devices could cause a denial of service due to a
  memory page leak.
  
  CVE-2012-3552
  
  Hafid Lin reported an issue in the IP networking subsystem. A remote user
  can cause a denial of service (system crash) on servers running
  applications that set options on sockets which are actively being
  processed.
  
  CVE-2012-4461
  
  Jon Howell reported a denial of service issue in the KVM subsystem.
  On systems that do not support the XSAVE feature, local users with
  access to the /dev/kvm interface can cause a system crash.
  
  CVE-2012-4508
  
  Dmitry Monakhov and Theodore Ts'o reported a race condition in the ext4
  filesystem. Local users could gain access to sensitive kernel memory.
  
  CVE-2012-6537
  
  Mathias Krause discovered information leak issues in the Transformation
  user configuration interface. Local users with the CAP_NET_ADMIN capability
  can gain access to sensitive kernel memory.
  
  CVE-2012-6539
  
  Mathias Krause discovered an issue in the networking subsystem. Local
  users on 64-bit systems can gain access to sensitive kernel memory.
  
  CVE-2012-6540
  
  Mathias Krause discovered an issue in the Linux virtual server subsystem.
  Local users can gain access to sensitive kernel memory. Note: this issue
  does not affect Debian provided kernels, but may affect custom kernels
  built from Debian's linux-source-2.6.32 package.
  
  CVE-2012-6542
  
  Mathias Krause discovered an issue in the LLC protocol support code.
  Local users can gain access to sensitive kernel memory.
  
  CVE-2012-6544
  
  Mathias Krause discovered issues in the Bluetooth subsystem.
  Local users can gain access to sensitive kernel memory.
  
  CVE-2012-6545
  
  Mathias Krause discovered issues in the Bluetooth RFCOMM protocol
  support. Local users can gain access to sensitive kernel memory.
  
  CVE-2012-6546
  
  Mathias Krause discovered issues in the ATM networking support. Local
  users can gain access to sensitive kernel memory.
  
  CVE-2012-6548
  
  Mathias Krause discovered an issue in the UDF file system support.
  Local users can obtain access to sensitive kernel memory.
  
  CVE-2012-6549
  
  Mathias Krause discovered an issue in the isofs file system support.
  Local users can obtain access to sensitive kernel memory.
  
  CVE-2013-0349
  
  Anderson Lizardo discovered an issue in the Bluetooth Human Interface
  Device Protocol (HIDP) stack. Local users can obtain access to sensitive
  kernel memory.
  
  CVE-2013-0914
  
  Emese Revfy discovered an issue in the signal implementation. Local
  users may be able to bypass the address space layout randomization (ASLR)
  facility due to a leaking

Re: [SECURITY] [DSA 2563-1] viewvc security update

2012-10-23 Thread Jon Dowland
Hi,

This DSA was signed with key 0x401DAC04, which is not in any debian-keyring
package I can find, nor on pgp.mit.edu. Is this a mistake? Thanks!


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20121023204811.GJ25000@debian



Re: security issues with apache!

2006-03-07 Thread Jon Dowland
At 1141730613, Petter Senften wrote:
 Recently I've noticed that my Apache-installation gets
 violated and that an intruder somehow manages to put stuff
 in /tmp and /var/tmp.  Then it makes Apache execute these.

Do you have mod_cgi installed and activated? If you are not
using it, disable it.

If the trouble-maker is executing things via PHP scripts,
you can stop them by disabling the exec and related
functions in PHP. The following line in /etc/php.ini would
do it for example:

disable_functions = system, exec, shell_exec, passthru, popen, pcntl_exec, openlog

Alternatively turning on safe mode does this, I believe.

-- 
Jon Dowland
http://alcopop.org/


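A way to verify that a php.ini actually carries the hardening the reply describes, added here as an example (not code from the post): it parses the disable_functions directive and reports which of the listed functions a script could still call. The function list is the one given in the reply; proc_open is added as an assumption of this example, and both sample ini texts are constructed.

```python
"""Audit a php.ini for the disable_functions hardening recommended above.

Added example, not code from the post.  Sample ini texts are constructed.
"""
import re

# Functions named in the post, plus proc_open (an assumption of this
# example: it spawns processes the same way popen does).
RECOMMENDED_DISABLED = (
    "system", "exec", "shell_exec", "passthru", "popen",
    "pcntl_exec", "openlog", "proc_open",
)

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_disable_functions(ini_text):
    """Return the set of names disabled by the disable_functions directive.

    ';' starts a comment in php.ini.  If the directive appears more than once
    this parser keeps the last one it sees, matching a top-to-bottom read of
    the file.  Names may be separated by commas and/or whitespace, and the
    value may be quoted.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).strip().strip('"').strip("'")
        disabled = {name.lower() for name in re.split(r"[\s,]+", value) if name}
    return disabled


def missing_hardening(ini_text, required=RECOMMENDED_DISABLED):
    """Return the recommended functions that ini_text leaves callable, sorted."""
    disabled = parse_disable_functions(ini_text)
    return sorted(f for f in required if f.lower() not in disabled)


# Constructed samples: a stock-looking php.ini with the directive left empty,
# and one carrying the hardened setting.
WEAK_INI = """
[PHP]
; Nothing disabled: any script can shell out.
disable_functions =
expose_php = On
"""

HARDENED_INI = """
[PHP]
disable_functions = system, exec, shell_exec, passthru, popen, pcntl_exec, openlog, proc_open
expose_php = Off
"""


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        gaps = missing_hardening(ini)
        print(f"{label}: " + ("ok" if not gaps else "still callable: " + ", ".join(gaps)))
```

Run it against the php.ini a server really loads (php -i shows which one) rather than the default file shipped by the package; a virtual host or .htaccess can override some settings, but disable_functions can only be set in the main ini, which is why it is the setting worth auditing.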



Re: [SECURITY] [DSA 871-1] New libgda2 packages fix arbitrary code execution

2005-10-25 Thread Jon Dowland
On Tue, Oct 25, 2005 at 05:23:19PM +0200, Martin Schulze wrote:
 Package: libgda2
   ^^^
snip
 http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7-1.2.dsc
 ^
Sorry to be a pest :(

-- 
Jon Dowland




Re: http://security.debian.org - down?

2004-02-02 Thread Jon
On Mon, 2004-02-02 at 09:51, Maria Rodriguez wrote:
 Am I the only one who is having difficulties reaching security.debian.org?  I manage 
 a few Debian machines here in Florida as well as Southern Georgia and all of them 
 seem to be timing out when trying to reach that server:
 
 Err http://security.debian.org woody/updates/main Packages
   Could not connect to security.debian.org:80 (194.109.137.218), connection timed out
 
 That appears to be klecker.debian.org which isn't currently responding to pings, 
 which in itself isn't scary, but it looks as though it may have been inaccessible 
 for a few days now.
 
 Does anyone know what's going on?
 

An announcement was sent to debian-news@lists.debian.org at 8:54 PST
this morning.  

--

Yesterday around 15:00 UTC we the host klecker.debian.org crashed.
Unfortunately, it didn't react on the serial console and to a remotely
issued power-cycle.

The following services are affected by this downtime:

security.debian.org

The public security archive.  As a temporary solution, please
switch to http://ftp.rfc822.org/debian-security/ instead.

snip

- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com





Re: evolution

2003-06-30 Thread Jon
On Mon, 2003-06-30 at 00:29, Martynas Domarkas wrote:
 On Fri, 2003-06-27 05:59, Jean Christophe ANDRÉ wrote:
  Matt Zimmerman wrote:
There are a LOT of connections: ~700 in 5 minutes. I did not find any
configuration options with that hosts.  What could it be? 
   This is surely an evolution feature where it means to provide you with
   news and information.
  
  I would call this a pain instead of a feature...
  700 connections in 5 minutes is more than 2 in 1 second...
  I thought modern programmers of modern software (say evolution)
  knew about twicing waiting time between each connection failure...
  
  J.C.
 
 That's the best answer :- As far as I know evolution has no
 configuration of proxy for WEB connection. So it very diligently tries to
 show me stupid pictures about enlarge your... and so on, but without
 success. Hmmm, not bad. It's like kind of spam filter ;-)
 
 
 I'm kidding of course. Thanks to all for your answers. Now I configured
 evolution  download pictures from WEB only if sender is in my address
 book, and try all traffic going out of my box with destination port 80
 redirect to our proxy. 
 
 And maybe somebody knows how to force evolution to use a proxy another (not
 transparent) way?
 

Have you tried configuring Gnome to use a proxy?  I think I remember
reading that evolution obeys Gnome's setting somewhere...

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com





Re: evolution

2003-06-27 Thread Jon
On Wed, 2003-06-25 at 22:40, Martynas Domarkas wrote:
 Hi, it's me again and I have another stupid question: my evolution
 mailer in a short period of time repeatedly tries connect to some
 strange hosts:
 
 
 tcp 0 1 192.168.0.1:33931 205.156.51.200:80 SYN_SENT 4055/evolution-exec

http://ws.arin.net/cgi-bin/whois.pl?queryinput=205.156.51.200

Looks like it's trying to fetch the weather.

 tcp 0 1 192.168.0.1:33932 206.14.209.40:80 SYN_SENT 4055/evolution-exec
 

40.209.14.206.in-addr.arpa domain name pointer www.salon.com.

Salon.com's XML feed...

 tcp 0 1 192.168.0.1:33933 63.236.73.20:80 SYN_SENT 4055/evolution-exec
 

And... I'm not sure about this one, but it's probably another item on
the Summary page.  

- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com





Re: Default Apache install not fit for multiple domains/users

2003-06-10 Thread Jon
On Tue, 2003-06-10 at 08:24, Stefan Neufeind wrote:
 Thank you for the information. Am I right that php-scripts then would 
 need an execute-bit set? Currently they don't have ...
 

Unfortunately, yes.  Otherwise you'll get a 500 Internal Server Error or
the likes.  

- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com





Re: Default Apache install not fit for multiple domains/users

2003-06-09 Thread Jon
On Mon, 2003-06-09 at 07:59, Stefan Neufeind wrote:
 But afaik you run into real problems when you try to use suexec with 
 php, don't you? Or has anybody managed to get this running correctly? 
 (for Apache 1.3.x !!!).

There *are* issues with running suExec + php.  First, php must be run as
a cgi - you can't use mod_php.  This introduces performance issues,
since mod_php is much faster than executing a standalone php
interpreter for each page requested.  Next, you have to decide whether
you want to have the interpreter executable inside or outside the web
root.  Outside is safer - but then your scripts have to have 

#!/path/to/php

at the top - although there are ways around that too.   Google has some
success stories where people managed to get it to work.

- Jon

 
 On 6 Jun 2003 at 17:06, Wade Richards wrote:
 
  On 06 Jun 2003 16:15:37 PDT, Jon writes:
  I believe Apache would still be executing php/cgi scripts as
  www-data, so users could snoop on other users's scripts, session
  files, etc.
  
  Something like:
  <?php echo `ls ../neighbor/public_html`; ?>
  
  I suggest you look up the suEXEC Apache module, it seems to do exactly
  what you want.
-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com


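The two requirements this thread gives for running PHP as a CGI program (an execute bit on the script, and a "#!" line at the top naming the interpreter), together with its advice to keep the interpreter outside the web root, can be audited mechanically. The following is an added example, not code from the thread or from Apache: the web root, its scripts and the interpreter paths are constructed in a temporary directory so the audit runs anywhere.

```python
"""Audit PHP scripts that are to run as CGI programs (e.g. under suEXEC).

Added example, not code from the thread or from Apache.  The web root and
its scripts are constructed in a temporary directory.
"""
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def _inside(path, root):
    """True if path lies within root (both resolved; neither needs to exist)."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def audit_cgi_script(path, webroot):
    """Return the reasons this script would not run cleanly as a CGI; [] means fine."""
    problems = []
    if not os.stat(path).st_mode & EXEC_BITS:
        # Without an execute bit the server cannot exec the file: a 500 error.
        problems.append("no execute bit set")
    with open(path, "rb") as fh:
        first = fh.readline()
    if not first.startswith(b"#!"):
        problems.append("missing '#!' interpreter line")
    else:
        words = first[2:].split()
        interp = words[0].decode(errors="replace") if words else ""
        if not interp.startswith("/"):
            problems.append("interpreter path is not absolute")
        elif _inside(interp, webroot):
            # The thread recommends keeping the interpreter outside the web root.
            problems.append(f"interpreter {interp} lives inside the web root")
    return problems


def audit_webroot(webroot):
    """Audit every .php file under webroot; returns {relative path: [problems]}."""
    report = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                report[os.path.relpath(full, webroot)] = audit_cgi_script(full, webroot)
    return report


def build_sample_webroot(root):
    """Constructed fixture: one good script and three that each break one rule."""
    php_cgi = b"#!/usr/bin/php-cgi\n"                 # assumed interpreter path
    inside = os.path.join(root, "cgi-bin", "php").encode()
    cases = {
        "good.php":      (php_cgi + b"<?php echo 'ok'; ?>\n", 0o755),
        "noexec.php":    (php_cgi + b"<?php echo 'ok'; ?>\n", 0o644),
        "noshebang.php": (b"<?php echo 'ok'; ?>\n", 0o755),
        "inside.php":    (b"#!" + inside + b"\n<?php echo 'ok'; ?>\n", 0o755),
    }
    for name, (content, mode) in cases.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)


def run_demo():
    """Build the fixture in a scratch directory and return the audit report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for script, problems in sorted(run_demo().items()):
        print(f"{script}: {'; '.join(problems) or 'ok'}")
```

Pointing audit_webroot at a real document root gives the list of scripts that will answer 500 once the virtual host is switched from mod_php to a CGI handler, before the switch is made.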


Re: Default Apache install not fit for multiple domains/users

2003-06-09 Thread Jon
On Mon, 2003-06-09 at 17:28, Phillip Hofmeister wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Mon, 09 Jun 2003 at 09:35:49PM +0200, Stefan Neufeind wrote:
  But you mean starting with #! ?? How could I use the normal way of 
  setting a cgi-handler for calling .php-files? Know what I mean?
  
  Using Misc Binary-support (and therefore patching the kernel) seems no 
  solution to me. Isn't there some way to make it work using Apache-
  features?
 
 MISC Binary is not patching the kernel.  MISC Binary comes as an option
 with the stock kernel.  You might have to compile your own kernel (I
 don't know, I haven't used a stock Debian kernel in a VERY long time...)
 

The binfmt_misc kernel module is included in the stock Debian kernels,
AFAIK.  There is a nice package, binfmt-support (à la
update-alternatives) that allows one to easily configure binfmt_misc:


Package: binfmt-support
Support for extra binary formats

The binfmt_misc kernel module, contained in versions 2.1.43 and later of
the Linux kernel, allows system administrators to register interpreters
for various binary formats based on a magic number or their file
extension, and cause the appropriate interpreter to be invoked whenever
a matching file is executed. Think of it as a more flexible version of
the #! executable interpreter mechanism.

This package provides an 'update-binfmts' script with which package
maintainers can register interpreters to be used with this module
without having to worry about writing their own init.d scripts, and
which sysadmins can use for a slightly higher-level interface to this
module.

- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com


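A model of the mechanism the package description above explains, added here as an example (not code from the thread or from the binfmt-support package): it renders the registration line of the form :name:type:offset:magic:mask:interpreter:flags that is written to /proc/sys/fs/binfmt_misc/register, and replays the lookup, by file extension (type E) or by magic bytes (type M), that decides which interpreter runs a file. The entries (a PHP-by-extension rule and the DOSWin/wine rule from the kernel's own documentation) and the file names are constructed; the order in which entries are tried is this model's, not a claim about the kernel's list order.

```python
"""Model of binfmt_misc registration and interpreter lookup.

Added example, not code from the thread or the binfmt-support package.
Entries and file names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BinfmtEntry:
    name: str
    kind: str            # "E": match by file extension, "M": match by magic bytes
    interpreter: str     # absolute path of the program run in place of the file
    magic: bytes         # extension without the dot for "E"; raw bytes for "M"
    offset: int = 0      # where the magic bytes sit in the file ("M" only)
    mask: bytes = b""    # bits of magic to compare; empty means all ("M" only)
    flags: str = ""

    def register_line(self, delim=":"):
        """Render the line that registers this entry through
        /proc/sys/fs/binfmt_misc/register (a root-only write)."""
        if self.kind not in ("E", "M"):
            raise ValueError("type must be E or M")
        if not self.interpreter.startswith("/"):
            raise ValueError("interpreter must be an absolute path")
        if any(delim in f for f in (self.name, self.interpreter, self.flags)):
            raise ValueError(f"delimiter {delim!r} must not appear inside a field")
        if self.kind == "E":
            offset, magic, mask = "", self.magic.decode(), ""
        else:
            offset = str(self.offset)
            magic = "".join(f"\\x{b:02x}" for b in self.magic)
            mask = "".join(f"\\x{b:02x}" for b in self.mask)
        return delim.join(["", self.name, self.kind, offset, magic, mask,
                           self.interpreter, self.flags])

    def matches(self, filename, header):
        """Would this entry be selected for a file with this name and these
        leading bytes?"""
        if self.kind == "E":
            # Extension rule: the text after the last '.' of the file name.
            base = filename.rsplit("/", 1)[-1]
            return "." in base and base.rsplit(".", 1)[1] == self.magic.decode()
        end = self.offset + len(self.magic)
        if len(header) < end:
            return False
        chunk = header[self.offset:end]
        mask = self.mask.ljust(len(self.magic), b"\xff") if self.mask else b"\xff" * len(self.magic)
        # Magic rule: every bit selected by the mask must agree with the magic.
        return all(((c ^ g) & m) == 0 for c, g, m in zip(chunk, self.magic, mask))


def resolve_interpreter(entries, filename, header):
    """Return the interpreter that would be run for the file, or None.

    Entries are tried in the order given here.  Registering one rule per
    extension or magic keeps the outcome independent of that order.
    """
    for entry in entries:
        if entry.matches(filename, header):
            return entry.interpreter
    return None


# Constructed registrations: PHP scripts by extension (the thread's case) and
# the DOS/Windows "MZ" rule from the kernel documentation.
ENTRIES = [
    BinfmtEntry(name="php", kind="E", interpreter="/usr/bin/php-cgi", magic=b"php"),
    BinfmtEntry(name="DOSWin", kind="M", interpreter="/usr/bin/wine", magic=b"MZ"),
]


if __name__ == "__main__":
    for e in ENTRIES:
        print(e.register_line())
    for name, head in (("/var/www/index.php", b"<?php"), ("/home/u/game.exe", b"MZ\x90")):
        print(name, "->", resolve_interpreter(ENTRIES, name, head))
```

Registering an interpreter this way does not remove the execute-bit requirement raised earlier in the thread: execve still has to pass its permission check on the file before any binfmt handler, binfmt_misc included, is consulted.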




Re: Default Apache install not fit for multiple domains/users

2003-06-06 Thread Jon
On Fri, 2003-06-06 at 15:42, Tim Cunningham wrote:
 Is there some reason why you can't give each user an account and have them 
 put their files in ~/public_html?  That would have their page show up at 
 domain.net/~username/.
 
 Sorry if you already knew this and I'm misunderstanding the problem.
 

I believe Apache would still be executing php/cgi scripts as www-data,
so users could snoop on other users's scripts, session files, etc.

Something like:
<?php echo `ls ../neighbor/public_html`; ?>


- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com


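The snooping concern in the post, worked through with the ordinary owner/group/other permission check, as an added example that is not part of the post: which combination of execution identity (every script as www-data, or per-user under suEXEC) and file modes lets a neighbour's script read alice's session file, while Apache itself can still serve her files. Uids, gids, directory layout and modes are constructed.

```python
"""Who can read alice's session file?  Unix owner/group/other read check
applied to the shared-uid (mod_php) and per-user (suEXEC) execution models.

Added example, not code from the post.  Uids, gids and modes are constructed.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    euid: int
    egids: frozenset


@dataclass(frozen=True)
class Inode:
    owner_uid: int
    owner_gid: int
    mode: int


def _perm(proc, node, user_bit, group_bit, other_bit):
    """Discretionary check for a non-root process: the owner class decides,
    else the group class, else other.  (root bypasses this; left out on purpose.)"""
    if proc.euid == node.owner_uid:
        return bool(node.mode & user_bit)
    if node.owner_gid in proc.egids:
        return bool(node.mode & group_bit)
    return bool(node.mode & other_bit)


def can_read(proc, node):
    return _perm(proc, node, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(proc, directory):
    return _perm(proc, directory, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def can_read_path(proc, directories, leaf):
    """Opening a file needs search (x) on every directory on the way and read on the file."""
    return all(can_search(proc, d) for d in directories) and can_read(proc, leaf)


# Constructed identities: the www-data uid/gid and two hosting customers
# with user-private groups.
WWW_DATA, ALICE, BOB = 33, 1001, 1002

SHARED = Proc(WWW_DATA, frozenset({WWW_DATA}))   # every script runs as www-data
BOB_SUEXEC = Proc(BOB, frozenset({BOB}))         # bob's script runs as bob under suEXEC
SERVER = SHARED                                  # Apache itself, serving static files


def neighbour_can_read(runs_as, dir_mode, file_mode, group):
    """Can a process with identity runs_as read ~alice/public_html/session.dat,
    given the directory and file modes and the group alice assigned them?"""
    public_html = Inode(ALICE, group, dir_mode)
    session = Inode(ALICE, group, file_mode)
    return can_read_path(runs_as, [public_html], session)


def scenarios():
    return {
        # Shared uid, default modes: bob's script reads alice's file.
        "mod_php, 0755/0644": neighbour_can_read(SHARED, 0o755, 0o644, ALICE),
        # Shared uid, tightened modes: still readable, bob's script *is* the server.
        "mod_php, 0750/0640 group www-data": neighbour_can_read(SHARED, 0o750, 0o640, WWW_DATA),
        # suEXEC alone, default modes: still readable through the 'other' bits.
        "suexec, 0755/0644": neighbour_can_read(BOB_SUEXEC, 0o755, 0o644, ALICE),
        # suEXEC plus tightened modes: bob's script is shut out...
        "suexec, 0750/0640 group www-data": neighbour_can_read(BOB_SUEXEC, 0o750, 0o640, WWW_DATA),
        # ...while the server, through the www-data group, can still serve the files.
        "server, 0750/0640 group www-data": neighbour_can_read(SERVER, 0o750, 0o640, WWW_DATA),
    }


if __name__ == "__main__":
    for label, readable in scenarios().items():
        print(f"{label}: {'readable' if readable else 'denied'}")
```

The table the script prints is the point: separate uids and restrictive modes are each necessary and neither is sufficient alone, and the group bits are what let the server keep serving files that other customers' scripts cannot open.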


Re: Please clarify: kernel-sources / ptracebug / debian security announcements

2003-05-09 Thread Jon
On Thu, 2003-05-08 at 10:54, Oliver Hitz wrote:
 On 08 May 2003, Markus Kolb wrote:
 
  There are patched Debian kernel images with version 2.4.18-7 by the 
  kernel-image maintainer Herbet Xu but not in official debian package 
  trees. Just don't know where to find Herbert's packages. Perhaps 
  someone can post the place!
 
 You can find patched kernel images and sources for woody in
 proposed-updates. Don't know if there is a more official place to
 find them.
 
   ftp://ftp.debian.org/debian/dists/woody-proposed-updates/
 

Sources are patched as of woody.2, according to this changes file[1],
but only woody.1 images are available[2], as far as I can tell.  The
images at the second URL are still vulnerable:

Linux kmod + ptrace local root exploit by [EMAIL PROTECTED]
 
= Simple mode, executing /usr/bin/id > /dev/tty
sizeof(shellcode)=95
= Child process started..
= Child process started..
= Child process started..
= Child process started..
= Child process started..
= Child process started..
= Child process started..
= Child process started..
= Child process started.+ 516
- 516 ok!

[1]http://ftp.debian.org/dists/proposed-updates/kernel-source-2.4.20_2.4.20-3woody.2_i386.changes
[2]http://ftp.debian.org/pool/main/k/kernel-image-2.4.20-i386/

- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com



Re: Please clarify: kernel-sources / ptracebug / debian security announcements

2003-05-09 Thread Jon
On Fri, 2003-05-09 at 00:27, Jon wrote:
 Sources are patched as of woody.2, according to this changes file[1],
 but only woody.1 images are available[2], as far as I can tell.  The
 images at the second URL are still vulnerable:
 

 [1]http://ftp.debian.org/dists/proposed-updates/kernel-source-2.4.20_2.4.20-3woody.2_i386.changes
 [2]http://ftp.debian.org/pool/main/k/kernel-image-2.4.20-i386/
 

Oops, spoke too soon.  These packages are not vulnerable:

http://ftp.debian.org/pool/main/k/kernel-image-2.4.20-1-i386/

- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com



Re: PTRACE Fixed?

2003-03-22 Thread Jon
On Fri, 2003-03-21 at 17:43, Phillip Hofmeister wrote:
 When I run it as root it does the following:
 
 Linux kmod + ptrace local root exploit by [EMAIL PROTECTED]
 
 = Simple mode, executing /usr/bin/id > /dev/tty
 sizeof(shellcode)=95
 = Child process started..
 = Child process started.+ 2131
 uid=0(root) gid=0(root) groups=0(root)
 - 2131 ok!
 
 As non-root:
 
 Linux kmod + ptrace local root exploit by [EMAIL PROTECTED]
 
 = Simple mode, executing /usr/bin/id > /dev/tty
 sizeof(shellcode)=95
 = Child process started..
 = Child process started..
 = Child process started..
 = Child process started..
 = Child process started..
 = Child process started..
 = Child process started..
 = Child process started..
 = Child process started..
 = Child process started..
 = Child process started..
 
 
 Does this mean the patch I downloaded worked?

Yes.

- Jon





Re: PTRACE Fixed?

2003-03-22 Thread Jon
On Sat, 2003-03-22 at 04:43, Markus Kolb wrote:
 Jon wrote:
 
 [...]
 
 
 Linux kmod + ptrace local root exploit by [EMAIL PROTECTED]
 
 = Simple mode, executing /usr/bin/id > /dev/tty
 sizeof(shellcode)=95
 = Child process started..
 = Child process started..
 
 [...]
 
 Does this mean the patch I downloaded worked?
  
  
  Yes.
  
  - Jon
 
 Mmh, well, I have a non-patched 2.4.19 and so there should be the bug.
 I've tried the k3m, too.
 In my environment it first told me that my kernel is attackable.
 I ran k3m a 2nd and 3rd time and it has only reported the Child process 
 started... messages and produced child process zombies.


The exploit may need to start several child processes before one of
them obtains root privileges.  If your kernel is vulnerable, you should
get an ok! message after a few attempts (usually works the second or
third time on my 2.4.20-k7 machine).  

When run without arguments, the exploit just starts a process, checks
its privileges, then kills the processes.  I have not noticed any
zombie processes after running the exploit - even after running it
several times.  If you *do* want it to start some processes, there are
command-line options to do so.  


 What is that? Is k3m buggy? Very strange...
 

Works great on my machine... unfortunately.  ;)

- Jon







Re: howcome there's no DSA for the latest Linux ptrace hole?

2003-03-20 Thread Jon
On Thu, 2003-03-20 at 14:50, Tom Goulet (UID0) wrote:

 Are the Debian kernels vulnerable to this hole?
 

This post to BugTraq by Andrzej Szombierski (who found the problem)
includes a sample exploit for x86.  You can use it to see if you are
vulnerable. 

http://www.securityfocus.com/archive/1/315635

- Jon



Good Day - pls stop these mails

2002-07-04 Thread Jon Kent
Hi,

I've got more mails re this Spam mail than I've had 
actual spam in the last month (I use filters, maybe
some of the complainers should ??).  These mails had
nothing to do with the list and are also therefore
spam (in my book anyway).

As a previous mail said, spam happens, get used to it,
or stop using email.  I cannot believe the number of
mails I've deleted regarding this off-topic.

'nuff said

Jon





Re: secure file transfer

2002-06-05 Thread Jon McCain

 
 In proftpd.conf:
 
 RequireValidShell   off
 
 ;-)
 

I would be careful about doing that.  That might open ftp
access for accounts you don't want to have access.  Plus some
applications create special accounts without shells, like
mysql, inetd, etc.

mysql:x:103:102:MySQL Server:/var/lib/mysql:/bin/false

You don't want to sacrifice security for convenience.

   ___
  (@ @)
--oOo--(_)--oOo---
Jon McCain                  Email: [EMAIL PROTECTED]
Sr. Programmer              Voice: 912-355-3213
DavLong Business Solutions  Fax: 912-355-3575



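A quick check for the concern in the post above, added here as an example and not taken from the original mail: it lists every /etc/passwd account whose login shell is not in /etc/shells, which is exactly the set of accounts that proftpd's "RequireValidShell off" would newly allow to log in over FTP. The passwd and shells contents inside demo() are constructed sample data; accounts_without_valid_shell also accepts the real files.

```shell
#!/bin/sh
# Added example, not from the original post. Lists accounts whose login
# shell is absent from /etc/shells: the accounts "RequireValidShell off"
# would expose. The sample passwd/shells files in demo() are constructed;
# on a live box call: accounts_without_valid_shell /etc/passwd /etc/shells

accounts_without_valid_shell() {
    passwd=$1
    shells=$2
    # Load valid shells (skipping blank and comment lines), then print the
    # user name of every passwd entry whose 7th field is not one of them.
    awk -F: -v shells_file="$shells" '
        BEGIN {
            while ((getline line < shells_file) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                valid[line] = 1
            }
            close(shells_file)
        }
        NF >= 7 && !($7 in valid) { print $1 }
    ' "$passwd"
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample data: the mysql line mirrors the one in the post.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jon:x:1000:1000:Jon:/home/jon:/bin/bash
menuuser:x:1001:1001:Menu user:/home/menuuser:/usr/bin/menu
mysql:x:103:102:MySQL Server:/var/lib/mysql:/bin/false
inetd:x:104:104::/:/bin/false
ftpuser:x:1002:1002:FTP only:/home/ftpuser:/bin/rbash
EOF
    cat > "$dir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/rbash
EOF
    accounts_without_valid_shell "$dir/passwd" "$dir/shells" | paste -sd ' ' -
    rm -rf "$dir"
}

demo   # menuuser mysql inetd
```

Anything the function prints on a real server is an account that gains FTP login with RequireValidShell off unless it is also listed in /etc/ftpusers (proftpd honours that file when UseFtpUsers is on, its default) or denied by a Limit LOGIN block; a menu-script shell such as the /usr/bin/menu entry shows up here until it is added to /etc/shells, which is the trade-off the follow-up mails discuss.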


Re: secure file transfer

2002-06-04 Thread Jon McCain



 Renato Lozano wrote:
 
 Hi All,
 
 I am trying to implement a way of transferring files securely over the
 Internet using sftp which is part of the ssh2 protocol.  A down side
 of implementing this is that users logging on can browse the whole
 filesystem.  I have done some research and found a way to chroot users
 so they won't be able to browse the filesystem
 (http://chrootssh.sourceforge.net/).  Can someone please suggest if
 there are any other ways of implementing a secure file transfer
 without patching sshd ???
 
 Nato

I had the same concerns a few months back.  I wanted to use sftp but I
disliked the fact that they can see the whole filesystem although
debian's default permission on the important files prevents anyone from
changing them.  I did not want to patch ssh either.  It was so complex
and I wanted to keep to a standard ssh so as to keep up with the
security updates to ssh.   So I used vpn and ftp. The firewall is set to
block the ftp ports for anything from the internet.  Using vpn gives the
user a local ip and thus allows ftp to get through plus the traffic is
encrypted. Proftp lets you chroot the user to their home dir.

You can remove the sftp-server program to disable sftp but you can't
turn off the scp commands.  They are part of ssh.  So someone could
still use something like winscp and be able to browse everything.

You can break scp by making the user's shell a menu script (i.e.
/usr/bin/yourmenu instead of /usr/bin/bash) so they cannot get to a $
prompt.  You also have to define your menu script as a shell
(/etc/shell) so regular ftp will still work.
-- 
   ___
  (@ @)
--oOo--(_)--oOo---
Jon McCain                  Email: [EMAIL PROTECTED]
Sr. Programmer              Voice: 912-355-3213
DavLong Business Solutions  Fax: 912-355-3575







re: scp and ftp

2002-04-01 Thread Jon McCain

I'm not sure if this message made it through.  Our ISP was having
problems this morning.
Sorry if you get this message twice.


I think some of you misunderstood me.  I was not clear about my
concern.  Users can ssh into my machine but their profiles are fixed to
run a menu of things I allow them to do.  Thus they can't get to the $
prompt and thus can't cd to other directories to see what's there.  And
even if they did, permissions are set so they could not overwrite important
files.  I simply don't want them to be able to read stuff not in their
own home.  Files like /etc/passwd,/etc/shadow,etc. Anything with
information someone could use to locally exploit the machine.  But you
can use pscp from a windows machine and poke around and download files
from places other than your home directory.

If there is another email list that this is more appropriate for, let me
know.






Re: scp and sftp

2002-04-01 Thread Jon McCain

 
  The user can change to directories above their home.
  Is there a way to chroot them
 
 Use restricted bash shell for the user (/bin/rbash) in the
 /etc/passwd.
 

This does not seem to affect sshd.  I changed a user to use rbash but I
could still go to a windows machine and use the putty program pscp to
get a file from /etc.   

pscp [EMAIL PROTECTED]:/etc/passwd passwd.txt


Maybe it's simply just not a feature of openssh. I think I'll
investigate that chroot patch to sshd someone mentioned.  I think they
said it was for woody, but I'll see if it works with potato.






re: scp and sftp

2002-04-01 Thread Jon McCain

I think some of you misunderstood me.  I was not clear about my
concern.  Users can ssh into my machine but their profiles are fixed to
run a menu of things I allow them to do.  Thus they can't get to the $
prompt and thus can't cd to other directories to see what's there.  And
even if they did, permissions are set so they could not overwrite important
files.  I simply don't want them to be able to read stuff not in their
own home.  Files like /etc/passwd,/etc/shadow,etc. Anything with
information someone could use to locally exploit the machine.  But you
can use pscp from a windows machine and poke around and download files
from places other than your home directory.

If there is another email list that this is more appropriate for, let me
know.








re: scp and sftp

2002-04-01 Thread Jon McCain
All of this has gotten me to thinking about another flaw in the way I
have things set up.  I'm preventing users from getting to a $ by running
a menu from their profile.

exec /usr/bin/menu

This works fine since the exec causes menu to become their shell
process.

But some smart user could get around this by using pscp to upload their
own .bash_profile.  Even if I fix it so I have them chroot'd to their
home, that would not prevent this since this file is in their home.

But changing permissions on the .bash_profile so they don't own it (and
not in their group) should take care of that problem.  They can read it
all they want, just not change it.



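The ownership change proposed in the post above is worth testing before relying on it, so here is an added example (not part of the original mail) that exercises the case: whether a file can be removed and recreated is decided by write permission on the directory that holds it, not by the owner or mode of the file, and the user owns the home directory. A temporary directory stands in for the user's home and the snippet needs no root.

```shell
#!/bin/sh
# Added example, not from the original post. Shows that a .bash_profile the
# user cannot write can still be replaced (unlink + create, which is what an
# scp/pscp upload does) because the user can write to the directory holding it.
# A temp dir stands in for the user's home; no root needed.

replace_readonly_profile() {
    home=$(mktemp -d)
    profile="$home/.bash_profile"

    printf 'exec /usr/bin/menu\n' > "$profile"
    chmod 0444 "$profile"            # the admin's protection: not writable

    # In-place modification fails for a normal user (root ignores mode bits).
    if printf 'evil\n' >> "$profile" 2>/dev/null; then
        inplace=modified
    else
        inplace=blocked
    fi

    # Upload-style replacement: remove the old file, write a new one.
    # Only the directory permission matters here, and $home is ours.
    rm -f "$profile"
    printf 'exec /bin/bash -l\n' > "$profile"
    replaced=$(head -n 1 "$profile")

    rm -rf "$home"
    echo "$inplace:$replaced"
}

# Output ends with ":exec /bin/bash -l"; the first field is "blocked" when
# run as a normal user, showing that the read-only bit alone did not help.
replace_readonly_profile
```

The same holds when the file is root-owned instead of read-only: rm needs write permission on the directory, not on the file. A fix has to move the controlling file out of the user's writable space, for instance a root-owned, non-writable home directory with a user-owned upload subdirectory. On OpenSSH 4.9 and later the menu-shell approach is unnecessary for file-transfer-only accounts: a Match block with ChrootDirectory %h and ForceCommand internal-sftp in sshd_config confines such users without a patched sshd (the chroot directory must be root-owned and not writable by others, so uploads again go to a subdirectory), which is what the chrootssh patch mentioned earlier in the thread approximated.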


Re: scp and sftp

2002-04-01 Thread Jon McCain
Chris Reeves wrote:
 
 Why not change the users' shell to /usr/bin/menu?
 

Because they need to be able to transfer files to their home
directories.  If you do this, then ftp,pscp,etc won't work.  My original
goal was to allow them to transfer files to/from their home directory with
something besides ftp (since they are going over the internet) but not
allow them to change to directories above the home.  Proftp allowed me
to chroot them to the home but scp/sftp does not.

I can use vpn to let them safely use ftp over the internet.  That's the only
way they can use ftp since the firewall blocks ftp from the internet. 
But that still leaves the scp hole.





scp and sftp

2002-03-30 Thread Jon McCain

I've been playing around with the scp and sftp components of putty and
noticed what I consider a security hole.  Winscp does the same thing. 
The user can change to directories above their home.  Is there a way to
chroot them like you can in an ftp config file?  I don't see anything in
the sshd config files.  If you can't, how can I disable the scp
functionality?  I'm not talking about scp from the linux box.  The users
don't have shell access so that's not a problem.  I'm referring to
remote people using a scp client to access my linux machine.  You can
disable sftp ability by removing the sftp-server program but the scp
server part seems to be part of sshd.

I did not see anything about this issue on the openssh web site. 
Anybody got any suggestions?








Re: default security

2002-01-15 Thread Jon Kent

I'd agree with your comments.  I've been looking at
OpenBSD (for various reasons) and the default setup is
reasonably secure (there are still some things left on,
which surprised me).  Not sure if Debian needs to go
as far as OpenBSD but I think that it is a good
reference base

Jon
--- Tarjei [EMAIL PROTECTED] wrote:
 Debian being what it is, are there any reasons why the debian bind
 package should not be chrooted as the default installation?
 
 One thing that might be a good idea, would be a security review of the
 main debian packages. It's probably being done for some already, but I
 would guess a lot of debian packages could benefit from even stricter
 default setups. For example, maybe libsafe should be default in all
 installs.
 
 I know this would take some time to implement, but I think it would help
 the image of debian and linux over time. I'm often frustrated that the
 big distros (rh, mandrake) don't do more to harden their distros. For
 example the default install of ssh in RH still provides both ssh1 and
 ssh2 root login.

 Tarjei
 






RE: Layne (was: Re: Is ident secure?)

2001-09-01 Thread Jon Masters

On 31 Aug 2001 23:54:40 -0400, Ed Street wrote:

 If not is anyone up for a road trip? ;)

Sure :)

* jcm fires off another abuse report...

...or should that be I HAVE FIRED OFF ANOTHER ABUSE REPORT AND NOW I
CAN'T FIGURE OUT HOW TO TURN OFF CAPS LOCK ? :)

--jcm







[Fwd: Re: HARASS ME MORE.........]

2001-09-01 Thread Jon Masters

Hi,

I'm sure someone else can do much better with a bit of effort :)

--jcm




On 01 Sep 2001 16:26:29 +0200, [EMAIL PROTECTED] wrote:
 On Sat, Sep 01, 2001 at 07:13:06AM -0500, Bud Rogers wrote:
  I put him in a filter.  Every mail I receive from him gets forwarded back to 
  him and to postmaster and abuse at his ISP.  I don't think he'll be around 
  long.
 
 Could you tell me how to do that ?

Quickly hacked example:

:0
* ^From:.*[EMAIL PROTECTED]
{
  # keep a copy per month; backquotes are expanded in assignments
  LOGMONTH=`date +%b-%Y`
  :0 c:
  Abuse/Layne-Log-$LOGMONTH

  # copy to the abuse desk
  :0 c
  ! [EMAIL PROTECTED]

  # bounce it back to the sender; the X-Loop header and its check stop a mail loop
  :0
  * $ !^X-Loop: mail-loop@$YOURDOMAIN
  | formail -r -k -A"X-Loop: mail-loop@$YOURDOMAIN" \
        -A"From: \"$YOURNAME\" <$YOURADDRESS>" \
        -A"Subject: [ABUSE] Forwarded Message" \
    | $SENDMAIL -oi -t
}

I have not tested the above so it probably doesn't work...

--jcm






Re: [Fwd: Re: HARASS ME MORE.........]

2001-09-01 Thread Jon Masters
On 01 Sep 2001 16:32:50 +0100, Jon Masters wrote:

        -A"Subject: [ABUSE] Forwarded Message" \
    | $SENDMAIL -oi -t

Should have a:

        -A"Cc: [EMAIL PROTECTED]" \

in there, thus:

:0
* ^From:.*[EMAIL PROTECTED]
{
  # keep a copy per month; backquotes are expanded in assignments
  LOGMONTH=`date +%b-%Y`
  :0 c:
  Abuse/Layne-Log-$LOGMONTH

  # copy to the abuse desk
  :0 c
  ! [EMAIL PROTECTED]

  # bounce it back to the sender; the X-Loop header and its check stop a mail loop
  :0
  * $ !^X-Loop: mail-loop@$YOURDOMAIN
  | formail -r -k -A"X-Loop: mail-loop@$YOURDOMAIN" \
        -A"From: \"$YOURNAME\" <$YOURADDRESS>" \
        -A"Subject: [ABUSE] Forwarded Message" \
        -A"Cc: [EMAIL PROTECTED]" \
    | $SENDMAIL -oi -t
}

Take out the middle rule if you think it's excessive :)

--jcm




Re: red worm amusement

2001-07-21 Thread Jon Nelson
 Wichert Akkerman was said to been seen saying:
...
  we glad we all run Linux? :)
...
   Scratch another win for Linux...

What you mean to say is:  Aren't we all glad we don't run IIS because
1) this has nothing to do with Linux.  Last I heard, *BSD, Solaris, etc..
weren't vulnerable to this.

2) Apache, Boa, thttpd, and others each deal with this differently.
   What way is the *correct* way?


-- 
Pound for pound, the amoeba is the most vicious animal on earth.

Jon Nelson
[EMAIL PROTECTED]




Re: Kernel 2.4 SOS

2001-06-13 Thread Jon McCain



Craig wrote:
 
 Goodday ladies and fellas
 
 I have potato installed on a box that will be a proxy and firewall. I needed
 to have the facility of port forwarding so i was told to install kernel 2.4.
 

Does kernel 2.4 have some special feature of port forwarding that the
2.2.x kernels don't have?  I don't see why mess with 2.4 at all when
kernel 2.2.17 (potato rev0) or higher will handle port forwarding just
fine.  And by just using potato, you can keep up with the security
updates easier.




logging request

2001-06-01 Thread Jon Miller

After setting up the IPChains policies and rules, I want to be able to have a log file 
of any DENY packets sent to me.  We use GroupWise as an email package.  I also want 
those log files to exist on another Debian server that sits behind the firewall.

TIA

Jon L. Miller, MCNE
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au
PH: +61 8 9242 8600
FX: +61 8 9242 8611
I don't know the key to success, but the key to failure
 is trying to please everybody. -Bill Cosby



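An added example for the request above, not from the original mail. ipchains logs a packet when the matching rule carries the -l flag (for instance "ipchains -A input -j DENY -l" as the last input rule), and the kernel writes one "Packet log:" record per match to syslog. Getting those records onto a second Debian box is a syslog job rather than an ipchains one: "kern.* @loghost" in /etc/syslog.conf on the firewall and syslogd started with -r on the receiver, with UDP 514 from the firewall allowed in the receiver's own rules. The function below summarises DENY records from such a log by chain, source address and destination port; the log lines in demo() are constructed samples in the ipchains log format, and the setup lines in the comments are assumptions rather than the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises ipchains DENY log
# lines (kernel "Packet log:" records, produced by rules carrying -l) by
# chain, source address and destination port. The sample lines in demo()
# are constructed; point summarize_denies at /var/log/kern.log or at the
# file the remote syslogd writes for real data.
#
# Assumed firewall-side setup (not from the original post):
#   ipchains -A input -j DENY -l      # log what the catch-all rule denies
#   kern.*   @loghost                 # /etc/syslog.conf: ship kernel messages
# Assumed log-host setup: syslogd -r, to accept remote messages on UDP 514.

summarize_denies() {
    # Fields after "Packet log:" are: chain target iface PROTO=n src:sport dst:dport ...
    awk '
        /Packet log:/ {
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            chain = $(i+1); target = $(i+2)
            if (target != "DENY" && target != "REJECT") next
            proto = $(i+4); sub(/^PROTO=/, "", proto)
            split($(i+5), src, ":")
            split($(i+6), dst, ":")
            key = chain " " src[1] " -> port " dst[2] "/" proto
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample log: a telnet scan, a NetBIOS probe, one accepted ssh.
    cat > "$dir/kern.log" <<'EOF'
Jun  1 09:12:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4021 198.51.100.2:23 L=60 S=0x00 I=31337 F=0x4000 T=48 SYN (#1)
Jun  1 09:12:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4022 198.51.100.2:23 L=60 S=0x00 I=31338 F=0x4000 T=48 SYN (#1)
Jun  1 09:12:05 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.44:1234 198.51.100.2:137 L=78 S=0x00 I=1024 F=0x0000 T=115 (#1)
Jun  1 09:12:07 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.7:40000 198.51.100.2:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Jun  1 09:12:09 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4023 198.51.100.2:23 L=60 S=0x00 I=31339 F=0x4000 T=48 SYN (#1)
EOF
    summarize_denies "$dir/kern.log"
    rm -rf "$dir"
}

demo
# 3 input 203.0.113.9 -> port 23/6
# 1 input 203.0.113.44 -> port 137/17
```

Run it on the log host rather than the firewall so the summary survives if the firewall itself is compromised; that, plus the receiver sitting behind the firewall where only the firewall can reach UDP 514, is the point of keeping the copy on a second machine.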


Re: root fs/crypted

2001-05-30 Thread Jon Leonard

On Wed, May 30, 2001 at 10:46:19AM +0200, Jan Niehusmann wrote:
 On Wed, May 30, 2001 at 01:08:21AM -0700, [EMAIL PROTECTED] wrote:
  Couldn't you say something like I'm so sorry, I can't remember the pass
  phrase, my mind has failed me...etc?
 
 What about a more provable approach: 
 
 The passphrase could be changed automatically on every system
 boot, and the new passphrase could be written to a floppy disk
 on a clean shutdown (which, of course, is only possible with
 the root password).
 
 So if the police takes the computer and doesn't do the clean
 shutdown (how could they?), you can tell them: Sorry folks,
 you just destroyed the possibility to get any data from that computer...
 
 This, of course, means that you lose your data if the computer 
 crashes. 

This is likely solving the wrong problem: your security is almost never
limited by cryptographic strength, but rather by human factors or other
non-cryptographic weaknesses.

However, there is a known answer to this particular threat model.
You want UNprovable security, with a duress filesystem.

Set up a cryptographic filesystem where some blocks are filled with encrypted
data, and some are filled with garbage.  There are various keys that identify
which parts of the disk are in which filesystem and how to read
them.  To use some of the files, you supply just the keys you need, and leave
most of the disk as untouched garbage.

If someone demands that you decrypt your disk, all you can do is provide them
some of the keys, which reveals some of the disk contents, but leaves a lot
of suspicious garbage left.  But since you always have some real garbage
left on the disk, you can't prove that you've told them everything, even
if you wanted to.  (This lets you conceal a key or two, since it would
look like you had anyway.)

Don't do this unless your data is quite valuable:  The rational police
response is to apply as much pressure as would coerce the most stubborn
suspect, so expect to spend several years in jail for contempt of court
(or your local equivalent) should you get raided with such a thing.

I'm not aware of any actual implementations, unfortunately.

The usual reference for this sort of thing is the cypherpunks list.

Jon Leonard



Re: Editing and storing encrypted files

2000-09-06 Thread Jon Leonard
On Wed, Sep 06, 2000 at 10:22:44PM +0200, Wouter Hanegraaff wrote:
 Hi,
 
 I have some files that I would like to store encrypted. Of course I can
 just type them in, encrypt them using gpg and delete the original, but
 that seems to be a bit of a kludge. It would mean the file is at some
 time readable unencrypted (after saving in the editor), and forgetting
 to turn off the backup file option in the editor when changing the file.
 
 There must be better solutions, but I can't seem to find them. What I
 would like to have is an editor that has built-in encryption or gpg
 integration, and the option not to store any non-encrypted data on disk
 or on the clipboard.
 
 Is something like this available?

There are several possibilities.  A great deal depends on your threat model:
What are you trying to protect against?

It sounds like you're worried about someone searching your raw disk and
recovering data.  For that, you probably want to encrypt entire partitions,
and also make sure swap and /tmp are protected.  There's good discussion and
several possibilities listed in the Encryption-HOWTO:
(http://fachschaft.physik.uni-bielefeld.de/leute/marc/Encryption-HOWTO/Encryption-HOWTO.html)

I personally would be tempted to use Matt Blaze's CFS
(ftp://research.att.com/dist/mab/cfs.announce), but I actually store all of my
sensitive files on a separate secured machine.  (no network daemons, etc.)

If you have more extreme secrecy needs, you might want to look into duress
filesystems or steganographic file storage.  Those are only really useful if
you might need to plausibly deny that you had the encrypted files at all.
I'm also not aware of any available implementations.

Jon Leonard