Re: Re[2]: phpBB vulnerability exploited

2004-12-13 Thread Henrique de Moraes Holschuh
On Mon, 13 Dec 2004, Marek Podmaka wrote:
   Yes, I have been doing the same with /tmp, but some debian packages
   won't install on noexec /tmp. But there are other directories on my
   system which are world writable - for example /var/tmp and
   /var/lock.

If you can make /tmp noexec, you can also make /var/tmp and /var/lock
noexec.

File wishlist bugs against packages that run stuff in /tmp, and request that the
maintainer not close it but rather mark it wontfix if he doesn't want to
fix the bug (so that we can find which packages do not support noexec /tmp).
Use a consistent subject for this (e.g.:  foo: does not support noexec
/tmp)

   Can entire /var be mounted noexec?

No. It will break all chroots, and also dpkg.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
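The two replies above (mount /tmp, /var/tmp and /var/lock with noexec,nosuid,nodev; /var as a whole cannot be) boil down to a check any admin can script. The following is an added example for this thread, not code posted by any of its participants: it audits those mount options for the directories the thread names, reading a /proc/self/mounts-style listing so it also runs against a saved copy, and it flags directories that are not a mount point of their own, since those inherit the parent filesystem's options (/var/lock under a plain /var, for instance) and cannot be hardened separately without their own filesystem or a bind mount. The sample mount table is constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any of its participants):
# audit the hardening options discussed above (noexec, nosuid, nodev) for the
# world-writable directories the thread names.  Input is a listing in
# /proc/self/mounts format, so a saved copy works as well as the live host.

# Constructed sample in /proc/self/mounts format
# (device mountpoint fstype options dump pass); not a real host's table.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda5 /var ext3 rw 0 0
/dev/sda6 /var/tmp ext3 rw,nosuid,nodev 0 0
/dev/sda2 /usr ext3 ro 0 0
/dev/sda3 /boot ext3 ro 0 0'

# Directories the thread singles out as world writable, and what they should carry.
CHECK_DIRS="/tmp /var/tmp /var/lock"
WANT_OPTS="noexec nosuid nodev"

# mount_opts <listing> <mountpoint>: the option string of the mount whose
# mountpoint is exactly <mountpoint>; prints nothing if it is not its own mount.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt <listing> <mountpoint> <option>: true when the option is set.
has_opt() {
    case ",$(mount_opts "$1" "$2")," in
        *,"$3",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts <listing> <mountpoint>: the hardening options that are not set,
# space separated; empty when all are set; "not-a-mount" when the directory
# has no mount entry of its own (it then inherits the parent's options).
missing_opts() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not-a-mount"
        return 0
    fi
    missing=""
    for o in $WANT_OPTS; do
        has_opt "$1" "$2" "$o" || missing="$missing $o"
    done
    echo "${missing# }"
}

# audit <listing>: one report line per directory in CHECK_DIRS.
audit() {
    for d in $CHECK_DIRS; do
        m=$(missing_opts "$1" "$d")
        case "$m" in
            "")          printf '%-10s ok\n' "$d" ;;
            not-a-mount) printf '%-10s not a separate mount (inherits parent options)\n' "$d" ;;
            *)           printf '%-10s missing: %s\n' "$d" "$m" ;;
        esac
    done
}

# Run against the constructed sample.  For the live host use:
#   audit "$(cat /proc/self/mounts)"
audit "$SAMPLE_MOUNTS"
```

One caveat worth keeping in mind when reading the report: noexec stops execve of a file on that mount (a downloaded binary run as ./prog, the case the thread describes), but not `sh /tmp/script` or `perl /tmp/x.pl`, because there the interpreter is what gets executed and it lives on an exec filesystem.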



Re: phpBB vulnerability exploited

2004-12-13 Thread Boris Pavlov
better look at your php4 settings: 

Limit with php opendir. Make another tmp directory and set the php temp dir 
with all the permissions you want. Limit the system function if you don't need 
it. They are per-vhost apache settings; check the manuals. 

wwell edi 

Fraser Campbell writes: 

On Sunday 12 December 2004 17:46, Marek Podmaka wrote:
  I don't want to give hints on how to exploit this, but the attacker
  did wget the .tgz file, unpacked it in /tmp and run the program. 

  So update all your phpBB installations ASAP (and of course all
  installations of your customers).
On a somewhat related note ... 

I have the habit of mounting /tmp with noexec,nosuid,nodev.  I also mount /usr 
and /boot ro.  These minor changes can prevent common automated attacks 
(probably the one you encountered) and don't cause any problems. 

--
Fraser Campbell [EMAIL PROTECTED] http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux 




Re: phpBB vulnerability exploited

2004-12-13 Thread Fraser Campbell
On Monday 13 December 2004 03:31, Marek Podmaka wrote:

   Yes, I have been doing the same with /tmp, but some debian packages
   won't install on noexec /tmp. But there are other directories on my
   system which are world writable - for example /var/tmp and
   /var/lock.

If you've configured apt to preconfigure packages (at least I think that's the 
case) then apt will extract some stuff to /tmp and execute it from there.

The solution I use is to temporarily remount partitions with necessary 
permissions during apt's run.  I do this automatically with the following 
commands in apt's config files:

  // Before dpkg runs: reopen what package installation needs.
  // apt.conf values must be quoted strings.
  DPkg::Pre-Install-Pkgs {"mount -o remount,rw /boot";};
  DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
  DPkg::Pre-Install-Pkgs {"mount -o remount,rw /usr";};
  // After dpkg finishes: a bare remount restores the options from /etc/fstab.
  DPkg::Post-Invoke {"mount -o remount /boot";};
  DPkg::Post-Invoke {"mount -o remount /tmp";};
  DPkg::Post-Invoke {"mount -o remount /usr";};

I'd think you can get away with linking /var/tmp to /tmp but /var/lock might 
be tricky to get around.

   Can entire /var be mounted noexec?

In my case I doubt it since much of postfix lives there.  It might be possible 
in certain cases though I'm not sure.

-- 
Fraser Campbell [EMAIL PROTECTED] http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: phpBB vulnerability exploited

2004-12-13 Thread Francesco P. Lovergine
On Mon, Dec 13, 2004 at 01:44:41PM +0200, Boris Pavlov wrote:
 
 limit with php opendir. make another tmp directory, and set php temp dir, 
 with all permissions you want. limit the system function, if you don't need 
 it. they are a per-vhost apache settings, check the manuals. 
 

I run apache using dchroot to avoid the most common problems.
Breaking a chroot is possible, but not so easy, and it's more 
difficult within dchroot, which _should_ drop privileges properly AFAIK.
I do that commonly for hosting services where users can run their own
php and cgi scripts. That cannot prevent shell services from being created, surely,
but it does prevent password cracking, use of cron, access to kernel modules
and log files, and so on.

-- 
Francesco P. Lovergine





bandwidth accounting

2004-12-13 Thread Simon Buchanan
Hi there, I'm wondering if someone can point me in the right 
direction. We want to account bandwidth usage per IP in our 
rack. Is this possible, and if so, any good ideas?

Simon


Re: bandwidth accounting

2004-12-13 Thread martin f krafft
Thus spoke Simon Buchanan [EMAIL PROTECTED] [2004.12.13.2110 +0100]:
 Hi there, I'm wondering if someone can point me in the right 
 direction. We want to account bandwidth usage per IP in our 
 rack. Is this possible, and if so, any good ideas?

read the archives.
check out ipac.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: bandwidth accounting

2004-12-13 Thread Michelle Konzack
On 2004-12-14 09:10:18, Simon Buchanan wrote:
 Hi there, I'm wondering if someone can point me in the right 
 direction. We want to account bandwidth usage per IP in our 
 rack. Is this possible, and if so, any good ideas?

apt-get install ipac-ng

 Simon

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France   IRC #Debian (irc.icq.com)


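Both replies point at ipac/ipac-ng. What such tools build on is plain iptables counters, and it is worth seeing the mechanism once. The following is an added example for this thread, not code from any of its participants or from ipac-ng: the rules that give every rack address a counting-only rule in each direction, and a parser for `iptables -nvx -L` output that turns the counters into a per-IP table. The addresses, the chain name and the counter listing are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from any of its participants or
# from ipac-ng): per-IP byte accounting with plain iptables counters.

# acct_rules <chain> <ip...>: print the iptables commands that create a
# dedicated chain, hook it into FORWARD (traffic routed through this box
# for the rack), and add one target-less rule per address and direction.
# A rule without -j only counts; packets continue to the next rule.
acct_rules() {
    chain=$1; shift
    echo "iptables -N $chain"
    echo "iptables -I FORWARD -j $chain"
    for ip; do
        echo "iptables -A $chain -s $ip"    # bytes sent by the address
        echo "iptables -A $chain -d $ip"    # bytes received by the address
    done
}

# Constructed output of `iptables -nvx -L ACCT` (-x for exact byte counts,
# -n to avoid name lookups).  Not a real capture.
SAMPLE_COUNTERS='Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1500000            all  --  *      *       192.0.2.10           0.0.0.0/0
    3400   42000000            all  --  *      *       0.0.0.0/0            192.0.2.10
      10       1000            all  --  *      *       192.0.2.11           0.0.0.0/0
       0          0            all  --  *      *       0.0.0.0/0            192.0.2.11'

# parse_counters <listing>: print "ip sent_bytes received_bytes", one line
# per address, in order of first appearance.
parse_counters() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }        # chain header and column header
        NF < 8  { next }        # ignore blank or truncated lines
        {
            # Target-less rules have 8 columns:
            # pkts bytes prot opt in out source destination
            bytes = $2; src = $7; dst = $8
            if (src != "0.0.0.0/0") { ip = src; sent[ip] += bytes }
            else                    { ip = dst; recv[ip] += bytes }
            if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %d\n", order[i], sent[order[i]] + 0, recv[order[i]] + 0
        }'
}

# total_bytes <listing> <ip>: sent plus received for one address.
total_bytes() {
    parse_counters "$1" | awk -v ip="$2" '$1 == ip { print $2 + $3 }'
}

# Show the rules for two assumed rack addresses, then the parsed sample.
acct_rules ACCT 192.0.2.10 192.0.2.11
echo
parse_counters "$SAMPLE_COUNTERS"
```

The counters live in the kernel only: they are lost on a rule flush or reboot, so a cron job has to read them (`iptables -nvx -L ACCT`) and store the totals, zeroing them afterwards with `iptables -Z ACCT` so nothing is counted twice; that periodic read-and-store is the part ipac-ng does for you. For the box's own traffic, hook the same chain into INPUT and OUTPUT as well, since FORWARD only sees what is routed through.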


postgrey 1.17rc2 Debian packages

2004-12-13 Thread Adrian von Bidder
Hi,

postgrey 1.17rc2 Debian packages are now available at 
http://fortytwo.ch/debian/postgrey

(the 1.17~rc2 version number allows a seamless upgrade to the release 1.17 
in Debian.  Just don't worry about it.)

Posting this to the debian-isp mailing list because there was recent 
discussion about greylisting:  this release features the automatic 
whitelisting of a sending mailserver after a certain number of emails have 
come through the greylisting (option: --auto-whitelist-clients.)

(The package should be usable, but the logcheck files have not yet been 
updated.  Also, since this is not uploaded: please report bugs in the 
Debian packaging directly to me by email; problems with the postgrey 
program as such, especially the --auto-whitelist-clients function, to the 
postgrey mailing list.)


greetings
-- vbi


-- 
Beware of the FUD - know your enemies. This week
* Patent Law, and how it is currently abused. *
http://fortytwo.ch/opinion




Re[2]: phpBB vulnerability exploited

2004-12-13 Thread Marek Podmaka
Hello Fraser,

  Yes, I have been doing the same with /tmp, but some debian packages
  won't install on noexec /tmp. But there are other directories on my
  system which are world writable - for example /var/tmp and
  /var/lock.

  Can entire /var be mounted noexec?

Monday, December 13, 2004, 4:17:19, you wrote:

FC I have the habit of mount /tmp with noexec,nosuid,nodev.  I also mount /usr
FC and /boot ro.  These minor changes can prevent common automated attacks 
FC (probably the one you encountered) and don't cause any problems.

-- 
  bYE, Marki




New SSL Certificates for Postfix Courier-imap

2004-12-13 Thread W . Andrew Loe III
I am trying to figure out how to re-build my SSL certificates for 
postfix and courier-imap. Right now my certificate for postfix has some 
errors on it (wrong CN), but I am able to download it and set it to be 
accepted by OS X (ends pop-ups in Mail.app). My courier-imap 
certificate does not work in OS X, I've tried using mkimapdcert in 
/usr/sbin/ but it is not generating certificates that are compatible 
with OS X. Suggestions on how I can use OpenSSL to generate 
certificates for both?

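The question above has no answer in this batch, but the OpenSSL part of it is mechanical. The following is an added example, not code from the poster, postfix or courier-imap: it generates one self-signed certificate whose CN is the name the clients connect to (the mismatch the poster reports for the postfix certificate), checks the CN before anything is installed, and lays the files out the way each server reads them. Hostname, validity and the scratch directory are assumptions; the parameter names are postfix's (smtpd_tls_cert_file, smtpd_tls_key_file) and courier-imap's (TLS_CERTFILE in imapd-ssl, which expects key and certificate in a single file, /etc/courier/imapd.pem by default).

```shell
#!/bin/sh
# Added example (not code from the poster, postfix or courier-imap):
# one self-signed certificate with the right CN, laid out for both daemons.

HOST=${HOST:-mail.example.org}   # assumption: the name users type into Mail.app
DAYS=${DAYS:-365}                # assumption: validity period

# make_cert <dir> <hostname>: RSA key plus self-signed certificate with
# CN=<hostname>; the key is unencrypted so the daemons start unattended.
make_cert() {
    mkdir -p "$1"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$DAYS" \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    chmod 600 "$1/key.pem"
}

# cert_cn <certfile>: the subject CN, to check the result before installing.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# courier_pem <dir>: courier-imap reads key and certificate from ONE file
# (TLS_CERTFILE in imapd-ssl, /etc/courier/imapd.pem by default).
courier_pem() {
    cat "$1/key.pem" "$1/cert.pem" > "$1/imapd.pem"
    chmod 600 "$1/imapd.pem"
}

# postfix_conf <dir>: postfix takes the two files separately; these are the
# main.cf lines to add (paths assumed, under the scratch directory here).
postfix_conf() {
    printf 'smtpd_tls_cert_file = %s/cert.pem\n' "$1"
    printf 'smtpd_tls_key_file = %s/key.pem\n' "$1"
}

# demo: build into a temporary directory and show what would be installed.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    dir=$(mktemp -d)
    make_cert "$dir" "$HOST"
    echo "CN:      $(cert_cn "$dir/cert.pem")"
    courier_pem "$dir"
    echo "courier: TLS_CERTFILE=$dir/imapd.pem"
    postfix_conf "$dir"
}
demo
```

Whether Mail.app then accepts the certificate without prompting is a trust question on the client side (the poster already imports the postfix one there); what this script guarantees is only that the CN matches the hostname and that each daemon gets the file layout it expects.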