Re: Secure wu-ftpd for Testing?

2001-11-30 Thread Christian Kurz

On 30/11/01, David Ehle wrote:
 Is the wu-ftpd in testing secure? It seems 2.6.1 is a stinker.

Not so far. But calling software where the source and the fix are
available, so that you can build a fixed version on your own, a
stinker is inappropriate. Especially if you are using Win98 and
Netscape, both closed-source products, for mailing. Do you also mail
both companies, calling their software a stinker and asking them
directly for fixed versions?

Christian
-- 
   Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853





Re: VI wrapper for SUDO?

2001-11-30 Thread Christoph Ulrich Scholler

hi,

maybe I misunderstand the intention here, but isn't it pointless to
restrict privileges of the editing process of /etc/aliases if you could
just as well change root's alias to a program that's run whenever root
receives email and, e.g., puts one's most favourite /etc/passwd in
place of the original?

regards,

uLI

On Thu, Nov 29, 2001 at 02:45:08PM -0800 or thereabouts, William R Ward wrote:
 A lazy sysadmin, not thinking through the ramifications, might put
 things like /usr/bin/vi /etc/aliases in the sudoers file, thinking
 that it limits access.  But of course, vi has the :e command...
 
 Is there any kind of wrapper that can be used to allow sudo to grant
 editing access to only one file?  I am thinking of something similar
 to vipw or visudo, but with security in mind; following this basic
 algorithm:
 
 1. Using user privileges, Copy the desired file to a temp file owned
by the real user.
 2. Using user privileges, Edit the temp file.
 3. Using root privileges, copy the temp file to the final location.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: VI wrapper for SUDO?

2001-11-30 Thread Joshua Goodall

That is a fair point but addressable with post-editing checks
in the wrapper. Of course, one is exceedingly vulnerable to
race conditions if one is not very careful about what is read and
when.

You don't have to use vi; there are dumber editors in the world.

Maybe you should just have some programmatic (i.e. commandline,
not full-screen) editing program for aliases that's callable from sudo.

However the whole idea fills me with worry; /etc/aliases IS quite a critical
file and I'm certain that specific attacks could be engineered
against you if write access was obtained.

Why not just have users make their changes and mail a diff to
the sysadmin for approval :)

J

p.s. failing that, investigate LIDS; but that's a different ball game.

On Fri, Nov 30, 2001 at 12:23:14PM +0100, Christoph Ulrich Scholler wrote:
 hi,
 
 maybe i misunderstand the intention here, but isn't it pointless to
 restrict privileges of the editing process of /etc/aliases if you could
 just as well change root's alias to a program that's run whenever root
 receives email and, e. g., puts one's most favourite /etc/passwd in
 place of the original?
 
 regards,
 
 uLI
 
 On Thu, Nov 29, 2001 at 02:45:08PM -0800 or thereabouts, William R Ward wrote:
  A lazy sysadmin, not thinking through the ramifications, might put
  things like /usr/bin/vi /etc/aliases in the sudoers file, thinking
  that it limits access.  But of course, vi has the :e command...
  
  Is there any kind of wrapper that can be used to allow sudo to grant
  editing access to only one file?  I am thinking of something similar
  to vipw or visudo, but with security in mind; following this basic
  algorithm:
  
  1. Using user privileges, Copy the desired file to a temp file owned
 by the real user.
  2. Using user privileges, Edit the temp file.
  3. Using root privileges, copy the temp file to the final location.
 
 
 






SSH1 CRC-32 bug?

2001-11-30 Thread Giacomo Mulas

Hello, just to be sure about this. Sorry to beat a dead horse, but
has the infamous CRC-32 compensation bug been fixed in the ssh package in
sid? I am being bugged about Debian being vulnerable to this attack, and
I would like to know for sure. Of course, tools like nessus just check
daemon version numbers, and report non-existent vulnerabilities, and right
now I haven't got access to a ready tool to try and break the one
installed on my system.

If I _am_ vulnerable, I would like to know that ASAP, to shut down the
service immediately. On the other hand, if I am not, I would like to be
able to tell the overzealous sysadmin of my ISP that I am not vulnerable
and please stop bugging me...

Thanks in advance
Giacomo Mulas

-- 
_

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

When the storms are raging around you, stay right where you are
 (Freddy Mercury)
_







Re: home directory permission

2001-11-30 Thread Rishi L Khan

How are you creating a new user directory? Are you mkdir'ing directly or
using a program like useradd? If you are mkdir'ing, change your umask (be
aware, this changes the umask of ALL of your newly created files). If
you are using useradd, look into the -D option. If you are using some
other method, look into the manpages for that method and see how to change
the defaults. If you explain how you are creating user accounts, I'm sure
someone on the list can tell you how to change the defaults. Also, you
could write a small shell script to create the user home directory given
the username and group.

-rishi

On Fri, 30 Nov 2001, teste teste1 wrote:


 Hi all,


 How do I modify the permissions when creating a new user? I
 do not want to change the permissions every time I
 add a new user.


 Default permissions:
 drwxr-sr-x  2 teste2 teste2  teste2

 Best security permissions:
 drwx------  2 teste  teste   teste



 Thanks,
 Ricardson

 
___
 Yahoo! GeoCities
 Have your place on the Web. Build your home page today on Yahoo! GeoCities. It's
easy and free!
 http://br.geocities.yahoo.com/









Re: VI wrapper for SUDO? - aliases

2001-11-30 Thread Alvin Oga



hi joshua...

/etc/aliases... what can we do with it...

i don't know if this was bill's original intent or not

but let's see what (regular) people can do with /etc/aliases

/etc/aliases
# a "|command" target runs the command with the mailer's privileges;
# mailing the alias sends /etc/passwd out of the box
badthing:   "|mail -s 'send me the passwd' [EMAIL PROTECTED] < /etc/passwd"

but since the persons allowed to edit the /etc/aliases file are internal
anyway .. don't think we have to worry about that kind of stuff

if the company is 500 people with people leaving and coming onboard
and if there are jr admins... let them add/delete the people
from all or sales or engineering or managers etc...
- in this case ..the sudo wrapper/editor script is good

and the script can also propagate the /etc/aliases file to
each machine that needs to have the aliases file kept current

root@Slaves # sucpaliases -scp
where it does ( and only if it's out-of-date )
 scp MasterCopy:/etc/aliases /etc ; newaliases 

the wrapper script can also do the diff and/or run newaliases
depending on your level of paranoia of the ones allowed to run
this sudo alias script
- nothing happens till *you* run newaliases... which I would
do myself if I was responsible... but I'd do a diff between
the new one and the previously tested/good version

have fun linuxing
alvin


On Fri, 30 Nov 2001, Joshua Goodall wrote:

 That is a fair point but addressable with post-editing checks
 in the wrapper. Of course, one is exceedingly vulnerable to
 race conditions if one is not very careful about what is read and
 when.
 
 You don't have to use vi; there are dumber editors in the world.
 
 Maybe you should just have some programmatic (i.e. commandline,
 not full-screen) editing program for aliases that's callable from sudo.
 
 However the whole idea fills me with worry; /etc/aliases IS quite a critical
 file and I'm certain that specific attacks could be engineered
 against you if write access was obtained.
 
 Why not just have users make their changes and mail a diff to
 the sysadmin for approval :)
 
 J
 
 p.s. failing that, investigate LIDS; but that's a different ball game.
 


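Putting Bill's three steps together with the post-editing checks Joshua asks for and the diff/newaliases step Alvin describes, here is a wrapper as an added example (not code from anyone in the thread). The install path, the sudoers lines and the edit/check subcommands are assumptions made for the illustration. The checks reject exactly the alias forms uLI's objection depends on (a target that pipes to a program, writes a file, or pulls in an :include: file). The race Joshua warns about is closed by reading the user-owned temp file with the user's privileges into a root-only directory and then validating and installing that snapshot, so the file root checks is the file root installs; the editor itself runs as the user, so vi's :e and :! only ever have the user's rights.

```shell
#!/bin/sh
# sudoedit-aliases: let a sudoer edit exactly one file, /etc/aliases.
# Added example, not code from anyone in the thread.  Assumed (hypothetical)
# install path and sudoers lines:
#   %mailadmins ALL = (root) /usr/local/sbin/sudoedit-aliases edit
#   %mailadmins ALL = (root) /usr/local/sbin/sudoedit-aliases check *
set -eu

ALIASES=${ALIASES:-/etc/aliases}

# validate_aliases FILE
# Accept only aliases that deliver to local users or mail addresses.  Reject
# "|command", "/path" and ":include:/path" targets: those let whoever edits
# the file run a program or write a file with the mailer's privileges.
# Returns 0 if every line is acceptable, 1 (message on stderr) otherwise.
validate_aliases() {
    file=$1
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '' | '#'*)    continue ;;                 # blank or comment
            [[:space:]]*) targets=$line ;;            # continuation line
            *:*)          targets=${line#*:} ;;       # "name: target, target"
            *) echo "$file:$lineno: not an alias line" >&2; return 1 ;;
        esac
        old_ifs=$IFS; IFS=,
        set -- $targets                               # split the target list
        IFS=$old_ifs
        for t in "$@"; do
            t=${t#"${t%%[![:space:]]*}"}              # strip leading blanks
            t=${t%"${t##*[![:space:]]}"}              # strip trailing blanks
            [ -n "$t" ] || continue
            case $t in \"*\") t=${t#\"}; t=${t%\"} ;; esac   # unquote "target"
            case $t in
                \|*)        echo "$file:$lineno: pipe to a program rejected: $t" >&2; return 1 ;;
                /*)         echo "$file:$lineno: delivery to a file rejected: $t" >&2; return 1 ;;
                :include:*) echo "$file:$lineno: :include: file rejected: $t" >&2; return 1 ;;
                *[!A-Za-z0-9._@+-]*)
                            echo "$file:$lineno: unexpected character in target: $t" >&2; return 1 ;;
            esac
        done
    done < "$file"
    return 0
}

# edit_aliases: the three steps from the thread, run as root under sudo.
edit_aliases() {
    user=${SUDO_USER:?run this through sudo}
    # Step 1 (user privileges): a copy the real user owns.  cp runs as the
    # user, so a swapped-in symlink can only clobber files the user may write.
    tmp=$(sudo -u "$user" mktemp /tmp/aliases.XXXXXX)
    sudo -u "$user" cp "$ALIASES" "$tmp"
    # Step 2 (user privileges): :e, :r and :! inside vi run as the user.
    sudo -u "$user" "${EDITOR:-vi}" "$tmp"
    # Step 3 (root): snapshot once into a root-only directory next to the
    # target.  The read runs as the user, so neither a symlink nor a later
    # rewrite of $tmp can make root read something the user could not; the
    # snapshot is what gets checked and installed, closing the race.
    work=$(mktemp -d "$(dirname "$ALIASES")/.aliases.XXXXXX")
    sudo -u "$user" cat "$tmp" > "$work/aliases.new"
    rm -f "$tmp"
    if ! validate_aliases "$work/aliases.new"; then
        rm -rf "$work"
        echo "sudoedit-aliases: $ALIASES left unchanged" >&2
        return 1
    fi
    diff -u "$ALIASES" "$work/aliases.new" || true    # show what changed
    chmod 0644 "$work/aliases.new"
    mv "$work/aliases.new" "$ALIASES"                 # same fs: atomic replace
    rmdir "$work"
    newaliases
}

case ${1:-} in
    edit)  edit_aliases ;;
    check) validate_aliases "${2:?file argument required}" ;;
esac
```

The check subcommand is there so a proposed aliases file can be vetted (or mailed as a diff for approval, as Joshua suggests) without any editing session at all; set ALIASES in the environment to point the wrapper at a different file on hosts that keep it elsewhere.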




RE: whats up?

2001-11-30 Thread Florent Alleau


Hello,

I didn't put the original message in the body, but that guy just took my
identity!! The original spam seems to come from Germany and I don't
have any AOL account!!

Florent

 






What this means in my logs?

2001-11-30 Thread Petre Daniel

Heya, I got those lines often lately.. Can anyone explain to me every
little part of it?
If you can drop a URL link too, it would be great..
Thank you.

Nov 30 16:16:28 brutus-gw kernel: Packet log: input DENY eth1 PROTO=6 210.86.20.213:1621 194.102.92.21:6000 L=48 S=0x00 I=52039 F=0x4000 T=102 SYN (#1)

c yah,
Dani.


_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com







Re: What this means in my logs?

2001-11-30 Thread Tim Haynes

Petre Daniel [EMAIL PROTECTED] writes:

 Heya, I got those lines often lately.. Can anyone explain to me every little
 part of it? If you can drop a URL link too, it would be great.. Thank
 you.
 
 Nov 30 16:16:28 brutus-gw kernel: Packet log: input DENY eth1 PROTO=6 210.86.20.213:1621 194.102.92.21:6000 L=48 S=0x00 I=52039 F=0x4000 T=102 SYN (#1)

Paste it into the ipchains analyser at http://logi.cc/; that'll tell you
about every word in detail.

~Tim
-- 
Clouds cross the black moonlight,   |[EMAIL PROTECTED]
Rushing on down to the sound|http://spodzone.org.uk/
of a turning world  |


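For anyone who would rather not paste firewall logs into a web form, here is a field-by-field reader for ipchains "Packet log:" lines as an added example (not the logi.cc analyser and not code from the thread). The field meanings are those of the 2.2 kernel's ipchains logging: L is the total IP length, S the TOS byte, I the IP identification, F the fragment flags and offset, T the TTL, SYN appears when only the SYN flag is set, and (#n) is the number of the rule that matched. parse_ipchains_log exposes the fields as shell variables for scripting; explain_ipchains_log prints them in plain words. The line used in the usage note is Dani's from above.

```shell
#!/bin/sh
# ipchains-explain: read an ipchains "Packet log:" line field by field.
# Added example, not from the thread and not the logi.cc analyser.
set -eu

# parse_ipchains_log LINE
# Sets chain target iface proto src sport dst dport len tos ipid frag ttl
# df mf fragoff syn rule as shell variables.
parse_ipchains_log() {
    rest=${1#*"Packet log: "}              # drop the "Nov 30 ... kernel:" prefix
    set -- $rest                           # split on whitespace
    chain=$1; target=$2; iface=$3
    proto=${4#PROTO=}
    src=${5%:*}; sport=${5##*:}
    dst=${6%:*}; dport=${6##*:}
    shift 6
    len=; tos=; ipid=; frag=0x0000; ttl=; syn=0; rule=
    for tok in "$@"; do
        case $tok in
            L=*)      len=${tok#L=} ;;     # total datagram length (bytes)
            S=*)      tos=${tok#S=} ;;     # type-of-service byte
            I=*)      ipid=${tok#I=} ;;    # IP identification
            F=*)      frag=${tok#F=} ;;    # fragment flags + offset, raw
            T=*)      ttl=${tok#T=} ;;     # TTL on arrival
            SYN)      syn=1 ;;             # SYN set, ACK clear
            '(#'*')') rule=${tok#"(#"}; rule=${rule%")"} ;;
        esac
    done
    df=$(( ($frag & 0x4000) != 0 ))        # Don't Fragment bit
    mf=$(( ($frag & 0x2000) != 0 ))        # More Fragments bit
    fragoff=$(( ($frag & 0x1fff) * 8 ))    # fragment offset in bytes
}

# explain_ipchains_log LINE: print one plain-words line per field.
explain_ipchains_log() {
    parse_ipchains_log "$1"
    case $proto in
        1)  pname=ICMP; pfield="type:code" ;;
        6)  pname=TCP;  pfield=port ;;
        17) pname=UDP;  pfield=port ;;
        *)  pname="IP protocol $proto"; pfield=field ;;
    esac
    echo "$chain $target $iface : on the '$chain' chain, arriving via $iface, rule #$rule matched and its target was $target"
    echo "PROTO=$proto : $pname"
    echo "$src:$sport : source address, $pfield $sport"
    echo "$dst:$dport : destination address, $pfield $dport"
    echo "L=$len : total IP datagram length in bytes"
    echo "S=$tos : type-of-service byte"
    echo "I=$ipid : IP identification field"
    echo "F=$frag : fragment field, DF=$df MF=$mf offset=$fragoff"
    echo "T=$ttl : time to live when the packet arrived"
    if [ "$syn" = 1 ]; then
        echo "SYN : SYN set without ACK, i.e. a new connection attempt"
    fi
    echo "(#$rule) : number of the rule in the chain that matched"
}

# Explain a line passed as the only argument; with no argument just define
# the functions so the file can be sourced.
if [ $# -eq 1 ]; then
    explain_ipchains_log "$1"
fi
```

On Dani's line it reports a TCP SYN from 210.86.20.213 port 1621 to 194.102.92.21 port 6000 (X11 display :0), 48 bytes, DF set, TTL 102, denied on eth1 by rule 1 of the input chain. A lone unsolicited SYN to port 6000 from an outside address is what a probe for an open X server looks like; the firewall did its job.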




Secure wu-ftpd for Testing?

2001-11-30 Thread David Ehle

Hello all,

Is the wu-ftpd in testing secure? It seems 2.6.1 is a stinker.
Testing is using 2.6.1-5, is that also compromised?  I have been
watching it all day but haven't seen any updates.

If it is not secure has a patched version been made available anywhere?
I can't seem to find any mention at http://www.debian.org/security/

Thanks!
David.



RE: Secure wu-ftpd for Testing?

2001-11-30 Thread Howland, Curtis
The article I read about it on the Register...

http://www.theregister.co.uk/content/4/23082.html

    The hole affects thousands of users of virtually every Linux release.
    Because of the wide implications, Core, working with CERT, and, at one
    point, SecurityFocus' Vulnerability Help team, arranged a coordinated
    release with Caldera, SuSE, TurboLinux, Debian, Red Hat, and other
    Linux vendors, so that patches would be available for every
    distribution simultaneously. December 3rd was picked for the release.

    That plan went out the window Tuesday, when Red Hat unilaterally
    issued its own advisory.

So I will assume that Debian has a fix that is being tested, if not in
testing. I'm very surprised it hasn't been released or mentioned yet
myself.

Curt-

-Original Message-
From: David Ehle [mailto:[EMAIL PROTECTED]
Sent: Friday, November 30, 2001 14:20
To: debian-security@lists.debian.org
Cc: Debian-Security (E-mail)
Subject: Secure wu-ftpd for Testing?



Hello all,

Is the wu-ftpd in testing secure? It seems 2.6.1 is a stinker.
Testing is using 2.6.1-5, is that also compromised?  I have been
watching it all day but haven't seen any updates.

If it is not secure has a patched version been made available anywhere?
I can't seem to find any mention at http://www.debian.org/security/

Thanks!
David.





Re: Secure wu-ftpd for Testing?

2001-11-30 Thread David Ehle
Thanks Curtis,

   I know the maintainer has put together a fixed version for
Potato/stable; I am wondering if he has had time to do the testing yet,
or if we roll back to the testing one or what. I'm just hoping that
a rollback won't be a dependency nightmare... the stable version is
wu-ftpd_2.6.0-6, available from
ftp.debian.org but NOT (as of about 6:00pm my local time)
ftp.us.debian.org.

Anyway thanks for the info.

here are some other info sources I've found:
http://www.securityfocus.com/archive/1/242750
http://www.wu-ftpd.org  (they only put up something around 3:00 pm
local Chicago time)

Later,
  David.


Howland, Curtis wrote:
 
 The article I read about it on the Register...
 
 http://www.theregister.co.uk/content/4/23082.html
 
     The hole affects thousands of users of virtually every Linux release.
     Because of the wide implications, Core, working with CERT, and, at one
     point, SecurityFocus' Vulnerability Help team, arranged a coordinated
     release with Caldera, SuSE, TurboLinux, Debian, Red Hat, and other
     Linux vendors, so that patches would be available for every
     distribution simultaneously. December 3rd was picked for the release.
 
     That plan went out the window Tuesday, when Red Hat unilaterally
     issued its own advisory.
 
 So I will assume that Debian has a fix that is being tested, if not in
 testing. I'm very surprised it hasn't been released or mentioned yet
 myself.
 
 Curt-
 
 -Original Message-
 From: David Ehle [mailto:[EMAIL PROTECTED]
 Sent: Friday, November 30, 2001 14:20
 To: debian-security@lists.debian.org
 Cc: Debian-Security (E-mail)
 Subject: Secure wu-ftpd for Testing?
 
 Hello all,
 
 Is the wu-ftpd in testing secure? It seems 2.6.1 is a stinker.
 Testing is using 2.6.1-5, is that also compromised?  I have been
 watching it all day but haven't seen any updates.
 
 If it is not secure has a patched version been made available anywhere?
 I can't seem to find any mention at http://www.debian.org/security/
 
 Thanks!
 David.
 




home directory permission

2001-11-30 Thread teste teste1

Hi all,


How do I modify the permissions when creating a new user? I
do not want to change the permissions every time I
add a new user.


Default permissions:
drwxr-sr-x  2 teste2 teste2  teste2

Best security permissions:
drwx------  2 teste  teste   teste



Thanks,
Ricardson



