Re: icmp attack?
On Sat, 09 Nov 2002 at 09:09:27AM -0600, Hanasaki JiJi wrote:
> Anyone have an interpretation of the below?
> [65.26.127.147] = firewall
> [192.168.1.1] = firewall
> it's a two nic system
>
> Nov 2 10:04:49 ICMP message type destination unreachable - bad host
> from mkc-65-26-127-147.kc.rr.com [65.26.127.147]
> (65.26.127.147->65.26.127.147)

If you were attempting to contact someone and a router along the way deemed
it undeliverable it would send back a message such as the one above...

Regards,
--
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #234: Digital Manipulator exceeding velocity parameters

Re: spamd config problems
This one time, at band camp, Hanasaki JiJi said:
> I have installed the woody spam package on a woody box and cannot find
> the config file to fix the below output in syslog.
>
> Can someone help out w/ this?
>
> Thanks
>
> Nov 9 08:13:16 portal spamd[1290]: Still running as root: user not
> specified, not found, or set to root. Fall back to nobody.

Look at /etc/default/spamassassin - you can change how it's called there,
and set it to run as 'mail' or whoever you like.

Steve
--
History is on our side (as long as we can control the historians).

Re: allowing X display from su'd environment
On Sat, Nov 09, 2002 at 05:00:23PM +0100, Michael Eyrich wrote:
> On Sat, Nov 09, 2002 at 10:41:05AM -0500, Matt Zimmerman wrote:
> | An easier method:
> |
> | $ su
> | # export XAUTHORITY=~user/.Xauthority
>
> This won't work, if ~user is NFS-mounted with the
> 'root_squash'-option, because 'nobody' won't be allowed to read ~user's
> .Xauthority.

It also won't work if SE Linux or RSBAC access controls forbid root from
reading this file, or if the user's X authority tokens are not in
~/.Xauthority, or any number of other reasons. The point was that it is
simple.

Anyone running a largish multiuser system with NFS-mounted home directories
already understands these issues. Others are asking questions.

--
 - mdz

Chrooting named by default (was: Re: chrooting apache[ssl,php,perl] and some mta)
OoO On this lightning-streaked night of Saturday 09 November 2002, around 02:02, Michael Ablassmeier <[EMAIL PROTECTED]> said:

> i did some apache chroot environment (php,perl,ssl), and now
> some users want to use the php "mail" command, so i have to
> include some mta into the chroot.

> As far as i know, Sendmail is not a good candidate to chroot.

This is not related, but I wonder what the reasons are that named is not
chrooted by default? The README.Debian says there are some reasons but
does not say what they are. Chrooting named can be done easily with the
appropriate howto, but it would be nice if it was done by default.

Debian OpenBSD has been discontinued because the main author thought
that Debian GNU/Linux is equally secure. However, OpenBSD chroots named
and now apache by default. There are some additional measures and also
the code audit which make a serious advantage for OpenBSD. It would be
great if Debian moved towards more active security.

--
Follow each decision as closely as possible with its associated action.
            - The Elements of Programming Style (Kernighan & Plauger)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

spamd config problems
I have installed the woody spam package on a woody box and cannot find
the config file to fix the below output in syslog.

Can someone help out w/ this?

Thanks

Nov 9 08:13:16 portal spamd[1290]: Still running as root: user not specified, not found, or set to root. Fall back to nobody.

icmp attack?
Anyone have an interpretation of the below?
[65.26.127.147] = firewall
[192.168.1.1] = firewall
it's a two nic system

Nov 2 10:04:49 ICMP message type destination unreachable - bad host from mkc-65-26-127-147.kc.rr.com [65.26.127.147] (65.26.127.147->65.26.127.147)
Nov 2 20:47:36 ICMP message type destination unreachable - bad host from portal.home.hanaden.com [192.168.1.1] (192.168.1.1->192.168.1.1)
Nov 7 11:14:17 ICMP message type destination unreachable - bad port from localhost [127.0.0.1] (127.0.0.1->127.0.0.1)

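A triage helper for log lines in this format, as an added example that is not part of the original post: it reports whether any address in a record is something other than the machine's own addresses or loopback. The function names are hypothetical, and reading the parenthesised pair as source->destination is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. classify_icmp_line and triage_samples
# are hypothetical names. Assumption: the parenthesised pair in each record
# is "source->destination" of the logged packet.
#
# Usage: classify_icmp_line "LOG LINE" "OWN_ADDR OWN_ADDR ..."
# Prints "<code> local-only" when the reporting address and both addresses in
# the pair are the machine's own or loopback, "<code> remote:<addr>" for the
# first address that is not, and "unparsed" for any other line.
classify_icmp_line() {
    line=$1
    own=$2
    # Extract: code text | reporter IP | pair source | pair destination.
    fields=$(printf '%s\n' "$line" | sed -n \
        's/^.*ICMP message type destination unreachable - \(bad [a-z]*\) from [^ ]* \[\([0-9.]*\)\] (\([0-9.]*\)->\([0-9.]*\))$/\1|\2|\3|\4/p')
    if [ -z "$fields" ]; then
        echo unparsed
        return 0
    fi
    code=${fields%%|*}
    addrs=$(printf '%s\n' "${fields#*|}" | tr '|' ' ')
    for addr in $addrs; do
        case $addr in
            127.*) continue ;;      # loopback is always local
        esac
        case " $own " in
            *" $addr "*) ;;         # one of the machine's own addresses
            *) echo "$code remote:$addr"; return 0 ;;
        esac
    done
    echo "$code local-only"
}

# The three entries from the post above, one record per line.
icmp_samples='Nov 2 10:04:49 ICMP message type destination unreachable - bad host from mkc-65-26-127-147.kc.rr.com [65.26.127.147] (65.26.127.147->65.26.127.147)
Nov 2 20:47:36 ICMP message type destination unreachable - bad host from portal.home.hanaden.com [192.168.1.1] (192.168.1.1->192.168.1.1)
Nov 7 11:14:17 ICMP message type destination unreachable - bad port from localhost [127.0.0.1] (127.0.0.1->127.0.0.1)'

# Classify every sample against the two firewall addresses given in the post.
triage_samples() {
    printf '%s\n' "$icmp_samples" | while IFS= read -r record; do
        classify_icmp_line "$record" "65.26.127.147 192.168.1.1"
    done
}
```

Run over the three entries with the two firewall addresses from the post, every record comes back local-only: no remote address appears in any of them.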
Re: chrooting apache[ssl,php,perl] and some mta
On Sat, Nov 09, 2002 at 12:32:40AM -0200, Henrique de Moraes Holschuh wrote:
> You could have a proper MTA outside the chroots (like postfix or exim). And
> a bogus, stupid, cat-it-to-localhost-port-25 MTA inside the chroot, like
> ssmtp :-)

ok, i did it your way and it works fine. Thanks.

--
greetings /*/ michael ablassmeier

Re: allowing X display from su'd environment
On Sat, Nov 09, 2002 at 10:41:05AM -0500, Matt Zimmerman wrote:
| On Sat, Nov 09, 2002 at 12:40:12PM +0700, Jean Christophe ANDRÉ wrote:
|
| > Matt Zimmerman wrote:
| > > This disables access control in the X server. This is, almost always, a
| > > very bad idea.
| >
| > A better way to allow it (when you switch from normal to root user):
| >
| > test@localhost:~$ su -
| > root@localhost:~# xauth merge ~test/.Xauthority
| > root@localhost:~# export DISPLAY=:0.0
| > root@localhost:~# xterm # or whatever Xwindow program you want to run
| >
| > I can remember there was some 'su' feature doing it automagically somewhere
| > (with RedHat, Mandrake or another one)...
|
| An easier method:
|
| $ su
| # export XAUTHORITY=~user/.Xauthority

This won't work, if ~user is NFS-mounted with the 'root_squash'-option,
because 'nobody' won't be allowed to read ~user's .Xauthority.

Regards,
Michael
--
Michael Eyrich    Technische Universität Berlin

Re: allowing X display from su'd environment
On Sat, Nov 09, 2002 at 12:40:12PM +0700, Jean Christophe ANDRÉ wrote:
> Matt Zimmerman wrote:
> > This disables access control in the X server. This is, almost always, a
> > very bad idea.
>
> A better way to allow it (when you switch from normal to root user):
>
> test@localhost:~$ su -
> root@localhost:~# xauth merge ~test/.Xauthority
> root@localhost:~# export DISPLAY=:0.0
> root@localhost:~# xterm # or whatever Xwindow program you want to run
>
> I can remember there was some 'su' feature doing it automagically somewhere
> (with RedHat, Mandrake or another one)...

An easier method:

$ su
# export XAUTHORITY=~user/.Xauthority

--
 - mdz

Re: su and x (was Re: XFree86 4.2 bug in Debian Testing)
Try http://fgouget.free.fr/sux/sux-readme.shtml

chj

Re: chrooting apache[ssl,php,perl] and some mta
On Sat, Nov 09, 2002 at 03:48:39AM +0100, Michael Ablassmeier wrote:
> On Sat, Nov 09, 2002 at 12:32:40AM -0200, Henrique de Moraes Holschuh wrote:
> >
> > You could have a proper MTA outside the chroots (like postfix or exim). And
> > a bogus, stupid, cat-it-to-localhost-port-25 MTA inside the chroot, like
> > ssmtp :-)
> ok, that sounds better to me than unnecessarily bloating my chroot
> environment.

Of course ... what is the interest of chroot if you put all your services
inside the same jail...;-)

--
Easter-eggs                              GNU/Linux Specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com

su and x (was Re: XFree86 4.2 bug in Debian Testing)
On Sat, 9 Nov 2002, Jörg Schütter wrote:

> On Sat, 9 Nov 2002 13:36:25 +0200 (EET)
> Martin Fluch <[EMAIL PROTECTED]> wrote:
>
> > On Sat, 9 Nov 2002, Rick Moen wrote:
> >
> > > It's a little simpler to do:
> > >
> > > $ ssh -X root@localhost
> >
> > Even easier: the following lines in the /root/.bashrc do the same trick:
> >
> > if [ ! "$LOGNAME" = "root" ]; then
> >   export XAUTHORITY=/home/$LOGNAME/.Xauthority
> > fi
> >
> This solution doesn't work with "su -"
>
> > And then su works without any problem (and computational overhead as the
> > ssh solution).
>
> You can decrease the "overhead" with ssh -c des -X root@localhost

And for what reason use ssh when the application can connect directly to X.
Why insert ssh in between?

Cheers,
- Martin

Re: XFree86 4.2 bug in Debian Testing
On Sat, 9 Nov 2002 13:36:25 +0200 (EET)
Martin Fluch <[EMAIL PROTECTED]> wrote:

> On Sat, 9 Nov 2002, Rick Moen wrote:
>
> > It's a little simpler to do:
> >
> > $ ssh -X root@localhost
>
> Even easier: the following lines in the /root/.bashrc do the same trick:
>
> if [ ! "$LOGNAME" = "root" ]; then
>   export XAUTHORITY=/home/$LOGNAME/.Xauthority
> fi
>
This solution doesn't work with "su -"

> And then su works without any problem (and computational overhead as the
> ssh solution).

You can decrease the "overhead" with ssh -c des -X root@localhost

Regards
Jörg
--
http://www.lug-untermain.de/ - http://mypenguin.bei.t-online.de/
Dipl.-Ing. Jörg Schütter [EMAIL PROTECTED]

Re: XFree86 4.2 bug in Debian Testing
On Sat, 9 Nov 2002, Rick Moen wrote:

> > mfluch@seneca:~$ su
> > Password:
> > root@seneca:/home/mfluch> export XAUTHORITY=/home/mfluch/.Xauthority
> > root@seneca:/home/mfluch>
> >
> > ...and then every X application works just as before as the normal user.
>
> It's a little simpler to do:
>
> $ ssh -X root@localhost

Even easier: the following lines in the /root/.bashrc do the same trick:

if [ ! "$LOGNAME" = "root" ]; then
  export XAUTHORITY=/home/$LOGNAME/.Xauthority
fi

And then su works without any problem (and computational overhead as the
ssh solution).

Cheers,
- Martin

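The /root/.bashrc snippet above, extended as an added example (not code from the thread) to cover the failure cases raised elsewhere in it: "su -", a ~/.Xauthority that root cannot read under root_squash, and tokens kept somewhere other than ~/.Xauthority. The function name select_xauthority and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. select_xauthority is a hypothetical
# helper meant to be defined in root's shell start-up file.
#
# Usage: select_xauthority INVOKING_USER HOME_BASE [INHERITED_XAUTHORITY]
# Prints the cookie file root should use and returns 0, or explains on
# stderr why none is usable and returns 1 (XAUTHORITY is then left alone).
select_xauthority() {
    invoking_user=$1
    home_base=$2
    inherited=${3:-}

    # After "su -" the environment has been reset and LOGNAME is already
    # root, so there is no invoking user whose cookies could be borrowed.
    if [ -z "$invoking_user" ] || [ "$invoking_user" = "root" ]; then
        echo "select_xauthority: no invoking user (login shell or 'su -')" >&2
        return 1
    fi

    # LOGNAME comes from the caller's environment: refuse values that would
    # make the constructed path leave HOME_BASE/<user>/.
    case $invoking_user in
        */*|.*)
            echo "select_xauthority: refusing user name '$invoking_user'" >&2
            return 1 ;;
    esac

    # Try an inherited XAUTHORITY first (the tokens are not always kept in
    # ~/.Xauthority), then the conventional location.
    for candidate in "$inherited" "$home_base/$invoking_user/.Xauthority"; do
        [ -n "$candidate" ] || continue
        # A read is attempted instead of relying on "test -r": on an NFS
        # export with root_squash root is mapped to nobody, and it is the
        # read itself that gets refused.
        if [ -f "$candidate" ] &&
           dd if="$candidate" of=/dev/null bs=1 count=1 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done

    echo "select_xauthority: no readable cookie file for $invoking_user" >&2
    return 1
}

# Assumed use in /root/.bashrc, mirroring the snippet from the thread:
#   if xa=$(select_xauthority "$LOGNAME" /home "$XAUTHORITY"); then
#       export XAUTHORITY=$xa
#   fi
```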
Re: XFree86 4.2 bug in Debian Testing
Quoting Martin Fluch ([EMAIL PROTECTED]):

> Indeed. Therefore I use
>
> mfluch@seneca:~$ su
> Password:
> root@seneca:/home/mfluch> export XAUTHORITY=/home/mfluch/.Xauthority
> root@seneca:/home/mfluch>
>
> ...and then every X application works just as before as the normal user.

It's a little simpler to do:

$ ssh -X root@localhost

--
Cheers,              Right to keep and bear
Rick Moen            Haiku shall not be abridged
[EMAIL PROTECTED]    Or denied. So there.

Re: XFree86 4.2 bug in Debian Testing
> > I am using woody + testing + some unstable:
> >
> > in xterm/gnome-terminal usually I do (as normal user)
> > xhost +
>
> This disables access control in the X server. This is, almost always,
> a very bad idea.

Indeed. Therefore I use

mfluch@seneca:~$ su
Password:
root@seneca:/home/mfluch> export XAUTHORITY=/home/mfluch/.Xauthority
root@seneca:/home/mfluch>

...and then every X application works just as before as the normal user.

- Martin