Re: NTP servers
On Thu, Aug 12, 2004 at 10:40:14AM -0700, Adam Morley wrote:
> I'm looking for a software package that provides:
> - An NTP server (to serve time to NTP clients) that I can run as a
>   non-privileged user, chrooted.
> - An NTP client, that will keep the clock of the computer doing the NTP
>   serving up to date.

Stock ntpd will suit your needs. From version 4.2 it drops its privileges early and only retains CAP_SYS_TIME to be able to adjust the clock. Drop me a line if you need backported packages from testing.

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
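A way to confirm the claim above on a running box, added here as an example and not part of the original mail or of ntpd: read `/proc/PID/status`, decode the `CapEff` bitmask and verify that the daemon is non-root and holds nothing beyond CAP_SYS_TIME. The two status excerpts are constructed, not captured from a real host; the capability bit numbers are those from `<linux/capability.h>`.

```python
"""Check that a daemon dropped root and kept only the capabilities it needs."""

# Linux capability bit numbers (from <linux/capability.h>). Only the bits a
# network or time daemon plausibly holds are named; any other set bit is
# reported by number.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
    8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT", 21: "CAP_SYS_ADMIN",
    25: "CAP_SYS_TIME",
}


def decode_caps(mask_hex):
    """Turn a CapEff/CapPrm/CapBnd hex mask from /proc/PID/status into names."""
    mask = int(mask_hex, 16)
    return {CAP_NAMES.get(bit, "CAP_%d" % bit) for bit in range(64) if (mask >> bit) & 1}


def parse_status(text):
    """Pull the effective uid and the capability sets out of /proc/PID/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uids = fields["Uid"].split()  # real, effective, saved, filesystem
    return {
        "name": fields.get("Name", "?"),
        "euid": int(uids[1]),
        "CapEff": decode_caps(fields["CapEff"]),
        "CapBnd": decode_caps(fields.get("CapBnd", "0")),
    }


def check_least_privilege(status_text, allowed=frozenset({"CAP_SYS_TIME"})):
    """Return (ok, findings): ok is True when the process is non-root and holds
    no effective capability outside `allowed`."""
    info = parse_status(status_text)
    findings = []
    if info["euid"] == 0:
        findings.append("%s runs with euid 0" % info["name"])
    extra = info["CapEff"] - set(allowed)
    if extra:
        findings.append("unexpected effective capabilities: " + ", ".join(sorted(extra)))
    return (not findings, findings)


def check_pid(pid, allowed=frozenset({"CAP_SYS_TIME"})):
    """Live check against a running process (Linux only)."""
    with open("/proc/%d/status" % pid) as fh:
        return check_least_privilege(fh.read(), allowed)


# Constructed /proc/PID/status excerpts (not captured from a real host).
# 0x2000000 is bit 25, i.e. CAP_SYS_TIME alone.
GOOD_STATUS = """Name:\tntpd
Uid:\t104\t104\t104\t104
Gid:\t108\t108\t108\t108
CapInh:\t0000000000000000
CapPrm:\t0000000002000000
CapEff:\t0000000002000000
CapBnd:\t0000000002000000
"""

BAD_STATUS = """Name:\tntpd
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_STATUS), ("bad", BAD_STATUS)):
        ok, findings = check_least_privilege(text)
        print(label, "OK" if ok else "FAIL", findings)
```

Run `check_pid(pidof ntpd)` from cron after upgrades: a daemon that silently regained root or CAP_SYS_ADMIN after a package change is exactly the regression this catches.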
Re: [d-security] Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
On Tue, Jul 27, 2004 at 01:42:19PM +0200, Christian Hammers wrote:
> On Tue, Jul 27, 2004 at 01:01:10PM +0200, Rhesa Rozendaal wrote:
> > In my case, the frontend handles SSL connections. Its config file is
> > /etc/apache/ht-light.conf. The backend instance uses the original
> > filename /etc/apache/httpd.conf. The frontend is already bound to port
> > 443. The backend tried to restart, but now has a load mod_ssl line, and
> > can't start. And now our application won't run...
>
> Oh, come on, if you apt-get install the Apache SSL module then you
> really can expect it to actually get installed in the httpd.conf :-)

Depends on your taste. For me, I'd rather upgrade scripts did not mess with my config files, which I have (well, I'm supposed to have) crafted carefully. The same goes for automatic service restarts. Don't take it as a complaint.

> > Mind you, the downtime was limited to some 5 hours, while it was night
> > in the USA, so there's hardly any damage done wrt our customers. There's
>
> If you run service for customers you should really install some kind of
> watchdog on a different machine that monitors your servers and can
> contact you by mail/SMS/phonering...

Could you recommend some *simple*, yet effective stuff? I'm tired of coding up dirty are-you-alive? scripts..

> Also I would recommend you to try using RCS for these kind of config
> files so you can review changes and/or keep the files readonly.

darcs power :)

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
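The "simple, yet effective" watchdog asked for above, as an added example that is neither from this thread nor from any named package: probe each HTTPS frontend from a second machine, retry with backoff so one lost packet does not page anyone, and hand confirmed failures to whatever alert channel you have (the `alert` callback is where mail or SMS goes). The target list is constructed; replace it with your own hosts and run the script from cron.

```python
"""Minimal are-you-alive watchdog: HTTP(S) probe, retries, one alert per outage."""
import http.client
import time


def probe_http(host, port, path="/", timeout=5.0, use_tls=True):
    """One liveness probe: returns (healthy, detail). Any transport error or a
    4xx/5xx answer counts as unhealthy."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    try:
        conn = conn_cls(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            return (200 <= resp.status < 400, "HTTP %d" % resp.status)
        finally:
            conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return (False, "%s: %s" % (type(exc).__name__, exc))


def run_watchdog(targets, probe=probe_http, alert=print, retries=3, backoff=2.0,
                 sleep=time.sleep):
    """Probe every (host, port, path); retry with linear backoff; call alert()
    once per target that stays down. Returns the list of targets reported down.
    `probe`, `alert` and `sleep` are injectable so the logic can be tested offline."""
    down = []
    for host, port, path in targets:
        ok, detail = False, "not probed"
        for attempt in range(1, retries + 1):
            ok, detail = probe(host, port, path)
            if ok:
                break
            if attempt < retries:
                sleep(backoff * attempt)
        if not ok:
            alert("%s:%d%s DOWN after %d attempts (%s)" % (host, port, path, retries, detail))
            down.append((host, port, path))
    return down


if __name__ == "__main__":
    # Constructed target list: the hosts below are placeholders.
    TARGETS = [("www.example.org", 443, "/"), ("mail.example.org", 443, "/")]
    run_watchdog(TARGETS)
```

Keep the watchdog on a host that shares nothing with the servers it watches (no common power feed, uplink or config management run), otherwise the upgrade that took the frontend down takes the watchdog with it.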
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 06:22:35AM -0500, Michael Stone wrote:
> On Wed, Mar 24, 2004 at 12:55:11PM +0200, Haim Ashkenazi wrote:
> > (key). I've looked in the documentation and found that ssl doesn't
> > support name based virtual domains.
>
> Correct; that would be impossible (the SSL session is established before
> the client sends the name of the host it is looking for).

I've heard somewhere that it might be possible to specify multiple subjects in a single X.509 cert. That would solve the problem, provided that the clients supported this feature.. Could you confirm/refute the rumour?

bit, adam
--
Seven deadly sins    | 1024D/37B8D989           | Seven signs
Seven gates to hell  | 954B 998A E5F5 BA2A 3622 | Seven lies
Seven world wonders  | 82DD 54C2 843D 37B8 D989 | Seven days
Seven years bad luck | http://sks.dnsalias.net  | Seven dreams
Re: web password change
On Sun, Mar 14, 2004 at 05:51:55PM +0100, Ulrich Scholler wrote:
> Hi,
>
> On Sun Feb 29, 2004 at 21:15:39 +0100, Nejc Novak wrote:
> > I would like to make available to users some kind of 'web control
> > panel'. I have created a design and also already integrated squirrelmail
> > into it. Now I would also like them to have a web form for password
> > changing. I've browsed freshmeat and I've found a program called
> > chpasswd http://chpasswd.sourceforge.net.
>
> I'm using poppassd in conjunction with poppass-cgi via https. The
> advantage of this solution is that it uses PAM instead of directly
> altering /etc/{passwd,shadow}.

Could you tell me in a couple of words how the script works then, I mean, which functions of libpam are used to update the password? My curiosity originates from memories of my previous findings which concluded there were no hooks in PAM for this kind of functionality. (Even /usr/bin/passwd from the shadow source package manipulates the files directly while it uses PAM for authentication.)

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
Re: arpwatch and arp packets ...urgent
On Thu, Feb 19, 2004 at 10:37:50AM +0100, m wrote:
> Control, I mean as doing proxy arp only for special IP's not for all, or
> etc.. I do not have any idea :( This is more important from day to day
> for me :( I have some hackers;) in my networks who are trying to spoof
> other computers. If I turn off arpwatch I will completely lose control
> over this. But for now I am receiving hundreds of mails :( Is it
> possible to do arp_proxy only for special MACs/IPs ?

Perhaps arptables and ebtables could lend a hand resolving your problem. See http://ebtables.sf.net

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
Re: arpwatch and arp packets ...urgent
On Thu, Feb 19, 2004 at 01:00:02AM +0100, m wrote:
> Another question : is it possible to control arp protocol packets by
> kernel ? ... if so - this will solve some of the problems. But how to
> control arps? perhaps on firewall ? kern 2.4.24/grsec/...

I didn't follow the thread closely, could you explain what you mean by controlling? You can adjust the refresh timer by setting /proc/sys/net/ipv4/neigh/*/gc_stale_time, or you can disable ARP altogether for a particular interface by ifconfig -arp.

HTH, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
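For the two ARP messages in this thread (the flood of arpwatch mails about spoofed hosts, and the question of what the kernel lets you control), here is an added example, not from the thread or from arpwatch: audit the kernel's neighbour table in the `/proc/net/arp` layout against a small list of MACs you have verified out of band, and emit the `ip neigh ... nud permanent` commands that pin those entries so a forged reply cannot replace them. The table excerpt and the pinned list are constructed sample data.

```python
"""Audit /proc/net/arp against pinned MACs and generate static-neighbour commands."""

# Constructed excerpt in the layout of /proc/net/arp (not captured from a real host).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        eth0
192.168.1.10     0x1         0x2         00:11:22:33:44:0a     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:99     *        eth0
192.168.1.30     0x1         0x2         00:11:22:33:44:99     *        eth0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Hosts whose MAC you verified out of band (gateway, servers). Constructed values.
PINNED = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.20": "00:11:22:33:44:14",
}

ATF_COM = 0x02  # "completed" bit in the Flags column


def parse_arp_table(text):
    """Return (ip, mac, device) for every completed entry in /proc/net/arp text."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = parts[:6]
        if not int(flags, 16) & ATF_COM:
            continue  # incomplete entry, no resolved address yet
        entries.append((ip, mac.lower(), dev))
    return entries


def audit_arp(entries, pinned):
    """Flag (a) pinned hosts answering from a different MAC and (b) one MAC
    claiming several IPs. Returns a list of (severity, message)."""
    findings = []
    by_mac = {}
    for ip, mac, dev in entries:
        want = pinned.get(ip)
        if want and want.lower() != mac:
            findings.append(("HIGH", "%s on %s answers from %s, pinned MAC is %s"
                             % (ip, dev, mac, want)))
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            # A router or a host with aliases legitimately owns several IPs,
            # so this is a prompt to look, not a verdict.
            findings.append(("MEDIUM", "%s claims %d addresses: %s"
                             % (mac, len(ips), ", ".join(ips))))
    return findings


def pin_commands(pinned, dev):
    """ip(8) commands that make the pinned entries permanent, so the kernel
    stops refreshing them from (possibly forged) replies."""
    return ["ip neigh replace %s lladdr %s dev %s nud permanent" % (ip, mac, dev)
            for ip, mac in sorted(pinned.items())]


def audit_live(pinned, path="/proc/net/arp"):
    """Run the audit against the real table on a Linux host."""
    with open(path) as fh:
        return audit_arp(parse_arp_table(fh.read()), pinned)


if __name__ == "__main__":
    for severity, message in audit_arp(parse_arp_table(SAMPLE_ARP), PINNED):
        print(severity, message)
    print("\n".join(pin_commands(PINNED, "eth0")))
```

Pinning only covers the hosts you list; for the rest, the gc_stale_time knob mentioned above changes how long an entry survives, not who may overwrite it, which is why arptables/ebtables filtering was suggested in the other reply.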
Re: SSL client with peer verification?
On Sat, Feb 14, 2004 at 10:56:20PM -0700, Hein Roehrig wrote:
> can you recommend a SSL client à la openssl s_client that performs both
> verification of the peer certificate and that the peer CN actually
> corresponds to the requested host name? stunnel4, openssl s_client, and
> telnet-ssl do not, AFAICT.

stunnel is supposed to do so (though I can't convince it right now). Play around with the -v and -D options to see what's going on.

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
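Two questions in this archive meet here: the "multiple subjects in a single X.509 cert" rumour from the apache-ssl thread (that is the subjectAltName extension, with one dNSName per host) and the request above for a client that checks both the chain and the name. The following is an added example using Python's `ssl` module, not code from stunnel, s_client or anyone in the thread: a name-matching routine of the kind clients apply to the certificate's names, a helper that reads those names out of `getpeercert()`, and a connect function that does both checks. The certificate dict is constructed.

```python
"""TLS client that verifies the chain and the name; SAN-aware hostname matching."""
import socket
import ssl


def match_hostname(hostname, dns_names):
    """Does `hostname` match one of the certificate's dNSName values?
    Case-insensitive; a wildcard is honoured only as the whole left-most
    label, so *.example.org covers www.example.org but neither example.org
    nor a.b.example.org."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.org"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def san_dns_names(cert):
    """Names the certificate was issued for, from the dict shape returned by
    ssl.SSLSocket.getpeercert(): every subjectAltName dNSName, falling back to
    the subject CN only when the SAN extension is absent."""
    names = [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                return [val]
    return []


def connect_verified(host, port=443, cafile=None, timeout=10.0):
    """Open a TLS connection that validates the chain against the CA store and
    checks the name. `server_hostname` also sends the SNI extension, which is
    what lets one IP serve several certificates today."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            names = san_dns_names(cert)
            return {"protocol": tls.version(), "names": names,
                    "name_ok": match_hostname(host, names)}


# Constructed certificate dict in getpeercert() layout: one cert, several hosts.
MULTI_NAME_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "mail.example.org"),
                       ("DNS", "*.shop.example.org")),
}

if __name__ == "__main__":
    names = san_dns_names(MULTI_NAME_CERT)
    for candidate in ("www.example.org", "MAIL.example.org", "a.shop.example.org",
                      "shop.example.org", "evil.org"):
        print("%-20s %s" % (candidate, "match" if match_hostname(candidate, names) else "no match"))
```

With `check_hostname=True` the library already refuses a mismatching peer before any data is exchanged; `match_hostname` is kept separate so the matching rules are visible and testable.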
Re: Hacked - is it my turn? - interesting
On Tue, Feb 03, 2004 at 02:09:42PM +0100, François TOURDE wrote:
> On the 12451st day after Epoch, Richard Atterer wrote:
> > On Tue, Feb 03, 2004 at 05:38:40AM +0100, Philipp Schulte wrote:
> > > No, with REJECT they would show up as closed. DROP produces filtered.
> >
> > FWIW, you also need --reject-with tcp-reset to fool nmap.
>
> But I think DROP is the best way, 'cause it slows down NMAP or other
> sniffers. Sniffers must wait for packet timeout, then retry, then wait,
> etc.

Check out the TARPIT target [*] if you're to take this route, but beware it is really a killer patch--at least, we've had a misconfigured rule that caused significant headache to our legitimate users.

[*] http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
Re: 2.6.1 CryptoAPI woes
On Wed, Jan 21, 2004 at 05:12:18AM -0400, Peter Cordes wrote:
> On Tue, Jan 20, 2004 at 11:07:51PM -0800, Johannes Graumann wrote:
> > I feel this is kind of over my head ... to boil it down: does it even
> > make sense to run reiserfs inside a loopback partition?
>
> Yes, if the file you're looping back to is on a journalled filesystem,
> or is a partition.

Does keeping the log off the loopbacked file make any difference?

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
Re: tty's messages
On Mon, Dec 22, 2003 at 10:23:56AM +0200, EErdem wrote:
> Since I've set up iptables I get these messages continually on the tty's
> (console):

I suggest that you explore the `dmesg' command and experiment with the -n argument.

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
Re: GnuPG mutt on Woody 3.0r2.
On Sun, Dec 21, 2003 at 10:08:44PM -0700, s. keeling wrote:
> My trouble right now is verifying keys. If I send myself mail, it's
> correctly compared to my local copy (in my keyring?) and gpg says it's
> good. Other mail coming in triggers a lookup at pgp.mit.edu for keys,
> leading to strange results:
> [...]
> gpg: Signature made Sun Dec 21 17:14:28 2003 MST using DSA key ID 946886AE
> gpg: Good signature from Trey Sizemore [EMAIL PROTECTED]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 683F FFE2 AA2D D341 6002 A973 8443 F068 9468 86AE

You don't appear to have built a trust path between one of your trusted keys and Trey Sizemore's key. If you're certain the key 946886AE really belongs to Trey Sizemore you can sign it locally (gpg --edit-key 946886AE; and use the lsign command). *Your* signature on the key will assure gnupg that you trust that key.

> [...]
> gpg: Signature made Sun Dec 21 20:32:36 2003 MST using DSA key ID 16D0B8EF
> gpg: BAD signature from Joey Hess (email key) [EMAIL PROTECTED]

Sometimes broken MUAs or MTAs trigger this error. Browse the archive of the gnupg-users mailing list (http://marc.theaimsgroup.com/?l=gnupg-users&r=1&w=2) for possible causes and explanations.

> The commands driving gpg in mutt were clipped right out of /etc/Muttrc
> (Woody 3.0r2):
> ---
> set pgp_autosign=no
> set pgp_sign_as=AC94E4B7

Are you sure you want to specify this in the global configuration file?

> Ideas anyone? I feel like I'm within spitting distance of the goal line,
> and I'm not getting any closer no matter what I do.

It definitely takes some time to get used to the concept and resolve technical problems, but once you're done you'll be fine for eternity.

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
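The three outcomes in the mail above (valid but untrusted, bad, and the "no public key" case that sends mutt off to the keyserver) are easy to confuse when the warnings scroll past in a mail client. As an added example, not from the thread or from GnuPG, here is a small classifier over `gpg --verify` output that separates them, plus the non-interactive form of the lsign advice. The sample lines are the ones quoted above; the third block is a constructed placeholder.

```python
"""Classify gpg --verify output: good / untrusted / bad / nokey."""
import re

# The lines quoted in the mail above, reused here as sample input.
GOOD_BUT_UNTRUSTED = [
    "gpg: Signature made Sun Dec 21 17:14:28 2003 MST using DSA key ID 946886AE",
    "gpg: Good signature from Trey Sizemore [EMAIL PROTECTED]",
    "gpg: WARNING: This key is not certified with a trusted signature!",
    "gpg: There is no indication that the signature belongs to the owner.",
    "gpg: Fingerprint: 683F FFE2 AA2D D341 6002 A973 8443 F068 9468 86AE",
]
BAD = [
    "gpg: Signature made Sun Dec 21 20:32:36 2003 MST using DSA key ID 16D0B8EF",
    "gpg: BAD signature from Joey Hess (email key) [EMAIL PROTECTED]",
]
# Constructed placeholder: the key id below is not a real key.
NO_KEY = [
    "gpg: Signature made Sun Dec 21 20:32:36 2003 MST using DSA key ID DEADBEEF",
    "gpg: Can't check signature: public key not found",
]

KEY_RE = re.compile(r"using \w+ key(?: ID)? ([0-9A-Fa-f]{8,40})")


def classify(lines):
    """Reduce gpg --verify output to (verdict, key_id). 'untrusted' means the
    signature is mathematically valid but no trust path reaches the key;
    'bad' means the content or signature was altered in transit."""
    verdict, key_id = "unknown", None
    for line in lines:
        m = KEY_RE.search(line)
        if m:
            key_id = m.group(1).upper()
        if "BAD signature" in line:
            return ("bad", key_id)
        if "Good signature" in line:
            verdict = "good"
        elif "not certified with a trusted signature" in line and verdict == "good":
            verdict = "untrusted"
        elif "Can't check signature" in line:
            verdict = "nokey"
    return (verdict, key_id)


def local_sign_argv(key_id):
    """Non-interactive equivalent of 'gpg --edit-key KEY' followed by 'lsign':
    a local, non-exportable signature recording that *you* verified the key."""
    return ["gpg", "--lsign-key", key_id]


def advice(lines):
    """One-line triage for the verdict."""
    verdict, key_id = classify(lines)
    if verdict == "untrusted":
        return ("valid signature from %s; compare the fingerprint out of band, then: %s"
                % (key_id, " ".join(local_sign_argv(key_id))))
    if verdict == "bad":
        return "BAD signature from %s: treat as tampered or mangled by an MUA/MTA" % key_id
    if verdict == "nokey":
        return "no public key for %s in the keyring; fetch it and verify again" % key_id
    return verdict


if __name__ == "__main__":
    for sample in (GOOD_BUT_UNTRUSTED, BAD, NO_KEY):
        print(advice(sample))
```

A local signature is the right tool here precisely because it never leaves your keyring: it changes what your gpg trusts without asserting anything to the rest of the web of trust.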
Re: aide, apt-get and remote management...
On Fri, Dec 12, 2003 at 07:46:38AM +0100, Lupe Christoph wrote:
> We don't use AIDE exclusively at a client site, but in combination with
> Tripwire. We think tripwire is a little more secure because it uses
> signed databases.

Perhaps the following ./configure options will prove themselves useful:

  --with-confighmactype=TYPE  Hash type to use for checking config.
                              Valid values are md5 and sha1.
  --with-confighmackey=KEY    HMAC hash key to use for checking config.
                              Must be a base64 encoded byte stream.
                              Maximum string length is 31 chars.
  --with-dbhmactype=TYPE      Hash type to use for checking db.
                              Valid values are md5 and sha1.
  --with-dbhmackey=KEY        HMAC hash key to use for checking db.
                              Must be a base64 encoded byte stream.
                              Maximum string lentgth is 31 chars.
  --enable-forced_configmd    Forces the config to have checksum.
                              Also disables --config-check
  --enable-forced_dbmd        Forces the file/pipe database's to have
                              checksum. This will be the default in the
                              next release.

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
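What those options buy you is an HMAC over the database and config with a key compiled into the binary, so an attacker who can rewrite the database cannot recompute the tag. The following illustrates that mechanism in Python as an added example; it is not AIDE's own code or file format, and the key and file contents are constructed. It keeps the two constraints quoted from the help text (md5/sha1 as the accepted hash types, a base64 key of at most 31 characters) and adds sha256 as a third option.

```python
"""HMAC-seal a database file and verify it, in the spirit of aide's --with-dbhmackey."""
import base64
import hashlib
import hmac
import os
import tempfile

MAX_KEY_CHARS = 31  # limit the quoted configure help states for the base64 key
# md5 and sha1 are the values the quoted options accept; sha256 is added here.
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def load_key(b64_key):
    """Decode the base64 key, enforcing the 31-character limit from the help text."""
    if len(b64_key) > MAX_KEY_CHARS:
        raise ValueError("key longer than %d base64 characters" % MAX_KEY_CHARS)
    return base64.b64decode(b64_key, validate=True)


def tag(data, b64_key, hash_type="sha1"):
    """Hex HMAC of `data` under the decoded key."""
    return hmac.new(load_key(b64_key), data, HASHES[hash_type]).hexdigest()


def verify(data, expected_tag, b64_key, hash_type="sha1"):
    """Constant-time comparison, so a mismatch leaks nothing about the tag."""
    return hmac.compare_digest(tag(data, b64_key, hash_type), expected_tag)


def seal_file(path, b64_key, hash_type="sha1"):
    """Write <path>.hmac beside the database and return the tag."""
    with open(path, "rb") as fh:
        t = tag(fh.read(), b64_key, hash_type)
    with open(path + ".hmac", "w") as fh:
        fh.write(t + "\n")
    return t


def check_file(path, b64_key, hash_type="sha1"):
    """True when <path> still matches the tag stored in <path>.hmac."""
    with open(path, "rb") as fh:
        data = fh.read()
    with open(path + ".hmac") as fh:
        expected = fh.read().strip()
    return verify(data, expected, b64_key, hash_type)


# Constructed key: 20 raw bytes, 28 base64 characters, within the limit.
DEMO_KEY = base64.b64encode(b"constructed-demo-key").decode()


def demo_roundtrip(b64_key=DEMO_KEY):
    """Seal a temporary database, confirm it checks, append a line, confirm it fails."""
    path = os.path.join(tempfile.mkdtemp(), "aide.db")
    with open(path, "wb") as fh:
        fh.write(b"/etc/passwd 0644 root root ...\n")  # constructed db line
    seal_file(path, b64_key)
    before = check_file(path, b64_key)
    with open(path, "ab") as fh:
        fh.write(b"/usr/bin/extra 0755 root root ...\n")  # constructed tampering
    after = check_file(path, b64_key)
    return before, after


if __name__ == "__main__":
    print("sealed ok, tampered ok:", demo_roundtrip())
```

The key is the whole secret: if it sits in a readable binary or config on the same host, anyone who reads it can re-seal a modified database, which is why AIDE bakes it in at build time and why the comparison must happen from a binary you trust.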
Re: aide, apt-get and remote management...
On Thu, Dec 11, 2003 at 12:44:27PM +0100, DI Peter Burgstaller wrote:
> I'm trying to use aide now as well .. but with the default debian config
> .. it produces every day massive changes .. especially to the /var/log/*
> files due to logrotate. Any reasonable settings that account for that?

Peter Solobov has provided valuable suggestions. What I would like to add is that in my opinion you shouldn't try to eliminate all occurrences of reports about expected file changes. Instead let AIDE complain and utilize some mechanism to sort the report entries according to their importance. For example, you could create a script which reorders the report so that changes made to files under /usr/bin come first, then modifications detected in /etc and finally any activity in the /var hierarchy. If you're smart enough the output could be colorized as well.

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://pgpkeys.mit.edu
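The reordering script suggested above, written out as an added example (not from the mail or from AIDE): binaries first, then /etc, then everything else, with the churny /var tree last, and optional ANSI colour by tier. The report excerpt is constructed in the `kind: path` form AIDE's text reports use; where a path falls outside the three named trees it is placed between /etc and /var, which is an assumption the mail does not make.

```python
"""Reorder an AIDE report so the entries that matter most come first."""
import re

# Path-prefix tiers in the order the reply suggests; lower sorts first.
PRIORITY = (("/usr/bin", 0), ("/usr/sbin", 0), ("/bin", 0), ("/sbin", 0),
            ("/etc", 1), ("/var", 3))
DEFAULT_PRIORITY = 2  # assumption: anything else sits between /etc and /var
KIND_ORDER = {"changed": 0, "added": 1, "removed": 2}
COLOURS = {0: "\033[1;31m", 1: "\033[1;33m", 2: "\033[0m", 3: "\033[2m"}  # red, yellow, plain, dim
RESET = "\033[0m"


def priority_of(path):
    for prefix, prio in PRIORITY:
        if path == prefix or path.startswith(prefix + "/"):
            return prio
    return DEFAULT_PRIORITY


def parse_report(text):
    """Pick the added:/changed:/removed: lines out of an AIDE report."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(added|changed|removed):\s*(\S+)", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def reorder(entries):
    """Sort by tier, then by kind (a changed binary beats an added log), then path."""
    return sorted(entries, key=lambda e: (priority_of(e[1]), KIND_ORDER.get(e[0], 9), e[1]))


def render(entries, colour=False):
    lines = []
    for kind, path in reorder(entries):
        line = "%-8s %s" % (kind + ":", path)
        if colour:
            line = COLOURS[priority_of(path)] + line + RESET
        lines.append(line)
    return lines


# Constructed report excerpt (not real AIDE output).
SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!
Added files:
added: /var/log/syslog.1.gz
added: /usr/bin/ssh
Changed files:
changed: /var/log/syslog
changed: /etc/passwd
changed: /usr/bin/passwd
changed: /home/adam/.bashrc
Removed files:
removed: /var/log/syslog.7.gz
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(render(parse_report(text), colour=sys.stdout.isatty())))
```

Pipe the daily report through it (`aide --check | python3 reorder.py`) and the logrotate noise stays visible, but at the bottom, where it no longer hides a changed /usr/bin/passwd.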
Re: Will 2.4.20 Source be patched for the latest kernel vulnerability?
On Thu, Dec 04, 2003 at 07:54:03AM -0800, Karsten M. Self wrote:
> on Wed, Dec 03, 2003 at 04:57:29PM +0100, Adam ENDRODI ([EMAIL PROTECTED]) wrote:
> > I tend to disagree. The kernel is a versatile program, it can be
> > patched, configured and compiled in too many ways.
>
> ...including many of which are wrong, broken, or suboptimal.
>
> [...]
>
> I already count seven builds of the 2.4.20 kernel on x86 architecture,
> fitting specific needs of different specific kernel types as well as
> uni- and multi-processor systems.

I can't accept that the seven builds could come anywhere close to satisfying adequately the needs of 75% of the user base at least. Perhaps there are actually more people who rely on the prebuilt kernel packages but I'm sure a great deal of the installations are a result of the lack of time, skills or motivation.

To illustrate my point, let us suppose you want a module-less system. In this case all of the prebuilt binary packages suddenly become useless. What if you need a driver for a third-party NIC which conflicts with another in the vanilla tree? What about PaX + UML which you cannot apply to the same tree without tinkering with the source? No doubt, many people, for they don't know any better, can survive without the features I've outlined above, but it appears to me the solution (of staying with dpkg -i kernel*) leads them to a situation you've described in your reply: suboptimal.

> > To sum up, it's always great to have a chance to learn from the more
> > experienced, but I don't expect them to do my homework. They are not
> > supposed to.
>
> You're missing the point of collaborative development. For the
> individual, or group, which puts the effort into building a secure
> architecture, Debian offers distribution, bugtracking, QC, and release
> mechanisms which can prove highly useful.
>
> In the specific case of kernel hardening, there's the question of how to
> package and structure things in a way that's useful across other axes of
> variance (arches, SMP/UP, server/workstation/desktop, etc.), but the task
> isn't impossible.

You've misunderstood what I tried to explain, I'm afraid. I was talking specifically about the kernel, not the general consciousness of the project. I really appreciate the effort the Debian Developers make to produce well-thought, accountable and cooperating packages that cover the common expectations. On the other hand, it's impossible for them to prepare for the less common ones. How come I've never been able to deploy any web service (phpmyadmin, mailman, bugzilla, ...) via a simple dpkg -i? The packages place files under /var/www when I need a different destination directory in a different layout and with different owner/group/permissions; the packages put symlinks and suid binaries here and there which I don't allow; the php scripts are assumed to be interpreted by the mod_php module that I refuse to load... Little details of a system are subject to change and my observation is that the more you customize the more likely you'll end up in trouble. Clearly, in my case with my little changes I diverge from the Debian (and likely other) standards more than the automatic install scripts could tolerate.

In a nutshell, I can hardly imagine a well-maintained system without a fistful of customizations, and in my opinion, it's easy to reach the point after which the standard Debian packages cannot support your strategies. And certainly, the Debian developers are not to be blamed for the natural limitations of their packages.

Peace. PaX.

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://www.keyserver.net
Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
On Fri, Dec 05, 2003 at 08:32:02PM +0100, Florian Weimer wrote:
> Keep in mind that there is no official security contact for the kernel,
> and no established bug handling procedure.

What about http://bugzilla.kernel.org ?

> Time to fix is now measured in months, and official kernel release
> schedules do not take security issues into account (nowadays, not even
> critical data loss mandates a coordinated emergency release).

Yes, I can confirm (although I'm not sure about the -pre and -rc releases, especially since MT is in charge of dealing with 2.4).

> In short: Don't run official, unpatched kernels. Use vendor kernels.

Or take the alternative approach: watch the vendor advisories and see which bits are worth importing into your tree. My only expectation on behalf of the vendor is to help me make the decision by providing a clear explanation of the purpose of the patch and of its inclusion in his tree.

bit, adam
--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://www.keyserver.net
Re: Will 2.4.20 Source be patched for the latest kernel vulnerability?
On Wed, Dec 03, 2003 at 06:46:51AM -0800, Karsten M. Self wrote:
> on Wed, Dec 03, 2003 at 01:31:29PM +, Dale Amon ([EMAIL PROTECTED]) wrote:
>> On Wed, Dec 03, 2003 at 03:21:57PM +0200, Riku Valli wrote:
>>> This is reason why I ask what about stock kernels, because I believe I am not lonely cowboy at the middle of the nowhere. Debian is distribution and
>>
>> Probably not... it is just that amongst a security conscious group you are likely to find that most will build their own kernels and add their own security patches. Paranoia is your friend in security.
>
> [...]
>
> Having a team that shares experience and combines talents in patching a kernel and tuning it to secure configurations is a preferable approach.

I tend to disagree. The kernel is a versatile program, it can be patched, configured and compiled in too many ways. As far as I know, Debian is not intended to best fit the needs of a security architecture, but to provide a usable environment to the mass of slightly advanced skills. The requirements often conflict, and while the developers do their best to fulfill as many as possible of them (for instance, by creating alternative kernel packages), in certain situations they might choose to prefer something else over security.

To sum up, it's always great to have a chance to learn from the more experienced, but I don't expect them to do my homework. They are not supposed to.

> While you _might_ do well on your own, the typical admin doesn't have these skills.

As time goes by I'm more and more convinced you're right. Conversely... we're on debian-security, after all.

bit, adam

PS: Apologies for the ranting I sent at the beginning of the other thread. I, too, didn't realize that no-one had known about the possible impacts of the kernel bug.
-- 
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://www.keyserver.net
-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
Just a humble question: how should the average user, who doesn't use the kernel sources provided by Debian and cannot follow lk, have known about the bug? The changelog read ``Add TASK_SIZE check to do_brk()'', there's no indication that it's a security fix. I'm really curious how you cope with it.

bit, adam
-- 
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://www.keyserver.net
Re: Attack using php+apache
On Sat, Nov 15, 2003 at 10:43:14PM -0500, Alex J. Avriette wrote:
> On Sat, Nov 15, 2003 at 08:11:34PM -0600, Tom Goulet (UID0) wrote:
>> If you have register globals off *or* safe mode on, this particular exploit is useless. If you had register globals on and safe mode off then he could run arbitrary programs as your Apache user. It's possible he could run a local root exploiting program, but that's not as likely.
>
> It really irritates me that people continue to use this when the php.ini file repeatedly warns (no, begs) you not to.

FWIW, having register globals off sometimes gives a false sense of security. Recently, I've discovered that PHP-Nuke just seems to work well with this setting, because it circumvents it by calling import_request_variables('GPC').

I'm less than happy about PHP.

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: authentication in ssh
First off, thank all of you for your replies.

Since I was unable to find a standard way to achieve what I wanted, I've developed a set of patches for OpenSSH 3.7.1p1. The patch adds a new configuration option, by which you can define what authentication methods are available for a given user|group, host twin. Unfortunately, it will only work for protocol versions 1.99 and above. If you're interested, just drop me an e-mail.

On Wed, Nov 12, 2003 at 10:23:08AM -0600, David Ehle wrote:
> Hmm, just occurred to me that you could do the following, though I think it would be considered a kludge. Run 2 sshd daemons on different ports. On

I think I'll choose this approach in the long run anyway. Having a separate daemon for the powerusers (including me in this context) seems reasonable, so that I won't be locked out if the public sshd gets DoSed somehow.

> This would mean however that your power users would need to custom configure their ssh clients to talk to your oddball port. Kind of inconvenient...

Packet filters are more of a concern for me. Probably a few REDIRECT rules will be needed.

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
authentication in ssh
How can I tell sshd to only accept a particular authentication method for some users, while letting others use any method they wish?

One of our servers has two kinds of users: a group of low-privileged ones and a few power users. The former may choose to log in by providing their password, but I want the latter to use their private keys, which I consider a more secure alternative. On the other hand, they need to retain their unix password, so I cannot just fill that with garbage.

I've looked at the recent openssh sources but it didn't seem to support this kind of distinction. One possibility I can think of is PAM, but I don't know which module to use.

Any suggestion would be greatly appreciated.

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: apache security issue (with upstream new release)
On Sat, Nov 01, 2003 at 07:49:30PM -0500, Phillip Hofmeister wrote:
> If you are really looking for assurance then 'rm -rf /' would not affect your day because weekly full backups and nightly incremental should be made. If you don't have valid off system, perhaps off-site backups, then what kind of assurance do you really have?

Fixing bogus user apps and taking backups on a regular basis are two orthogonal approaches. I'm sure you remember the recent debate about the meaning of `security'. The former is a preventive, while the latter is a corrective measure.

Moreover, not only data manipulation can be performed by means of an exploited user app. For instance, sending funny faked emails to your manager can be quite embarrassing just as well :)

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: apache security issue (with upstream new release)
On Sat, Nov 01, 2003 at 11:03:16AM +0100, [EMAIL PROTECTED] wrote:
>> For example, people sometimes file bugs about buffer overflows in simple programs (which run with no privileges and do not act on any untrusted input) just because they are buffer overflows, a type of bug which is associated with many security exposures. While these are bugs, no privileges can be gained from them, so they do not represent a security exposure.
>
> I also agree with that. But this is not clearly the case. Some typical scenarios are buffer overflows in games (clients, not servers) and other client apps (although depending on the particular cases could also be abused/exploited).

I tend to disagree, I'm afraid. The presence of remotely exploitable bugs in user applications (be it a client of some networked game, or a PDF viewer) imposes a great risk on the user, i.e. not on the system (which protects its integrity), but the user who is actually running the program. For the sake of assurance, just imagine how an accidentally executed `rm -rf /' on behalf of your desktop uid would affect the rest of the day for you..

> I stated this is not the case because:
> - Apache Httpd is a very widespread software on the Internet.
> - It is a server so it could be remotely attacked and it's the perfect door for any hacker.
> - The bug discovered could be used to obtain root remotely (well, the

Perhaps, in the co-existence of a bug in a suid root binary (let's say traceroute. Anyone?)

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: How efficient is mounting /usr ro?
On Fri, Oct 17, 2003 at 08:57:43PM +0200, Christian Storch wrote:
> Yes, a very sophisticated kind of definition. But what about the small gap between theory and practice?

In theory, it approximates the practice :)

> So I think security and availability represent two basic independent points of discussion. Security in a sense of preventing of bad impact from outside a system.

My view is that either C, I or A represents an area against which an attacker or some accident could bring on `bad impact'. Consider the simple question `Is my site defaced?'.

To stay on topic, I'm for keeping /usr and /usr/local read-only, because really nothing should update them except for a few programs under controlled circumstances (that's what makes the enforcement of this policy cheap). In addition, it might help you notice an intrusion. (I also got used to remount,ro /, for that matter)

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: services installed and running out of the box
On Mon, Sep 29, 2003 at 11:02:53AM +0100, Dale Amon wrote:
> There is another common case I'd not mentioned. Since I do a lot of development work, I tend to have a *lot* of servers installed on my laptop, ready to run, but only when I need them. I do this entirely manually at present. I'd like to have the option of installing a package and marking it to not be started or run at boot time. Just because I want it available does not at all mean I want it running all the time.

My business is just like yours. Since I've always managed the /etc/rc?.d directories by hand the [trivial] solution for me is to remove the symlinks the install scripts create. You can also use update-rc or whatever Debian calls it.

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: services installed and running out of the box
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
> At high security levels, any new services that get installed (from RPMs) are only allowed from localhost or even, IIRC, services may not even be started by default, neither post-install nor on reboot: you have to set them up manually.

We can see it the other way: why bother the user with the details of running a service if the clued ones can easily stop or disable the installed daemons until they are configured properly? Since Debian claims to be security conscious, the choice should be obvious. In this respect, the habit of the postinstall scripts of launching daemons after asking a few simple questions has always appeared at least controversial to me.

One of you has suggested introducing a new configuration variable in /etc/default which would tell postinst whether it is to operate fully automagically. The approach brings up interesting questions about the case of upgrading an already running service, but they should probably be discussed elsewhere.

Not being part of the community I'm satisfied with the current situation just as well. Conversely, I recommend taking the simple not-to-start-anything strategy unconditionally, which might decrease the respect on behalf of the less experienced user, but may call for applause from others.

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: execute application from webinterface
On Tue, Sep 02, 2003 at 01:38:24AM +0200, Christopher Taylor wrote:
> Jens Gutzeit wrote:
>> On Monday 01 September 2003 21:53, mario ohnewald wrote:
>>> What is the securest way of starting an application, like ping, from a webinterface as a different user.
>
> what's wrong with making the program suid-to-some-other-user (not root) and then just executing it? I realize this doesn't work for ping, which is suid-to-root anyway.

It doesn't work for scripts. I don't like the sudo approach either. Instead, I've written a tiny suexec-like wrapper which does nothing but change its uid to match the owner of the program prior to executing it.

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
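A minimal wrapper of the kind the post describes, written here as an added example (it is not adam's wrapper, whose source is not on the list): the program opens the target, checks its owner and mode on the opened descriptor, switches to the owner's uid/gid, verifies the drop is irreversible, and then fexecve()s the same descriptor, so the file that was checked is the file that runs. Assumptions: Linux with glibc (for fexecve), the wrapper is started as root, MIN_UID is a site policy value chosen for the example, and a fixed PATH is the only environment the target gets.

```c
/* suexec-style "run as owner" wrapper: added example, not the post's code.
 * Assumes Linux/glibc and that the wrapper itself runs as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MIN_UID 100   /* assumption: never switch to system accounts below this uid */

/* Policy check on the target, applied to an fstat() result of the descriptor
 * we will execute, so the decision and the exec refer to the same inode.
 * Returns 1 if the file may be run as its owner, 0 otherwise. */
int target_ok(const struct stat *st)
{
    if (!S_ISREG(st->st_mode)) return 0;                   /* no dirs, devices, fifos */
    if (st->st_uid == 0 || st->st_uid < MIN_UID) return 0; /* never become root/system */
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;       /* others could replace the code */
    if (st->st_mode & (S_ISUID | S_ISGID)) return 0;       /* the wrapper does the switching */
    if (!(st->st_mode & S_IXUSR)) return 0;                /* owner must be able to run it */
    return 1;
}

/* Drop from root to the owner's uid/gid and make sure it cannot be undone.
 * Returns 0 on success, -1 with errno set on failure. */
int become_owner(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;  /* drop inherited supplementary groups */
    if (setgid(gid) != 0) return -1;         /* gid first, while we are still root */
    if (setuid(uid) != 0) return -1;         /* as root this sets real, effective and saved uid */
    /* regaining root must now fail; if it does not, refuse to continue */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Open, check, switch identity, exec the opened descriptor with a clean
 * environment. Only returns on error (-1, errno set). */
int run_as_owner(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    struct stat st;
    int fd = open(path, O_RDONLY);   /* no O_CLOEXEC: a #! script needs the fd after exec */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!target_ok(&st)) { close(fd); errno = EACCES; return -1; }
    if (become_owner(st.st_uid, st.st_gid) != 0) { close(fd); return -1; }
    fexecve(fd, argv, clean_env);    /* replaces the process on success */
    close(fd);
    return -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/program [args...]\n", argv[0]);
        return 2;
    }
    if (run_as_owner(argv[1], argv + 1) != 0) {
        fprintf(stderr, "%s: %s: %s\n", argv[0], argv[1], strerror(errno));
        return 1;
    }
    return 0;
}
```

Because the check runs on the opened descriptor and the exec uses that same descriptor, swapping the file between check and exec gains an attacker nothing; the refusal of group/world-writable and setuid/setgid targets keeps the wrapper from becoming a general "run anything as anyone" tool.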
Re: Looking for a simple SSL-CA package
On Fri, Aug 22, 2003 at 01:04:54PM -0400, Matt Zimmerman wrote:
> On Thu, Aug 21, 2003 at 12:56:30PM +0200, Tarjei Huse wrote:
>> I'm no expert on handling certificates and I hope not having to learn all the commandline switches of openssl by heart. However, I do need a simple setup of a CA that I may use for creating self-signed certificates, webpages that clients may use to import the certificates and also a way to organize certificate revocation lists etc.
>
> You don't need a CA to create self-signed certificates (by definition there is no CA involved if the certificate is self-signed).

Perhaps I just misinterpret the terminology, but I've had the impression that every certificate should be signed, so should the root of the tree too. Since they sit at the top of the hierarchy they must be self-signed. Am I missing something?

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: Looking for a simple SSL-CA package
On Thu, Aug 21, 2003 at 12:56:30PM +0200, Tarjei Huse wrote:
> What are the alternatives besides OpenCA? Does anyone know of a set of scripts that are a bit less complex and at the same time give me some of the same functionality?

http://vekoll.saturnus.vein.hu/~borso/ca.tgz

You'll find here the bits I've hacked together for similar purposes. Just don't complain about missing documentation :)

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
Re: Debian Stable server hacked
On Thu, Aug 14, 2003 at 12:00:40PM -0400, Matt Zimmerman wrote:
> On Wed, Aug 13, 2003 at 09:00:51PM -0400, valerian wrote:
>> It actually does a very good job of stopping any kind of stack-smashing attack dead in its tracks (both the stack and heap are marked as non-executable). That takes care of most vulnerabilities, both known and unknown.
>
> No, it really doesn't. It might stop some common implementations of exploits, but that's about it. There are many papers available which describe the shortcomings of this kind of prevention.

Could you provide some pointers on the topic?

> You don't need an executable stack to get control of execution, you only need to be able to change the instruction pointer, which is stored on the stack (as data).

PaX is not just about non-executable address regions, but also about address space randomization. In my understanding, the attacker just doesn't know what he should modify the IP to. Given this, are you certain that only a narrow range of exploits (common implementations) can be killed via PaX?

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind
                           | Sleep forever
capabilities
Hello all, I'm toying with POSIX(-like) capabilities. I've dug up the libcap* packages, played with their source and done some research. Below I list three problems I need to resolve and the conclusions I've come to. -- Problem 1: I want to execute as root a program with reduced capability set. It seems to be impossible, for the kernel's behavour of forcing the effective and permitted sets to be full if the binary to be executed has euid == ruid == 0. (The `execcap' program included in libcap2-bin states incorrectly that it can do that, but it turned out to be only setting the cap_i set which renders it completely useless). -- Problem 2: I'd like to execute as root a program as non-root with reduced capability set. It's even harder than the previous item, because set*uid() resets capability sets unless a linux specific prctl() is issued prior to calling set*uid(). Other than this, the same comments apply. -- Problem 3: I'd like to grant or revoke capabilities to/from a running process. This seems to be the easiest, except that the kernel in the default configuration doesn't permit this (cap_bound doesn't contain CAP_SETPCAP which is requirement of a succesful capset() where the target is not the current process. The simplies workaround would be to set CAP_SETPCAT in cap_bound (requires to recompile the kernel, for cap_bset cannot be extended by anyone except pid == 1 (init)). However, I don't see clearly the implications this modification would cause, and I don't really want to risk it. In addition, libcap2 (the two-year old CVS version found both in Debian stable and unstable) doesn't provide capsetp(), thus implementing such a functionality would be difficulult and non-portable wrt different kernel versions. In any case, this workaround wouldn't be portable, since the POSIX draft didn't described capsetp(). It seems either I missed something or not many care about POSIX capabilities despite the fuss around them. Any comments and suggestions are welcome. 
Please do not direct me to other projects like grsecurity. I'm familiar with it and don't want to use it for reasons I won't explain here.

bit, adam
-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622 82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net | And out of mind Sleep forever
-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: configure ssh-access
On Mon, Jul 07, 2003 at 11:08:38AM +0200, [EMAIL PROTECTED] wrote:
> I'd prefer to specify the rules for logging into the machine in the sshd_config file, not in hosts.allow/deny. But the AllowHosts/DenyHosts options that could be used in /etc/sshd_config earlier seem to be no longer available in the SSH version I'm using. It's: openssh-3.4p1-80 on a SuSE 8.1

It's there, except that this option has been generalized a bit. Try ``AllowUsers [EMAIL PROTECTED]''. The man page says:

> If the pattern takes the form [EMAIL PROTECTED] then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

I think it'll solve your problem.

bit, adam
Re: one user per daemon?
On Sat, Jul 05, 2003 at 02:26:24PM +0200, Christian Kujau wrote:
> the thing is, when some of the nobody processes are compromised, *every* daemon nobody has started is in danger of being killed or misused. /etc/password lists a lot of unused (but somehow standard) users, they could be used to run processes under a different user id.

On my systems, I have added several accounts dedicated to programs like snort, spamd, syslogd, tftpd and others. It's just as easy as doing an ``adduser --system --no-create-home foo''. Usually, it's a good idea to create a corresponding system group too. I think it's not the default because sometimes process interaction gets difficult to manage.

bit, adam
Re: Strongest linux - kernel patches
On Wed, Jul 02, 2003 at 01:17:22PM +0200, Thomas Sjögren wrote:
> -- then use the latest php, apache, postfix, mysql, dns - probably want to chroot your dns app ... and don't forget to build the packages with your SSP patched GCC :)

I doubt if SSP provides additional security beyond PaX. Any argument in favour of the combination?

bit, adam

ps: thank you all very much for your opinions regarding the IP-MAC question
MAC address change
Folks,

How widely do you think changing the MAC address of a NIC via ``ifconfig if hw'' is supported by the various network cards and drivers out there nowadays? My colleague and I have debated several times whether watching the LAN for non-matching IP-MAC pairs can reveal any useful information. I argued that it may not, since the MAC is easily alterable, but he objected, because it's not. Now I ask you to decide who is right.

tia, adam
Re: Keeping files away from users
On Thu, Jun 05, 2003 at 10:44:47AM +0200, Lars Ellenberg wrote:
> or keep an encrypted copy of all relevant files separately, and on bootup / service startup you decrypt it temporarily to the correct location, start the service, and unlink it again (after you wiped it with garbage, of course ;-] ). (will probably not work if services try to be smart and reread their conf files on a regular basis...)

I'm almost certain it's a bad idea for two reasons:

-- only data is encrypted, not file system metadata. This means an attacker might find additional information you wouldn't share otherwise, e.g. extended attributes

-- you just don't know where all the pieces of a sensitive file during its lifetime are scattered on your disk. Some bits may remain here or there--who knows? There's no guarantee that overwriting the file with garbage (wiping) destroys the remaining bits.

A few months ago there was a thread on this topic on linux-fsdevel in which you'll find these points explained in more detail.

bit, adam
Re: Keeping files away from users
On Thu, Jun 05, 2003 at 09:30:51AM +0200, Luis Gomez - InfoEmergencias wrote:
> We'd like to protect that content, so that even if someone unplugs the machine and connects the HD to another Linux box, they can't access that information.

Default answer: encrypt your file system.

http://www.kerneli.org/index.php
http://loop-aes.sourceforge.net (my preferred one)

I find both of them very stable.

bit, adam
Re: Kernel 2.4 ioperm
On Fri, May 23, 2003 at 04:16:22PM +0200, Steffen Schulz wrote:
> Am I right that a local user is able to crash the system by putting evil data into these mysterious I/O ports?

I'm not sure, but I don't *think* that the attacker is free to choose any target port.

> Is privilege escalation possible?

According to the grsec guys, if you've obtained access to IO ports, everything is possible.

> Is this exploitable out of a chroot jail (ssh, postfix)?

Unprivileged processes can't call ioperm() (and jailed programs are usually unprivileged anyway).

> Are there any workarounds

Remove CAP_SYS_RAWIO from the global capability bounding set. Then restart your sensitive services.

> or do I have to compile rc3?

Beware, the fix in -rc3 is broken. The original one is here:
http://linux.bkbits.net:8080/linux-2.4/diffs/arch/i386/kernel/[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]

You'll find the fix for the fix here:
http://marc.theaimsgroup.com/?l=linux-kernel&m=105368405504595&w=2

bit, adam
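The workaround above, clearing CAP_SYS_RAWIO from the bounding set and restarting the services, applied to the single system-wide set of 2.4 (the kernel/cap-bound sysctl). From 2.6.25 on the bounding set is per thread, inherited across fork() and execve(), and a process holding CAP_SETPCAP can clear bits in its own set with prctl(PR_CAPBSET_DROP); that is how one service can be started without the capability while the rest of the system is left alone. The wrapper below is an added example, not code from the thread or from any Debian package; the daemon path in the usage comment is an assumption.

```c
/* Added example: start a program with CAP_SYS_RAWIO removed from the
 * capability bounding set, so neither it nor anything it execs (including
 * setuid-root helpers) can obtain the bit and call ioperm(2)/iopl(2).
 * Linux 2.6.25+; the drop needs CAP_SETPCAP, reading the set does not. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if `cap` is in the calling thread's bounding set, 0 if not, -1 with
 * errno EINVAL for an unknown capability number. No privilege required. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Remove `cap` from the bounding set. Needs CAP_SETPCAP in the effective set
 * unless the bit is already clear. Returns 0, or -1 with errno set. */
int drop_from_bounding_set(int cap)
{
    int present = cap_in_bounding_set(cap);
    if (present < 0)
        return -1;
    if (present == 0)
        return 0;               /* already gone, nothing to do */
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
}

int main(int argc, char **argv)
{
    /* Usage: ./norawio /usr/sbin/some-daemon args...   (example path) */
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (drop_from_bounding_set(CAP_SYS_RAWIO) != 0) {
        perror("PR_CAPBSET_DROP CAP_SYS_RAWIO");
        return 1;
    }
    /* The bounding set survives execve() and is copied on fork(), so the
     * service and all of its descendants run without CAP_SYS_RAWIO. */
    execv(argv[1], argv + 1);
    perror("execv");
    return 1;
}
```

Verify from outside with `grep CapBnd /proc/<pid>/status` on the started service: bit 17 (0x20000) must be clear. libcap's capsh does the same job from a shell (`capsh --drop=cap_sys_rawio -- -c '/usr/sbin/some-daemon'`); either way the limit has to be applied before the service starts, which is why the original advice ends with restarting the sensitive services.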
Re: Does anybody knows of this security problem in the kernel?
On Fri, May 16, 2003 at 01:04:09PM +0300, Haim Ashkenazi wrote:
> Does anybody know about this? http://www.secunia.com/advisories/8786/

It has been fixed for two weeks both in 2.4 and 2.5. See
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]|[EMAIL PROTECTED]

bit, adam
Re: Does anybody knows of this security problem in the kernel?
On Fri, May 16, 2003 at 05:35:37PM +0300, Haim Ashkenazi wrote:
> On Fri, 16 May 2003 15:54:57 +0200 Adam ENDRODI [EMAIL PROTECTED] wrote:
> > On Fri, May 16, 2003 at 01:04:09PM +0300, Haim Ashkenazi wrote:
> > > Does anybody know about this? http://www.secunia.com/advisories/8786/
> >
> > It has been fixed for two weeks both in 2.4 and 2.5. See
> > http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]|[EMAIL PROTECTED]
>
> not much information there...

Sorry, I meant this one:
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]|[EMAIL PROTECTED]
[Verified link this time]

bit, adam
Re: ptrace fix in 2.4
On Mon, May 12, 2003 at 03:10:05AM +0200, Peter Holm wrote:
> On Fri, 09 May 2003 14:10:05 +0200, in linux.debian.security you wrote:
> > Yesterday Bernhard Kaindl committed a cleanup patch addressing numerous problems encountered with the original ptrace fix. Now it should be in -rc2. For more information and diffs, see
>
> Could someone please instruct me what to do now? I see there is a 2.4.21-rc2 at kernel.org, I have to patch this against a 2.4.20 kernel, ok, but can I use a Debian package of the 2.4.20 source or will this mess up?

You can give it a try, if you insist on having the Debian modifications. I suppose, with careful manual merging, it's possible to get a working mule kernel. However, it seems easier to start from the other direction: download a vanilla -rc2 and merge the individual Debian-specific patches with it (after you've checked they haven't been applied by the kernel maintainers).

bit, adam
ptrace fix in 2.4
Hi -

Yesterday Bernhard Kaindl committed a cleanup patch addressing numerous problems encountered with the original ptrace fix. Now it should be in -rc2. For more information and diffs, see
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]|[EMAIL PROTECTED]
and
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

bit, adam
Re: Re[2]: Chkrootkit
On Thu, Apr 24, 2003 at 07:32:01PM +0200, Kay-Michael Voit wrote:
> If I understand promisc mode, this is not a problem, so I can't fix it, so there will always be output (which I don't want, because cron sends a mail then)

Promiscuous mode is a sign of a running sniffer. Not necessarily an intrusion, but it's something you should definitely know about.

bit, adam
Re: Secure remote syslogging?
On Thu, Apr 24, 2003 at 08:52:10PM +0200, Jose Luis Domingo Lopez wrote:
> The implementation consisted of syslog-ng logging to a pipe (using a template for SQL output), which is depleted by an ever-running PERL script that executes the SQL sentences in the remote server through a secure SSH tunnel. The only thing left to do would be some kind of sanitization of the SQL inserts, to avoid potentially harmful SQL injections.

You're right at this point. Also, I'd like to note that should your script ever crash, you won't be able to restart and catch up again because the pipe would be closed and s-ng would just constantly get -EPIPE. Consider using unix domain sockets instead.

> Linux Registered User #189436 Debian Linux Sid (Linux 2.5.68)

I see you like challenging fate :)

bit, adam
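The sanitization the two of them agree is still missing comes down to one rule when the INSERT is assembled as text: every single quote inside a value must be doubled, and nothing in a log line may be allowed to close the literal early. The program below is an added example, not code from the thread or from syslog-ng; the table name, the template shape and the log line carrying the payload are all constructed for illustration. It shows the statement a naive template produces next to the quoted one and counts how many statements each actually contains.

```c
/* Added example: quoting syslog lines for a text-assembled SQL INSERT,
 * with the vulnerable form beside the hardened one. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote an arbitrary log line as a SQL string literal: every ' is doubled,
 * and control characters other than tab are replaced by '?' so a line can
 * neither close the literal nor smuggle a newline/NUL into the statement.
 * Returns malloc'd memory, or NULL on allocation failure. */
char *sql_quote(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(2 * len + 3);    /* worst case: all quotes, plus '' and NUL */
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (const unsigned char *q = (const unsigned char *)s; *q; q++) {
        if (*q == '\'') {
            *p++ = '\'';
            *p++ = '\'';
        } else if (*q < 0x20 && *q != '\t') {
            *p++ = '?';
        } else {
            *p++ = (char)*q;
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* What a template like "INSERT INTO logs VALUES ('$HOST', '$MSG');" emits
 * when the message is pasted in verbatim (the vulnerable form). */
char *insert_naive(const char *host, const char *msg)
{
    size_t n = strlen(host) + strlen(msg) + 48;
    char *out = malloc(n);
    if (out)
        snprintf(out, n, "INSERT INTO logs VALUES ('%s', '%s');", host, msg);
    return out;
}

/* The same statement built from quoted literals (the hardened form). */
char *insert_quoted(const char *host, const char *msg)
{
    char *h = sql_quote(host), *m = sql_quote(msg), *out = NULL;
    if (h && m) {
        size_t n = strlen(h) + strlen(m) + 48;
        out = malloc(n);
        if (out)
            snprintf(out, n, "INSERT INTO logs VALUES (%s, %s);", h, m);
    }
    free(h);
    free(m);
    return out;
}

/* Rough check: count ';' outside string literals. A doubled '' toggles the
 * state twice, so it stays inside the literal. More than 1 means the line
 * managed to append a statement. (Ignores SQL comments.) */
int statement_count(const char *sql)
{
    int in_str = 0, n = 0;
    for (const char *p = sql; *p; p++) {
        if (*p == '\'')
            in_str = !in_str;
        else if (*p == ';' && !in_str)
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed log line carrying an injection payload in the message. */
    const char *host = "mail1";
    const char *msg = "login failed'); DROP TABLE logs; --";
    char *bad = insert_naive(host, msg);
    char *good = insert_quoted(host, msg);

    printf("naive : %s  -> %d statement(s)\n", bad, statement_count(bad));
    printf("quoted: %s  -> %d statement(s)\n", good, statement_count(good));
    free(bad);
    free(good);
    return 0;
}
```

With DBI the same line goes through safely as `$sth->execute($host, $msg)` on a prepared `INSERT ... VALUES (?, ?)`, and that is the preferable route; quoting by hand is for the case in the thread, where syslog-ng's template has already turned the line into statement text before any driver sees it.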
Re: Re: HELP, my Debian Server was hacked!
On Thu, Apr 24, 2003 at 11:43:06AM +0200, I.R. van Dongen wrote:
> lamorak:~# crontab -l
> @daily apt-get -q -q -q -q update && apt-get -s -q -q -q -q dist-upgrade

Before you deploy such a mechanism, I advise that you set up another one between the update and upgrade which checks the authority of the downloaded databases. Details on how to implement this have been discussed in the list several times and an adequate answer can be found in the Debian Security FAQ. Upon request, I can send the perl script we're using on a daily basis.

bit, adam
apt-check-sigs.pl
Due to several requests received both in private and in public I decided the best would be to post the script on the list. It requires perl5, wget and gnupg. The current Debian Archive Automatic Signing Key (38C6029A) should be present in the keyring of the user executing the script (who needn't be root). Some terse usage description can be found in the head of the script. Comments, corrections and enhancements are always welcome.

bit, adam

[Attachment: apt-check-sigs.pl.gz (binary data)]
Re: ptrace patch for vanilla kernel 2.4.20
On Wed, Apr 23, 2003 at 01:07:22AM +0200, Alexander Schmehl wrote:
> * Konstantin [EMAIL PROTECTED] [030422 23:03]:
> > can anyone post the patch for the 2.4.20 kernel (from kernel.org) or give me an address I can leech it from.
>
> http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html
> http://sinuspl.net/ptrace/

Can you tell me whether these patches are the ones which were known to break something?

bit, adam
Re: ptrace patch for vanilla kernel 2.4.20
On Wed, Apr 23, 2003 at 09:35:32AM +0200, Alexander Schmehl wrote:
> * Adam ENDRODI [EMAIL PROTECTED] [030423 07:59]:
> > > http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html
> > > http://sinuspl.net/ptrace/
> >
> > Can you tell me whether these patches are the ones which were known to break something?
>
> I didn't hear of a patch that breaks something, yet. The second one applied cleanly, and I didn't encounter any problems on four different machines. Did I miss something?

There have been some problems, I'm afraid. Here's what I've found in the archives of lkml:

Thread ``Oops: ptrace fix buggy'':
http://marc.theaimsgroup.com/?t=10497185861&r=1&w=2
Thread ``ptrace patch side-effects on 2.4.x'':
http://marc.theaimsgroup.com/?t=10497176421&r=1&w=2
Thread ``ptrace fix changes output of ps ax'':
http://marc.theaimsgroup.com/?t=10496842512&r=1&w=2
Thread ``after ptrace patch'':
http://marc.theaimsgroup.com/?t=10494832403&r=1&w=2

Especially http://marc.theaimsgroup.com/?l=focus-linux&m=104990668007208&w=2 :

# Yes, the most annoying side effect of the ptrace patch is that it broke
# the ability to strace a non-root process. Very secure, but it makes
# troubleshooting quite difficult.

The most sensible workaround I've heard is disabling kmod (CONFIG_KMOD=n).

bit, adam