Re: How efficient is mounting /usr ro?
Quoting Bernd Eckenfels ([EMAIL PROTECTED]):

> In article <[EMAIL PROTECTED]> you wrote:
> > In the IT field, "security" refers specifically to unauthorized use, as in
> > "security guard", and "security system". It does not, in general, refer to
> > the more generic definitions of "security", as in "security blanket",
> > "securities and exchange commission", or "job security".
>
> Can you show me a definition of that? I presented two which teach you
> otherwise.

To quote Garfinkel and Spafford (2nd edition, page 6):

"A formal definition wouldn't necessarily help you any more than our working definition, and would require detailed explanations of risk assessment, asset valuation, policy formation, and a number of other topics beyond what we are able to present here." (in 971 pages).

Their definition:

"Computer Security: 'A computer is secure if you can depend on it and its software to behave as you expect.'"

And they go on...

"Our practical definition might also imply to some that security is concerned with issues of testing your software and hardware, and with preventing user mistakes. However, we don't intend our definition to be that inclusive."

So I for one would prefer to keep off debian-security such Safety issues as mounting /usr ro (except to expose them as NOT a help towards Security); though running linux off readonly media (hardware-locked) is borderline on-topic.

Cheers,

-- 
Email: [EMAIL PROTECTED]   Tel: +44 1908 653 739   Fax: +44 1908 655 151
Snail: David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer: These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.
Re: services installed and running "out of the box"
Quoting Matt Zimmerman ([EMAIL PROTECTED]):

> On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote:
>
> > On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote:
> > > For starters, I think portmap, rpc.statd, and inetd should not run by
> > > default. Not running a mail server (or perhaps only running one on the
> > > loopback interface) would be nice, too.
> >
> > It can be damnably difficult to dump the web server... I've ended
> > up downloading dhttpd and then removing links or changing the
> > init.d/dhttpd file name.
>
> What is so difficult? No web server is installed by default. If you don't
> want one, don't install one.

The problem is that I want to read my documentation with a browser.

~# apt-get remove thttpd
Reading Package Lists... Done
Building Dependency Tree... Done
The following packages will be REMOVED:
  dwww info2www thttpd
0 packages upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 786kB will be freed.
Do you want to continue? [Y/n] n
Abort.
~# logout
~$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:www                   *:*                     LISTEN
...

Where does one go from here?

Cheers,
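The `*:www LISTEN` line above is the thing to keep an eye on: a documentation server that only needs to serve the local browser has been bound to every interface. Whatever you do about it (the usual answer is to bind such a server to the loopback address, or drop it in favour of reading the files directly), the check is the same: look at what is listening, and on which address. The following is an added example, not code from the original message; it parses classic `netstat -a` output and separates sockets bound to the wildcard address from those bound to loopback. The netstat text it works on is constructed for the example, not captured from the poster's machine.

```python
"""Flag services listening on all interfaces in `netstat -a`-style output.

Added example, not from the original list thread. The sample output below
is constructed for the example, not taken from the poster's machine.
"""

# Constructed sample of `netstat -a` output (header plus a few sockets).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 127.0.0.1:8080          *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 myhost:ssh              client.example:1023     ESTABLISHED
udp        0      0 *:sunrpc                *:*
"""

# Addresses that mean "loopback only" in netstat's local-address column.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}
# Addresses that mean "every interface".
WILDCARD = {"*", "0.0.0.0", "::", ""}


def listening_sockets(netstat_output):
    """Return (proto, host, port) for every listening socket in the output.

    TCP sockets are listening when State is LISTEN; UDP has no state column,
    so every bound UDP socket is treated as listening.
    """
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines and anything that is not a socket row
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established or closing TCP connections are not servers
        # rpartition keeps IPv6 literals such as ::1 intact and takes the
        # last colon-separated field as the port (or service name).
        host, _, port = local.rpartition(":")
        found.append((proto, host, port))
    return found


def wildcard_listeners(netstat_output):
    """Listening sockets reachable from the network (bound to every interface)."""
    return [(proto, port) for proto, host, port in listening_sockets(netstat_output)
            if host in WILDCARD]


def loopback_only(netstat_output):
    """Listening sockets reachable only from the host itself."""
    return [(proto, port) for proto, host, port in listening_sockets(netstat_output)
            if host in LOOPBACK]


if __name__ == "__main__":
    for proto, port in wildcard_listeners(SAMPLE_NETSTAT):
        print("exposed to the network: %s/%s" % (proto, port))
    for proto, port in loopback_only(SAMPLE_NETSTAT):
        print("loopback only:          %s/%s" % (proto, port))
```

Feed it the real output of `netstat -a` (or `netstat -an`, which prints numeric addresses and avoids DNS lookups) and the first list is the set of services you need either to justify, to rebind to loopback, or to remove.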
Re: How to reduce sid security
Quoting Boyd Moore ([EMAIL PROTECTED]):

> Well I did have rlogin, that is it points to netkit-rlogin. I finally
> got rsh to work by commenting out the ALL: PARANOID line in
> hosts.deny. I thought that the hosts.allow overrode the hosts.deny,
> but apparently they have reversed the priority.

hosts.allow is consulted first, so if hosts.deny makes any difference at all, then hosts.allow didn't provide a match. The first match is all that matters. (Overriding depends on reading to the end of all the files and then taking the last match. It doesn't happen here.)

> Now rsh, rlogin, etc.
> works, but still not remote X windows.
>
> I have gone through the xauth routine to make sure the .Xauthority
> files are the same for the same user on both hosts. And I have set
> the xhost + on both machines, but I always get the "Can't open display
> ..." message.

/etc/X11/xinit/xserverrc contains -nolisten tcp in the default Debian configuration which prevents port 6000 (or is it 6001, it's so long ago...) from being opened. netstat should confirm this.

Cheers,
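The first-match rule described above is easy to get backwards, so here it is as code. This is an added example, not from the original message or from tcp_wrappers itself: it models the order hosts_access(5) specifies (grant on the first match in hosts.allow; otherwise deny on the first match in hosts.deny; otherwise grant) over a small subset of the pattern language: ALL, LOCAL, PARANOID, host names, IP literals, leading-dot domain suffixes and trailing-dot network prefixes. EXCEPT clauses, netmask forms and KNOWN/UNKNOWN are left out. The rule files and client records are constructed for the example; the "paranoid" client stands for a host whose forward and reverse DNS disagree, which is what the poster's ALL: PARANOID line was catching, and for which tcpd refuses to use the host name at all.

```python
"""First-match evaluation of hosts.allow / hosts.deny as hosts_access(5) does it.

Added example, not from the original thread. Rule files and clients below
are constructed; the pattern language is a subset (no EXCEPT, no netmasks).
"""


def parse_rules(text):
    """Turn an access-control file into a list of (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def match_client(pattern, client):
    """Does one client pattern match a client record?

    client is a dict with 'ip', 'name' (reverse-lookup result or '') and
    'paranoid' (True when forward and reverse DNS disagree).
    """
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return client["paranoid"]
    # tcpd will not trust a name whose forward lookup disagrees with the
    # reverse lookup, so name-based patterns can only match consistent names.
    name = "" if client["paranoid"] else client["name"]
    if pattern == "LOCAL":                      # host name without a dot
        return bool(name) and "." not in name
    if pattern.startswith("."):                 # .example.org matches ws1.example.org
        return name.endswith(pattern)
    if pattern.endswith("."):                   # 10.1. matches 10.1.x.y
        return client["ip"].startswith(pattern)
    return pattern == client["ip"] or (name != "" and pattern == name)


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    daemon_ok = any(d == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(match_client(c, client) for c in clients)


def access_decision(allow_text, deny_text, daemon, client):
    """Return ('granted'|'denied', reason), following hosts_access(5) order."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return "granted", "matched hosts.allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return "denied", "matched hosts.deny"
    return "granted", "no match in either file"


# Constructed rule files resembling the set-up discussed above.
HOSTS_ALLOW = """\
in.rshd, in.rlogind: .lab.example.org
sshd: ALL
"""
HOSTS_DENY = """\
ALL: PARANOID
ALL: ALL
"""

# Constructed clients: one with consistent DNS, one whose reverse lookup
# does not resolve back to its address.
GOOD_CLIENT = {"ip": "10.1.2.3", "name": "ws1.lab.example.org", "paranoid": False}
SPOOFY_CLIENT = {"ip": "10.1.2.4", "name": "ws2.lab.example.org", "paranoid": True}

if __name__ == "__main__":
    for daemon, client in [("in.rshd", GOOD_CLIENT), ("in.rshd", SPOOFY_CLIENT),
                           ("in.fingerd", GOOD_CLIENT)]:
        verdict, why = access_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, client)
        print(daemon, client["ip"], verdict, "(%s)" % why)
```

Two things fall out of running it. The trailing `ALL: ALL` in hosts.deny never touches the rsh client with good DNS, because hosts.allow matched first and the search stopped there; and the client with inconsistent DNS is denied not because hosts.deny "overrode" anything but because no hosts.allow line could match a name tcpd refused to trust. Commenting out `ALL: PARANOID` makes that client fall through to `ALL: ALL` (still denied) or, with no hosts.deny at all, to the default grant, which is what the poster saw.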
Re: Why is proftpd always started when one update it?
Quoting Preben Randhol ([EMAIL PROTECTED]):

> I had to do a update-rc.d -f proftpd remove again.
> If somebody could explain why it is like this it would be nice.

From man update-rc.d:

    If any files /etc/rcrunlevel.d/[SK]??name already exist then update-rc.d does nothing. This is so that the system administrator can rearrange the links, provided that they leave at least one link remaining, without having their configuration overwritten.

You should leave at least one K link in place so that when the installer runs update-rc.d, it does nothing.

Cheers,
Re: Fwd: iDEFENSE Security Advisory 11.01.02: Buffer Overflow Vulnerability in Abuse
Quoting Phillip Hofmeister ([EMAIL PROTECTED]):

> From: "David Endler" <[EMAIL PROTECTED]>
> [...]In a default abuse installation in
> Debian Linux, both abuse.console and abuse.x11R6 can be used in
> exploitation; both files are set group id games, and abuse.console is
> set user id root.

What's this about?
                                    _
> 2. Remove the setuid bit from the XaoS binary by executing the
> following command:
>
> # chmod -s /usr/lib/games/abuse/abuse.*

(noticing -rwsr-xr-x root root 37 Jul 27 17:34 /usr/bin/xaos)
             ^

Cheers,
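The advisory text quoted above names one program (XaoS) while its fix command touches another (abuse), and the poster's `ls` shows that xaos itself is setuid root. When the advisory and the box disagree, look at the box. The following is an added example, not from the original message or the advisory: it walks a directory tree and reports every regular file with the setuid or setgid bit set, then confirms that a `chmod -s`-equivalent really cleared the bits. The demo builds its own stand-in files in a temporary directory so it runs without root (the mode bits are ordinary permissions on files the caller owns); on a real system you would point `find_set_id_files` at `/` or `/usr`.

```python
"""Find set-user-ID and set-group-ID files under a directory tree.

Added example, not from the original thread or the advisory. The demo
constructs its own files; no real binaries are touched.
"""
import os
import stat
import tempfile


def find_set_id_files(root):
    """Return sorted [(path, 'u'|'g'|'ug')] for regular files with setuid/setgid set.

    Symlinks are not followed: the kernel honours the bits on the target, not
    on the link, so counting the link would double-report the same binary.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable: skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = ""
            if st.st_mode & stat.S_ISUID:
                flags += "u"
            if st.st_mode & stat.S_ISGID:
                flags += "g"
            if flags:
                hits.append((path, flags))
    return sorted(hits)


def strip_set_id(path):
    """Equivalent of `chmod -s path`: clear both bits, leave the rest of the mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))


def demo():
    """Build a tiny fake /usr tree, scan it, strip the bits, scan again."""
    with tempfile.TemporaryDirectory() as top:
        games = os.path.join(top, "lib", "games", "abuse")
        os.makedirs(games)
        os.makedirs(os.path.join(top, "bin"))
        # Constructed files standing in for the binaries named in the thread.
        layout = {
            os.path.join(games, "abuse.console"): 0o4750,   # setuid, per the advisory
            os.path.join(games, "abuse.x11R6"):   0o2755,   # setgid games, per the advisory
            os.path.join(top, "bin", "xaos"):     0o4755,   # what the poster's ls showed
            os.path.join(top, "bin", "harmless"): 0o755,    # control: no special bits
        }
        for path, mode in layout.items():
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        before = find_set_id_files(top)
        for path, _ in before:
            strip_set_id(path)
        after = find_set_id_files(top)
        return [(os.path.relpath(p, top), f) for p, f in before], after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod -s:", before)
    print("after  chmod -s:", after)
```

Run against a live tree, the output of `find_set_id_files("/usr")` is the list to reconcile against what the advisory actually claims; anything in the list that is not in the advisory (here, xaos) deserves its own question.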
Re: Why do I get mail for root of sunbird.aimcomm.com?
Quoting Andreas Goesele ([EMAIL PROTECTED]):

> OK, I kind of understand, why I got this one: It came over the
> list. But I got a bunch of messages to root (and some privileged user)
> of sunbird.aimcomm.com which did not come over the list. How is this
> possible?

Because the body of the (single) email looks like this:

   Unusual System Events
   =-=-=-=-=-=-=-=-=-=-=
   Feb  1 04:58:15 sunbird uservd[19110]: call connected
   Feb  1 04:58:15 sunbird uservd/check[19109]: uservd[535] is running
   Feb  1 04:58:15 sunbird uservd[19110]: call connected
   Feb  1 04:58:15 sunbird uservd/check[19109]: uservd[535] is running

   From root Fri Feb  1 06:14:01 2002                              <--
   Received: (from root@localhost)
           by .aimcomm.com (8.9.3/8.9.3/Debian 8.9.3-21) id GAA19224
           for root; Fri, 1 Feb 2002 06:02:03 -0800
   Date: Fri, 1 Feb 2002 06:02:03 -0800
   From: root
   etc. etc.

where I put spaces to prevent your email client from splitting this quotation at the <-- line. AIUI something somewhere should have put a > in front of that "From".

Cheers,
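The mechanism behind the explanation above is the mbox message separator: a spool file is a sequence of messages each introduced by a line beginning with "From ", a sender token and a date, so a delivery agent has to quote any such line that occurs inside a body as ">From ". When it does not, every reader that splits the spool on "From " lines sees the quoted report as a second message, which is exactly how a pile of mail addressed to root of someone else's machine turns up in your inbox. The following is an added example, not from the original message: a naive mbox splitter, the classic "mboxo" From-quoting and its inverse, run over a constructed report modelled on the one quoted above.

```python
"""Why an unescaped "From " line splits one mail into two.

Added example, not from the original thread. The mailbox text below is
constructed for the example.
"""
import re

# What an mbox reader treats as the start of a message: "From ", a sender
# token, then the rest of the line (normally a date).
FROM_LINE = re.compile(r"^From \S+ ")


def split_mbox(text):
    """Split mbox text into messages the way a naive reader does:
    every line beginning with "From <sender> " starts a new message."""
    messages = []
    for line in text.splitlines(keepends=True):
        if FROM_LINE.match(line) or not messages:
            messages.append("")
        messages[-1] += line
    return messages


def from_munge(body):
    """Quote body lines that would otherwise look like a message separator.

    This is "mboxo" quoting: prefix ">" to any line starting with "From ".
    (The "mboxrd" variant also quotes lines that already begin with ">From "
    so the operation is reversible; that refinement is omitted here.)
    """
    return "".join((">" + line) if FROM_LINE.match(line) else line
                   for line in body.splitlines(keepends=True))


def unmunge(body):
    """Undo from_munge for display: drop one ">" in front of "From "."""
    return "".join(line[1:] if line.startswith(">From ") else line
                   for line in body.splitlines(keepends=True))


# Constructed report: an automated log summary whose body quotes another mail.
REPORT_HEADERS = (
    "From logcheck Fri Feb  1 06:20:00 2002\n"
    "From: logcheck\n"
    "To: root\n"
    "Subject: sunbird 02/01 06:20 system check\n"
    "\n"
)
REPORT_BODY = (
    "Unusual System Events\n"
    "=-=-=-=-=-=-=-=-=-=-=\n"
    "Feb  1 04:58:15 sunbird uservd[19110]: call connected\n"
    "From root Fri Feb  1 06:14:01 2002\n"          # the line that needs quoting
    "Received: (from root@localhost)\n"
    "Date: Fri, 1 Feb 2002 06:02:03 -0800\n"
    "From: root\n"
    "Subject: cron output\n"
)


def messages_seen(quoted):
    """How many messages a reader finds in the spool, with or without quoting."""
    body = from_munge(REPORT_BODY) if quoted else REPORT_BODY
    return len(split_mbox(REPORT_HEADERS + body))


if __name__ == "__main__":
    print("without From-quoting the reader sees", messages_seen(False), "messages")
    print("with    From-quoting the reader sees", messages_seen(True), "message")
    print("the stray second message begins:",
          split_mbox(REPORT_HEADERS + REPORT_BODY)[1].splitlines()[0])
```

Note that "From:" with a colon is an ordinary header and never triggers the split; only the colon-less "From " separator does, which is why the quoted headers below the arrow in the message above came through as a message of their own.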
Re: mounting /tmp noexec
Quoting Alexey Vyskubov ([EMAIL PROTECTED]):

> > That's not my experience. I can only assume your /tmp filesystem,
> > like mine, is not vfat-like. Whereas this floppy is:
>
> You probably have some additional settings somewhere (where?).
[...]
> Please show output for 'mount' command after mounting floppy.

No, I'm afraid you're doing something differently from me (remount).

I get the impression that you're trying to find an exploit against the useful feature that I pointed out in my original message, as if it was a security defence. I didn't offer it as a defence but as a convenience (acknowledged in my first message to you). I was concerned lest his statement "noexec has no good purpose" should cause anyone to consider getting rid of it, or not going to the trouble of continuing to support it on filesystems that don't actually have exec permissions.

If it has any security (sensu lato) value at all, noexec only prevents accidents rather than maintaining security (sensu stricto) against exploits.

If you want the feature to remain useful, mount the filesystem noexec to begin with---don't mount it exec, fiddle with it, and then remount noexec.

If you're not interested in why remount leads to the effects you've posted, stop reading here...

When you mount a vfat-like filesystem without noexec, all the files inherit an x permission. With noexec, they all lose the x (except directories). However, all this is actually faked, and that leads to a problem (your exploit) when files are in use on a filesystem that gets remounted. Unused files are able to inherit the new mount flags, but files already in use have to keep their current flags. (Thanks to [EMAIL PROTECTED] for clearly commenting the kernel code.)

How it should be done:

# mount -v -t vfat -o noexec /dev/fd0 /mnt
/dev/fd0 on /mnt type vfat (rw,noexec)
# chmod -v +x /mnt/*
mode of /mnt/afile changed to 0755 (rwxr-xr-x)      [all this has no
mode of /mnt/bfile changed to 0755 (rwxr-xr-x)       effect because
mode of /mnt/flip retained as 0755 (rwxr-xr-x)       of noexec flag]
# ls -lR /mnt
/mnt:
total 8
-rw-r--r--    1 root     root         3705 Apr  6  1999 afile
-rw-r--r--    1 root     root         3705 Apr  6  1999 bfile
drwxr-xr-x    2 root     root          512 Apr  6  1999 flip

/mnt/flip:
total 4
-rw-r--r--    1 root     root         3705 Apr  6  1999 cfile
# umount /mnt

How it's best not done:

# mount -v -t vfat /dev/fd0 /mnt
/dev/fd0 on /mnt type vfat (rw)
# ls -l /mnt/b*                                      [use bfile]
-rwxr-xr-x    1 root     root         3705 Apr  6  1999 /mnt/bfile
# mount -v -o remount,noexec /mnt
/dev/fd0 on /mnt type vfat (rw,noexec)
# ls -lR /mnt
/mnt:
total 8
-rw-r--r--    1 root     root         3705 Apr  6  1999 afile
-rwxr-xr-x    1 root     root         3705 Apr  6  1999 bfile    [x retained]
drwxr-xr-x    2 root     root          512 Apr  6  1999 flip

/mnt/flip:
total 4
-rw-r--r--    1 root     root         3705 Apr  6  1999 cfile

I hope my intentions, and those of the developers, are clearer now.

Cheers,
Re: mounting /tmp noexec
Quoting Alexey Vyskubov ([EMAIL PROTECTED]):

> > > > noexec has no good purpose, really. But its intention was for
> > > > networked filesystems in certain environments, not a generalized
> > > > security tool.
> > >
> > > It's very useful for mounting filesystems like vfat, where otherwise
> > > all the files are marked executable which makes mc a PITA to use for
> > > examining archive files (mc tries to execute them!).
> >
> > Ah, interesting. ;) Of course, that isn't a security related reason.

Granted. Except that it does prevent one from accidentally executing programs on certain removable media, e.g. those that my partner has written on with 'doze.

> It's just wrong.
>
> If you will mount filesystem with noexec option (try!) files may have
> 'x' permission. And they can *look* executable (e.g. on vfat partition
> you will see all files 'executable', as usual). The only difference is
> that if you will try to execute such file you will get 'permission
> denied' error message. But mc will try to execute every file :)

That's not my experience. I can only assume your /tmp filesystem, like mine, is not vfat-like. Whereas this floppy is:

Script started on Thu Jan  3 11:41:37 2002
~# mount -t vfat /dev/fd0 /floppy
~# ls -l /floppy/p*
-rwxr-xr-x    1 root     root       160498 May 15  2001 /floppy/pcbits.zip
~# umount /floppy/
~# mount -t vfat -o noexec /dev/fd0 /floppy
~# ls -l /floppy/p*
-rw-r--r--    1 root     root       160498 May 15  2001 /floppy/pcbits.zip
~# chmod +x /floppy/pcbits.zip
~# ls -l /floppy/p*
-rw-r--r--    1 root     root       160498 May 15  2001 /floppy/pcbits.zip
~# umount /floppy/
~#
Script done on Thu Jan  3 11:44:12 2002

> [terrapin] 08:46:52 ~$ sudo mount -o remount,noexec /tmp
> Password:
> [terrapin] 08:47:11 ~$ touch /tmp/a
> [terrapin] 08:47:14 ~$ chmod +x /tmp/a
> [terrapin] 08:47:17 ~$ ls -l /tmp/a
> -rwxr-xr-x    1 alexey   alexey          0 Jan  3 08:47 /tmp/a
> [terrapin] 08:47:21 ~$ /tmp/a
> bash: /tmp/a: Permission denied
> [terrapin] 08:47:25 ~$

Cheers,
Re: mounting /tmp noexec
Quoting Thomas Bushnell, BSG ([EMAIL PROTECTED]):

> Ian <[EMAIL PROTECTED]> writes:
> > so surely, if nothing needs to be executed, it is better to mount
> > noexec?
>
> noexec has no good purpose, really. But its intention was for
> networked filesystems in certain environments, not a generalized
> security tool.

It's very useful for mounting filesystems like vfat, where otherwise all the files are marked executable which makes mc a PITA to use for examining archive files (mc tries to execute them!).

Cheers,
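The three "mounting /tmp noexec" messages above argue about what noexec does and does not buy you; the point they agree on is that it is a mount-time flag, not a property of the files, and that it has to be set when the filesystem is first mounted (the remount experiment shows why). Before arguing about its value on a given machine, know which mounts actually carry it. The following is an added example, not from the original messages: it parses /proc/mounts-format lines, finds the mount that holds each path you care about, and lists which of noexec, nosuid and nodev that mount lacks. The sample mount table is constructed; pass the contents of /proc/mounts to audit a live system. It deliberately does not try to detect the remount corner case, which /proc/mounts cannot show you.

```python
"""Report which mounted filesystems carry noexec/nosuid/nodev.

Added example, not from the original thread. SAMPLE_MOUNTS is constructed;
on a real system read /proc/mounts instead.
"""
import os

HARDENING_OPTIONS = ("noexec", "nosuid", "nodev")

# Constructed /proc/mounts excerpt: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw,errors=remount-ro 0 0
/dev/hda3 /usr ext3 ro 0 0
/dev/hda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/hda6 /home ext3 rw,nodev 0 0
/dev/fd0 /floppy vfat rw,noexec 0 0
none /proc proc rw 0 0
"""


def parse_mounts(text):
    """Return [(mount_point, fstype, set_of_options)] from /proc/mounts text.

    /proc/mounts writes a space in a path as the octal escape \\040, so that
    is decoded before the mount point is used for prefix matching.
    """
    table = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mount_point = fields[1].replace("\\040", " ")
        table.append((mount_point, fields[2], set(fields[3].split(","))))
    return table


def mount_for(path, table):
    """The mount holding path: the longest mount point that is a prefix of it."""
    path = os.path.normpath(path)
    best = None
    for mount_point, fstype, opts in table:
        # "/" must match everything, so strip its trailing slash before adding one.
        if path == mount_point or path.startswith(mount_point.rstrip("/") + "/"):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, fstype, opts)
    return best


def missing_hardening(path, table):
    """HARDENING_OPTIONS not set on the filesystem holding path (None if unmounted)."""
    found = mount_for(path, table)
    if found is None:
        return None
    _, _, opts = found
    return [opt for opt in HARDENING_OPTIONS if opt not in opts]


def audit(paths, mounts_text):
    """Map each path to (mount point, missing options) for a quick report."""
    table = parse_mounts(mounts_text)
    report = {}
    for path in paths:
        found = mount_for(path, table)
        report[path] = (found[0] if found else None, missing_hardening(path, table))
    return report


if __name__ == "__main__":
    paths = ["/tmp", "/var/tmp", "/home/alice", "/floppy/pcbits.zip"]
    for path, (mount_point, missing) in audit(paths, SAMPLE_MOUNTS).items():
        print("%-20s on %-8s missing: %s"
              % (path, mount_point, ", ".join(missing) or "nothing"))
```

The interesting rows in the sample are /var/tmp, which is not a separate mount at all and therefore inherits the root filesystem's plain `rw`, and /home, which has nodev but not noexec or nosuid. Whether a missing noexec matters is exactly the argument above; the audit only tells you where the argument applies.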
Re: Which ssh should I have?
Quoting Ted Cabeen ([EMAIL PROTECTED]):

> >Hm, why should I do that? Is my admin right when he thinks that my
> >current sshd is vulnerable? I have the latest stable precompiled
> >package, i.e. the default ssh installed.
>
> Make sure that you have the security site in your /etc/apt/sources.list file.
> If you do, and apt-get update; apt-get upgrade says you're up to date, then
> you're fine. In general, the security team patches the current version to
> fix security bugs in stable rather than upgrade to a newer version. That
> could be confusing your sysadmin. The CRC bug was patched in debian as of
> ssh version 1.2.3-9.2. You can look at the changelog in
> /usr/share/doc/ssh/changelog.Debian.gz for specific information.

The original posting was "... (I'm running woody on a laptop PC). I should have all the security fixes installed on my system (there is this security.debian.org line on my sources.list file)."

One has to be a little more careful than that if one is running woody (i.e. not stable) because security-patched versions for potato may be seen as downgrades by one's system, and apt-get may ignore them.

Cheers,
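The "seen as downgrades" point above comes down to how Debian orders version strings: apt installs the highest version any source offers, and a fixed package built for stable (the 1.2.3-9.2 named above) compares lower than any later build already in testing, so the security line in sources.list contributes nothing to a woody box, and `apt-get upgrade` reporting "up to date" proves nothing about the fix. The following is an added example, not from the original message or from dpkg: a Python implementation of the deb-version(5) comparison (epoch, then upstream version, then Debian revision, each compared in alternating non-digit and digit runs, with letters sorting before other characters and "~" before everything, including the end of the string). The woody version numbers in the demo are constructed to illustrate the ordering, not taken from the archive; to check a real system, `dpkg --compare-versions` is the authoritative tool and the changelog the poster mentions tells you what a given revision actually contains.

```python
"""Compare Debian package versions the way dpkg does.

Added example, not from the original thread or from dpkg's own code. It
follows the deb-version(5) algorithm; the candidate version numbers in the
demo are constructed, not real archive contents.
"""


def _order(ch):
    """Sort weight of one character in a non-digit run (dpkg's order())."""
    if ch.isdigit():
        return 0            # digits end a non-digit run; compared numerically below
    if ch.isalpha():
        return ord(ch)      # letters sort before every non-letter
    if ch == "~":
        return -1           # tilde sorts before everything, even end of string
    return ord(ch) + 256    # '.', '+', '-', ':' and friends sort after letters


def _cmp_fragment(a, b):
    """Compare two version fragments (no epoch) as dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1. Non-digit run, character by character; a missing character weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return (ac > bc) - (ac < bc)
            i += 1
            j += 1
        # 2. Digit run: drop leading zeros, then the longer run is the larger
        #    number; equal lengths are decided by the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = (a[i] > b[j]) - (a[i] < b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""   # absent revision compares equal to "0"
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as `dpkg --compare-versions a lt/eq/gt b` would."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    result = _cmp_fragment(ua, ub)
    return result if result else _cmp_fragment(ra, rb)


def newest(candidates):
    """The version apt would prefer among candidates offered by several sources."""
    best = candidates[0]
    for version in candidates[1:]:
        if compare_versions(version, best) > 0:
            best = version
    return best


if __name__ == "__main__":
    # Constructed scenario: the potato security build named in the thread
    # against a (constructed) later build that a woody system already has.
    potato_fixed, woody_current = "1.2.3-9.2", "1.2.3-9.3"
    print("apt would keep:", newest([potato_fixed, woody_current]))
```

The worked case makes the poster's caveat concrete: `newest(["1.2.3-9.2", "1.2.3-9.3"])` is the woody build, so the stable security update is never offered, and the only way to know whether the woody build carries the same fix is to read its changelog.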
Re: read-write to stdin-stdout or to a file?
Quoting Pedro Zorzenon Neto ([EMAIL PROTECTED]):

> On Fri, Jul 20, 2001 at 12:42:13PM +0100, David Wright wrote:
> > Do you mean this package?
> >
> > "Programmer for Atmel AVR microcontrollers that uses PC parallel port
>
> Yes.
>
> > If so, I'm not sure why you think it needs to be setuid. Just
> > chgrp somegroup /dev/lp0 (or whichever port) and put yourself
> > (and any others) into somegroup.
>
> I tried /dev/lp* and couldn't make the program work with it.

I should have looked back at what I had done. I didn't use /dev/lp*
but a device of my own making, /dev/pp125, which is major 125, minor 0
(i.e. in the range reserved for users). But chgrp it just the same.

> This program uses a specific hardware connected to the printer port. It has
> to read some bits of the port and write other bits in patterns which have to
> change in some microseconds.
>
> That is why it uses lowlevel ioperm, inb, outb to IO 0x378 (or other IO, at
> user option[1]) and runs setuid root.

I used a kernel module, which saves using ioperm and setuid root.
The module loads automatically when anyone (allowed) opens the device.

> I think (not sure about all architectures) that because of this, it will run
> only in i386 machines. If I used /dev/lp* it would run in all machines. If
> someone knows how to use lp device for this specific purpose, please write me.

Are you sure you aren't writing /dev/lp* to mean a special device with
LP_MAJOR = 6, and hence the lp.o module? That won't work because lp.o
only drives printers - it doesn't do arbitrary bit-twiddling.

My module didn't use any architecture-specific headers, so I guess it
should work on any architecture. However, I had no hardware to test
that assertion.

> [1] root must edit a config file to say which ports the user can choose.

A module might look at /etc/modules.conf similarly.

Cheers,

David Wright
Re: read-write to stdin-stdout or to a file?
Quoting Pedro Zorzenon Neto ([EMAIL PROTECTED]):

> I wrote a program that needs to run setuid root due to direct hardware
> access (Package: avrprog).

Do you mean this package?

"Programmer for Atmel AVR microcontrollers that uses PC parallel port
to program the device in serial mode. The device can be programmed
"in-system". It comes with a schematic of the hardware required. The
hardware was designed to be efficient and inexpensive."

If so, I'm not sure why you think it needs to be setuid. Just
chgrp somegroup /dev/lp0 (or whichever port) and put yourself
(and any others) into somegroup.

Cheers,

David Wright
Re: Server reboots
Quoting Josh Hattery ([EMAIL PROTECTED]):

> I think I can safely say that it's not an overheating problem. The system
> has done much more than run web browsers (i.e. Unreal servers, etc) for
> over 2 years without similar problems.
>
> It's reproduced when viewing a microsoft .asp or clicking between windows
> with a flash animation in one or both of them. I can probably reproduce
> it doing other tasks as well, but I haven't tried it.

You might want to test your memory (memtest).

Cheers,

David Wright
Re: Kernel 2.2.15 hole ?
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> On Mon, Mar 05, 2001 at 03:31:07AM -0900, Ethan Benson wrote:
> > On Thu, Mar 01, 2001 at 03:34:21AM +, Stephen Walton wrote:
> > > Has anyone seen the announcement about a root exploit
> > > in the 2.2.15 and earlier kernel versions as posted
> > > yes ages ago.
> > >
> > > Does this apply to the debian kernels?
> >
> > depends what debian kernel, i think some of them had backported
> > patches, but really there is no reason to be running anything that
> > old. upgrade to 2.2.18.
>
> I purposely have a policy of not upgrading software (including the
> kernel) unless there is a good reason to do so, either with new
> functionality that is required, or for security reasons. I have
> no objections to upgrading in this instance, but I was more
> concerned that a search on Debian's archives did not show this
> as a security issue.

Perhaps it's at http://www.uk.debian.org/security/2000/2612 ?
i.e. 2.2.15-3 is patched.

Cheers,

David Wright
Re: Suspending services
Quoting Jürgen Dollinger ([EMAIL PROTECTED]):

> Piotr Tarnowski wrote:
> > What I did looks very tricky - I would prefer something similar to
> > putting '#' in front of line in /etc/inittab.
>
> Install file-rc. This will replace all those links with one configfile
> (/etc/runlevel.conf). Put a '#' in front of lines in /etc/runlevel.conf.

Why not just mangle the name of /etc/init.d/whatever, e.g.
/etc/init.d/whatever-hidden.

Cheers,

David Wright
Re: Debian audititing tool?
Quoting Christian Kurz ([EMAIL PROTECTED]):

> [ Stop sending me unnecessary Ccs.]

| Date: Tue, 26 Dec 2000 16:02:30 +0100
| From: Christian Kurz <[EMAIL PROTECTED]>
| To: debian-security@lists.debian.org
| Subject: Re: Debian audititing tool?
| Message-ID: <[EMAIL PROTECTED]>
| Mail-Followup-To: Christian Kurz <[EMAIL PROTECTED]>,
|     debian-security@lists.debian.org

I must be missing something here. You're the second person in about as
many days to ask for people not to send Ccs while including a
mail-followup-to: header for their own address. What is the latter
intended to do?

Cheers,

David Wright
Portmap removal, was Re: [RFC] Network Security Policy
Quoting Simon Huggins ([EMAIL PROTECTED]):

> There used to be an annoying dependency that stopped portmap being
> removed at all. I think this has gone now (*removes portmap*) yep, but
> the policy of Debian IMHO wrt open ports/daemons enabled when installed
> etc. leaves something to be desired.
>
> Comments?

Yes. What did you do just before you wrote "yep"?

I have hidden portmap by renaming /etc/init.d/portmap-hidden, but netbase
(which contains /sbin/portmap) also contains arp, inetd, ping, netstat,
ifconfig, etc., etc.

Cheers,

David Wright
Re: Have I misunderstood an ipchains concept?
Quoting Christian Pernegger ([EMAIL PROTECTED]):

> > Volume 1 of Rich Stevens' TCP/IP Illustrated indicates that your thinking
> > is correct. It's in section 2.7, where the book discusses the loopback
> > interface. I'll quote from the book for a bit here:
> > ---
> > Datagrams sent to a broadcast address or a multicast address are copied
> > to the loopback interface and sent out on the Ethernet. This is because
> > the definition of broadcasting and multicasting includes the sending host.
> > ---
>
> Maybe the keyterm here is copied? Then the broadcasting host'd get 2 packets
> ... hmmm.

No. The outgoing packet is copied to the loopback interface which makes
it turn up as input. That's the only packet the sending host should see.

The packet that is broadcast on the ethernet should not be received by
the NIC. It should pass along the wire past all the other interfaces and
be absorbed by the termination at each end of the cable. If by any chance
it *is* received because of faults elsewhere, it gets dropped in
net/ipv4/route.c .

Cheers,

David Wright
Re: Have I misunderstood an ipchains concept?
Quoting Noah L. Meyerhans ([EMAIL PROTECTED]):

> On Thu, 21 Sep 2000, Christian Pernegger wrote:
> > > What they are saying is that a machine *should* never receive a packet
> > > that has originated from outside the machine, yet claims (by way of the
> > > source IP) to have originated from that machine?
> >
> > Exactly. A packet arriving on an eth interface comes from outside.
> > I always thought that a packet destined to the host itself would
> > arrive on the loopback interface, no matter what.
>
> Volume 1 of Rich Stevens' TCP/IP Illustrated indicates that your thinking
> is correct. It's in section 2.7, where the book discusses the loopback
> interface. I'll quote from the book for a bit here:
> ---
> Datagrams sent to a broadcast address or a multicast address are copied
> to the loopback interface and sent out on the Ethernet. This is because
> the definition of broadcasting and multicasting includes the sending host.
> ---
>
> So, were we to take the Stevens book as gospel, then it seems like Linux
> is doing something wrong here.

Surely a bit early to say that. If this is a fault in the Linux kernel
(which one, by the way?), it ought to be replicable on other systems.

The original posting had "eth?". What are these cards connected to?
It should be relatively easy to make a packet broadcast from a host
arrive back at that host. For example, a mis-configured router, a
missing termination, ...

Cheers,

David Wright
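As an added example (mine, not from either message above), a small Python model of the behaviour the two replies describe: the sending host sees its own broadcast only as the copy made on the loopback interface, while the same datagram arriving back on eth0 (echoed by a mis-configured router or a missing termination) carries a local source address on an external interface and is dropped, which is what the ipchains rule under discussion enforces. The interface name eth0 and the address 192.0.2.10/24 are constructed for the example.

```python
"""Added example: loopback copy of a broadcast versus a spoofed/echoed packet.
Models the input-side decision, not the kernel code itself."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet was received on ("lo", "eth0", ...)
    src: str
    dst: str


class Host:
    def __init__(self, ifaces: dict):
        # ifaces maps interface name -> "address/prefix" (constructed values);
        # the loopback address is always local.
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in ifaces.items()}
        self.local = {str(i.ip) for i in self.ifaces.values()} | {"127.0.0.1"}

    def send_broadcast(self, out_iface: str) -> list:
        """What the sending host itself should receive when it broadcasts on
        out_iface: exactly one copy, delivered via lo (Stevens, section 2.7).
        The copy on the wire is for the other stations, not for us."""
        me = self.ifaces[out_iface]
        return [Packet("lo", str(me.ip), str(me.network.broadcast_address))]

    def input_filter(self, pkt: Packet) -> str:
        """Verdict for a packet arriving on pkt.iface: ACCEPT or DROP.
        Roughly the rule 'ipchains -A input -i eth0 -s <our address> -j DENY'
        for every external interface."""
        if pkt.src in self.local and pkt.iface != "lo":
            # Claims to come from us but arrived from the wire: either spoofed
            # or our own broadcast bounced back by faulty equipment.
            return "DROP"
        return "ACCEPT"


def scenario() -> dict:
    """Constructed walk-through: own broadcast, its echo, and a neighbour."""
    host = Host({"eth0": "192.0.2.10/24"})
    own_copy = host.send_broadcast("eth0")[0]
    echoed = Packet("eth0", own_copy.src, own_copy.dst)   # faults elsewhere
    neighbour = Packet("eth0", "192.0.2.20", own_copy.dst)
    return {
        "loopback copy": host.input_filter(own_copy),
        "echoed on eth0": host.input_filter(echoed),
        "neighbour broadcast": host.input_filter(neighbour),
        "127.0.0.1 from eth0": host.input_filter(Packet("eth0", "127.0.0.1", "192.0.2.10")),
    }
```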