Re: encrypt harddrive without passphrase/userinput

On Sun, 2006-02-26 at 14:13 -0800, Stephan Wehner wrote:
> Who is going to be booting this machine??

It's a server. It is supposed to be online all the time. Once turned on it will run till someone reboots it remotely or due to power failure or something alike.

The whole scenario can be pictured like this: Put your server in a corner of a street and secure it. In case someone hits the reset button it needs to be able to boot automatically without user input.

In a nutshell: Secure it without physical security and user input.

I guess it can't be done?! :(
Not the usual way...

> Stephan
> Mario Ohnewald wrote:
> > Hi Horst
> >
> > On Sun, 2006-02-26 at 22:23 +0100, Horst Pflugstaedt wrote:
> >
> >> On Sun, Feb 26, 2006 at 10:11:44PM +0100, Mario Ohnewald wrote:
> >>
> >>> Hello security list!
> >>>
> >>> I would like to secure the harddrive/partitions of linux box.
> >>>
> >>> The whole setup must fulfill the following requirements:
> >>>
> >>> a) it must be able to boot (remotely) without userinput/passphrase
> >>> b) the important partitions such as /etc, /var, /usr and /home must be
> >>> encrypted/protected.
> >>>
> >> I just ask myself why you bother encrypting a filesystem that will be
> >> accessible to anyone having access to the machine since it boots without
> >> password?
> >>
> > It boots with grub and pam/unix password.
> >
> >>> Is this even possible? Is there a way?
> >>>
> >> Is it something you'd really want? Encrypting a filesystem is a
> >> protection against someone having physical access to the machine or the
> >> harddrive. If the machine (the disk in another machine) boots without
> >> password, you might as well _not_ encrypt it.
> >>
> > That's the point.
> > In my case I can not protect the linux box or lock it away 100%
> > securely.
> >
> > I need to secure the box in some way without having a physical
> > protection.
> >
> > Someone should be able to: Steal the whole server or hard drives, but
> > still not be able to read it.
> >
> > Maybe we could narrow the actual problem down to where this scenario
> > actually fails or where the problems are?!
> >
> > Maybe someone has some cool ideas, too.
> >
> > Cheers, Mario

Re: encrypt harddrive without passphrase/userinput

Hi Horst

On Sun, 2006-02-26 at 22:23 +0100, Horst Pflugstaedt wrote:
> On Sun, Feb 26, 2006 at 10:11:44PM +0100, Mario Ohnewald wrote:
> > Hello security list!
> >
> > I would like to secure the harddrive/partitions of linux box.
> >
> > The whole setup must fulfill the following requirements:
> >
> > a) it must be able to boot (remotely) without userinput/passphrase
> > b) the important partitions such as /etc, /var, /usr and /home must be
> > encrypted/protected.
>
> I just ask myself why you bother encrypting a filesystem that will be
> accessible to anyone having access to the machine since it boots without
> password?

It boots with grub and pam/unix password.

> > Is this even possible? Is there a way?
>
> Is it something you'd really want? Encrypting a filesystem is a
> protection against someone having physical access to the machine or the
> harddrive. If the machine (the disk in another machine) boots without
> password, you might as well _not_ encrypt it.

That's the point.
In my case I can not protect the linux box or lock it away 100% securely.

I need to secure the box in some way without having a physical protection.

Someone should be able to: Steal the whole server or hard drives, but still not be able to read it.

Maybe we could narrow the actual problem down to where this scenario actually fails or where the problems are?!

Maybe someone has some cool ideas, too.

Cheers, Mario

encrypt harddrive without passphrase/userinput

Hello security list!

I would like to secure the harddrive/partitions of linux box.

The whole setup must fulfill the following requirements:

a) it must be able to boot (remotely) without userinput/passphrase
b) the important partitions such as /etc, /var, /usr and /home must be encrypted/protected.

Is this even possible? Is there a way?

Thanks, Mario

Re: suid

On Saturday 17 April 2004 01:33, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > -rwsr-xr-x 1 root root 22460 Oct 1 2001 /usr/bin/crontab
> >
> > yes, because only in this condition normal user can set crontab rules.
>
> this depends on the cron used. The cron in question needs to restrict the
> access to the spool directory because it is shared. One could change the
> owner of the crontab file, but then it is hard to atomically replace the
> file without write access to the spool dir. The best solution is to have
> the crontab in a user owned directory.

That sounds good!

> It is not a good idea to change this without having a close look at the
> cron code in question. It might be much better to use another cron flavor.

What are the secure alternatives?

Thanks, Mario

suid

Hello!

Everybody knows that files with a suid bit set can be dangerous.
Well, I was asking myself today why exactly linux uses the suid bit files?!
Could someone please explain that to me?

Example:
~$ ls -lah /var/spool/cron/crontabs/user
-rw---1 root user 408 Apr 16

Ok, the suid is set for the crontab binary because you have to edit the root owned file.
But why is it owned by root in the first place?

Cheers, Mario

Tripwire email

Hello list!

This is a part of my tripwire config file:

#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
  rulename = "Critical system boot files",
  emailto = [EMAIL PROTECTED],
  severity = $(SIG_HI)
)
{
  /boot -> $(SEC_CRIT) ;
  /lib/modules -> $(SEC_CRIT) ;
}

Well, if I run tripwire -m c and this rule is being broken, then it should send me out an email to emailto = [EMAIL PROTECTED], right?
Or am I wrong here?

Cheers, Mario

p.s. Hi Mic :D

bsign

Hello!

Is there a bsign howto out there or any more info than the manpage?

The problem I am stuck with at the moment is:

bsign --sign -i / -e /proc -I -s --P "--homedir keydir"
Enter pass phrase:
bsign: incorrect passphrase or gpg not installed

I never set a passphrase I think.
Anyway, a dpkg -P bsign and a reinstall did not help.

How can I set a passphrase? And no, it's not an empty one :P
gnupg is installed.

Cheers, Mario

RE: execute application from webinterface

Hello!

> -----Original Message-----
> From: Jens Gutzeit [mailto:[EMAIL PROTECTED]
> Sent: 02 September 2003 18:44
> To: debian-security@lists.debian.org
> Subject: Re: execute application from webinterface
>
>
> On Tuesday 02 September 2003 19:25, Jens Gutzeit wrote:
>
> > > what's wrong with making the program suid-to-some-other-user (not root)
> > > and then just executing it? I realize this doesn't work for ping, which
> > > is suid-to-root anyway.
> >
> > Well, to be honest, I just have forgotten this option.
>
> Damn, I should think first and then hit send, sorry for making so much noise.
>
> Anyway, with making the program setuid anyone who has access to the webserver
> could execute this program under a fixed userid. So this option is a really
> bad idea if this is a customers webserver or s.th. similar. This means, if
> you're the only one who has access to the webserver, setuid is probably one
> of the best and easiest options, but if there are webs that are administrated
> by a different person you might end up with security problems (think of the
> setuid program has a bug which allows to execute arbitrary code).
>
> I would still suggest to setup a second webserver instance, and if you need
> port 80 use apaches mod_proxy.

I like the idea of a 2nd apache and the mod_proxy.
But how do you install a 2nd httpd in debian? Will I have to build it from source, or is there a trick with a apache package?

Cheers, Mario

>
> Jens

execute application from webinterface

Hello List!

What is the securest way of starting a application, like ping, from a webinterface as a different user.

Let's say, to run ping 123.456.789.000 as user user123.
If I use "system", it executes it as www-data.

Any idea how I could solve this problem? With php, perl, bash, etc... ?

Thank you very much in advance!

Cheers, Mario

p.s. I hope I explained it well enough. If not, let me know!

Re: This evening

> and in english?

He will properly drive up with the bike.
Can you bring the battery changer for the mobile with you onto the mountain.
-- Wrong address I guess :D

>
> On Tue, 29 Jul 2003, Andreas Zeitz-Fehse wrote:
>
> > Hi,
> >
> > I'll probably ride up by bike today. Can you please bring the
> > charger for the mobile phone up the mountain for me?
> >
> > Best regards
> >
> > Andy
> > --
> > Optel Informatik GmbH
> > Rathausallee 10
> > 53757 St. Augustin
> > Germany
> >
> > Tel.: +49 2241 9211020
> > Fax : +49 2241 9211029
> > Email: [EMAIL PROTECTED]

RE: configure ssh-access

Hello!

>-----Original Message-----
>From: Anne Carasik [mailto:[EMAIL PROTECTED]
>Sent: Monday, July 07, 2003 5:05 PM
>To: [EMAIL PROTECTED]
>Cc: debian-security@lists.debian.org
>Subject: Re: configure ssh-access
>
>
>Why not just limit the access through SSH public key?
>It sounds like that would accomplish what you're trying
>to do.

I think this problem should not be solved with configuring sshd.
I solved it with iptables script which resolves my dynamic host every 5mins, and then reload the firewall if needed.

A ssh solution has the disadvantage that if it is buggy, a sshd config change might not save your box from unallowed access. That is why I block my ssh daemon, cause the possibility is there that there might be a ssh exploit soon ;)

In my eyes a combination of a sshd config solution and a iptables rule would properly do its joy quite safely.

Yours, Mario

>
>-Anne
>
>[EMAIL PROTECTED] grabbed a keyboard and typed...
>> Hi!
>>
>> I want to make ssh-access possible only from a restricted
>> number of hosts - those that are named in /etc/hosts.allow.
>> Users who want to login have a DynDNS host-name that shall
>> be listed in hosts.allow to make it possible for users with
>> a dial-up internet connection, too.
>>
>> BUT:
>> The problem is that I can only login to the ssh-machine
>> when I enter the IP-address to the hosts.allow file.
>> Specifying the hosts DNS-name does not work!
>>
>> AND:
>> I'd prefer to specify the rules for logging into the machine
>> in the sshd_config-file, not in hosts.allow/deny.
>> But the AllowHosts/DenyHosts-options that could be used in
>> /etc/sshd_config earlier seem to be not any
>> longer available at the SSH-version I'm using.
>> It's: openssh-3.4p1-80 on a SuSE 8.1
>>
>> Has anybody ideas in this 2 problems?
>>
>> thx in advance,
>> Klaus

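The approach described in the message above (re-resolve the dynamic host every 5 minutes and reload the firewall only if needed), as an added example that is not part of the original post and not the poster's script. The chain name SSH_DYN, the state file path and the use of glibc's getent are assumptions; SSH_DYN is assumed to be reached from INPUT for TCP port 22 and to be followed by a DROP.

```sh
#!/bin/sh
# Added example (not the poster's script): keep one SSH allow rule in sync
# with a dynamic-DNS host name. Assumptions: a chain SSH_DYN that INPUT jumps
# to for tcp/22 and that is followed by a DROP; the state file path below.

CHAIN="SSH_DYN"
STATE="/var/run/ssh-dyn.ip"   # hypothetical path holding the last good address

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands that move the allow rule from $1 (previous
# address, may be empty) to $2 (freshly resolved address). Prints nothing
# when the address is unchanged. Returns 1 and prints nothing when $2 is not
# a usable address, so a failed lookup never touches the existing rule.
plan_update() {
    old=$1 new=$2
    is_ipv4 "$new" || return 1
    [ "$old" = "$new" ] && return 0
    # Insert the new rule first so access is never interrupted.
    echo "iptables -I $CHAIN 1 -s $new/32 -p tcp --dport 22 -j ACCEPT"
    if is_ipv4 "$old"; then
        echo "iptables -D $CHAIN -s $old/32 -p tcp --dport 22 -j ACCEPT"
    fi
}

# First IPv4 address the system resolver returns for $1, or nothing.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Only touch the firewall when called as: script --apply HOSTNAME
if [ "${1:-}" = "--apply" ]; then
    host=${2:?usage: $0 --apply HOSTNAME}
    old=$(cat "$STATE" 2>/dev/null || true)
    new=$(resolve_host "$host")
    if cmds=$(plan_update "$old" "$new"); then
        if [ -n "$cmds" ] && printf '%s\n' "$cmds" | sh -e; then
            echo "$new" > "$STATE"
        fi
    else
        echo "lookup of $host gave no usable address; rules left unchanged" >&2
        exit 1
    fi
fi
```

Run as root from cron every five minutes with --apply and the dynamic host name; without --apply the script changes nothing.
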
RE: chroot, su and sudo

Hi,

>-----Original Message-----
>From: Vincent Hanquez [mailto:[EMAIL PROTECTED]
>Sent: Monday, June 16, 2003 10:46 AM
>To: Mario Ohnewald
>Cc: debian-security@lists.debian.org
>Subject: Re: chroot, su and sudo
>
>
>On Mon, Jun 16, 2003 at 10:22:49AM +0200, Mario Ohnewald wrote:
>> Hello!
>> I want to chroot a application/gameserver.
>>
>> What is the better/securest way?
>> 1.) "Chroot /path" and then do a "su -s /bin/sh user -c start.sh"
>> or
>> 2.) "su -s /bin/sh user" and then do the "chroot /path" as normal user and
>> execute the "start.sh" in the chroot?
>>
>> Solution 2 does not need a root shell at all, why I think it is a little
>> more secure.
>> What do you think? What do you recommend? How would you solve this?
>
>You can't chroot as normal user. So solution 1.

Not even with sudo?

Cheers, Mario

chroot, su and sudo

Hello!

I want to chroot a application/gameserver.

What is the better/securest way?
1.) "Chroot /path" and then do a "su -s /bin/sh user -c start.sh"
or
2.) "su -s /bin/sh user" and then do the "chroot /path" as normal user and execute the "start.sh" in the chroot?

Solution 2 does not need a root shell at all, why I think it is a little more secure.
What do you think? What do you recommend? How would you solve this?

Cheers, Mario