Re: Is this a hacking attempt?

2015-01-20 Thread Marko Randjelovic
On Tue, 20 Jan 2015 17:52:05 +0100
Vincent Deffontaines wrote:

> On 2015-01-20 12:40, Marko Randjelovic wrote:
> > I was running Wheezy Iceweasel with vanilla 3.14 kernel with grsec. I
> > tried to play video on YouTube with gnash plugin but Iceweasel crashed
> > with messages like
> >
> > execution attempt in ...
> > Terminating task /usr/lib/iceweasel/iceweasel
> >
> > Full log can be found on http://paste.lisp.org/+343V
> >
> 
> 
> Hi,
> 
> 
> My understanding from the grsec logs you pasted is that gnash tried to 
> allocate more memory than your RLIMIT-MEMLOCK limit (65536), and this is 
> the reason why gnash crashed.
> I wouldn't hint this is sufficient to conclude in hacking. Flash is 
> known well enough for eating a lot of memory at times.
> I would suggest either to try playing "similar" flash from trusted 
> sources (good luck finding them though, maybe @adobe.com - One might 
> also believe youtube.com is a trusted source ) and see if the plugin 
> crashes on them too ; or maybe to raise limit progressively to see where 
> it is accepted.

I tried to raise limit some time ago, but I was unsuccessful. Do you
know how to do it?

> 
> As a side note, youtube supports HTML5, and if your browser had no 
> flash support at all but HTML5 support, then you, your grsec kernel, and 
> all kittens in the world could just be delighted and still have youtube 
> content played fine.

Fortunately, this works, but there are sites where it doesn't.

> 
> Cheers,
> 
> Vincent
> 
> 
> 

-- 
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150120194203.1380e...@eunet.rs



Is this a hacking attempt?

2015-01-20 Thread Marko Randjelovic
I was running Wheezy Iceweasel with vanilla 3.14 kernel with grsec. I
tried to play video on YouTube with gnash plugin but Iceweasel crashed
with messages like

execution attempt in ...
Terminating task /usr/lib/iceweasel/iceweasel

Full log can be found on http://paste.lisp.org/+343V

Kind regards

-- 
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"


-- 
Archive: https://lists.debian.org/20150120124007.06ee2...@eunet.rs



Re: about bash and Debian Lenny

2014-10-06 Thread Marko Randjelovic
On Mon, 06 Oct 2014 03:25:27 +0200
Carlos Alberto Lopez Perez wrote:

> >>
> >> I have built patched packages for lenny. You can download them from here:
> >>
> >> http://people.igalia.com/clopez/bash-shellshock-lenny/
> >>
> >> If you are not willing to use the binaries, you can rebuild it from the
> >> sources that I also made available.
> >>
> > 
> > Why is your bash_3.2-4+deb5u1.dsc gzipped?
> > 
> 
> It isn't.
> 
> Maybe your http client is unable to understand Content-Encoding: gzip ?
> 

I downloaded the files from the provided location with Links2 web
browser. The file bash_3.2-4+deb5u1.dsc was a gzipped file. After
decompressing, it became a standard .dsc file.

-- 
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"




Re: about bash and Debian Lenny

2014-10-03 Thread Marko Randjelovic
On Wed, 01 Oct 2014 17:30:11 +0200
Carlos Alberto Lopez Perez wrote:

> On 01/10/14 13:28, Nikolay Hristov wrote:
> > Hello there,
> > 
> > I know that this is outdated debian release and it is in the archives
> > but I still have 6 servers running Lenny and I don't want to upgrade
> > them to newer versions for several reasons.
> > Any chance that we will get official debian package for Lenny? I'm sure
> > that I'm not the only one with such problem. I don't want to use deb
> > packages from different sources because I cannot trust them.
> > 
> > Shellshock has such big impact on the internet so please give us Lenny
> > package.
> > 
> > Nikolay Hristov
> > 
> > 
> > 
> 
> I have built patched packages for lenny. You can download them from here:
> 
> http://people.igalia.com/clopez/bash-shellshock-lenny/
> 
> If you are not willing to use the binaries, you can rebuild it from the
> sources that I also made available.
> 

Why is your bash_3.2-4+deb5u1.dsc gzipped?

-- 
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"




Re: goals for hardening Debian: ideas and help wanted

2014-04-29 Thread Marko Randjelovic
On Tue, 29 Apr 2014 11:52:14 +
Patrick Schleizer wrote:

> Marko Randjelovic:
> > I was thinking about some kind
> > of wizard:
> > 
> > - create a chroot if it doesn't already exist
> > - create a launcher for your DE
> > - create a shell script to run a program from terminal or a simple WM
> > 
> > hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"
> 
> chroot is not a security feature?
> 
> As far as I understand, chroots in Debian/Fedora aren't jails.
> 
> Source:
> https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/
> 
> 

> it is not really a security feature, it is closer to what we would call a 
> hardening feature.

Well, we have the word "hardening" in the subject, I'm not sure
what OP meant, probably he meant more "security" than "hardening",
but grsecurity which is mentioned in wiki[1] contains features to
prevent breaking out of chroot, so combined with grsecurity chroot
might be called a security feature?

[1] https://wiki.debian.org/Hardening/Goals

-- 
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"


-- 
Archive: https://lists.debian.org/20140429184222.3296b...@eunet.rs



Re: goals for hardening Debian: ideas and help wanted

2014-04-29 Thread Marko Randjelovic
On Tue, 29 Apr 2014 11:35:26 +0800
Paul Wise wrote:

> On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
> 
> > - security patches should be clearly marked as such in every *.patch
> >   file
> 
> That sounds like a good idea, could you add it to the wiki page?

I added this:

"Debian policy should require that in every source package all security
packages should be clearly marked as such in standard and easily
parsable way with optional further references."

> 
> > - easy create and run programs from chroot and alternate users
> 
> Could you detail what you mean by this? It sounds like you want either
> virtual machines or something like docker.io:
> 
> https://packages.debian.org/sid/docker.io

Sincerely, I never heard about Docker before, I didn't mean
about VMs and I meant about chrooting. I was thinking about some kind
of wizard:

- create a chroot if it doesn't already exist
- create a launcher for your DE
- create a shell script to run a program from terminal or a simple WM

hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"

> 
> > - apt-get should automatically check checksums
> 
> That happens now, if you find an instance where it does not, please
> file a severity serious bug report on apt with enough detail for the
> maintainers to debug and fix it.
> 
> https://www.debian.org/Bugs/Reporting
> 

I didn't know it, does apt-get/aptitude/synaptic do complete checks?

1. verify Release file signature
2. verify checksums of repo files
3. verify checksums of individual .deb files

I remember some time ago I edited a file with hexedit (after apt-get
downloaded it) and tried to install it with apt-get and it didn't
complain.

-- 
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"


-- 
Archive: https://lists.debian.org/20140429122053.2c7a5...@eunet.rs
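
Added example (not part of the thread, and not apt's own code): a minimal Python sketch of steps 2 and 3 of the chain listed in the message above, run on a constructed Release file, Packages index and package body, then repeated after one byte of the package is changed. The package name `example-pkg`, the paths and all sample data are constructed; step 1 (the OpenPGP signature on the Release file) is assumed to have been verified separately.

```python
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def release_sha256_entries(release_text: str) -> dict:
    """Parse the 'SHA256:' block of a Release file into {path: (hash, size)}."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block:
            if not line.startswith(" "):
                break  # the next top-level field ends the block
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def stanza_for(packages_text: str, name: str):
    """Return the fields of the stanza whose Package field equals name."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if fields.get("Package") == name:
            return fields
    return None


def verify_deb(release_text, index_path, index_bytes, package, deb_bytes):
    """Steps 2 and 3 of the chain. Returns a list of problems (empty = OK).

    Step 1, the signature on Release, is assumed to be checked already;
    without it the hashes below prove nothing.
    """
    # Step 2: the Packages index must match the hash and size in Release.
    listed = release_sha256_entries(release_text).get(index_path)
    if listed is None:
        return [f"{index_path} is not listed in Release"]
    if listed != (sha256_hex(index_bytes), len(index_bytes)):
        return [f"{index_path} does not match the hash/size in Release"]
    # Step 3: the .deb must match the hash and size in the verified index.
    fields = stanza_for(index_bytes.decode(), package)
    if fields is None:
        return [f"{package} is not listed in {index_path}"]
    problems = []
    if int(fields["Size"]) != len(deb_bytes):
        problems.append(f"{package}: size differs from Packages")
    if fields["SHA256"] != sha256_hex(deb_bytes):
        problems.append(f"{package}: SHA256 differs from Packages")
    return problems


def flip_byte(data: bytes, offset: int) -> bytes:
    """Simulate a hex-editor change: same length, one byte altered."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


def build_sample():
    """Constructed Release, Packages and package body that agree with each other."""
    deb = b"!<arch>\n" + b"constructed package payload " * 8
    packages = (
        "Package: example-pkg\n"
        "Version: 1.0-1\n"
        "Architecture: amd64\n"
        "Filename: pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n"
    ).encode()
    index_path = "main/binary-amd64/Packages"
    release = (
        "Suite: stable\n"
        "SHA256:\n"
        f" {sha256_hex(packages)} {len(packages)} {index_path}\n"
    )
    return release, index_path, packages, deb


if __name__ == "__main__":
    release, path, index, deb = build_sample()
    print("untouched:", verify_deb(release, path, index, "example-pkg", deb))
    print("one byte changed:",
          verify_deb(release, path, index, "example-pkg", flip_byte(deb, 10)))
```
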



Re: goals for hardening Debian: ideas and help wanted

2014-04-28 Thread Marko Randjelovic
On Thu, 24 Apr 2014 10:57:39 +0800
Paul Wise wrote:

> Hi all,
> 
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
> 
> https://wiki.debian.org/Hardening/Goals
> 
> If you have more ideas, please add them to the wiki page.
> 
> If you have more information, please add it to the wiki page.
> 
> If you would like to help, please choose an item and start work.
> 

- security patches should be clearly marked as such in every *.patch
  file
- easy create and run programs from chroot and alternate users
- apt-get should automatically check checksums

-- 
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"


-- 
Archive: https://lists.debian.org/20140429020744.26376...@eunet.rs



Re: NSA software in Debian

2014-01-24 Thread Marko Randjelovic
On Thu, 23 Jan 2014 15:41:57 +0100
Kevin Olbrich wrote:

> >> A followup there links to the following bug, "linux-2.6: [RFC] Add a grsec 
> >> featureset to Debian kernels":
> >> 
> >>
> > 
> > This would of course be the real solution.
> 
> I would also like this. Yesterday I started compiling 3.2.54 with grsec and 
> PaX. A ready debian kernel(-source) with grsec and PaX would be fine.
> Currently I am distributing my special packages via my own repository - is 
> there any concern when making it public (copyright, etc.)?

I managed to do it from official kernel 3.2.51-1. I removed all
features/* patches without consideration because there were too many of
them (905). Then I had to remove many other patches to resolve
conflicts. If patch file f is patched consequently by patches p1, p2,
if patch p1 is removed, then p2 may fail. 

1. If p2 fails, then probably it's not needed, but it may, and it may
be a security patch. Thus it is very important all security patches be
clearly marked as such.
2. If p2 doesn't fail, then probably it's needed, but it's possible it's
not, and even that it makes a bug, and even that it makes a security
bug.

Thus, my opinion is that features patches make more problems than
benefit. There are newer kernels from backports repo. Currently,
among other patches, kernel 3.2.51-1 contains drm-3.4 patch, by which
you get something from kernel 3.4, and on the other hand you can simply
choose one of backported kernels: 3.9.6-1~bpo70+1, 3.10.5-1~bpo70+1,
3.10.11-1~bpo70+1, 3.11.10-1~bpo70+1, 3.12.6-2~bpo70+1.

-- 
Education is a process of making people see what is advanced and not
obvious, but it can also make us not see what is basic and obvious.

http://markorandjelovic.hopto.org


-- 
Archive: http://lists.debian.org/20140124114101.02727...@eunet.rs



Re: NSA software in Debian

2014-01-24 Thread Marko Randjelovic
On 22 Jan 2014 20:40:12 +0100
"Andreas Kuckartz" wrote:

> Marko Randjelovic:
> > Octavio Alvarez wrote:
> >> I wouldn't worry about SELinux specifically.
> > 
> > As I already pointed out, there is something:
> > http://lists.debian.org/20140120005556.612de...@eunet.rs
> 
> And Russell Coker carefully explained in his reply to your mail why that
> approach does not help to improve security.
> 
> Cheers,
> Andreas

He didn't say this approach doesn't help improve security. I answered
his post, so there is to look for details.

-- 
Education is a process of making people see what is advanced and not
obvious, but also not see what is basic and obvious.

http://markorandjelovic.hopto.org


-- 
Archive: http://lists.debian.org/20140124104503.3c382...@eunet.rs



Re: NSA software in Debian

2014-01-24 Thread Marko Randjelovic
On Wed, 22 Jan 2014 12:24:27 +1100
Russell Coker wrote:

> The possibility of LSM hooks being used to hide a kernel rootkit is widely 
> cited.  But most sysadmins aren't going to find a kernel rootkit anyway so 
> using a non-LSM security system for that reason is trading off the real 
> benefit of being able to save time and effort in maintaining systems for the 
> probably impossible theoretical benefit of not using LSM.

If I cannot prove there is a rootkit, then I cannot be sure there is a
rootkit, but neither can I be sure there is *not* a rootkit. And merely
because you cannot know you are secure, you *feel* insecure.
Furthermore, your computer may be abused to attack other computers,
even to make a botnet. And though you cannot know the attacker is doing
against your interests, neither can you know the opposite and again,
this generates a feeling of insecurity. And if you neglect this, you are
unconsciously submitting to the aggressor.

-- 
Education is a process of making people see what is advanced and not
obvious, but also not see what is basic and obvious.

http://markorandjelovic.hopto.org


-- 
Archive: http://lists.debian.org/20140124104237.35d80...@eunet.rs



Re: NSA software in Debian

2014-01-23 Thread Marko Randjelovic
On Wed, 22 Jan 2014 16:16:21 -0800
Andrew Merenbach wrote:

> I installed the i386 architecture and installed the `paxtest' suite.  My 
> results were fairly disappointing, to be honest:

> > $ sudo paxtest blackhat
> > Executable anonymous mapping (mprotect)  : Vulnerable
> > Executable bss (mprotect): Vulnerable
> > Executable data (mprotect)   : Vulnerable
> > Executable heap (mprotect)   : Vulnerable
> > Executable stack (mprotect)  : Vulnerable
> > Executable shared library bss (mprotect) : Vulnerable
> > Executable shared library data (mprotect): Vulnerable
> > Writable text segments   : Vulnerable

It's a good idea to configure the kernel (grsec options) before
recompiling. Probably MPROTECT feature is not enabled in kernel, or your
CPU doesn't have NX bit feature.

> A followup there links to the following bug, "linux-2.6: [RFC] Add a grsec 
> featureset to Debian kernels":
> 
> 

This would of course be the real solution.

-- 
Education is a process of making people see what is advanced and not
obvious, but also not see what is basic and obvious.

http://markorandjelovic.hopto.org


-- 
Archive: http://lists.debian.org/20140123133150.71dbc...@eunet.rs



Re: NSA software in Debian

2014-01-22 Thread Marko Randjelovic
On Wed, 22 Jan 2014 15:08:39 +0100
"Milan P. Stanic" wrote:

> I found it a lot easier to go with vanilla kernel and grsec/pax patch
> instead of using Debian kernels.

Of course, but then secret services won't see you are using Debian :)

-- 
Education is a process of making people see what is advanced and not
obvious, but also not seeing what is basic and obvious.

http://markorandjelovic.hopto.org


-- 
Archive: http://lists.debian.org/20140122151300.72162...@eunet.rs



Re: NSA software in Debian

2014-01-22 Thread Marko Randjelovic
On Mon, 20 Jan 2014 09:22:04 -0800
Octavio Alvarez wrote:

> On 01/20/2014 05:29 AM, Marco Saller wrote:
> > I have read that the NSA proposed to include SELinux in linux 2.5. (Linux 
> > Kernel Summit 2001)
> > Don't you think that may be one of their fancy tricks to gain access to 
> > computers running linux? Some news websites also mention vulnerabilities 
> > similar to this one.
> > It would be a great idea to include malicious software to kernel modules.
> 
> It is easy to come up with that idea, and it's easy to fear to it. It's
> easy to write about it and to popularize it and cause mass-delusion.
> It's difficult to prove, though.
> 
> If you consider that SELinux code available and with so many auditing
> humans and tools it's not as easy as it sounds. It can happen, but it's
> not as easy as "they can, therefore they are".
> 
> As others have said, the NSA doesn't need specific backdoors. There are
> many vulnerabilities in all software already available which are already
> being exploited.
> 
> The more general problem is that not all programmers like or know
> formality and that not all developers like strict code and algorithm
> correctness. *That* is something to worry about.
> 
> I wouldn't worry about SELinux specifically.

As I already pointed out, there is something:
http://lists.debian.org/20140120005556.612de...@eunet.rs

-- 
Education is a process of making people see what is advanced and not
obvious, but also not seeing what is basic and obvious.

http://markorandjelovic.hopto.org


-- 
Archive: http://lists.debian.org/20140122151053.60f20...@eunet.rs



Re: NSA software in Debian

2014-01-22 Thread Marko Randjelovic
On Sun, 19 Jan 2014 21:17:03 -0800
Andrew Merenbach wrote:

> I just decided to try this out the other day on my Wheezy 7.3 install.  
> It wasn't that painful and I haven't noticed any performance impact or 
> misbehaving (read: broken) programs, at least not yet.  Then again, I 
> haven't done real benchmarks.

Yes, most features don't make significant performance impact.

> It appears that this patch is available in the apt repos under the 
> "kernel" section (sensibly enough) as:
> 
>  linux-patch-grsecurity2
> 
> Once it's downloaded, it patches the kernel in an automated fashion and 
> doesn't force a reboot (although I believe you still need one to make it 
> effective, I suppose).

AFAIK, it's for kernel 3.2.21, I don't see how it could work with
Wheezy kernel - 3.2.51.

> That said, since it's a kernel patch, /caveat emptor/... your mileage 
> may vary.  And maybe some prefer to customize the options for the patch 
> being applied. ;)

-- 
Education is a process of making people see what is advanced and not
obvious, but also not seeing what is basic and obvious.

http://markorandjelovic.hopto.org


-- 
Archive: http://lists.debian.org/20140122150147.0b1b3...@eunet.rs



Re: NSA software in Debian

2014-01-19 Thread Marko Randjelovic
On 19 Jan 2014 12:16:25 +0100
"Andreas Kuckartz" wrote:

> Bjoern Meier:
> > http://en.wikipedia.org/wiki/Security-Enhanced_Linux
> 
> I proposed this Debian Release Goal:
> https://wiki.debian.org/ReleaseGoals/SELinux
> 
> Cheers,
> Andreas
> 
> 

SELinux security benefits are vague because it makes it possible to use
its hooks to add a backdoor which would be nearly impossible to detect:

https://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm
https://grsecurity.net/lsm.php

Consider alternatives like PaX/grsecurity and RSBAC.

-- 
Education is a process of making people see what is advanced and not
obvious, but also not seeing what is basic and obvious.

http://markorandjelovic.hopto.org




Re: NSA software in Debian

2014-01-19 Thread Marko Randjelovic
On Sat, 18 Jan 2014 15:04:48 -0500
Noah Meyerhans wrote:

> On Sat, Jan 18, 2014 at 08:30:49PM +0100, Marco Saller wrote:
> > i am not sure if this question has been asked or answered yet, please do 
> > not mind if i would ask it again.
> > Is it possible that the NSA or other services included investigative 
> > software in some Debian packages?

They don't need to do it. Software is full of security bugs. Most
suitable are web browsers. NSA controls Internet backbone routers. Just
check CVE records for Internet Explorer, Firefox or Chrome. Firefox ESR
is meant for security, but 17 ESR had 11 updates, which means before
bugs were corrected you were vulnerable. And probably there are still,
but 17 ESR is not anymore supported and you have to go to 24 ESR which
certainly brings new bugs and so on.

> 
> It is absolutely possible. It's even possible that you yourself have
> added such software to Debian! Can you prove that you haven't?
> 
> That line of thinking leads to madness. The only rational conclusion,
> once you start down that path, is to turn off your computers and move to
> a remote cabin in the wilderness. 

What would make you highly suspicious.

> It will never be possible to prove
> that there is no malicious software in Debian or in any other OS. Beyond
> that, it will never be possible to prove that there is no malicious
> *hardware* running executing your OS.
> 
> We can and do take care to ensure that all changes to Debian are made by
> people authorized to make those changes. (Package uploads must be signed
> by a Debian developer.) We can and do take care to ensure that the
> packages you download have not been modified in transmission (signing of
> Release files, checksums on Packages files and on packages themselves.)
> Etc. If deficiencies are found in our mechanisms or policies, then we
> take steps to improve them. If violations are found, then we take steps
> to audit for impact and resolve any potentially malicious actions that
> we identify. We take great care to minimize the likelihood of any sort
> of backdoor or malicious code in Debian, but none of this can provide
> 100% proof that such a thing doesn't exist.

But Debian doesn't support grsecurity and similar security enhancements
for linux kernel[1], though PaX[2] is a serious protection from
exploiting security bugs in software. I needed a lot of time in order
to successfully patch Debian kernel with grsecurity, though I
immediately removed all features/* patches. It's because patch B can
assume patch A is applied and when patch A is not applied, then patch B
fails. But it is possible patch B is still needed. For that reason, and
the reason of availability of newer kernel in backports repo, my
opinion is features patches are unneeded and make more problems than
benefit.

> Anybody that claims that
> they can prove otherwise, for Debian or any other OS, is either lying or
> ignorant.
> 
> noah
> 

[1] https://lists.debian.org/debian-devel/2003/09/msg01133.html
[2] https://en.wikipedia.org/wiki/PaX

-- 
Education is a process of making people see what is advanced and not
obvious, but also not seeing what is basic and obvious.

http://markorandjelovic.hopto.org




Re: There is Pidgin in security updates with same version but different checksum

2013-10-03 Thread Marko Randjelovic
On Fri, 4 Oct 2013 01:52:44 +0200
Cyril Brulebois wrote:

> Marko Randjelovic (2013-10-04):
> > The package from security looks like error because it does not appear
> > in apt-cache show, but exists in lists file and in
> > http://security.debian.org/pool/updates/main/p/pidgin/.
> 
> Can you please elaborate? The above has got: 2.7.3-1+squeeze3
> 
> Current status across distributions is:
> kibi@arya:~$ rmadison pidgin -a source
> pidgin | 2.7.3-1+squeeze3 | oldstable         | source
> pidgin | 2.10.6-3~bpo60+1 | squeeze-backports | source
> pidgin | 2.10.6-3         | stable            | source
> pidgin | 2.10.7-2         | testing           | source
> pidgin | 2.10.7-2         | unstable          | source
> 
> so the 2.7.3-1+squeeze3 upload available through security for oldstable
> got merged into oldstable proper during a point release.
> 
> What version are you chasing, for which distribution?
> 
> Mraw,
> KiBi.

Distribution is Squeeze.

# grep -A 30 "^Package: pidgin$" ftp.nluug.nl_pub_os_Linux_distr_debian_dists_squeeze_main_binary-amd64_Packages | grep -E "(SHA256|Version:)"
Version: 2.7.3-1+squeeze3
SHA256: 4e9c6cdb16b9b6b324664ed584d3e675f353a3d87dadba7ea29c56caab282dfd
# grep -A 30 "^Package: pidgin$" security.debian.org_dists_squeeze_updates_main_binary-amd64_Packages | grep -E "(SHA256|Version:)"
Version: 2.7.3-1+squeeze3
SHA256: d5306e41dda5884bed09272c438f24ac6f1daddc10e737d7094db984187be8c5
# pwd
/var/lib/apt/lists


-- 
Archive: http://lists.debian.org/20131004021019.5cc1d...@eunet.rs



There is Pidgin in security updates with same version but different checksum

2013-10-03 Thread Marko Randjelovic
The package from security looks like error because it does not appear in 
apt-cache show, but exists in lists file and in 
http://security.debian.org/pool/updates/main/p/pidgin/.

Regards


-- 
Archive: http://lists.debian.org/20131004014611.6be5f...@eunet.rs



Re: Security updates realized by new releases, case for backports?

2013-10-03 Thread Marko Randjelovic
On Thu, 03 Oct 2013 21:08:28 +0200
Paul van der Vlis wrote:

> So far I know browsers like Konqueror, Epiphany and Midori do not have
> real security support in Debian. See:
> http://www.debian.org/releases/wheezy/amd64/release-notes/ch-information.en.html#browser-security

I have taken a look at CVE database for Firefox/Chrome. The number of bugs is 
enormous. I doubt they can ever find/correct all of them. An attacker has too
big a chance to find zero-day bugs. So, looks like we can choose between Elinks
and no security.


-- 
Archive: http://lists.debian.org/20131003225208.4c7f8...@eunet.rs



Re: Security updates realized by new releases, case for backports?

2013-10-03 Thread Marko Randjelovic
On Thu, 03 Oct 2013 18:46:33 +0300
Riku Valli wrote:

> Konqueror isn't solution, because most websites check your browser
> strings and uses flash, javascript and so on. Yes, I know that I can
> change these strings, but in most cases this isn't enough if I like
> use this website.

Unfortunately, there are not many free software web browsers that
support all new features. AFAIK Mozilla and probably Chromium (I haven't
been using it). 

$ apt-cache search web.browser | grep -i "web.browser" | grep -vE "(^lib|amule|addon|plugin|man pages|net|extension|unit|Perl|intro|IRC|Myth|-(data|dbg|common|dev))" | sort
arora - simple cross platform web browser
chimera2 - Web browser for X
chromium - Google's open source chromium web browser
conkeror - keyboard focused web browser with Emacs look and feel
dillo - Small and fast web browser
epiphany-browser - Intuitive GNOME web browser
ezmlm-browse - Web browser for ezmlm-idx archives
hv3 - Lightweight web browser
iceweasel - Web browser based on Firefox
konqueror - advanced file manager, web browser and document viewer
links2 - Web browser running in both graphics and text mode
links - Web browser running in text mode
luakit - A fast and small web browser extensible by Lua
midori - fast, lightweight graphical web browser
rekonq - KDE web browser based on Webkit
surf - simple web browser
wapua - Web browser for WAP WML pages
xxxterm - Minimalist's web browser

> When you used backports i think lot of peoples are quite confused,
> because apt-cache show package shows 2 and sometimes 3 (user used 3
> party repo exm. deb-multimedia) same programs and only difference is
> version number

Well, yes, it's a bit confusing. To really find out which repo contains
which version you have to extract versions
from /var/lib/apt/lists/*Packages.

> How ordinary user can handle this? apt-get install package refuses
> install latest version and when they understand how to install latest
> version. They installed lot of packages from backports and broke their
> installation.

I am not a Debian developer, but this looks to me like a bad backport.
If backporter didn't lower versions of dependencies to versions from
stable, then such conditions may occur.


-- 
Archive: http://lists.debian.org/20131003225154.278ea...@eunet.rs
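
Added example (not part of the thread): a Python sketch of the two lookups discussed in the messages above, namely which version each index under /var/lib/apt/lists offers for a package, and which entries share package, version and architecture but list different SHA256 values, as in the pidgin report. The index file names, the pidgin version and its two SHA256 values are taken from that report; the remaining fields and the `example-tool` entries are constructed, and the function names are this example's own.

```python
import glob
import os
import re
from collections import defaultdict

MAIN = "ftp.nluug.nl_pub_os_Linux_distr_debian_dists_squeeze_main_binary-amd64_Packages"
SEC = "security.debian.org_dists_squeeze_updates_main_binary-amd64_Packages"


def _stanza(package, version, sha256):
    # Constructed stanza; real ones carry many more fields.
    return (f"Package: {package}\nVersion: {version}\nArchitecture: amd64\n"
            "Description: constructed sample entry\n continuation line\n"
            f"SHA256: {sha256}\n")


SAMPLE = {
    MAIN: _stanza("pidgin", "2.7.3-1+squeeze3",
                  "4e9c6cdb16b9b6b324664ed584d3e675f353a3d87dadba7ea29c56caab282dfd")
          + "\n" + _stanza("example-tool", "1.0-1", "ab" * 32),
    SEC: _stanza("pidgin", "2.7.3-1+squeeze3",
                 "d5306e41dda5884bed09272c438f24ac6f1daddc10e737d7094db984187be8c5")
         + "\n" + _stanza("example-tool", "1.0-1+deb1", "cd" * 32),
}


def parse_packages(text):
    """Yield one {field: value} dict per stanza; continuation lines are skipped."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key] = value.strip()
        if "Package" in fields:
            yield fields


def versions_by_source(indexes, package):
    """Map each index name to the versions of `package` it offers."""
    found = {}
    for source, text in indexes.items():
        versions = [f["Version"] for f in parse_packages(text)
                    if f["Package"] == package and "Version" in f]
        if versions:
            found[source] = versions
    return found


def checksum_conflicts(indexes):
    """Return {(package, version, arch): {sha256: [sources]}} for entries
    that appear with more than one distinct SHA256 across the indexes."""
    seen = defaultdict(lambda: defaultdict(list))
    for source, text in indexes.items():
        for f in parse_packages(text):
            if "SHA256" in f:
                key = (f["Package"], f.get("Version"), f.get("Architecture"))
                seen[key][f["SHA256"]].append(source)
    return {key: {h: sorted(s) for h, s in hashes.items()}
            for key, hashes in seen.items() if len(hashes) > 1}


def load_apt_lists(directory="/var/lib/apt/lists"):
    """Read uncompressed *_Packages files; compressed lists are not handled."""
    indexes = {}
    for path in glob.glob(os.path.join(directory, "*_Packages")):
        with open(path, encoding="utf-8", errors="replace") as handle:
            indexes[os.path.basename(path)] = handle.read()
    return indexes


if __name__ == "__main__":
    indexes = load_apt_lists() or SAMPLE  # fall back to the constructed sample
    for key, hashes in checksum_conflicts(indexes).items():
        print("same version, different SHA256:", key)
        for digest, sources in hashes.items():
            print("  ", digest, sources)
```
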



Re: Security updates realized by new releases, case for backports?

2013-10-03 Thread Marko Randjelovic
On Thu, 03 Oct 2013 14:37:22 +0200
Paul van der Vlis wrote:

> Hello,
> 
> In some cases security updates for packages in main are realized by
> new releases, e.g. Iceweasel and Wordpress. Such packages can give
> problems, e.g. in Wordpress there are missing themes.
> 
> In my opinion such packages should be added to backports and then
> declared "end of life" in main. I think it's common to take extra care
> with backports.
> 
> Backports could be enabled by default in a new release, e.g. to have
> Iceweasel in a fresh install.
> 
> What's your opinion?
> 
> With regards,
> Paul van der Vlis.
> 
> 
> 
> 
> 

Obviously, web browser and web applications are critical for security because 
they are exposed to eventual attacks. Hence, I agree they should not be updated 
to new upstream version but instead only backported with security patches. But 
with web browser situation is even more complicated because web sites are 
constantly using newer features, support for old browsers is dropped and old 
browser gradually become less and less usable. It is not the problem with 
Debian, but with relevant web sites, i.e. their way of development, but we must
provide people who need it new web browsers and I agree it should be via
backports. But probably we could also provide some intermediary solution, e.g.
Konqueror backport that will not be newest, but newer than in stable?

-- 
It is not important what I am, it is important to what purpose do I serve, and
my whole existence.

http://mr.flossdaily.org


-- 
Archive: http://lists.debian.org/20131003164457.46dfc...@eunet.rs



Re: How secure is an installation with with no non-free packages?

2013-10-02 Thread Marko Randjelovic
> I can't speak to those packages specifically but I think the answer
> you'll get from most people, especially in this community, is that
> non-free software is inherently insecure because you can't know
> exactly what it is doing. Thus, a fully free system such as Debian
> with only main enabled or Trisquel or so is, in principle, more
> trustworthy than any system running non-free code.

There is a fairy tale called "Dark County". Some travelers came into
dark county where nothing could be seen. They felt stones on the ground
and heard a voice: "if you take you will regret, if you do not take
you will regret". Some of them took the stones, some of them did not.
After they got out, they saw it was precious stones and those who
didn't take regretted because they didn't take and those that took
regretted they didn't take more.

I am not telling this story because I think Intel/AMD microcode is
precious, but to stress how bad is when you do not know what you are
dealing with.

-- 
http://mr.flossdaily.org


-- 
Archive: http://lists.debian.org/20131002163841.0729e...@eunet.rs



Re: Script to System Check Integrity against Debian Package Repository

2013-09-23 Thread Marko Randjelovic
On Wed, 18 Sep 2013 09:47:27 +0200
Paul Wise  wrote:

> On Wed, Sep 18, 2013 at 9:36 AM, Török Edwin wrote:
> 
> > Why not just reinstall from a trusted source, then
> > restore /etc, /home and /var from backups and audit the changes
> > introduced by that only?
> 
> That is a slightly short-sighted way to do it; if you restore from
> scratch without doing any forensics you won't know which methods your
> attackers used and how you can defend yourself from them after you
> have restored the system from scratch. Perhaps they will attack you
> again soon afterwards.
> 

And say there are no traces how they did it. Then what are your options?

-- 
Marko Ranđelović, B.Sc.
Software Developer
Niš, Serbia
marko...@eunet.rs
http://mr.flossdaily.org

Note: If you see a nonsense enclosed between lines

BEGIN PGP SIGNATURE
END PGP SIGNATURE

then this message is digitally signed using OpenPGP compliant software.
You need an appropriate plugin for your email client or other OpenPGP
compliant software in order to verify the signature. However, the concept
of computer insecurity implies digital signature is not absolute proof of
identity.


--
Archive: http://lists.debian.org/20130920110243.1d700...@eunet.rs



Re: Script to System Check Integrity against Debian Package Repository

2013-09-22 Thread Marko Randjelovic
On Wed, 18 Sep 2013 09:47:27 +0200
Paul Wise  wrote:

> On Wed, Sep 18, 2013 at 9:36 AM, Török Edwin wrote:
>   
> > Why not just reinstall from a trusted source, then
> > restore /etc, /home and /var from backups and audit the changes
> > introduced by that only?  
> 
> That is a slightly short-sighted way to do it; if you restore from
> scratch without doing any forensics you won't know which methods your
> attackers used and how you can defend yourself from them after you
> have restored the system from scratch. Perhaps they will attack you
> again soon afterwards.
>   

And say there are no traces how they did it. Then what are your options?

-- 
Marko Ranđelović, B.Sc.
Software Developer
Niš, Serbia
marko...@eunet.rs
http://mr.flossdaily.org

Note: If you see a nonsense enclosed between lines

BEGIN PGP SIGNATURE
END PGP SIGNATURE

then this message is digitally signed using OpenPGP compliant software.
You need an appropriate plugin for your email client or other OpenPGP
compliant software in order to verify the signature. However, the concept
of computer insecurity implies digital signature is not absolute proof of
identity.


--
Archive: http://lists.debian.org/20130922181858.78922...@eunet.rs



Opinion on this, password changed, nothing suspicious in logs

2012-05-28 Thread Marko Randjelovic
* I logged in to my normal account on the desktop PC last time successfully Saturday 
evening and turned off the computer 2 hours after midnight.
* On Sunday morning I went for a walk.
At 16 pm I turned on the computer but my password did not work.
* I checked the logs and found no trace of intrusion, but also no entry about 
a password change.

I have Debian 6 desktop and firewall computers. I apply security patches 
regularly, have an active firewall and SELinux. The only problem I see could be the 
custom kernel 3.2 that is not completely patched.

I have logged in several times successfully with that password, including 
immediately after power on when there is no possibility of an alternative keyboard 
layout and no need to touch caps lock.

For me it is obvious my account was compromised, but don't know if root 
privileges were acquired.

What do you think?

-- 
Marko Ranđelović, B.Sc.
Software Developer
Niš, Serbia
marko...@eunet.rs
marko.m...@gmail.com
GnuPG Key: 11FF 0703 1C7A 8FB1 48C0  B63E 4D1C 0D3F 7281 F4B7


-- 
Archive: http://lists.debian.org/4fc38274.4030...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-17 Thread Marko Randjelovic
Fortunately, I had already made some efforts towards backporting kernel
3.1.5 from unstable, so I successfully booted this kernel several
minutes ago and 'su' in virtual console was working.

I am considering whether to switch to this new kernel, and will also try
to find cause of problem with 2.6.39.

So, as they say we should give back to the community, I can provide new
kernel to someone who needs it, but since my Internet connection is only
384kbps upwards, I am really not sure if I can post a link.

Best regards


-- 
Archive: http://lists.debian.org/4eecc910.7020...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-17 Thread Marko Randjelovic
I don't think it's related in that way, gnome-terminal runs in pts and
su works.

Thanks for your help, anyway. This problem is interesting to me, since I
don't know what I can expect from a certain kind of people.

Best regards

On 12/17/2011 12:39 PM, Hermann Kaiser wrote:
>
> On Dec 16, 2011, at 9:49 PM, Marko Randjelovic wrote:
>
>> devpts is mounted:
>>
>> devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
>
> if you are on pts, the nosuid and noexec will prevent execution
>
> ciao,
> Hermann
>
>
>
>


-- 
Archive: http://lists.debian.org/4eecba1c.6090...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
yes, it does.

On 12/16/2011 10:06 PM, frederic ollivier wrote:
> sudo -s
>
> works ?
>
>
>
> 2011/12/16 Bart-Jan Vrielink :
>   
>> On 12/16/11 21:53, Freddy Spierenburg wrote:
>> 
>>> Hi (first message) Bart-Jan and (second) Marko,
>>>
>>> On Fri, Dec 16, 2011 at 09:32:05PM +0100, Bart-Jan Vrielink wrote:
>>>
>>>   
>>>> You shouldn't be able to strace suid programs.
>>>>
>>>>
>>> Please enlighten me, why not?
>>>
>>>   
>>
>> suid/setuid means that the program runs as another user. Being able to trace
>> system calls for another user is a security risk. When strace is asked to
>> run a setuid program, it will ignore the setuid bit, which is not what you
>> want.
>>
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmas...@lists.debian.org
>> Archive: http://lists.debian.org/4eebb135.6060...@vrielink.net
>>
>> 
>
>
>   


-- 
Archive: http://lists.debian.org/4eebc24f.1040...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
fsck found no errors on the relevant fs, though when scanning it as mounted
it looked like there are errors (it couldn't repair since I chose the
correct read only option).

Also, memtest86+ found no errors

On 12/16/2011 09:54 PM, Marko Randjelovic wrote:
> Looks like there are filesystem errors. I have to reboot.
>   
>> so try a disk fsck and also a RAM check
>>
>> I have had problems like these when a RAM was damaged
>>
>> Ciao
>> Davide
>>
>> 
>
>   


-- 
Archive: http://lists.debian.org/4eebc231.5020...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
Looks like there are filesystem errors. I have to reboot.
> so try a disk fsck and also a RAM check
>
> I have had problems like these when a RAM was damaged
>
> Ciao
> Davide
>


-- 
Archive: http://lists.debian.org/4eebafed.8050...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
Not sure I understood. :(

On 12/16/2011 09:34 PM, Davide Prina wrote:
> but you use top posting... this is bad! ;-)
>
>


-- 
Archive: http://lists.debian.org/4eebaf12.5000...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
devpts is mounted:

devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)

$TTY is empty but the same is on another machine where this is working.

On 12/16/2011 09:41 PM, Noah Meyerhans wrote:
> On Fri, Dec 16, 2011 at 09:34:40PM +0100, Marko Randjelovic wrote:
> 
>   
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fff98fbd270) = -1 ENOTTY (Inappropriate ioctl for device)
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fff98fbd3e0) = -1 ENOTTY (Inappropriate ioctl for device)
>> 
> 
>
> Those are the key bits.  What is $TTY set to?  Is /dev/pts mounted?
> Does the file referenced by $TTY exist?  Can you post the output of 
> "ls -l $TTY" ?
>
>   


-- 
Archive: http://lists.debian.org/4eebaee9.7040...@gmail.com
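
The checks asked for in the message above, as an added Python example (not code from the thread): it issues the same TCGETS query on a descriptor, looks up the tty name, and extracts the options `mount` prints for /dev/pts. The function names are hypothetical; the sample mount line is the one quoted in the message.

```python
import errno
import os
import re
import termios

# The line posted in the message above, used as sample input.
SAMPLE_MOUNT = "devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)"

MOUNT_LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")


def describe_fd(fd):
    """Report what a terminal check would see on file descriptor fd."""
    info = {"is_tty": False, "errno": None, "name": None, "name_exists": False}
    try:
        # tcgetattr() issues the TCGETS ioctl; on a non-terminal the kernel
        # answers ENOTTY, the error shown in the quoted strace lines.
        termios.tcgetattr(fd)
    except termios.error as exc:
        info["errno"] = errno.errorcode.get(exc.args[0], str(exc.args[0]))
        return info
    info["is_tty"] = True
    try:
        # ttyname() also needs the device node to be reachable (e.g. a
        # mounted /dev/pts), so it can fail even when the fd is a terminal.
        info["name"] = os.ttyname(fd)
        info["name_exists"] = os.path.exists(info["name"])
    except OSError as exc:
        info["errno"] = errno.errorcode.get(exc.errno, str(exc.errno))
    return info


def mount_options(mount_output, mountpoint):
    """Return the option list `mount` prints for mountpoint, or None."""
    for line in mount_output.splitlines():
        match = MOUNT_LINE.match(line.strip())
        if match and match.group(2) == mountpoint:
            return match.group(4).split(",")
    return None


if __name__ == "__main__":
    # Run this from the console where the problem shows up.
    for fd in (0, 1, 2):
        print(fd, describe_fd(fd))
    print("/dev/pts options:", mount_options(SAMPLE_MOUNT, "/dev/pts"))
```
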



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
All looks OK. Just there is a dot after permissions in "ls -l".

On 12/16/2011 09:32 PM, Bart-Jan Vrielink wrote:
> On 12/16/11 21:07, Freddy Spierenburg wrote:
>> Hi Marko,
>>
>> On Fri, Dec 16, 2011 at 08:51:58PM +0100, Marko Randjelovic wrote:
>>   
>>> su does not ask for a password, just exits immediately with exit
>>> status 1.
>>>  
>> Have you already tried to strace it, to possibly see what's going
>> on? And if so, where does it end?
>>
>
> You shouldn't be able to strace suid programs.
>
> Marko, I do not exactly know what the cause of this problem is, but I
> would inspect the /etc/login.defs file (and then especially the value
> of the CONSOLE variable) and also look around in /etc/pam.d/su (and
> included files) and the /etc/security directory (especially the
> access.conf file). These are some of the places where one could
> configure su to behave more or less like you describe.
>


-- 
Archive: http://lists.debian.org/4eebae65.1060...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
Thanks for your suggestion, Freddy. Looks like I found something.

open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2570, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7febc61a5000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2570
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7febc61a5000, 4096) = 0
open("/usr/share/locale/en_US/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "su: must be run from a terminal\n", 32) = 32
exit_group(1) = ?

It's the end of the file. I attach whole file.

Looks like su thinks it's not a terminal, but obviously it is. I really
don't have an idea why. Any suggestions?

On 12/16/2011 09:07 PM, Freddy Spierenburg wrote:
> Hi Marko,
>
> On Fri, Dec 16, 2011 at 08:51:58PM +0100, Marko Randjelovic wrote:
>   
>> su does not ask for a password, just exits immediately with exit status 1.
>> 
> Have you already tried to strace it, to possibly see what's going
> on? And if so, where does it end?
>
>
>   

Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
The same as for hdparm. I reinstalled it and all looks OK. Also checked
md5sums in /var/lib/dpkg/info/login.md5sums.

On 12/16/2011 08:57 PM, frederic ollivier wrote:
> You are sure that the original "su" ?
>
>
>
>
>
> 2011/12/16 Marko Randjelovic :
>   
>> main:~# ls -l /bin/su
>> -rwsr-xr-x. 1 root root 34024 Feb 15  2011 /bin/su
>>
>> So I guess this time it's not the case. :(
>>
>> su does not ask for a password, just exits immediately with exit status 1.
>>
>> On 12/16/2011 08:25 PM, Marcin Owsiany wrote:
>> 
>>> On Fri, Dec 16, 2011 at 06:26:08PM +0100, Marko Randjelovic wrote:
>>>
>>>   
>>>> I have very disturbing problem, so I hope someone will be in situation
>>>> to help me.
>>>>
>>>> As I said in title, su is not working in virtual console for any
>>>> combination of from-to users. In gnome-terminal it is working. sudo is
>>>> also working.
>>>>
>>>> When I type 'su', it's the same as I just typed RETURN without any
>>>> command, but exit status is 1.
>>>>
>>>> 
>>> Last time this happened for me it turned out that su was not SUID root
>>> :-)
>>>
>>>
>>>   
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
>> Archive: http://lists.debian.org/4eeba15e.60...@gmail.com
>>
>> 
>
>
>   


-- 
Archive: http://lists.debian.org/4eeba97a.2070...@gmail.com
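
The md5sums check mentioned in the message above, as an added Python example (not code from the thread): it parses a dpkg-style `.md5sums` list and sorts every listed file into unchanged, changed or missing. The function names and the temporary demo tree are constructed for the example; `root` stands in for `/`.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse '<md5hex>  <path relative to />' lines into (digest, path)."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        entries.append((parts[0].lower(), parts[1].strip().lstrip("/")))
    return entries


def file_md5(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify(md5sums_text, root="/"):
    """Compare every listed file under root against its recorded digest."""
    report = {"ok": [], "changed": [], "missing": []}
    for expected, rel in parse_md5sums(md5sums_text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif file_md5(full) == expected:
            report["ok"].append(rel)
        else:
            report["changed"].append(rel)
    return report


def build_demo_tree():
    """Constructed sample: a fake root, two files, a three-entry list."""
    root = tempfile.mkdtemp(prefix="md5demo-")
    os.makedirs(os.path.join(root, "bin"))
    contents = {"bin/su": b"original su\n", "bin/login": b"original login\n"}
    lines = []
    for rel, data in contents.items():
        with open(os.path.join(root, rel), "wb") as handle:
            handle.write(data)
        lines.append("%s  %s" % (hashlib.md5(data).hexdigest(), rel))
    # Listed in the package but absent from the tree.
    lines.append("%s  usr/bin/newgrp" % hashlib.md5(b"x").hexdigest())
    # Simulate a file altered after the list was written.
    with open(os.path.join(root, "bin/su"), "ab") as handle:
        handle.write(b"appended\n")
    return root, "\n".join(lines) + "\n"


if __name__ == "__main__":
    demo_root, listing = build_demo_tree()
    print(verify(listing, demo_root))
```

The list under /var/lib/dpkg/info sits on the same disk as the files it describes, so a match only rules out changes made by something that did not also rewrite the list.
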



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
And in auth.log nothing appears. Also in other logs.
Only in
daemon.log:
Dec 16 21:01:42 n acpid: client 3039[0:0] has disconnected
Dec 16 21:01:43 n acpid: client connected from 3039[0:0]
Dec 16 21:01:43 n acpid: 1 client rule loaded

I ran rkhunter, but looks like it found nothing. Only a warning about
/etc/init.d/hdparm.
But I reinstalled it and md5 checksum didn't change.

[21:06:14] Warning: Checking for possible rootkit strings[ Warning ]
[21:06:14]  Found string 'hdparm' in file
'/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[21:06:14]  Found string 'hdparm' in file '/etc/init.d/hdparm'.
Possible rootkit: Xzibit Rootkit

The other file looks harmless and related to dependencies of boot scripts.

On 12/16/2011 08:25 PM, Marcin Owsiany wrote:
> On Fri, Dec 16, 2011 at 06:26:08PM +0100, Marko Randjelovic wrote:
>   
>> I have very disturbing problem, so I hope someone will be in situation
>> to help me.
>>
>> As I said in title, su is not working in virtual console for any
>> combination of from-to users. In gnome-terminal it is working. sudo is
>> also working.
>>
>> When I type 'su', it's the same as I just typed RETURN without any
>> command, but exit status is 1.
>> 
> Last time this happened for me it turned out that su was not SUID root
> :-)
>
>   


-- 
Archive: http://lists.debian.org/4eeba8e2.6040...@gmail.com



Re: Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
main:~# ls -l /bin/su
-rwsr-xr-x. 1 root root 34024 Feb 15  2011 /bin/su

So I guess this time it's not the case. :(

su does not ask for a password, just exits immediately with exit status 1.

On 12/16/2011 08:25 PM, Marcin Owsiany wrote:
> On Fri, Dec 16, 2011 at 06:26:08PM +0100, Marko Randjelovic wrote:
>   
>> I have very disturbing problem, so I hope someone will be in situation
>> to help me.
>>
>> As I said in title, su is not working in virtual console for any
>> combination of from-to users. In gnome-terminal it is working. sudo is
>> also working.
>>
>> When I type 'su', it's the same as I just typed RETURN without any
>> command, but exit status is 1.
>> 
> Last time this happened for me it turned out that su was not SUID root
> :-)
>
>   


-- 
Archive: http://lists.debian.org/4eeba15e.60...@gmail.com



Command 'su' is not working in virtual console

2011-12-16 Thread Marko Randjelovic
I have very disturbing problem, so I hope someone will be in situation
to help me.

As I said in title, su is not working in virtual console for any
combination of from-to users. In gnome-terminal it is working. sudo is
also working.

When I type 'su', it's the same as I just typed RETURN without any
command, but exit status is 1.

Some time ago I had a problem when starting X applications with gksudo
that I solved by changing to --su-mode. But now it looks like working
again in sudo mode, but the problem I described appeared.

I tried to disable kdm, but didn't help.

I am running kernel 2.6.39 from unstable with some additional patches.

Any help is welcome.


-- 
Archive: http://lists.debian.org/4eeb7f30.1030...@gmail.com