Re: [SECURITY] [DSA 3431-2] ganeti regression update

2016-01-15 Thread Milan P. Stanic
On Fri, 2016-01-15 at 11:05, Milan Mogin wrote:
> please unsubscribe me

Go to https://lists.debian.org/debian-security-announce/
where you can unsubscribe yourself.

Detailed info about Debian mailing lists can be found at:
https://www.debian.org/MailingLists

> On 15/01/2016 10:53 a.m., Salvatore Bonaccorso wrote:
> >-BEGIN PGP SIGNED MESSAGE-
> >Hash: SHA512
> >
> >- -
> >Debian Security Advisory DSA-3431-2   secur...@debian.org
> >https://www.debian.org/security/ Salvatore Bonaccorso
> >January 14, 2016  https://www.debian.org/security/faq
> >- -
[...]



Re: finding a process that binds a specific port

2014-01-22 Thread Milan P. Stanic
On Wed, 2014-01-22 at 13:37, Nico Angenon wrote:
 the same...no output

Maybe you can be lucky with: 
ss -ulp

But, if you have really been hacked it would be better to shut down the
machine, move the disk to a clean machine and try some forensic tools.

 -Original Message- From: Andika Triwidada
 Sent: Wednesday, January 22, 2014 1:33 PM
 To: Nico Angenon
 Cc: debian security
 Subject: Re: finding a process that binds a specific port
 On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon n...@creaweb.fr wrote:
 Hello,
 
 I think I've been hacked on one of my boxes...
 
 I'm trying to find which process binds a specific port:
 
 # netstat -anpe |grep udp
 gives me
 udp   0   0 0.0.0.0:10001   0.0.0.0:*   0   5950269 -
 
 
 but
 # lsof |grep 10001
 doesn’t show me anything
 
 lsof -i -n | grep 10001


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140122124234.ga17...@arvanta.net



Re: finding a process that binds a specific port

2014-01-22 Thread Milan P. Stanic
On Wed, 2014-01-22 at 14:26, Nico Angenon wrote:
 Files /tmp/a and /tmp/b give me the same number list...
 
 I'll format the box, it'll go faster...

True!

But if there is a vulnerability (security hole) in your system, it's just
a question of time until you have this situation again.

 -Original Message- From: Matias Mucciolo
 Sent: Wednesday, January 22, 2014 2:14 PM
 To: debian-security@lists.debian.org
 Cc: Nico Angenon
 Subject: Re: finding a process that binds a specific port
 
 
 You can try something like:
 
 cd /proc/ && ls -d1 [0-9]* | sort -n > /tmp/a && ps ax -o pid |
 grep [0-9] | tr -d ' ' | sort -n > /tmp/b
 
 and check which pid exists in the /proc dir but not in ps.
 Example on my box:
 
 ..
 4615      4615
 4624      4624
 4647      4647
 4702    | 4704
 4703    | 4705
        > 4706
        > 4707
 
 in my case I have a difference, but that is because of the grep/etc pids
 
 
 
 -- 
 
 Matias
 
 
 On Wednesday, January 22, 2014 10:01:09 AM Nico Angenon wrote:
 Same : No output...
 
 Nico
 
 -Original Message- From: johan A. van Zanten
 Sent: Wednesday, January 22, 2014 1:56 PM
 To: n...@creaweb.fr
 Cc: debian-security@lists.debian.org
 Subject: Re: finding a process that binds a specific port
 
 
 Nico Angenon n...@creaweb.fr wrote:
  nope... never used this service...
  Still looking for an explanation, trying chkrootkit and rkhunter right
  now
 
 Try fuser:
 
 fuser -n udp 10001
 
 -johan
 
 
 
 
 
 
 
 
 

-- 
Kind regards,  Milan
--
Arvanta, http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)


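The checks suggested across this thread (ss -ulp, fuser, and the /proc-versus-ps comparison), as an added shell example that is not code from the list or any of its posters: it maps a UDP port to its socket inode from a /proc/net/udp-style table, finds the PID whose fd table references that inode, and lists PIDs present in the proc tree but missing from a ps snapshot. The sample proc snapshot, its PIDs, the second socket and the ps list are constructed for the demo; only port 10001 and inode 5950269 are taken from the netstat output quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: three small checks for a listening
# UDP socket whose owner netstat/lsof cannot name (port 10001, inode 5950269).
#   1. map a UDP port to its socket inode via a /proc/net/udp-style file
#   2. find the PID whose fd table links to that inode via <proc>/*/fd
#   3. list PIDs that have a <proc>/<pid> directory but are missing from ps
# Every function takes a proc root so it can run against a constructed
# snapshot offline; pass /proc (as root) for a live check.

# Print the inode(s) of UDP sockets bound to local port $2 (decimal) from the
# udp table file $1. The kernel prints local_address as HEXIP:HEXPORT.
udp_inode_for_port() {
    hexport=$(printf '%04X' "$2")
    awk -v want=":$hexport" '
        NR > 1 && substr($2, length($2) - 4) == want { print $10 }' "$1"
}

# Print the PID(s) under proc root $2 holding an fd that links to socket:[$1].
# A process hidden from readdir() on /proc is hidden from this glob too, so an
# inode with no owner is a finding in itself, not a dead end.
socket_owner() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$1]" ]; then
            rest=${fd#"$root"/}
            echo "${rest%%/*}"
        fi
    done | sort -un
}

# Print PIDs with a directory under proc root $1 that are absent from the ps
# snapshot in file $2 (one PID per line, e.g. from `ps -e -o pid=`). Take the
# snapshot first; the pipeline's own short-lived PIDs can still show up, as
# the thread notes, so inspect any leftover PID rather than trusting the count.
hidden_pids() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] && echo "${d##*/}"
    done | awk -v pslist="$2" '
        BEGIN { while ((getline line < pslist) > 0) seen[line + 0] = 1 }
        { pid = $1 + 0; if (!(pid in seen)) print pid }'
}

# Build a constructed proc snapshot under $1 for the offline demo. The PIDs,
# the second socket and the ps list are made up; port 10001 (0x2711) and inode
# 5950269 are the values from the netstat output quoted in the thread.
build_sample_tree() {
    mkdir -p "$1/proc/1/fd" "$1/proc/4615/fd" "$1/proc/1234/fd"
    ln -s 'socket:[5950269]' "$1/proc/1234/fd/3"
    ln -s 'socket:[12345]'   "$1/proc/4615/fd/5"
    cat > "$1/udp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950269 2 0000000000000000 0
  15: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12345 2 0000000000000000 0
EOF
    # a ps snapshot that, like one taken on a rootkitted box, omits PID 1234
    printf '1\n4615\n' > "$1/ps"
}

# Stand-alone demo on the constructed snapshot.
demo() {
    tmp=$(mktemp -d) || return 1
    build_sample_tree "$tmp"
    inode=$(udp_inode_for_port "$tmp/udp" 10001)
    echo "udp port 10001 -> socket inode $inode"
    echo "inode $inode held by pid: $(socket_owner "$inode" "$tmp/proc")"
    echo "in proc but not in ps: $(hidden_pids "$tmp/proc" "$tmp/ps")"
    rm -rf "$tmp"
}
demo
```

On a live box run the three functions against /proc as root; a socket inode with no owning PID, or a PID that survives repeated /proc-versus-ps comparisons, is what a hidden process looks like from user space.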



Re: NSA software in Debian

2014-01-22 Thread Milan P. Stanic
On Wed, 2014-01-22 at 15:01, Marko Randjelovic wrote:
 On Sun, 19 Jan 2014 21:17:03 -0800
 Andrew Merenbach and...@merenbach.com wrote:
  I just decided to try this out the other day on my Wheezy 7.3 install.  
  It wasn't that painful and I haven't noticed any performance impact or 
  misbehaving (read: broken) programs, at least not yet.  Then again, I 
  haven't done real benchmarks.
 Yes, most features don't have a significant performance impact.
  It appears that this patch is available in the apt repos under the 
  kernel section (sensibly enough) as:
  
   linux-patch-grsecurity2
  
  Once it's downloaded, it patches the kernel in an automated fashion and 
  doesn't force a reboot (although I believe you still need one to make it 
  effective, I suppose).
 AFAIK, it's for kernel 3.2.21, I don't see how it could work with the
 Wheezy kernel - 3.2.51.

I found it a lot easier to go with a vanilla kernel and the grsec/pax patch
instead of using Debian kernels.

  That said, since it's a kernel patch, /caveat emptor/... your mileage 
  may vary.  And maybe some prefer to customize the options for the patch 
  being applied. ;)

-- 
Kind regards,  Milan





Re: New rootkit targetting Debian squeeze (amd64 only)

2012-11-23 Thread Milan P. Stanic
On Fri, 2012-11-23 at 02:22, Jordon Bedwell wrote:
 On Fri, Nov 23, 2012 at 12:31 AM, Mike Mestnik
 cheako+debian-secur...@mikemestnik.net wrote:
  On 11/22/12 11:33, Laurentiu Pancescu wrote:
  More likely: a vulnerability in their web service (some form of
  execution of attacker-provided code), combined with a local privilege
  elevation exploit (the Linux kernel had quite many such bugs, some are
  probably yet undiscovered).  I find it interesting that the rootkit was
  written or customized specifically for squeeze.
 
 I think this was a test of greater things to come.  I would assume
 (mostly because to me it's ignorant not to assume this) that the
 author of the malware might have built it to target his preferred OS
 first and then would have expanded it later.  It's much easier to
 build small and then work up to greater things than to build big and
 possibly fail.

Two days have passed and no one has said anything about the infection
vector. Expect gibberish babble about Russian hackers.

To me, it looks like some 'unknown entity' is spreading FUD about Linux and
especially Debian.

-- 
Kind regards,  Milan





Re: New rootkit targetting Debian squeeze (amd64 only)

2012-11-22 Thread Milan P. Stanic
On Thu, 2012-11-22 at 12:32, Laurentiu Pancescu wrote:
 http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html

Nothing about the infection vector, so it is a non-issue, probably.

Yes, root can be tricked into installing it from some third-party module or
even DKMS, but root shouldn't do such things without carefully checking
everything about third-party modules.

-- 
Kind regards,  Milan





Re: idea: switch default MTA from exim4 to postfix (wheezy+1)

2012-11-01 Thread Milan P. Stanic
On Thu, 2012-11-01 at 22:48, Hideki Yamane wrote:
 Hi,
 
  Now we are using Exim as the default MTA, but I doubt whether it'd be the
  best choice since several critical security vulnerabilities have been found
  in the last two or three years.
 
  Yes, it's common for such vulnerabilities to be found in software (of
  course); however, other MTAs like postfix have had fewer vulnerabilities
  than Exim.
 
  So I suggest switching from Exim to Postfix as the default MTA.
 
 
 Pros)
  - Postfix has had fewer vulnerabilities than Exim over the years
If we choose postfix as the default, it's probably more secure than using
Exim ***by default***. It's good for our users.
 
Exim: 8 DSAs and 13 CVEs and some high and remote vulns as NVD severity
  http://security-tracker.debian.org/tracker/source-package/exim4 
  and http://security-tracker.debian.org/tracker/source-package/exim
  
Postfix: 3 DSAs and 10 CVEs and no high vulns since its first release
  http://security-tracker.debian.org/tracker/source-package/postfix
 
 
 Cons)
  - well, maybe I didn't get it ;) If you want to continue to use Exim, you
can do it via apt-get.
 
  Please let me know your idea for this.

Should have been done 10 years ago, IMHO. Why wait?

OT: and the same for bind: use dbndns (djbdns).

-- 
Kind regards,  Milan





Re: idea: switch default MTA from exim4 to postfix (wheezy+1)

2012-11-01 Thread Milan P. Stanic
On Thu, 2012-11-01 at 12:03, Axel Caspard wrote:
 I am curious to know why you would like to see bind replaced with dbndns?

The same as for exim: security records.
 

-- 
Kind regards,  Milan





Re: how to fix rootkit?

2012-02-09 Thread Milan P. Stanic
On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
 I think you're talking about syscall interceptions and related stuff.
 You're right, we can't trust it, but in this case we're talking about
 a very specialized malware and I don't see any fast action to bypass
 it. Maybe the conclusion is that we can't trust anything, so we can't
 do anything, but something needs to be done, right?
 
 An option is to load another kernel with kexec, but we can't trust kexec.
 What do we do?

What about a device which can be tapped onto the CPU of a running machine
and then 'take over' the CPU? Such a device could then read RAM, block
devices and peripherals to save data for post-mortem analysis.

Although some secret agencies could already have something like that,
I'm not sure that it is commercially available or will be in the near
future.
If someone thinks that a hardware manufacturer could design and put on the
market computers with such an option built in, I suspect that it would be
suppressed by legislators.

 Sometimes we need to assume some risks otherwise we can't proceed. ;-)

That's it. We live in a risky world and we cannot achieve perfect security.
As in the real world, computer security is a trade-off between usability
and risk.

 BR,
 
 Fernando Mercês
 Linux Registered User #432779
 www.mentebinaria.com.br
 softwarelivre-rj.org
 @MenteBinaria
 
 II Hack'n Rio - 23 e 24/11
                  hacknrio.org
 
 
 
 
 On Wed, Feb 8, 2012 at 5:15 PM, Michael Stummvoll mich...@stummi.org wrote:
  On 08.02.12 19:51, Jutta Zalud wrote:
  Michael Stummvoll wrote:
 
  And who says that the new binaries don't work in compromised
  mode, e.g. with an LD_PRELOAD? ;)
 
  you can't trust a compromised system, not even when you are running
  (or think you are running) your own binaries. Who knows what the
  kernel does.
 
  What exactly do you mean by system?
 
  The Operating System.
 
  As I understand Fernando, he suggested running external self-compiled
  binaries within the compromised OS to be sure, and what I want to say
  is that you can't be sure in this case.
 
  Kind Regards,
  Michael
 
 
 
 
 
 
 

-- 
Kind regards,  Milan





Re: how to fix rootkit?

2012-02-09 Thread Milan P. Stanic
On Thu, 2012-02-09 at 23:19, Russell Coker wrote:
 On Thu, 9 Feb 2012, Milan P. Stanic m...@arvanta.net wrote:
  On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
   I think you're talking about syscall interceptions and related stuff.
   You're right, we can't trust it, but in this case we're talking about
   a very specialized malware and I don't see any fast action to bypass
   it. Maybe the conclusion is that we can't trust anything, so we can't
   do anything, but something needs to be done, right?
   
   An option is to load another kernel with kexec, but we can't trust kexec.
   What do we do?
  
  What about a device which can be tapped onto the CPU of a running machine
  and then 'take over' the CPU? Such a device could then read RAM, block
  devices and peripherals to save data for post-mortem analysis.
 
 There are devices which use firewire to directly access system RAM.  It is 

AFAIK firewire must be enabled by the kernel (CPU) to have access to RAM
via DMA controller settings. A hacked kernel could disable DMA access for
the firewire (or any) controller.

 also possible to design a PCI/PCIe card which does bus-mastering on external 
 control to dump RAM contents.  I've seen a live demonstration of the use of 
 firewire to directly access system RAM, a system was compromised by having 
 some memory altered, dumping the RAM would be trivial by comparison.

I'm not sure: in a modern computer architecture, does the CPU have to
enable bus mastering for a device on the bus? If so, malware could disable
bus mastering for peripheral devices.

 It has also been demonstrated that if you chill RAM to a low temperature then 
 you can extract it from the system with most of its contents intact.

Fifteen (maybe twenty) years ago I wrote a small Forth interpreter which
could run from the 486 CPU cache; at that time the 486 had a 4KB cache.
Theoretically, a new generation of malware could be designed to run from
the CPU cache completely.

-- 
Kind regards,  Milan





Re: how to fix rootkit?

2012-02-08 Thread Milan P. Stanic
On Wed, 2012-02-08 at 19:39, Michael Stummvoll wrote:
 On 08.02.12 18:46, Fernando Mercês wrote:
  Reading memory after turning off? Is there an easy way to do it?
  
  When I said your own binaries, I meant get fresh copies of the
  binaries and use them in the system from a USB stick or something like that.
  Do not use the compromised system's binaries. That's it. ;-)
 
 And who says that the new binaries don't work in compromised mode,
 e.g. with an LD_PRELOAD? ;)

What about statically linked binaries on external media (CD, DVD,
USB ...) which is write-protected, used in 'execute in place' mode?
 
 you can't trust a compromized system, not even when you running (or
 think you are running) own binaries. Who knows, what the kernel does.

If the kernel is changed to circumvent external (or all) binaries then
the solution could be to use some tool (I can't remember right now if
one exists) which could 'take over' the complete system (even the kernel)
and then do a snapshot or whatever is appropriate in that situation.

-- 
Kind regards,  Milan





Re: AUTO: Steve Bownas is out of the office. (returning 06/09/2011)

2011-06-05 Thread Milan P. Stanic
On Sat, 2011-06-04 at 23:41, Jim Popovitch wrote:
 On Sat, Jun 4, 2011 at 23:08, Steven Bownas sbow...@us.ibm.com wrote:
 
  I am out of the office until 06/09/2011.
 
 
 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on liszt.debian.org
 X-Spam-Level: *
 X-Spam-Status: No, score=1.1 required=4.0 tests=AUTOGENERATE,AUTOREBOD,FOURLA,
   LDO_WHITELIST,OUTOFOFFICE,RCVD_IN_DNSWL_MED autolearn=no version=3.2.5

And it has an 'Auto-Submitted: auto-generated' header.
Mails with such a header should not pass the mailing list filter, IMHO.

 Somebody has some work to do tweaking the rules. I volunteer if
 nobody else steps forward.
 
 -Jim P.

-- 
Kind regards,  Milan





Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

2008-07-20 Thread Milan P. Stanic
On Sun, 2008-07-20 at 14:04, Florian Weimer wrote:
 * John Elliot:
  Hi, We have a couple of Sarge servers running bind9(9.2.4-1sarge3)
  that appear to be vulnerable to the DNS cache poisoning issue(Looks
  like port randomization was only introduced in bind9.3?) - As the
  servers cannot be upgraded at this time to etch, what is the
  recommended course of action? Backports and upgrade to 9.3?
 Install one or more etch boxes, put BIND 9 onto it, and configure the
 sarge machines to use them as forwarders.  This is sufficient if the
 network between them is trusted.  You could also forward requests to
 your ISP's resolvers (subject to the same constraint).

A simpler and more secure (and easier) solution is the installation of
djbdns.
 





Selinux targeted policy postfix remove fail in etch

2007-09-09 Thread Milan P. Stanic
Hi!

In etch, semodule -r postfix fails with the following message:
libsepol.expand_module: Error while indexing out symbols
libsemanage.semanage_expand_sandbox: Expand module failed

Does someone know what is the problem and how the postfix module can be
removed?

TIA





Re: [SECURITY] [DSA 1232-1] New clamav packages fix denial of service

2006-12-09 Thread Milan P. Stanic
On Sat, Dec 09, 2006 at 03:43:33PM +0100, Moritz Muehlenhoff wrote:
 Package: clamav
 Vulnerability  : missing sanity checks
 Problem-Type   : remote
 Debian-specific: no
 CVE ID : CVE-2006-5874
[...]
 For the upcoming stable distribution (etch) this problem has been
 fixed in version 0.86-1.
 ^^ 
 For the unstable distribution (sid) this problem has been fixed in
 version 0.86-1.
^^
Clamav in testing and unstable is version 0.88.6





Re: handling private keys

2005-06-29 Thread Milan P. Stanic
On Tue, Jun 28, 2005 at 10:51:40PM +0200, Sven Mueller wrote:
 Anyway, for the kind of use you would like to put your smartphone to,
 you also need some interface for the host application to contact the
 smartphone by and to transmit the data in both directions, some UI on
 the smartphone to present the data to you (which would need to be smart
 enough to handle at least some of the more common data types) etc

But the smartphone is possibly always on and connected to the net (GPRS,
I think), isn't it?

I wouldn't put my valuable private key on a device which is connected
to anything out of my control.




Re: Compromised system - still ok?

2005-02-07 Thread Milan P. Stanic
On Mon, Feb 07, 2005 at 06:25:19PM +1100, Matthew Palmer wrote:
 Obviously you've never done this.  Good luck finding someone who even knows
 what TCP/IP is, let alone sufficient knowledge to be able to track a cracker
 in real time with no warning.

How smart they are can be seen at:
http://www.boingboing.net/2005/01/27/jailed_for_using_a_n.html

In short: a man used lynx to donate to tsunami victims, but the webmaster
at British Telecom called the police and the charitable man was
arrested.

I don't know whether I should cry or laugh.




Re: running services in their own little world

2004-07-26 Thread Milan P. Stanic
On Mon, Jul 26, 2004 at 01:36:37PM +1000, Russell Coker wrote:

 LIDS used to be in the LSM kernel patch, but got removed before LSM
 was merged into 2.6.x because it wasn't being maintained.

 Is LIDS being maintained again?

It is maintained and actively developed again, for now.
On http://www.lids.org/ there are patches for the 2.4 and 2.6 series.

 If so when will the patch be submitted to Linus?

Who knows? These days patches don't get accepted so easily :-(

Note: Russell, I'm subscribed to all the mailing lists where we meet, so
you shouldn't CC me.





Re: running services in their own little world

2004-07-26 Thread Milan P. Stanic
On Mon, Jul 26, 2004 at 11:21:24PM +1000, Russell Coker wrote:
 Adding a new LSM module is like adding a new device driver, people who choose 
 not to use it will not even notice it's there, so there's nothing stopping 
 Linus from adding them at any time.

The LIDS patch is actually an LSM module and it is not too intrusive, but
I'm not Linus :-)

 It would be good if SE Linux wasn't the only security module in the
 kernel.org kernel tree.

Nice to hear from the most active SE Linux developer these days.





Re: running services in their own little world

2004-07-25 Thread Milan P. Stanic
On Sun, Jul 25, 2004 at 11:02:54AM +1000, Russell Coker wrote:
 On Sun, 25 Jul 2004 02:43, hanasaki [EMAIL PROTECTED] wrote:
  The idea is to run bind, http and other servers in a jail.  I am just
  getting started and know little about it, for now.  I was hoping that
  there were Debian packages that already provided the jail(s) to run
  these services in.
 
 SE Linux offers a good solution to your problem.  However SE Linux support in 
 Debian is lacking because I'm the only DD working on it.  At the moment SE 
 Linux support in Fedora is significantly better.

LIDS is simpler.
SE Linux is overkill for simple servers for now, IMO.





Re: Backporting SELinux to woody

2004-03-12 Thread Milan P. Stanic
On Thu, Mar 11, 2004 at 08:25:15PM +0100, Norbert Tretkowski wrote:
 * Milan P. Stanic wrote:
  Can I put in version something like libselinux1_1.6-0.1-bp.mps_i386.deb
  instead of libselinux1_1.6-0.1_i386.deb?
 
 Well, if 1.6-0.1 will be in our next stable release, your backport
 will not be replaced with the version from stable.
 
 I'd suggest using libselinux1_1.6-0.0-bp.mps_i386.deb instead.

OK. Packages are at:
deb http://www.rns-nis.co.yu/~mps selinux/
deb-src http://www.rns-nis.co.yu/~mps selinux/

I don't have experience making deb-src repositories, but I hope it
is ok. If anything is wrong (is anything ok? :-) ) please tell me.

These are the packages which I'm using to test SELinux under UML and
woody.
The SELinux packages depend on attr and libattr from
http://www.backports.org

I'll try to make an html page about it tomorrow.







Re: Backporting SELinux to woody

2004-03-11 Thread Milan P. Stanic
On Thu, Mar 11, 2004 at 09:02:50AM +1100, Russell Coker wrote:
  If someone needs them I can put it on the net or post somewhere, or
  maybe help if the help is needed.
 
 If you could establish an apt repository for it then that would be very 
 useful.  Brian's SE Linux packages haven't been updated for a while.

Can I leave the control and changelog files in the packages as they are
now, i.e. original from the respective DDs?
I don't like the idea of rebuilding all of them just to put in my name,
comments and notes.





Re: Backporting SELinux to woody

2004-03-11 Thread Milan P. Stanic
On Thu, Mar 11, 2004 at 09:42:52PM +1100, Russell Coker wrote:
 If you copy all files related to a package intact then you don't have to make 
 such changes.
 
 If you make any changes at all (even re-compiling with a different compiler 
 and/or libc) then you must update the changelog appropriately.

Is it enough to put a note in the changelog that the package is backported
to woody? I can do that for the binary packages tomorrow but I don't have
enough time for the sources until next week.
Can I put in the version something like libselinux1_1.6-0.1-bp.mps_i386.deb
instead of libselinux1_1.6-0.1_i386.deb?







Re: Backporting SELinux to woody

2004-03-10 Thread Milan P. Stanic
On Wed, Mar 10, 2004 at 04:58:14PM +1100, Russell Coker wrote:
  I suspect that the problem can be with old glibc (2.2.5) but I'm not
  sure. Because that I'd like to ask should I backport glibc from sarge?
 
 There have been some changes to the way libxattr works.  From memory I think 
 that you needed an extra -l option on the link command line when compiling 
 with old libc6.  I can't remember whether it was linking the PAM module or 
 libselinux that needed it (or maybe both).

I already found that -lattr should be added to the Makefiles in
policycoreutils-1.6 to build it, and to the Makefile for the pam_unix module
in libpam. I also think that the same should be done in
libselinux1-1.6 and even looked through the Makefiles there, but didn't
find where and how to link libattr to libselinux1. That's because I
don't know how to build libraries, i.e. I know ./configure && make
or fakeroot debian/rules binary for libraries, but I don't know the
low-level work.

So, the question: how can I link libattr to libselinux1?





Re: Backporting SELinux to woody

2004-03-10 Thread Milan P. Stanic
On Wed, Mar 10, 2004 at 10:04:38PM +1100, Russell Coker wrote:
  So, the question: how can I link libattr to libselinux1?
 
 Edit src/Makefile and add -lattr in the $(CC) line for $(LIBSO).

That's it. I just rebuilt policycoreutils and pam with a libselinux1
that is linked with libattr and it was smooth.
Now I have to backport coreutils and sysvinit, huh.

Thank you, Russell.





Re: Backporting SELinux to woody

2004-03-10 Thread Milan P. Stanic
On Wed, Mar 10, 2004 at 01:29:16PM +0100, Milan P. Stanic wrote:
 That's it. I just rebuilt policycoreutils and pam with a libselinux1
 that is linked with libattr and it was smooth.
 Now I have to backport coreutils and sysvinit, huh.

I hate to reply to myself, but I'd like to inform you that I backported
libselinux, selinux-utils, policycoreutils, pam, coreutils, sysvinit,
checkpolicy and selinux-policy-default to woody. It works under UML.

If someone needs them I can put them on the net or post them somewhere, or
maybe help if help is needed.






Backporting SELinux to woody

2004-03-09 Thread Milan P. Stanic
Hi!

[ Sorry, I'm not sure if this list is right place to ask this, but
  I can't remember better one ]

I'm trying to backport SELinux tools and libraries from unstable to
stable (woody). Well, actually I succeeded in building all except coreutils
and sysvinit, installed all under UML and got to the point where
I cannot log in.
I've found a problem with pam (the backported one) which is compiled on the
woody platform.

Here is the syslog message:
-
Mar  9 19:29:44 [login] PAM adding faulty module: /lib/security/pam_unix.so
Mar  9 19:29:44 [login] PAM unable to dlopen(/lib/security/pam_selinux.so)
Mar  9 19:29:44 [login] PAM [dlerror: /lib/libselinux.so.1: undefined symbol: lsetxattr]
-

I suspect that the problem may be with the old glibc (2.2.5) but I'm not
sure. Because of that I'd like to ask: should I backport glibc from sarge?

Best regards,
Milan





Re: Big VPN

2004-03-03 Thread Milan P. Stanic
On Wed, Mar 03, 2004 at 08:54:38AM +0100, Dariush Pietrzak wrote:
> > FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
> > such it does not work with 2.6.
> That is untrue.
> 1.x branch works with 2.4.x kernels, 2.x branch works with 2.6.x

Right! I shouldn't write mail at 01:25 after midnight :-)
I used freeswan for years but I'm switching to racoon so I don't
follow freeswan (or openswan) anymore. Sorry for the inconvenience.





Re: Big VPN

2004-03-02 Thread Milan P. Stanic
On Tue, Mar 02, 2004 at 03:37:52PM -0600, Jacques Normand wrote:
> On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
> > If you're looking for a VPN solution, by all means look at FreeS/WAN (or its
> > likely successor, OpenSWAN). Just forget about OE. OE isn't about the type
> > of security you're looking for in a VPN.
>
> And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
> daemon for initial key exchange? It does the same work as freeswan but
> it is still developed.

FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as
such it does not work with 2.6.
I'm not sure but I think that Herbert Xu (Debian kernel maintainer)
added patches to pluto (FreeS/WAN IKE daemon) to work with IPSec in
the kernel 2.6.x.

Racoon has been in FreeBSD for a few years and is actively developed.





Re: Security patches

2003-11-30 Thread Milan P. Stanic
On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> It's a pity that the developers of other security systems didn't get
> involved, it would be good to have a choice of LIDS, HP's system, DTE, and
> others in the standard kernel.

LIDS uses LSM in 2.5/2.6 kernel series, IIRC. 





Re: Security patches

2003-11-30 Thread Milan P. Stanic
On Mon, Dec 01, 2003 at 07:23:18AM +1100, Russell Coker wrote:
> On Mon, 1 Dec 2003 05:10, Milan P. Stanic [EMAIL PROTECTED] wrote:
> > On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> > > It's a pity that the developers of other security systems didn't get
> > > involved, it would be good to have a choice of LIDS, HP's system, DTE,
> > > and others in the standard kernel.
> >
> > LIDS uses LSM in 2.5/2.6 kernel series, IIRC.
>
> LIDS does not appear to be in 2.6 at all.

No, it doesn't. But the LIDS patch uses LSM hooks.





Re: On the security of e-mails

2000-05-26 Thread Milan P. Stanic

On 26-May-2000 Alexander Hvostov wrote:
> Bradley,
>
> Uhm, isn't Sendmail's SMTP-over-SSL thing supposed to conform to some
> standard..? I seriously doubt the other endpoint has to be
> Sendmail; rather, I think it probably only needs to be running a proper
> SMTP-over-SSL implementation. If this is the case, then this can be done
> with stunnel and your favorite MTA. (mine being qmail... why doesn't
> everyone use qmail..?)

I think it is standard because I read the postfix TLS enhancement docs and
here is a snip from the description:

Overview:
=
- This is an SSL/TLS enhancement package for postfix.
  It realizes (well, or at least should, once it is finished) the
  STARTTLS extension to SMTP as described in RFC2487 and used
  by Netscape 4.5x.

RFC2487 is "SMTP Service Extension for Secure SMTP over TLS".

So, all SMTP MTAs with SSL/TLS should cooperate, shouldn't they?

--
E-Mail: Milan P. Stanic [EMAIL PROTECTED]
Key fingerprint = EA81 54A6 7F35 5A38 FCE6  9EF6 9D24 E68E 5C1D AF15
--