udp packet not reach application

2013-04-18 Thread Min Wang
Hi

I have the following issue (kernel 3.2.28):

  a device sending UDP traffic to UDP port x -> my UDP app (listening on port x)


At first it was working; my app did get UDP traffic.

After a while, strace showed that my app was stuck in recvfrom, with no UDP traffic,

but tcpdump showed the UDP traffic still coming.

Even if I restart my app, strace shows no UDP traffic at my app.

It seems the kernel did not deliver the UDP packets to my app.


I have to restart the NIC interface; then I can see UDP traffic received at my app.



What could be wrong?


thanks.

min
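The symptom above (tcpdump sees the datagrams, recvfrom() never returns them) can be narrowed down from the kernel's own UDP counters. The following reader for /proc/net/snmp is an added example, not code from the original post or its author; the counter names are the kernel's, and the two snapshots are constructed so the script runs offline.

```python
"""Added example (not from the original post): a reader for the kernel's UDP
counters in /proc/net/snmp.  When tcpdump sees datagrams that recvfrom()
never returns, comparing two snapshots shows which counter moves:
RcvbufErrors (socket receive buffer full), NoPorts (no socket bound to the
port), InErrors (rejected by the UDP layer), or none of them, meaning the
packets never reached UDP at all.  Counter names are the kernel's; the two
snapshots are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import Path

# Constructed snapshots of the relevant /proc/net/snmp lines, a few seconds apart.
SNAPSHOT_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 1 64 1000 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 5000 3 40 1200 40 0
"""
SNAPSHOT_AFTER = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 1 64 1500 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 5000 3 540 1200 540 0
"""


def parse_snmp(text: str) -> dict[str, dict[str, int]]:
    """Parse /proc/net/snmp: each protocol is a header line ("Udp: name ...")
    followed by a values line ("Udp: 1 2 ...")."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    table: dict[str, dict[str, int]] = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        _, nums = values.split(":", 1)
        table[proto.strip()] = dict(zip(names.split(), map(int, nums.split())))
    return table


@dataclass(frozen=True)
class UdpDelta:
    delivered: int      # InDatagrams: handed to a socket
    no_port: int        # NoPorts: no listener on the destination port
    errors: int         # InErrors: dropped by the UDP layer for any reason
    rcvbuf_errors: int  # RcvbufErrors: socket queue full (subset of InErrors)


def udp_delta(before: str, after: str) -> UdpDelta:
    """Difference of the Udp counters between two snapshots."""
    b, a = parse_snmp(before)["Udp"], parse_snmp(after)["Udp"]
    return UdpDelta(
        delivered=a["InDatagrams"] - b["InDatagrams"],
        no_port=a["NoPorts"] - b["NoPorts"],
        errors=a["InErrors"] - b["InErrors"],
        rcvbuf_errors=a["RcvbufErrors"] - b["RcvbufErrors"],
    )


def diagnose(d: UdpDelta) -> str:
    """Map the moving counter to where the datagrams are being lost."""
    if d.rcvbuf_errors > 0:
        return "rcvbuf: socket receive queue is full, the application is not draining it"
    if d.no_port > 0:
        return "noport: datagrams arrive but no socket is bound to that port"
    if d.errors > 0:
        return "inerrors: the UDP layer rejected the datagrams (e.g. bad checksum)"
    if d.delivered > 0:
        return "delivered: UDP handed datagrams to a socket, look at the application"
    return "below-udp: nothing reached the UDP layer (driver, netfilter or routing)"


def diagnose_live(interval_s: float = 2.0) -> str:
    """Take two real snapshots on a Linux host and diagnose the difference."""
    import time
    snmp = Path("/proc/net/snmp")
    before = snmp.read_text()
    time.sleep(interval_s)
    return diagnose(udp_delta(before, snmp.read_text()))


if __name__ == "__main__":
    print(diagnose(udp_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)))
```

Run `diagnose_live()` on the affected host while tcpdump shows traffic arriving: if the UDP counters do not move at all, the loss is below the UDP layer, which is consistent with the observation that only restarting the interface restores delivery.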


About default init umask , and kernel umask, cron umask

2012-12-05 Thread Min Wang

Hi

Could anyone tell me what the default umask is for the kernel, init, and cron? Is it configurable?


Googling around, I could not find a clear answer.

Assuming:

kernel --- > init --- > spawned tasks

so the kernel will set a default umask, then pass it to init?

What is the default umask? Where is the configuration location? Or is it not configurable?


Init will spawn those tasks, and those tasks will inherit the umask from init, right?


What is the cron default umask?






thanks

min


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50bf7647.3080...@gmail.com
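The inheritance part of the question can be checked directly: a process's umask is copied to its children across fork() and exec(), so whatever init runs with is what its spawned tasks start with unless they change it. The script below is an added example, not something from the post or its author; it demonstrates inheritance and the mode arithmetic only, and does not assert what init's or cron's own defaults are.

```python
"""Added example (not from the original post): demonstrates that a process's
umask is inherited across fork() and exec(), which is the init -> spawned
tasks relationship the post asks about, and shows what the inherited value
does to the mode of a file a child creates.  Only inheritance and the mode
arithmetic are demonstrated; the default values used by init or cron are not
asserted here."""
import os
import subprocess
import sys
import tempfile


def child_umask(parent_umask: int) -> int:
    """Set this process's umask, spawn a child interpreter, and return the umask
    the child finds itself running with (umask(0) returns the previous value)."""
    old = os.umask(parent_umask)
    try:
        result = subprocess.run(
            [sys.executable, "-c", "import os; print(os.umask(0))"],
            check=True, capture_output=True, text=True,
        )
    finally:
        os.umask(old)  # restore our own umask whatever happened
    return int(result.stdout.strip())


def mode_created_under(umask: int, requested: int = 0o666) -> int:
    """Create a file asking for `requested` permission bits under `umask`;
    return the permission bits the kernel actually assigned."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            path = os.path.join(workdir, "probe")
            fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested)
            os.close(fd)
            return os.stat(path).st_mode & 0o777
    finally:
        os.umask(old)


def effective_mode(requested: int, umask: int) -> int:
    """The rule the kernel applies on create: requested & ~umask."""
    return requested & ~umask & 0o777


if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o077):
        seen = child_umask(mask)
        made = mode_created_under(mask)
        print(f"umask {mask:04o}: child sees {seen:04o}, a 0666 create gives {made:04o}")
```

The same inheritance is why a daemon started by cron or init with a permissive umask creates world-readable files unless it calls umask() itself; the fix belongs in the service's own startup, not in the parent.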



Re: About audit2allow generated rules

2012-04-28 Thread Min Wang

Hi Russell,
   thanks a lot.

   Another dumb question:

   In Debian lenny there is a polgen package,
   http://packages.debian.org/lenny/polgen

   but in squeeze there is no polgen. Where did it go? I guess I installed all related SELinux packages, but could not find polgen.
   I am assuming polgen is similar to polgengui, but just a command-line version.

http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/





min




On 04/26/2012 09:47 PM, Russell Coker wrote:

On Fri, 27 Apr 2012, Min Wang wrote:


 Just wondering, where is tclass=sock_file defined?
 

In the refpolicy source it is in policy/flask/access_vectors .

   

Basically I have apache mod_tile wanting to access

/var/run/renderd/renderd.sock (from renderd)

ls -lZ /var/run/renderd/
-rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0 renderd.pid
srwxrwxrwx. apache apache system_u:object_r:var_run_t:s0   renderd.sock
-rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0 renderd.stats

  How can I change/define

tclass=sock_file
 

sock_file is the class of the object, other classes include "file" and "dir".
These are not things you change, these are human readable names for things
that are part of the OS.

What you want to do is to have the daemon run as renderd_t and use
renderd_var_run_t as the type for the socket file.

   

 What I want to do is just grant the permission that is needed.
 Or generally, is there a simple way to define/write a policy
that only gives the needed permission (there are some howtos, but they seem
complicated)?
Not just rely on audit2allow to do the magic blindly?
 

As I said before, you can just grant that access and it will work.  But if
renderd is running as root then it is a security risk (I guess that
renderd is running as initrc_t or unconfined_t and is not being restricted by
SE Linux).  Even if renderd is not given excessive privs, it's not ideal
to allow httpd_t access to sock_file:var_run_t due to the possibility of other
daemons being able to create such objects.

   



--
Archive: http://lists.debian.org/4f9c9c60.8010...@gmail.com



Re: About audit2allow generated rules

2012-04-26 Thread Min Wang

Hi Russell,
   thanks a lot. That is really helpful.

   Just wondering, where is tclass=sock_file defined?

   Basically I have apache mod_tile wanting to access

/var/run/renderd/renderd.sock (from renderd)

ls -lZ /var/run/renderd/
-rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0 renderd.pid
srwxrwxrwx. apache apache system_u:object_r:var_run_t:s0   renderd.sock
-rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0 renderd.stats


How can I change/define

tclass=sock_file

   to something like tclass=renderd_sock_file?

or change /var/run/renderd/renderd.sock to something like:
var_run_renderd_t?


   What I want to do is just grant the permission that is needed.
   Or generally, is there a simple way to define/write a policy
that only gives the needed permission (there are some howtos, but they seem
complicated)?

   Not just rely on audit2allow to do the magic blindly?



min

On 04/26/2012 12:00 AM, Russell Coker wrote:

On Thu, 26 Apr 2012, Min Wang wrote:

   I have something in /var/log/audit/audit.log like:

avc:  denied  { write } for  pid=23739 comm="httpd" name="renderd.sock"
dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file


Using audit2allow, it generates something like this:

allow httpd_t var_run_t:sock_file write;


Is the rule too liberal? That means httpd_t can write any var_run_t's
sock_file?
Or did I misunderstand something?

Ideally there should be no sock_file objects with type var_run_t, every Unix
domain socket should have a type which is derived from the domain of the
process which creates it.  So having one such socket is an indication of your
configuration not being ideal.  If you only have one daemon with policy that
allows such sockets then it's probably not a big deal to grant access to
httpd_t.

Think of var_run_t being similar to the nobody UID in this case.  Having
exactly one daemon running as nobody theoretically isn't a security problem,
but having two daemons running with that UID probably is.  The problem is that
people tend not to stop at one, if they have one daemon running in that manner
then they may end up with two (through a repeat of the same choices) - so it's
best to stick with zero!




--
Archive: http://lists.debian.org/4f996fcc.2090...@gmail.com
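The point made in both replies above (a sock_file carrying the catch-all var_run_t is a labelling problem, and the audit2allow rule opens every such object to httpd_t) can be turned into an automatic check on AVC records. The following script is an added example, not code from the thread, from Russell, or from the audit2allow tool: it parses a denial, derives the one-line rule audit2allow would produce, flags it when the target type is generic, and returns a sketch of the narrower alternative using the daemon-specific type name suggested in the thread (renderd_var_run_t). The generic-type list and the .te/.fc text are this example's assumptions about a refpolicy-style module and are not compiled here.

```python
"""Added example (not from the thread): parses AVC denial records like the one
quoted above and checks whether the single-line rule audit2allow would emit
for it grants a domain access to a generic type (var_run_t, tmp_t, ...) that
many unrelated daemons can create objects under.  That is the case the thread
discusses: the narrow fix is to label the socket with a daemon-specific type
and allow only that.  The record is constructed after the thread's; the
generic-type list and the .te/.fc sketch returned by relabel_plan() are this
example's assumptions about a refpolicy-style module, not the thread's or
refpolicy's text, and the sketch is not compiled here."""
from __future__ import annotations
import re

# Constructed after the record quoted in the thread.
SAMPLE_AVC = (
    'avc:  denied  { write } for  pid=23739 comm="httpd" name="renderd.sock" '
    'dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file'
)

# Catch-all types (assumed list): an allow rule against one of these reaches
# every daemon's objects that happen to carry it, not just the one denied.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "tmp_t", "etc_t", "usr_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_avc(record: str) -> dict:
    """Extract permissions, source type, target type and object class."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC denial record")
    # A security context is user:role:type[:range]; the type is the third field.
    return {
        "perms": m["perms"].split(),
        "source_type": m["scontext"].split(":")[2],
        "target_type": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
    }


def _perm_string(perms: list[str]) -> str:
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def naive_allow_rule(d: dict) -> str:
    """The rule audit2allow derives from this one denial."""
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {_perm_string(d['perms'])};"


def is_too_liberal(d: dict) -> bool:
    """True when the target type is a catch-all rather than one daemon's own."""
    return d["target_type"] in GENERIC_TYPES


def relabel_plan(d: dict, daemon: str, path: str) -> str:
    """Sketch of the narrower alternative: give the object a type named after
    the daemon, label the path with it, and allow only that type.  A real
    module would also confine the daemon itself (renderd_t in the thread)."""
    new_type = f"{daemon}_var_run_t"
    perms = _perm_string(d["perms"])
    te = (
        f"module {daemon}_local 1.0;\n"
        f"require {{ type {d['source_type']}; attribute file_type; class {d['tclass']} {perms}; }}\n"
        f"type {new_type};\n"
        f"typeattribute {new_type} file_type;\n"
        f"allow {d['source_type']} {new_type}:{d['tclass']} {perms};\n"
    )
    # .fc line: regex path, -s for a socket, then the context to apply on relabel.
    fc = f"{re.escape(path)} -s gen_context(system_u:object_r:{new_type},s0)\n"
    return f"# {daemon}_local.te\n{te}# {daemon}_local.fc\n{fc}"


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print(naive_allow_rule(d), "<- too liberal" if is_too_liberal(d) else "")
    print(relabel_plan(d, "renderd", "/var/run/renderd/renderd.sock"))
```

Feeding a day's audit.log through `parse_avc` and `is_too_liberal` gives a list of the denials that should be answered with a relabel rather than an allow rule, which is the distinction audit2allow's output alone does not make.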



About audit2allow generated rules

2012-04-25 Thread Min Wang

Hi,
 I have something in /var/log/audit/audit.log like:

avc:  denied  { write } for  pid=23739 comm="httpd" name="renderd.sock"
  dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0
  tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file


Using audit2allow, it generates something like this:

allow httpd_t var_run_t:sock_file write;


Is the rule too liberal? That means httpd_t can write any var_run_t's
sock_file?
Or did I misunderstand something?

Should it only allow httpd_t to write this specific renderd.sock file?
If so, what's the right way to do it?




Thanks.

min


--
Archive: http://lists.debian.org/4f98c4ca.40...@gmail.com



Re: debian 6.0: About ipsec tunnel: outgoing traffic not encrypted

2011-08-03 Thread Min Wang

Hi,
  thanks.
  I used tshark -i eth0 to see the traffic. It was a typo of mine in
the POSTROUTING nat table that caused the issue. After fixing it, all is good.



min

On 08/03/2011 01:57 AM, Yves-Alexis Perez wrote:

On Tue., 2011-08-02 at 14:32 -0400, Min Wang wrote:
   

But it still does NOT use IPsec to send out the outgoing traffic.
 

How exactly are you measuring that?
   



--
Archive: http://lists.debian.org/4e39543f@gmail.com



debian 6.0: About ipsec tunnel: outgoing traffic not encrypted

2011-08-02 Thread Min Wang

Hi

I tried to set up an IPsec tunnel on Debian 6.0, following
http://www.ipsec-howto.org/x304.html  using setkey/racoon

(ipsec-tools/racoon 0.7.3-12)

The diagram is like:

local-gw   remote-gw

a.0/25  ---(a.126, xxx.3)  (yyy.5, b.254) --->b.0/24

The /etc/ipsec-tools.conf  on left side is:

spdadd a.0/25 b.0/24 any -P out ipsec
esp/tunnel/xxx.3-yyy.5/unique;

spdadd b.0/24 a.0/25 any -P in ipsec
esp/tunnel/yyy.5-xxx.3/unique;

The racoon log showed the SA established OK:

INFO: IPsec-SA established: ESP/Tunnel yyy.5[0]->xxx.3[0] spi=217278943(0xcf369df)
IPsec-SA established: ESP/Tunnel xxx.3[500]->yyy.5[500] spi=1868651708(0x6f615cbc)


However, the outgoing traffic from the a.0/25 network seems to go out
without using IPsec. (Incoming traffic from the remote site is OK; tshark
showed that pings from b.0/24 to a.0/25 use ESP.)


according to:  http://ipsec-tools.sourceforge.net/checklist.html

gateway's traffic goes from secure interface
   This could be achieved by routing local traffic via internal
   (secure) interface:
   ip route add other.network/mask via default.gw src
   gateway's.private.addr
   or alternatively, it is possible to set up extra policies for
   gateway-remote_networks, gateway-gateway and local_networks-gateway
   traffic.


So I added
   ip route add b.0/24 via  xxx.3 src a.126

ip route show:
a.0/25 dev eth1  proto kernel  scope link  src a.126
b.0/24 via xxx.3 dev eth0  src a.126
default via xxx.1 dev eth0


  But it still does NOT use IPsec to send out the outgoing traffic.


   What could be wrong?




thanks


Min
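The SPD entries and the `src a.126` route in this post interact in a way that is easy to model: an `out` policy only catches packets whose source is inside a.0/25 and whose destination is inside b.0/24, so anything the gateway sends from its public address matches nothing and leaves unencrypted. The script below is an added example, not code from the post, its author, or ipsec-tools; the concrete addresses are constructed stand-ins for the post's a.*, b.*, xxx.* and yyy.* placeholders, and the route table is a simplified model of `ip route ... src`.

```python
"""Added example (not from the original post): a model of how the two setkey
SPD entries in the post select traffic.  The 'out' policy applies only when a
packet's source is inside a.0/25 and its destination inside b.0/24; anything
the gateway sends from its public address xxx.3 matches no entry and leaves
in the clear, which is why the checklist quoted in the post routes
gateway-originated traffic with `src a.126`.  The concrete addresses are
constructed stand-ins for the post's a.*, b.*, xxx.* and yyy.* placeholders,
and the route table model is this example's simplification."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the post's placeholders.
A_NET, A_GW = "10.1.1.0/25", "10.1.1.126"        # a.0/25 and a.126 (secure side)
B_NET = "10.2.2.0/24"                            # b.0/24 (remote network)
XXX_3 = "198.51.100.3"                           # local public endpoint
YYY_5 = "203.0.113.5"                            # remote public endpoint


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str              # "in" or "out", as in `-P out ipsec`
    tunnel: tuple[str, str]     # (local, remote) endpoints of esp/tunnel/LOCAL-REMOTE


def spdadd(src: str, dst: str, direction: str, local: str, remote: str) -> SpdEntry:
    """Mirror of `spdadd SRC DST any -P DIR ipsec esp/tunnel/LOCAL-REMOTE/unique;`."""
    return SpdEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst), direction, (local, remote))


# The two entries from the post's /etc/ipsec-tools.conf.
SPD = [
    spdadd(A_NET, B_NET, "out", XXX_3, YYY_5),
    spdadd(B_NET, A_NET, "in", YYY_5, XXX_3),
]


def spd_lookup(spd: list[SpdEntry], src_ip: str, dst_ip: str, direction: str) -> SpdEntry | None:
    """First entry whose selector contains the flow, or None (no IPsec applied)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in spd:
        if entry.direction == direction and s in entry.src and d in entry.dst:
            return entry
    return None


def will_be_encrypted(spd: list[SpdEntry], src_ip: str, dst_ip: str) -> bool:
    return spd_lookup(spd, src_ip, dst_ip, "out") is not None


# Route table model: (prefix, preferred source address); longest prefix wins.
ROUTES_WITHOUT_SRC = [("0.0.0.0/0", XXX_3), (A_NET, A_GW)]
# After `ip route add b.0/24 via xxx.3 src a.126`:
ROUTES_WITH_SRC = ROUTES_WITHOUT_SRC + [(B_NET, A_GW)]


def chosen_source(routes: list[tuple[str, str]], dst_ip: str) -> str:
    """Source address the gateway itself picks for locally generated traffic."""
    d = ipaddress.ip_address(dst_ip)
    matching = [(ipaddress.ip_network(p), src) for p, src in routes if d in ipaddress.ip_network(p)]
    return max(matching, key=lambda item: item[0].prefixlen)[1]


def gateway_flow_encrypted(routes: list[tuple[str, str]], dst_ip: str) -> bool:
    """Whether a packet the gateway originates to dst_ip hits the out policy."""
    return will_be_encrypted(SPD, chosen_source(routes, dst_ip), dst_ip)


if __name__ == "__main__":
    for label, routes in (("without src", ROUTES_WITHOUT_SRC), ("with src", ROUTES_WITH_SRC)):
        print(f"{label}: gateway -> b.0/24 uses {chosen_source(routes, '10.2.2.7')},"
              f" encrypted={gateway_flow_encrypted(routes, '10.2.2.7')}")
```

The same selector test is the first thing to apply when outgoing traffic bypasses the tunnel: whatever source and destination the packet carries at the moment the policy is evaluated must fall inside the `spdadd` selector, so any rewrite of those addresses on the way out (the post's NAT typo being one case) is worth checking against it.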



Re: Number of apache2 process > MaxClients ?

2010-10-29 Thread Min Wang



# prefork MPM

StartServers 5
MinSpareServers  5
MaxSpareServers 10
MaxClients  30
MaxRequestsPerChild  0




My "/etc/apache2/apache2.conf" (on Lenny) contains this section:



So maybe you should try adjusting the IfModule argument?

The Apache page [1] also lists "mpm_prefork_module" under "module
identifier".


1. http://httpd.apache.org/docs/2.0/mod/prefork.html


  

Hi:

  Thanks for pointing it out.

  That old apache2.conf may date back to 2004. While upgrading, this
config file was kept.


  Anyway, I updated it to use the new style of apache2.conf. Let's see if it
works :)





--

Kind regards / Mit freundlichen Grüßen

Min Wang




--
Archive: http://lists.debian.org/4ccb044e.4060...@gmail.com



Number of apache2 process > MaxClients ?

2010-10-29 Thread Min Wang

Hi

I have apache2.conf using prefork with MaxClients set to 30 (on Lenny),

but on the system I saw more than 100 apache2 processes.

Isn't MaxClients supposed to limit the total number of apache2 processes to 30?

Could something be wrong / a security issue?


# pstree

init-+-apache2-+-94*[apache2---{apache2}]
     |         `-7*[apache2]


/etc/apache2.conf

# prefork MPM

StartServers 5
MinSpareServers  5
MaxSpareServers 10
MaxClients  30
MaxRequestsPerChild  0



Thanks

--

Kind regards 


Min Wang





--
Archive: http://lists.debian.org/4ccaf11b.9010...@gmail.com
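Both the question (100+ processes against MaxClients 30) and the reply (the `<IfModule>` argument may not match the running MPM) can be checked mechanically. The script below is an added example, not code from the thread or its participants: it counts processes from pstree's `N*[name]` notation and reads MaxClients from a configuration fragment only when the surrounding `<IfModule>` guard names a module the server actually has. The pstree text is constructed from the output in the thread, and the two configuration fragments assume the `prefork.c` and `mpm_prefork_module` guards the reply mentions.

```python
"""Added example (not from the thread): two checks for the situation reported
above.  count_processes() parses pstree's `N*[name]` notation to count apache2
processes (threads shown in {braces} are not processes), and
effective_max_clients() reads MaxClients from an apache2.conf fragment only
when it sits inside an <IfModule> block whose argument names a module the
server actually has, which is the mismatch the reply points at: a prefork
section guarded by a name the running server does not recognise is silently
ignored.  The pstree text is constructed from the thread's output; the
configuration fragments assume the <IfModule> guards the thread mentions."""
from __future__ import annotations
import re

# Constructed from the pstree output in the thread.
PSTREE = """\
init-+-apache2-+-94*[apache2---{apache2}]
     |         `-7*[apache2]
"""

CONF_OLD_STYLE = """\
<IfModule prefork.c>
StartServers 5
MinSpareServers  5
MaxSpareServers 10
MaxClients  30
MaxRequestsPerChild  0
</IfModule>
"""
CONF_NEW_STYLE = CONF_OLD_STYLE.replace("prefork.c", "mpm_prefork_module")

IFMODULE_RE = re.compile(r"<IfModule\s+(!?)([^\s>]+)\s*>(.*?)</IfModule>", re.S | re.I)


def count_processes(pstree_text: str, name: str = "apache2") -> int:
    """Total processes named `name`, expanding pstree's N*[...] groups."""
    flat = re.sub(r"\{[^}]*\}", "", pstree_text)          # drop thread markers
    total = 0
    for m in re.finditer(r"(?:(\d+)\*\[)?" + re.escape(name) + r"\b", flat):
        total += int(m.group(1)) if m.group(1) else 1
    return total


def effective_max_clients(conf: str, known_modules: set[str]) -> int | None:
    """MaxClients the server would apply, honouring <IfModule X> / <IfModule !X>
    guards; None when no applicable directive sets it (the built-in default
    then governs)."""
    value: int | None = None

    def scan(body: str) -> None:
        nonlocal value
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0].lower() == "maxclients":
                value = int(parts[1])

    scan(IFMODULE_RE.sub("", conf))            # unguarded directives always apply
    for negate, module, body in IFMODULE_RE.findall(conf):
        if (module in known_modules) != bool(negate):
            scan(body)
    return value


def over_limit(pstree_text: str, conf: str, known_modules: set[str]) -> bool:
    """True when running apache2 processes exceed the limit actually in force
    (one parent plus MaxClients children), or when no limit is in force."""
    limit = effective_max_clients(conf, known_modules)
    return limit is None or count_processes(pstree_text) > limit + 1


if __name__ == "__main__":
    mods = {"mpm_prefork_module"}
    print("processes:", count_processes(PSTREE))
    for label, conf in (("old-style guard", CONF_OLD_STYLE), ("new-style guard", CONF_NEW_STYLE)):
        print(f"{label}: MaxClients in force = {effective_max_clients(conf, mods)},"
              f" over limit = {over_limit(PSTREE, conf, mods)}")
```

Apache accepts either the module identifier or the module's source file name as the `<IfModule>` argument, so pass both spellings the server reports to `known_modules`; the point of the check is that a guard the server does not match leaves the MPM running on its built-in MaxClients default (256 for prefork) instead of the 30 the administrator believes is set.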



Re: About how to protect network resources in LDAP environment?

2010-08-31 Thread Min Wang

Hi

Thank you all!

I am trying to set up a test Kerberos/NFSv4 server.

(1) Is it production ready on Debian Lenny?
While trying to configure/set it up, it seems I sometimes got kernel
errors with 2.6.26-2-686 #1 SMP;

see the error log at the end.

(2) Questions regarding ktadd keytab:

kadmin: addprinc -randkey nfs/myclient.mydomain
kadmin: ktadd nfs/myclient.mydomain

  addprinc adds some private keys for services to the Kerberos DB, as I
understand it.

  Why/where/on which hosts do we need this keytab?
  What's the relationship between the data in the DB and the data in the keytab?
  Are they the same private-key data?




/// error log
Aug 30 11:48:49 debian-lenny-clone1 kernel: [248050.911934] NFSD: 
starting 90-second grace period
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.948376] 
[ cut here ]
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.948985] kernel BUG 
at include/linux/module.h:386!
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.949280] invalid 
opcode:  [#1] SMP
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.949553] Modules 
linked in: rpcsec_gss_krb5 nfs nfsd lockd nfs_acl auth_rpcgss sunrpc 
exportfs ipv6 loop snd_pcsp snd_pcm snd_timer serio_raw snd soundcore 
i2c_piix4 snd_page_alloc psmouse i2c_core evdev ext3 jbd mbcache 
ide_disk ide_cd_mod cdrom ide_pci_generic piix ide_core ata_generic 
uhci_hcd libata ne2k_pci usbcore floppy 8390 scsi_mod dock thermal 
processor fan thermal_sys [last unloaded: scsi_wait_scan]

Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] Pid: 5001, 
comm: nfsd Not tainted (2.6.26-2-686 #1)
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] EIP: 
0060:[] EFLAGS: 0246 CPU: 0
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] EIP is at 
svc_recv+0x38d/0x64a [sunrpc]
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] EAX: 
 EBX: d0a57d40 ECX: d0a57d40 EDX: 0100
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] ESI: 
cec2b000 EDI: c15bbf9c EBP: ccf3e000 ESP: c15bbf8c
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]  DS: 007b 
ES: 007b FS: 00d8 GS:  SS: 0068
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] Process nfsd 
(pid: 5001, ti=c15ba000 task=c3a3aae0 task.ti=c15ba000)
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] Stack: 
000dbba0 cfa7c000 cfa642e0 cec09960  c3a3aae0 c011b73c 00100100
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]
00200200 cf42a260 d0a76b0f  ccf3e000 d0a5d696 feff 
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]
fef8  d0a5d5c0    c01044f7 ccf3e000

Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] Call Trace:
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]  
[] default_wake_function+0x0/0x8
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]  
[] nfsd+0xd6/0x268 [nfsd]
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]  
[] nfsd+0x0/0x268 [nfsd]
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]  
[] kernel_thread_helper+0x7/0x10
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170]  
===
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] Code: 01 00 
00 8b 44 24 04 8b 50 04 ff 52 04 85 c0 89 c6 0f 84 25 01 00 00 8b 00 8b 
58 04 85 db 74 1f 89 d8 e8 b8 8a 6f ef 85 c0 75 04 <0f> 0b eb fe 64 a1 
04 40 3b c0 c1 e0 05 ff 84 18 00 01 00 00 8b
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.952170] EIP: 
[] svc_recv+0x38d/0x64a [sunrpc] SS:ESP 0068:c15bbf8c
Aug 30 11:49:49 debian-lenny-clone1 kernel: [248110.975160] ---[ end 
trace 18acc2f34cea2d1d ]---




Thanks.

--

Kind Regards

Min Wang


--
Archive: http://lists.debian.org/4c7d590e.2040...@gmail.com



Re: About how to protect network resources in LDAP environment?

2010-08-27 Thread Min Wang

Roberto De Oliveira wrote:

2010/8/27 Min Wang :
  

Hi

thanks.

I guess root_squash is to prevent local root from rm-ing /home/user2 on the NFS
server.
(root_squash is the default in /etc/exports?)
But it cannot prevent a user doing su - user2 and then doing damage.


Kind regards

Min Wang




The big problem is the root user because he is "The Lord Of The
System"; maybe you will find some help with sudo-ldap instead of giving all
rights with the root account.

  

Hi

Yes, isn't this root supposed to be the "Lord of its own system", not
Lord of other networked hosts/resources? :)


I know with sudo etc. we can limit the root account, but users seem to
prefer to have the power of root on their own PC.



Kind regards

Min Wang





--
Archive: http://lists.debian.org/4c77f713.6030...@gmail.com



Re: About how to protect network resources in LDAP environment?

2010-08-27 Thread Min Wang

Zaar Hai wrote:

On Fri, Aug 27, 2010 at 7:06 PM, Min Wang wrote:
  

user1 can log in as local root on Linux PC1.
Even as root, user1 cannot rm /home/user2,
but he can su - user2 on Linux PC1 and then rm something.


You need NFS4 with GSSAPI. This way, to access someone's files you need
the appropriate (his) credentials from the KDC (which will be hosted near
your LDAP server).

  

Hi
thanks. I'm totally a newbie to nfs4/gssapi/kerberos.

(1) Does this approach

prevent user1 -> root (su ->) user2?

(2) Or do we need to change to using Kerberos instead of LDAP/PAM?

(3) And in the kerberized environment, can the local root su to the
networked user2?




kind regards

Min Wang


--
Archive: http://lists.debian.org/4c77f5ca.6030...@gmail.com



Re: About how to protect network resources in LDAP environment?

2010-08-27 Thread Min Wang

Hi

thanks.

I guess root_squash is to prevent local root from rm-ing /home/user2 on the NFS
server.

(root_squash is the default in /etc/exports?)
But it cannot prevent a user doing su - user2 and then doing damage.


Kind regards

Min Wang


Yuan Ho wrote:

Hello,

Have you tried root_squash (export option)?

Regards,
Yuan G. Ho



On Fri, Aug 27, 2010 at 11:06 AM, Min Wang wrote:


Hi Security Gurus:

I have the following setup:

Multiple Linux PCs use OpenLDAP to authenticate, and mount /home from an
NFS server

The goals are:
(1) Users have their own root password on their own Linux PC, and can
do whatever they want on their own Linux PC,
(2) but cannot damage any other network resources, e.g. rm
files on the NFS server.

The issue is:

e.g:
on NFS server, there are: /home/user1, /home/user2 etc
user1 has root pw on its own Linux PC1,
user2 has root pw on its own Linux PC2

user1 can log in as local root on Linux PC1.
Even as root, user1 cannot rm /home/user2,
but he can su - user2 on Linux PC1 and then rm something.


Any idea how to do this without giving up (1)?


Thanks


Sincerely

    Min Wang


--
Archive: http://lists.debian.org/4c77ed98.5030...@gmail.com



About how to protect network resources in LDAP environment?

2010-08-27 Thread Min Wang

Hi Security Gurus:

I have the following setup:

Multiple Linux PCs use OpenLDAP to authenticate, and mount /home from an NFS
server


The goals are:
(1) Users have their own root password on their own Linux PC, and can do
whatever they want on their own Linux PC,
(2) but cannot damage any other network resources, e.g. rm files
on the NFS server.


The issue is:

e.g.:
on the NFS server, there are /home/user1, /home/user2, etc.
user1 has the root password on his own Linux PC1,
user2 has the root password on his own Linux PC2

user1 can log in as local root on Linux PC1.
Even as root, user1 cannot rm /home/user2,
but he can su - user2 on Linux PC1 and then rm something.


Any idea how to do this without giving up (1)?


Thanks


Sincerely

Min Wang


--
Archive: http://lists.debian.org/4c77e29a.70...@gmail.com