Re: Question about Debian security policy
> Hi everybody. I hope this question won't be too stupid. When I perform a standard installation (i.e. minimal), the installer installs many servers, and launches them (like portmap, ssh, exim, etc). Why? I think that OpenBSD and FreeBSD, for example, don't launch any daemon at all, or at least prompt you before doing that. There must be a reason, but I don't see it (I'm not a networking/security guru, so please forgive me if the answer is obvious).

I think you'll find OpenBSD launches at least sshd and sendmail in the default install (although sendmail only listens on the loopback interface by default).

I've always wondered about portmap in Debian myself - I presume it's to do with NFS. Perhaps it has to be part of the base system to support network installs.

-- 
Paul Haesler [EMAIL PROTECTED]
Neutrons are wormholes. And if Blanca's dead clone was right, the Transmuters had all the degrees of freedom they could need to make Swift's neutrons unique.
- Yatima, in Greg Egan's Diaspora.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
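The practical follow-up to "the installer started a lot of daemons" is to find out what is actually listening. The program below is an added example, not code from the list thread: it decodes the kernel's /proc/net/tcp table directly (state 0A is LISTEN, addresses are little-endian hex on x86) and flags sockets bound to all interfaces rather than loopback, which is the distinction the OpenBSD/sendmail remark above turns on. The sample table embedded in the block is constructed; main() reads the real file when it exists.

```c
/* Added example (not from the list post): decode /proc/net/tcp to find
 * listening TCP sockets. The sample text below is constructed; main()
 * reads the real file when it exists. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_LISTEN 0x0A          /* kernel state code for LISTEN in /proc/net/tcp */

struct sock_entry {
    uint32_t addr;               /* local IPv4 address in conventional byte order */
    unsigned int port;           /* local port */
    unsigned int state;          /* TCP state code */
    unsigned int uid;            /* uid owning the socket */
};

/* Parse one data line of /proc/net/tcp. Returns 1 on success, 0 for the
 * header line or malformed input. The address field is a little-endian hex
 * dump on x86, so the bytes are reversed to get dotted-quad order. */
int parse_proc_net_tcp(const char *line, struct sock_entry *out) {
    unsigned int sl, a, p, ra, rp, st, uid;
    unsigned long txq, rxq, tr, when, retr;
    int n = sscanf(line, " %u: %8x:%4x %8x:%4x %2x %8lx:%8lx %2lx:%8lx %8lx %u",
                   &sl, &a, &p, &ra, &rp, &st, &txq, &rxq, &tr, &when, &retr, &uid);
    if (n != 12) return 0;
    out->addr = ((a & 0xffu) << 24) | ((a & 0xff00u) << 8) | ((a >> 8) & 0xff00u) | (a >> 24);
    out->port = p;
    out->state = st;
    out->uid = uid;
    return 1;
}

/* 1 if the socket is bound to every interface (0.0.0.0) rather than one address. */
int is_wildcard_bind(uint32_t addr) { return addr == 0; }

/* Walk a buffer of /proc/net/tcp text and collect LISTEN entries into out[].
 * Returns how many were stored (at most max). */
int collect_listeners(const char *text, struct sock_entry *out, int max) {
    int count = 0;
    const char *p = text;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct sock_entry e;
        if (parse_proc_net_tcp(line, &e) && e.state == TCP_LISTEN) out[count++] = e;
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample: an sshd on all interfaces (port 22, uid 0), an MTA on
 * loopback only (port 25), and one established connection that must be skipped. */
static const char SAMPLE_PROC_NET_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     8        0 1235 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0100007F:8A2C 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 20 0 0 10 -1\n";

/* Accessors over the constructed sample, handy for checking the parser. */
int sample_listener_count(void) {
    struct sock_entry e[8];
    return collect_listeners(SAMPLE_PROC_NET_TCP, e, 8);
}
unsigned int sample_listener_port(int i) {
    struct sock_entry e[8];
    collect_listeners(SAMPLE_PROC_NET_TCP, e, 8);
    return e[i].port;
}
uint32_t sample_listener_addr(int i) {
    struct sock_entry e[8];
    collect_listeners(SAMPLE_PROC_NET_TCP, e, 8);
    return e[i].addr;
}

int main(void) {
    struct sock_entry found[64];
    int n;
    FILE *f = fopen("/proc/net/tcp", "r");
    if (f) {
        static char buf[65536];
        size_t got = fread(buf, 1, sizeof buf - 1, f);
        buf[got] = '\0';
        fclose(f);
        n = collect_listeners(buf, found, 64);
    } else {
        n = collect_listeners(SAMPLE_PROC_NET_TCP, found, 64);
    }
    for (int i = 0; i < n; i++)
        printf("%u.%u.%u.%u:%u uid=%u%s\n", found[i].addr >> 24, (found[i].addr >> 16) & 0xff,
               (found[i].addr >> 8) & 0xff, found[i].addr & 0xff, found[i].port, found[i].uid,
               is_wildcard_bind(found[i].addr) ? "  (all interfaces)" : "");
    return 0;
}
```

On a freshly installed box, anything reported with "(all interfaces)" is a service the network can reach; the loopback-only entries are the sendmail-style case the post mentions.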
security.debian.org
FTP server on security.debian.org down?

[EMAIL PROTECTED] ~] date -u
Thu Aug 29 18:32:02 UTC 2002
[EMAIL PROTECTED] ~] ftp security.debian.org
ftp: connect: Connection refused
ftp> quit
[EMAIL PROTECTED] ~] ping security.debian.org
PING security.debian.org (130.89.175.34): 56 data bytes
64 bytes from 130.89.175.34: icmp_seq=0 ttl=235 time=478.3 ms
64 bytes from 130.89.175.34: icmp_seq=1 ttl=235 time=488.2 ms

--- security.debian.org ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 478.3/483.2/488.2 ms
[EMAIL PROTECTED] ~]

-- 
Paul Haesler [EMAIL PROTECTED]
Re: security.debian.org
Yep - back up now. Must have hit it at a bad time. :)

> It's working from Vietnam... May be some filter in your network?

-- 
Paul Haesler [EMAIL PROTECTED]
Re: DSA-134-1
Previously Anthony DeRobertis wrote:
> $VENDOR says it's broken
> $VENDOR won't provide details
> $VENDOR says upgrade two minor releases
> $VENDOR says upgrading doesn't actually fix the problem
> $VENDOR says upgrading will break things
> Woody security update comes out before potato one.

Lovely situation, isn't it? Doesn't OpenBSD have a full-disclosure policy anyway?

-- 
Paul Haesler [EMAIL PROTECTED] ICQ: 124547085
Re: Updated Apache packages for testing?
Updated packages for testing/woody are up. I ran apt-get this morning and there they were. :)

> I'm worried about the serious bug found in Apache recently. Debian currently has only provided a patch for the stable version. Does anybody know where I can get preliminary packages or something like that of apache 1.3.26? I have been trying to patch a source deb from the 1.3.24-3, but I have some problems.
>
> 1.3.24-3 is vulnerable, isn't it? (And exploits for i386 machines are starting to fly around :( )
>
> Thanks
>
> --
> Guillermo Pérez -=] 22/06/2002 [=- bisho@ ( onirica.com | eurielec.etsit.upm.es )
> Onírica: Custom software development

-- 
Paul Haesler [EMAIL PROTECTED]
Re: How can I change my domainname on my server
You'll want to edit /etc/resolv.conf too.

> On Thu, 10 Jan 2002 02:02:00 +1300 (NZDT) Patrick Mackey [EMAIL PROTECTED] wrote:
>
> Edit '/etc/hostname' to reflect the change. Then run:
>
>     hostname -F /etc/hostname
>
> That should do it. You might also want to edit /etc/mailname.
>
> --
> David Barclay Harris, Clan Barclay
> Aut agere, aut mori. Either action, or death.

-- 
Paul Haesler [EMAIL PROTECTED] ICQ: 124547085
Re: MTAs
> > mail's privileges so giving mail access to any necessary directories is enough for exim to function - unless there are issues with the permissions of /var/spool/mail/<insert your favourite username here>.
> >
> > Now another question: are there?
>
> As long as /var/spool/mail/* is writable/owned by the 'mail' user I do not see a problem here. Also check /var/spool/mqueue... if also using outgoing e-mail.

Well, let's try it, shall we:

[paul@marge ~] cd /usr/sbin
[paul@marge sbin] su
Password:
[marge /usr/sbin]# ls -l exim
-rwsr-xr-x 1 root mail 430740 Jun 9 07:21 exim
[marge /usr/sbin]# chmod 2755 exim
[marge /usr/sbin]# ls -l exim
-rwxr-sr-x 1 root mail 430740 Jun 9 07:21 exim
[marge /usr/sbin]# exit
exit
[paul@marge sbin] mail paul
Subject: Test
Does this work?
.
Cc:
[paul@marge sbin]
2001-11-21 22:41:42 166Vl8-00017q-00 <= [EMAIL PROTECTED] U=paul P=local S=327
2001-11-21 22:41:42 166Vl8-00017q-00 Unable to get root to set uid and gid for local delivery to paul: uid=1000 euid=1000
2001-11-21 22:41:42 166Vl8-00017q-00 Unable to get root to set uid and gid for local delivery to paul: uid=1000 euid=1000

It appears there is a problem, although arguably in the implementation. Source code anyone?

-- 
Paul Haesler [EMAIL PROTECTED] ICQ: 124547085
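The log line in the experiment above ("Unable to get root to set uid and gid for local delivery ... uid=1000 euid=1000") is the kernel rule showing through: only a process with effective uid 0 may become an arbitrary uid/gid, so a binary that is setgid mail but no longer setuid root cannot switch to the recipient for delivery. The block below is an added example, not exim's code or anything from the thread: a sketch of that identity switch with the policy check factored out, the set*id() calls in the order that makes the drop irrevocable, and a verification step afterwards. All function and enum names are hypothetical.

```c
/* Added example, not code from the list thread: the privilege switch a
 * local-delivery agent performs, with the check that exim's log message
 * reports failing. All names here are hypothetical. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result {
    DROP_OK = 0,          /* now running as the target identity, root not regainable */
    DROP_NOT_ROOT = 1,    /* euid != 0: the kernel will refuse setuid()/setgid() */
    DROP_FAILED = 2,      /* a set*id() call returned an error */
    DROP_INCOMPLETE = 3   /* ids did not end up where expected, or root came back */
};

/* Pure policy check (no syscalls): only a process with effective uid 0 may
 * become an arbitrary uid/gid. Without root the only identity it can
 * "switch" to is the one it already holds. A setgid-mail, non-setuid-root
 * MTA delivering to user paul fails exactly here. */
int can_switch_identity(uid_t euid, uid_t cur_uid, gid_t cur_gid,
                        uid_t target_uid, gid_t target_gid) {
    if (euid == 0) return 1;
    return cur_uid == target_uid && cur_gid == target_gid;
}

/* Irrevocably become target_uid/target_gid. Order matters: supplementary
 * groups and gid first (they need root), uid last (after which root is gone). */
enum drop_result drop_to_identity(uid_t target_uid, gid_t target_gid) {
    if (!can_switch_identity(geteuid(), getuid(), getgid(), target_uid, target_gid))
        return DROP_NOT_ROOT;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* clear supplementary groups */
        return DROP_FAILED;
    if (setgid(target_gid) != 0) return DROP_FAILED;
    if (setuid(target_uid) != 0) return DROP_FAILED;

    /* Verify every id actually changed; a silent partial drop is worse than an error. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid)
        return DROP_INCOMPLETE;
    /* A correct drop from root must be irrevocable: regaining uid 0 must fail. */
    if (target_uid != 0 && setuid(0) == 0) return DROP_INCOMPLETE;
    return DROP_OK;
}

int main(void) {
    uid_t me = getuid();
    /* Try to "deliver to someone else" (constructed uids), mirroring the exim log. */
    uid_t other = (me == 1000) ? 1001 : 1000;
    enum drop_result r = drop_to_identity(other, getgid());
    if (r == DROP_NOT_ROOT)
        printf("Unable to set uid and gid for local delivery: uid=%u euid=%u\n",
               (unsigned)getuid(), (unsigned)geteuid());
    else
        printf("drop_to_identity(%u) -> %d\n", (unsigned)other, (int)r);
    return 0;
}
```

Run as an ordinary user it prints the same kind of refusal exim logged; run as root it drops to the other uid and confirms that root cannot be regained, which is the property a setuid-root MTA relies on after delivery.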
Re: MTAs
> it is a Good Thing to have an MTA which does not run as root. I found the argument persuasive, and happily installed postfix. I do miss one thing from exim, however.

Default Debian installation of exim runs as mail:

[paul@marge procmail] grep exim /etc/inetd.conf
smtp    stream  tcp     nowait  mail    /usr/sbin/exim exim -bs

And let me just say that exim rocks.

-- 
Paul Haesler [EMAIL PROTECTED] ICQ: 124547085
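The grep above shows where inetd's per-service user field decides what an MTA runs as. The block below is an added example, not from the post: a small audit of inetd.conf text that extracts that fifth field (stripping an optional ".group" or ":group" suffix, and tolerating the "nowait.N" rate form) and counts the services inetd would start as root. The exim line is the one quoted in the post; the other sample lines are constructed.

```c
/* Added example, not from the list post: report which inetd.conf services
 * run as root. Sample lines are constructed except the exim line from the post. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the user field (5th whitespace-separated field) of an inetd.conf
 * service line into user[ulen], dropping an optional ".group"/":group"
 * suffix. Returns 1 for a service entry, 0 for comments, blank lines or
 * lines with too few fields. */
int inetd_entry_user(const char *line, char *user, size_t ulen) {
    const char *p = line;
    int field = 0;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n' || *p == '#') return 0;
    while (*p) {
        const char *start = p;                         /* start of a field */
        while (*p && !isspace((unsigned char)*p)) p++;
        field++;
        if (field == 5) {
            size_t len = (size_t)(p - start), cut = 0;
            while (cut < len && start[cut] != '.' && start[cut] != ':') cut++;
            if (cut == 0 || cut >= ulen) return 0;
            memcpy(user, start, cut);
            user[cut] = '\0';
            return 1;
        }
        while (*p && isspace((unsigned char)*p)) p++;
    }
    return 0;
}

/* 1 if the service runs as root, 0 if as another user, -1 if not a service entry. */
int inetd_runs_as_root(const char *line) {
    char user[64];
    if (!inetd_entry_user(line, user, sizeof user)) return -1;
    return strcmp(user, "root") == 0;
}

/* Count root services in a whole file's worth of text (lines separated by \n). */
int inetd_count_root(const char *text) {
    int count = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (inetd_runs_as_root(line) == 1) count++;
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample file: one comment, the exim line from the post (runs as
 * mail), and two entries that would run as root. */
static const char SAMPLE_INETD_CONF[] =
    "# /etc/inetd.conf: see inetd(8) for further informations.\n"
    "smtp    stream  tcp     nowait  mail    /usr/sbin/exim exim -bs\n"
    "ftp     stream  tcp     nowait  root    /usr/sbin/tcpd in.ftpd\n"
    "\n"
    "daytime stream  tcp     nowait.40 root.root internal\n";

int main(void) {
    printf("root services in sample: %d\n", inetd_count_root(SAMPLE_INETD_CONF));
    return 0;
}
```

Pointed at a real /etc/inetd.conf the same functions give a quick list of what still needs root, which is the comparison the postfix-versus-exim argument above is really about.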
Re: Does Debian need to enforce a better Security policy for packages?
> > The alternative is the ostrich method of security management.
>
> What's that kind of method? I never heard about that name.

It was once a widespread belief that the ostrich's method of hiding from predators was to bury its head in the sand. This is obviously untrue, but the concept has worked its way into the English language. It's an idiom for dealing with problems by pretending they aren't there.

I don't feel the metaphor was particularly valid in this case however.

> If you want an audited O/S, use OpenBSD, but be prepared for a very small distribution by Debian standards.

And even OpenBSD don't audit every single line of code in every package - they audit every critical software component. That word critical wouldn't be there if it didn't mean something.

-- 
Paul Haesler [EMAIL PROTECTED] ICQ: 124547085
Re: How to write a secure C program..
> Besides not passing those arguments to printf( ), which C/C++ function(s) should I take extra care while using?

All of them.

No, seriously.

Paul Haesler [EMAIL PROTECTED] icq: 74142604
"We are the Steely-Pips and we have no fear, no spats in our vats, no rules, no schools, no gloom, no evil influence of the moon, for we have a machine, a dream of a machine, with springs and gears and perfect in every respect." Stanislaw Lem, The Cyberiad (Trurl's Prescription)
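The one concrete rule the question alludes to, "don't pass those arguments to printf()", comes down to never letting untrusted text act as the format string, because the format decides how many arguments are read off the stack. The block below is an added example, not from the thread: a format-string argument counter of the kind a reviewer (or a compiler's -Wformat check) uses to confirm that every call site supplies exactly the arguments its format consumes, plus the hardened logging pattern where untrusted data only ever travels as a "%s" argument. Function names are hypothetical.

```c
/* Added example, not from the list post: count the arguments a printf-style
 * format consumes, and show the hardened way to log untrusted text. */
#include <stdio.h>
#include <string.h>

/* Returns the number of variadic arguments `fmt` consumes, or -1 if the
 * format is malformed (a '%' with no conversion character). '*' widths and
 * precisions each consume an argument; "%%" consumes none. */
int format_arg_count(const char *fmt) {
    int args = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                         /* literal percent */
        while (*p && strchr("-+ #0", *p)) p++;           /* flags */
        if (*p == '*') { args++; p++; }                  /* width taken from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                 /* precision */
            p++;
            if (*p == '*') { args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;         /* length modifiers */
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p)) return -1;
        args++;                                          /* the conversion itself */
    }
    return args;
}

/* Audit helper: does a call site's argument count match its (literal) format? */
int format_call_matches(const char *fmt, int supplied_args) {
    int needed = format_arg_count(fmt);
    return needed >= 0 && needed == supplied_args;
}

/* Hardened pattern: untrusted text goes in as an argument, never as the
 * format, so its content cannot change how many arguments are consumed.
 * Returns the number of characters written, as fprintf does. */
int log_untrusted(FILE *out, const char *untrusted) {
    return fprintf(out, "client said: %s\n", untrusted);
}

int main(void) {
    /* Constructed input that looks like a format string. */
    const char *from_network = "%s%s%s%n";
    log_untrusted(stdout, from_network);
    printf("\"%s\" would consume %d argument(s) if used as a format\n",
           from_network, format_arg_count(from_network));
    return 0;
}
```

The counter is the check a compiler performs only when the format is a literal; once the format comes from data, no tool can verify it, which is why the hardened helper keeps the literal on the call side and the data on the argument side.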
Re: Packet filtering help
I went to a talk by Paul "Rusty" Russell (who maintains the firewalling code in the Linux kernel) last year. Now I don't have my notes with me so I'm just going by my highly fallible memory here, but Rusty definitely said that blocking ICMP was evil and anti-social. I can't remember the exact reason, but I think it was something like: on very high latency links (like say between Europe and Australia on a bad day) TCP connections can use ICMP packets to verify that a host is still available before timing out (not all TCP implementations actually do this, but according to the RFC they can, and you should let them).

Please don't flame me if I have got this hopelessly garbled. :)

> On Mon, Apr 09, 2001 at 03:20:00PM -0400, Noah L. Meyerhans wrote:
> > Ask yourself this: *Why* should ICMP be filtered? What are you gaining? Do you sleep better at night knowing that your machine won't respond to pings? It really doesn't make you any safer.
>
> What are you gaining by responding to them? A decent policy is to drop everything you don't need to respond to. Now, if you need to reply to pings, etc. for debugging purposes, or for availability monitoring, etc. then that is a valid reason.
>
> > I don't feel like you gain any security by DENYing connections or by filtering ICMP.
>
> You do gain some "security through obscurity." Depending on how much you value this contributes to your subsequent choice. For instance, many script kiddies will not scan your entire box if you are undetected by a ping sweep. Granted, if you have other vulnerabilities that you are hiding then you have bigger problems. But it can buy you some time at least.
>
> I'm sure this is a perfectly flammable post, so discussion is encouraged. ;)

-- 
Paul Haesler [EMAIL PROTECTED]
Quidquid latine dictum sit, altum viditur
Re: Proposal
All,

Carlos wrote:
> Sorry to disturb you all, but I am not too interested in the huge threads that have appeared in debian-security lately. I subscribed to this list mostly to get noticed of security problems in the distribution itself, and it seems like people are using it to get answers now (like debian-user focused on security).
>
> Perhaps the listmaster could create debian-security-announce, as a moderated, security announcements-focused list, and leave debian-security for general discussion?
>
> Thanks.

Gee, that sounds like a good idea. In fact, SUCH a good idea that it's been implemented for years.

Seriously though, if there is anybody else on debian-security who is NOT also subscribed to debian-security-announce, you should probably do so. There have been a few debian-security posts recently asking about the status of something for which a fix was announced on debian-security-announce a couple of days previously.

My understanding is that debian-security IS more or less a debian-user for security issues. :)

Paul Haesler [EMAIL PROTECTED]
Re: I want to try something for freedom.
> > Microsoft has never sued Tridge and co. over samba which would seem to be a closer analogy - a reverse engineered network protocol, as opposed to a cracked encryption algorithm. Mind you, I'm not a lawyer. (Mind you, I don't think anybody else who has contributed to date is either.)
>
> Yes, but it is in every aspect similar to what the person who wrote the first letter in this thread wants to do or is advised to do, namely to reverse-engineer the operation of a working system which is developed only for win* and based on proprietary algorithms. That's exactly the same as what the person writing the DeCSS has done. Hence the company creating the authentication software would probably sue the person writing the first letter and could expect that the result would be the same as the DeCSS lawsuit, and it is currently lost. If this happens before the DeCSS lawsuit is finished in the Supreme Court, then the result will be likely the same as the first stages of the DeCSS lawsuit, meaning probably lost.
>
> This is only my two-pence of course, but I could not stand not to point out the similarities between the two situations.
>
> Regards,
> Robert Varga
>
> On Thu, 2 Nov 2000, Alexander Hvostov wrote:
> > Robert,
> >
> > Keep in mind that case is in appeal, and is quite likely to wind up in the Supreme Court. It is, in every way I can imagine, a Constitutional case, and has every reason to be heard by the Supreme Court. I hope the Supreme Court Justices agree...
> >
> > Regards,
> > Alex.

-- 
Paul Haesler [EMAIL PROTECTED]