Re: Keeping files away from users - THANKS!!
From: Luis Gomez - InfoEmergencias [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: Re: Keeping files away from users - THANKS!!
Date: Thu, 5 Jun 2003 20:58:43 +0200

Good evening (here in Spain) to all of you.

I want to sincerely thank you all for the great feedback received on this topic. I would never have expected to receive some 20 answers in such a short time! Let me take my time to write your names, because you deserve it:

Thank you Dariush, Adam, Marcel, Lars, Thomas, Peter, Harry, Koba, Ross, Adrian, and all the others who read the mail.

We've seen lots of interesting points, some of which I'll comment on now:

- REMOTE PASSWORD SERVER. It saves me from having to hardcode the cipher key somewhere in the filesystem, but presents two handicaps: What if they lose connection to the Net? and What if they put the HD in another machine, remove the root password, and put it back in the original machine? By doing this, the system would boot normally, would get the cipher key and mount the protected contents, and later they could login as root and access those contents.

- CIPHER KEY BASED ON THE HARDWARE. They can still remove the root password and boot the drive again with its original hardware. Moreover it has the disadvantage of having to recalculate the password and recipher the container if any hardware component changes. I still have to study Marcel's point about Palladium.

- MANUALLY ENTER THE PASSWORD LOGGING REMOTELY WHEN SYSTEM BOOTS UP. This one introduces the sixth sense of the sysadmin (i.e., me) who could take a look around before entering the pass (check that /etc/passwd is untouched, no one is logged in...). Even in that case the machine could have been trojanized, although we could check that point with software packages such as Tiger or Samhain (eh Javier!! ;D ) making it more difficult for a potential intruder to neutralize all of our monitoring tools.

You could just make md5 checksums of the whole system and store the checksums on another machine/floppy disk or something of that nature. Then when you would like to remount the filesystem you could always verify the checksums to see if you are trojaned or not.

- TEMPORARILY MOUNT, LET PROGRAMS READ FILES INTO MEMORY, THEN UNMOUNT. Unfortunately this one isn't possible, as the protected data won't be config files for services, but rather .html and .php pages which need to be accessed very often. It was a good point, I must say.

Other interesting things to look at:

- LICENSING ISSUES. As Peter Cordes commented, the kernel is GPL so if we integrate code into it, we cannot provide a binary-only version, we should also give away the sources (or use modules, but we want a monolithic kernel for obvious security reasons). However I don't see the problem in thinking of something like this, implementing it, documenting, giving away to the community... and later configuring it for our particular needs, so that a client cannot (initially, at least) break it.

I have to leave right now, and I'm taking a copy of this mail to discuss it with my colleagues. Will continue writing on the topic later or tomorrow, probably. Again, thanks to all for your great pieces of advice
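
The checksum idea raised in the message above (hash the system, keep the hashes on another machine, verify before remounting), written out as an added example that is not part of the original thread. It uses SHA-256 rather than MD5 and also records mode and ownership; the function names and the file names in `demo()` are constructed for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path, bufsize=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bufsize), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every path under root (relative) to its type, owner, mode and content hash."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: describe a link itself, not its target
            rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISLNK(st.st_mode):
                rec["type"], rec["target"] = "link", os.readlink(path)
            elif stat.S_ISREG(st.st_mode):
                rec["type"], rec["sha256"] = "file", _sha256(path)
            elif stat.S_ISDIR(st.st_mode):
                rec["type"] = "dir"
            else:
                rec["type"] = "special"  # device, FIFO, socket: metadata only
            manifest[os.path.relpath(path, root)] = rec
    return manifest


def compare(baseline, current):
    """Report paths added, removed, or changed, naming the fields that differ."""
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        fields = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if fields:
            modified[path] = fields
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": modified,
    }


def save_manifest(manifest, path):
    """Write the baseline as JSON; this file is what gets stored off the machine."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def _write(root, rel, text, mode="w"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)
    return path


def demo():
    """Constructed sample tree: take a baseline, change the tree, verify against it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as offhost:
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        login = _write(root, "bin/login", "binary placeholder\n")
        page = _write(root, "var/www/index.php", "<?php echo 'hi'; ?>\n")
        os.chmod(login, 0o755)

        baseline_file = os.path.join(offhost, "baseline.json")  # stands in for the other machine
        save_manifest(snapshot(root), baseline_file)

        # Constructed changes made after the baseline was taken.
        _write(root, "etc/passwd", "extra:x:1001:1001::/home/extra:/bin/sh\n", mode="a")
        os.chmod(login, 0o4755)  # setuid bit appears
        os.remove(page)
        _write(root, "bin/newtool", "unexpected file\n")

        return compare(load_manifest(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from trusted boot media or against the disk mounted read-only on another host, since a checker running on a trojaned system can be shown clean file contents.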
Re: updated sendmail package: config error
I updated mine using apt-get and didn't run into a problem. Everything seems to be working correctly on my side.

From: Markus Wennrich [EMAIL PROTECTED]
To: Miek Gieben [EMAIL PROTECTED]
CC: debian-security@lists.debian.org
Subject: Re: updated sendmail package: config error
Date: Fri, 4 Apr 2003 17:36:56 +0200

On Fri, Apr 04, 2003 at 05:01:07PM +0200, Miek Gieben wrote:
I'm trying to install the updated sendmail packages that fix the latest security hole. But after the installation I get this: see below. 8.12.3-6.2. didn't work

Same here, with the same error-messages.

Markus
anti-ptrace
Has anyone else besides me tried this anti-ptrace script? I downloaded it from packetstormsecurity.com, ran it and loaded the module, and it works like a charm. If anyone besides root tries to use ptrace, it echoes that event to the root terminal and denies it. Well, here is a copy of the script:

    #!/bin/sh
    # MAKE ME EXECUTABLE !!!
    #
    # [EMAIL PROTECTED]:/home/sacrine/TEST# chmod +x anti-ptrace
    # [EMAIL PROTECTED]:/home/sacrine/TEST# ./anti-ptrace
    # [+] making anti-ptrace.c: OK
    # [+] compiling the script: OK
    # [+] loading the module : OK
    #

    echo -n "[+] making anti-ptrace.c: "
    # Quoted delimiter: the C source is written out verbatim, with no shell expansion.
    cat > anti-ptrace.c << 'NETRIC'
    /*
     * Emergency fix for the ptrace race vuln
     * anti-ptrace.c by sacrine
     * netric.org
     *
     * Linux 2.4-era module: it needs sys_call_table to be visible to modules.
     */

    #define __KERNEL__
    #define MODULE
    #define LINUX

    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/types.h>
    #include <linux/version.h>
    #include <linux/slab.h>
    #include <linux/sched.h>
    #include <linux/fs.h>
    #include <linux/ctype.h>
    #include <linux/tty.h>
    #include <sys/syscall.h>
    #include <linux/ptrace.h>

    /* Saved pointer to the original sys_ptrace(request, pid, addr, data). */
    asmlinkage int (*o_ptrace)(long request, long pid, long addr, long data);

    extern void *sys_call_table[];

    /* Replacement handler: root is passed through unchanged, everyone else is refused. */
    asmlinkage int anti_ptrace(long request, long pid, long addr, long data)
    {
        if (current->uid == 0)
        {
            /* Forward all four syscall arguments in their original order. */
            return o_ptrace(request, pid, addr, data);
        }

        printk("warning: ptrace(); violation\n"
               "pid=[%i] uid=[%i]\n", current->pid, current->uid);

        console_print("warning: non-root users are not allowed to use ptrace();\n");

        /* Syscalls report errors as negative errno values. */
        return -EPERM;
    }

    int init_module(void)
    {
        /* Remember the original handler, then install the filter in its slot. */
        o_ptrace = sys_call_table[SYS_ptrace];
        sys_call_table[SYS_ptrace] = anti_ptrace;

        printk("anti-ptrace kernel module loaded with pid=[%i]\n", current->pid);

        return 0;
    }

    void cleanup_module(void)
    {
        /* Restore the original handler on unload. */
        sys_call_table[SYS_ptrace] = o_ptrace;

        printk("anti-ptrace kernel module ended with pid=[%i]\n", current->pid);
    }
    NETRIC
    echo "OK";

    echo -n "[+] compiling the script: ";
    gcc -c anti-ptrace.c -I/lib/modules/$(uname -r)/build/include
    echo "OK";

    echo -n "[+] loading the module : ";
    /sbin/insmod anti-ptrace.o > /dev/null
    echo "OK";

    # sacrine [Netric Security]
Re: ptrace vulnerability?
You could try this link http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html but I am not sure if it meets your criteria of authoritative.

From: Phillip Hofmeister [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: Re: ptrace vulnerability?
Date: Tue, 18 Mar 2003 17:09:10 -0500

I usually make it a habit of only applying patches that come from seemingly authoritative sites. Could anyone make a reference to an authoritative site that would contain this patch? I have been snooping around kernel.org with no success...

--
Phil

PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import

--
Excuse #125: Dumb terminal attach3
Re: ptrace vulnerability?
Correct me if I am wrong, but is the ptrace vulnerability not a fairly old one? By old I mean like a couple of years. Or is this a completely different ptrace vulnerability? I know there was info about a ptrace vulnerability at http://packetstormsecurity.com including the working exploit code a couple of years ago.

From: Mark Janssen [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Jason Rashaad Jackson [EMAIL PROTECTED]
CC: Giacomo Mulas [EMAIL PROTECTED], debian-security@lists.debian.org
Subject: Re: ptrace vulnerability?
Date: 18 Mar 2003 22:11:38 +0100

On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote:
His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

Here's a cut and paste from Lwn.net :)

Ptrace vulnerability in 2.2 and 2.4 kernels

From: Alan Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Ptrace vulnerability in Linux 2.2/2.4
Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST)

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is necessary and that it will not affect any software. The functionality change is specific to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix.

Alan

diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S --- linux.orig/arch/alpha/kernel/entry.S Thu Mar 13 12:01:46 2003 +++ linux/arch/alpha/kernel/entry.S Thu Mar 13 13:28:49 2003
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp $29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq $30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.c Thu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN linux.orig/arch/cris/kernel/entry.S linux/arch/cris/kernel/entry.S --- linux.orig/arch/cris/kernel/entry.S Thu Mar 13 12:01:29 2003 +++ linux/arch/cris/kernel/entry.S Thu
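
Review bot: In the alpha entry.S hunk the label changes from kernel_thread: to arch_kernel_thread:, but the unchanged context lines directly above it still read .globl kernel_thread and .ent kernel_thread. As shown, the new arch_kernel_thread symbol is never declared global and the .ent directive names a label that this hunk removes, so both directives should be renamed together with the label, along with any matching .end kernel_thread that lies outside the visible lines.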
Re: ptrace vulnerability?
Does anyone know the ETA of the official patch?
Re: ptrace vulnerability?
You could try this link http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html but I am not sure if it meets your criteria of authoritive. From: Phillip Hofmeister [EMAIL PROTECTED] To: debian-security@lists.debian.org Subject: Re: ptrace vulnerability? Date: Tue, 18 Mar 2003 17:09:10 -0500 MIME-Version: 1.0 Received: from murphy.debian.org ([65.125.64.134]) by mc3-f29.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 18 Mar 2003 14:49:44 -0800 Received: from localhost (localhost [127.0.0.1])by murphy.debian.org (Postfix) with QMQPid 25DCF1FABD; Tue, 18 Mar 2003 16:25:59 -0600 (CST) Received: from Oneil (66.227.150.91.bay.mi.chartermi.net [66.227.150.91])by murphy.debian.org (Postfix) with ESMTP id 8BD381F9C4for debian-security@lists.debian.org; Tue, 18 Mar 2003 16:09:10 -0600 (CST) Received: from plhofmei by Oneil with local (Exim 3.35 #1 (Debian))id 18vPGg-OE-00for debian-security@lists.debian.org; Tue, 18 Mar 2003 17:09:10 -0500 X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP Old-Return-Path: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Mail-Followup-To: debian-security@lists.debian.org References: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] User-Agent: Mutt/1.4i X-Spam-Status: No, hits=-2.9 required=4.0tests=IN_REP_TO,PGP_SIGNATURE_2,REFERENCES,SPAM_PHRASE_00_01, USER_AGENT,USER_AGENT_MUTTversion=2.43 X-Spam-Level: Resent-Message-ID: [EMAIL PROTECTED] Resent-From: debian-security@lists.debian.org X-Mailing-List: debian-security@lists.debian.org archive/latest/11161 X-Loop: debian-security@lists.debian.org List-Post: mailto:debian-security@lists.debian.org List-Help: mailto:[EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] List-Unsubscribe: mailto:[EMAIL PROTECTED] Precedence: list Resent-Sender: [EMAIL PROTECTED] Resent-Date: Tue, 18 Mar 2003 16:25:59 -0600 (CST) Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 18 Mar 2003 22:49:46.0703 (UTC) FILETIME=[ACA7E5F0:01C2EDA0] I usually 
make it a habit of only applying patches that come from seemingly authoritive sites. Could anyone make a reference to an authoritive site that would contain this patch? I have been snooping around kernel.org with no success... -- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import -- Excuse #125: Dumb terminal attach3 _ The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail
Re: ptrace vulnerability?
Correct me if I am wrong but is the ptrace vulnerability not a fairly old one. By old I mean like a couple of years. Or is this a completely different ptrace vulnerability. I know there was info about a ptrace vulnerability at http://packetstormsecurity.com including the working exploit code a couple of years ago. 

From: Mark Janssen [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Jason Rashaad Jackson [EMAIL PROTECTED]
CC: Giacomo Mulas [EMAIL PROTECTED], debian-security@lists.debian.org
Subject: Re: ptrace vulnerability?
Date: 18 Mar 2003 22:11:38 +0100

On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote:
> His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

Here's a cut and paste from Lwn.net :)

Ptrace vulnerability in 2.2 and 2.4 kernels

From: Alan Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Ptrace vulnerability in Linux 2.2/2.4
Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST)

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is necessary and that it will not affect any software. The functionality change is specific to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix.

Alan

diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S --- linux.orig/arch/alpha/kernel/entry.SThu Mar 13 12:01:46 2003 +++ linux/arch/alpha/kernel/entry.S Thu Mar 13 13:28:49 2003 
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp$29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq$30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.cThu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN
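
Review bot: In the alpha entry.S hunk the label becomes arch_kernel_thread: while the unchanged context lines still read .globl kernel_thread and .ent kernel_thread, so the renamed entry point is not exported under its new name and the .ent directive no longer matches the label it introduces; both directives should be renamed together with the label. The ARM hunk renames the C definition consistently, but the excerpt stops at a bare "diff -purN", so whatever now provides kernel_thread() to its existing callers is not visible here and cannot be checked from these lines.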
Security on an old machine
I have an old 486 without a cdrom in it. If I pull the hard drive and stick it in another machine to perform the install will this work? And if it does work will it make the system any less secure?
Re: Uh-oh. Cracked allready. I think...
There is a good chance, if you have been rooted, that the attacker installed a rootkit to cover his tracks. I saw a good rootkit detector on http://freshmeat.net/ . Just do a search for it on there.

From: Tim Haynes [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Kjetil Kjernsmo [EMAIL PROTECTED]
CC: debian-security@lists.debian.org
Subject: Re: Uh-oh. Cracked allready. I think...
Date: 23 May 2002 17:11:26 +0100

Kjetil Kjernsmo [EMAIL PROTECTED] writes:

> To address this first: It is the gnutella server that causes alarm, so is there anything I could have done that would install gnutella but escape my attention? I certainly never did apt-get install gnutella (I tried apt-get remove gnutella yesterday, with no effect). Is it likely that if I don't know how it got there, has been installed by a cracker? I've tried to telnet 217.77.32.186 6346 but get no connection.

Well if something's got on there that you don't remember installing, can I have some of what you're taking? ;)

It's at this point that you should start debugging what's really listening on your box from what a scanner says you are. I suggest you nmap yourself to see what ports you really have open, and compare against

netstat -plant | grep LIST

(here's your first potential clue: if netstat complains about `-p', it's been trojanned.)

Next, if you've got a socket listener or 6346 (IIRC, the most frequently used gnutella port), try telnetting into it and see what banner, if any, it presents.

At some stage you should probably run _chkrootkit_ on the blighter, too. Do you have an original AIDE database from immediately after it was installed?

> I tried to set the suggested PermitRootLogin for ssh to no, but ssh gave me some message that I thought meant it didn't recognize it.

That's weird. Try running an sshd from a terminal, to read /etc/ssh/*, and see if you get any syntax errors there.

Here's another idea:

| zsh/scr, potato 5:03PM piglet % md5sum /var/cache/apt/archives/*ssh*
| /usr/sbin/sshd
| 0c1ef2fb11aa02a3b6af95157038e71b ssh_1%3a3.0.2p1-9_i386.deb
| a68ece0b46d2f42b655d0bf6434c317a /usr/sbin/sshd

> I compiled in IPtables in the kernel, but I haven't read up on how to use it. I have also installed some of the harden packages. Last night, I thought my system was running quite well, though I had noticed gnutella running. I figured it was time to run nessus, so I did. It seems to report many holes, some holes that I guess would be exploitable. I put the report on URL: http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html

Bear in mind two things:

a) Debian apply patches in stable as/when required, we don't follow upstream version#s regardlessly

b) testing is a strange halfway-house between stable and unstable; you can expect a security fix to make it into Unstable pretty soon (as it tracks upstream versions) but it'll be at least a fortnight after that it hits Testing.

That said, you probably want to check the Changelog(.Debian.gz) for ssh - I'd be surprised if the patches required hadn't made it down into Testing.

> If it has been cracked, what should I do? I could run up to my hosts and have them turn it off, I guess. But then what? I have really no clue what happened, and while I could turn off some more services, it seems like the biggest security problems are with ssh and smtp, that is, OpenSSH and Exim, so would a clean reinstall help a lot?

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html. First assess whether you really have been breached; if you have, you *must*
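
The comparison suggested in the message above (scan the box, then check the result against netstat -plant | grep LIST), written out as an added example that is not part of the original thread. Both sample outputs are constructed, the function names are hypothetical, and the scan is assumed to be saved in nmap's grepable format (-oG) from a second machine, since netstat on a compromised host may itself be trojanned.

```shell
#!/bin/sh
# Added example: which TCP ports does an outside scan find open that the
# host's own netstat does not admit to, and the other way round?

# Constructed sample of `netstat -plant | grep LIST` taken on the suspect host.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:22          0.0.0.0:*       LISTEN      412/sshd
tcp        0      0 0.0.0.0:25          0.0.0.0:*       LISTEN      388/exim
tcp        0      0 127.0.0.1:631       0.0.0.0:*       LISTEN      501/cupsd
EOF
}

# Constructed sample of `nmap -p- -oG - <host>` run from another machine.
sample_nmap() {
cat <<'EOF'
# constructed grepable scan result for 192.0.2.10
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 113/closed/tcp//auth///, 6346/open/tcp//gnutella///
EOF
}

# stdin: netstat output. stdout: listening TCP ports, one per line.
netstat_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n -u
}

# stdin: nmap grepable output. stdout: TCP ports reported open.
nmap_open_ports() {
    awk '/Ports: / {
        list = $0
        sub(/^.*Ports: /, "", list)
        sub(/[ \t]*Ignored State:.*$/, "", list)
        n = split(list, ent, ", ")
        for (j = 1; j <= n; j++) {
            split(ent[j], f, "/")          # port/state/protocol/...
            if (f[2] == "open" && f[3] == "tcp") print f[1]
        }
    }' | sort -n -u
}

# Entries of list $1 that do not occur in list $2 (whitespace separated).
minus() {
    for p in $1; do
        case " $(echo $2) " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# $1 = netstat text, $2 = nmap text.
# Open to the scanner but missing from netstat: a hidden listener, or a
# netstat binary that has been replaced.
hidden_listeners() {
    minus "$(printf '%s\n' "$2" | nmap_open_ports)" \
          "$(printf '%s\n' "$1" | netstat_ports)"
}

# Listed by netstat but not seen by the scanner: normally a loopback-only
# bind or a packet filter in between.
unseen_listeners() {
    minus "$(printf '%s\n' "$1" | netstat_ports)" \
          "$(printf '%s\n' "$2" | nmap_open_ports)"
}

report() {
    h=$(hidden_listeners "$1" "$2")
    u=$(unseen_listeners "$1" "$2")
    if [ -n "$h" ]; then echo "open to scanner, absent from netstat: $(echo $h)"; fi
    if [ -n "$u" ]; then echo "in netstat, not reachable by scanner: $(echo $u)"; fi
}

report "$(sample_netstat)" "$(sample_nmap)"
```

A port in the first list is the one to follow up with the steps from the message: read its banner and run chkrootkit. The second list is usually explained by a firewall or a loopback-only service.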
restricting outbound access?
I have a question. Is there any way to restrict outbound access for all but a few users? I know with iptables you can block outbound traffic completely but that won't work in my situation. There are about 150 users of my server and only 3 of them need outbound access so I am kind of in a sticky situation. Any help would be greatly appreciated.

Thanks in advance
Steve Meyer
RE: RE:restricting outbound access?
That has been done already; the only problem is people compile their own executables. I run a server for kids at a local school and you know how some kids can be. I have already had to ban several users for compiling scripts to launch attacks on other machines. I strictly enforce their acceptable use agreement through the school but sometimes that just isn't enough.

From: Howland, Curtis [EMAIL PROTECTED]
To: Steve Meyer [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: restricting outbound access?
Date: Thu, 16 May 2002 11:59:05 +0900

How about group access privileges on the offending executables? Seems to me to be the natural method of restricting access to stuff.

Curt-

> I have a question. Is there any way to restrict outbound access for all but a few users? I know with iptables you can block outbound traffic completely but that won't work in my situation. There are about 150 users of my server and only 3 of them need outbound access so I am kind of in a sticky situation. Any help would be greatly appreciated.
>
> Thanks in advance
> Steve Meyer
Re: Help
Tell him you could easily set up iptables to restrict outgoing connections, i.e. you can telnet it but not telnet out, or send packets in but not out. I have worked on many servers that have this feature used, e.g. Compaq's testdrive program. I also use this feature in one of my free shell servers.

From: Brian Furry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Help
Date: Fri, 3 May 2002 18:14:15 -0400 (EDT)

Hello:

I am in the process of getting a debian server in the high school that I teach in. The network admin is concerned about the security of the existing Novell Server, border manager, etc. Our ISP is very picky about not hogging more bandwidth than we are supposed to use.

I have been carefully pushing for a debian linux server for about 3 years and now I am very close to getting one for my students to program on. The network admin is the last person I need to sign off on

Below is a message from him, that I need to reply to in order for him to sanction the machine. I would like some help in creating a response to soothe his anxiety and fears.

**

I have described the Linux project, its uses, and its physical placement within our network, to four knowledgeable people, and asked for their thoughts and recommendations.

A. Partner in a consulting company based in Hunterdon County. Their mission is to encourage Linux use in small/medium companies.
B. Lt. Col. (ret.) USAF, now a contractor for the Air Force (process compliance and Unix network administrator)
C. Network technician. This person builds wide-area networks for corporations and financial institutions
D. Computer consultant. This person has extensive employment experience (programming, documentation, database, networking) with HP, Agilent, and others. Husband and brother also do design work for top computer firms.

They all insisted that a dedicated firewall is a requirement. They are unanimous in their exhortation that the server be properly secured. B gave specific items to examine in this regard, and A offered to scan it from inside and outside our building.

A, B, and C state that, even if it IS properly secured, this does not prevent some types of malicious behavior. A and B think that the risk is no greater than our current setup, while C has reservations that we should not increase our susceptibility, and that the 24-hour availability of this server leaves us open to mischief.

I share C's concern. In-school computer use is subject to various controls, not the least of which is teacher oversight. By design, a publicly accessible server on which students can run their own programs at 3 a.m. lacks this important security.

In light of this last point, let me pose a situation: A student loads and runs a program onto this Linux server which then launches attacks on other computers or routers on the Internet. Such attacks could be as simple as participating in a Denial-of-Service attack. In our earlier meeting, you said that proper settings, permissions, and restrictions could prevent that. Since this is one of the situations for which I am most concerned, can you give me (in excruciating detail) the steps which would prevent this?

== Brian R. Furry [EMAIL PROTECTED] ==
=== The Power of Open Source can only give the people what they so richly deserve ... stable and flexible computing ===
Debian/GNU
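
One way to turn the iptables suggestion above, and the earlier question about letting only 3 of 150 users reach the network, into concrete rules, as an added example that is not from the thread. It assumes iptables with the owner and state matches available; the account names alice, bob and carol and the chain name USER_EGRESS are hypothetical. Because the rules key on the UID that owns the socket, they apply equally to programs users compile themselves.

```shell
#!/bin/sh
# Added example: print iptables commands that allow only named accounts to
# open NEW outbound connections. Nothing is applied; the output is a dry run
# that root can review and then pipe to sh.

CHAIN=USER_EGRESS          # hypothetical chain name

# Accept only plain account names, since they end up inside commands.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# egress_rules USER...  -> one iptables command per line on stdout
egress_rules() {
    for u in "$@"; do
        valid_user "$u" || { echo "invalid account name: $u" >&2; return 1; }
    done

    echo "iptables -N $CHAIN"

    # Loopback traffic and packets belonging to connections that already
    # exist (for example replies on a user's inbound ssh session) pass.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Every attempt to start a new outbound flow is judged by socket owner.
    echo "iptables -A OUTPUT -m state --state NEW -j $CHAIN"

    # root keeps egress for system services. Service accounts that need the
    # network have to be passed in like any other user.
    echo "iptables -A $CHAIN -m owner --uid-owner root -j ACCEPT"
    for u in "$@"; do
        echo "iptables -A $CHAIN -m owner --uid-owner $u -j ACCEPT"
    done

    # Record which UID tried (rate limited), then refuse.
    echo "iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-uid --log-prefix 'egress-denied: '"
    echo "iptables -A $CHAIN -j REJECT"
}

# Dry run for three hypothetical accounts.
egress_rules alice bob carol
```

Accounts that are not listed also lose DNS lookups, because the resolver runs inside the user's own process. The LOG line gives the administrator a per-UID record of refused attempts.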
Re: world readable log files and /etc/ files
It is also important to remember not to chown log files. If you do this you could run into problems. The process that writes the file may not be able to.

From: Wichert Akkerman [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: Re: world readable log files and /etc/ files
Date: Sun, 28 Apr 2002 21:06:35 +0200

Previously Ian Cumming wrote:
> I was quite alarmed. There seem to be many files with world readable permissions, which _shouldnt_.

If you don't trust your local users on a server you have a different problem imho.

> What is the policy for log files? I understand that it doesnt do _that_ much harm allowing others to read, but it does disclose more than I want to reveal.

World-readable except for files with sensitive information.

Wichert.