Re: Security issue

2018-11-06 Thread Doug


On 11/06/2018 08:49 PM, finn via users wrote:
> Why wouldn't you regularly review your task manager, system settings
> etc. to confirm your machine has not been compromised? (Here are a few
> things which you can do to confirm there isn't a breach in your system).
>
> 1. Failed logins: /var/log/messages
> 2. last, w, uptime
> 3. /etc/passwd changed?
> 4. fuser for ports
> 5. portscans in server report
> 6. weird processes hogging CPU?
>
> Switching between different distros in six months is really a big pain.
> Isn't it?
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, November 6, 2018 10:57 PM, William Oliver wrote:
>
> > I jump around a lot. I usually reinstall my OS every five or six
> > months. I do it primarily as a security issue -- if my machine has
> > been compromised and I don't know it, at least every few months I
> > *know* I'm clean. What I've found is that the "pain" of installation
> > varies from release to release, and is not a fedora/debian/arch/suse
> > issue per se. I've had some cases where fedora installed like a dream
> > and debian/mint/ubuntu had problems, some cases where debian
> > installed easy and fedora crumped, and some cases where arch/manjaro
> > was great and everything else had problems.
> >
> > A few weeks ago, I went to Manjaro, not because I'm an Arch fan, but
> > because I downloaded fedora, kubuntu, and KDE neon and it was the
> > *only* one that installed without a problem. Before that, KDE neon
> > installed without a hitch. Before that Fedora installed without a hitch.
> >
> > In a few months, I'll do it again, and it will be a different distro
> > that works...
> >
> > Usually, I start with Fedora KDE spin, then try KDE neon, then try
> > Manjaro, then try SUSE.
> >
> > billo


Have you tried PCLinuxOS? I've been running that for quite a few years 
without any serious problems, except some years ago when Master PDF 
Editor refused to print to US Letter size. That seems to have
been fixed, but not before I was banned for complaining about it. I run 
PCLOS anyway, having seen so many problems reported on other distro 
lists. And it's a revolving system--the only time it had to be
reinstalled was when KDE5 was introduced. It is continuously updated, 
usually every Sunday night. (By the user--it doesn't arbitrarily access 
your system.)


--doug
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
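
Two items from the checklist quoted in the message above (failed logins and "/etc/passwd changed?"), worked as an added example that is not part of any poster's message. The log lines and passwd snapshots are constructed, and the function names and the threshold of 3 are assumptions; which log file carries sshd and PAM failures depends on the host's syslog configuration.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format used by sshd and pam_unix.
SAMPLE_LOG = [
    "Nov  6 20:41:02 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Nov  6 20:41:05 host sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Nov  6 20:41:09 host sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Nov  6 20:50:31 host su: pam_unix(su:auth): authentication failure; "
    "logname=alice uid=1000 euid=0 tty=pts/1 ruser=alice rhost=  user=root",
    "Nov  6 21:02:44 host sshd[2290]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2",
]

# Constructed passwd(5) snapshots: a saved baseline and the current file.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0::/home/support:/bin/bash
"""

SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
PAM_FAIL = re.compile(
    r"pam_unix\(([\w-]+):auth\): authentication failure;.*?\bruser=(\S*).*?\buser=(\S+)"
)


def failed_logins(lines):
    """Count failures per (source, target account); local failures use 'local:<ruser>'."""
    hits = Counter()
    for line in lines:
        m = SSH_FAIL.search(line)
        if m:
            hits[(m.group(2), m.group(1))] += 1
            continue
        m = PAM_FAIL.search(line)
        if m:
            hits[("local:" + (m.group(2) or "?"), m.group(3))] += 1
    return hits


def noisy_sources(hits, threshold=3):
    """Sources whose total failures, across all target accounts, reach the threshold."""
    per_source = Counter()
    for (source, _user), n in hits.items():
        per_source[source] += n
    return sorted(s for s, n in per_source.items() if n >= threshold)


def parse_passwd(text):
    """Map login name -> (uid, gid, home, shell); malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            continue
        entries[f[0]] = (int(f[2]), int(f[3]), f[5], f[6])
    return entries


def passwd_findings(baseline_text, current_text):
    """Accounts added, removed or altered since the baseline, plus extra uid-0 accounts."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name in sorted(new.keys() - old.keys()):
        findings.append(f"added account {name} (uid {new[name][0]})")
    for name in sorted(old.keys() - new.keys()):
        findings.append(f"removed account {name}")
    for name in sorted(new.keys() & old.keys()):
        if new[name] != old[name]:
            findings.append(f"changed account {name}: {old[name]} -> {new[name]}")
    for name in sorted(new):
        if new[name][0] == 0 and name != "root":
            findings.append(f"uid 0 held by non-root account {name}")
    return findings


if __name__ == "__main__":
    hits = failed_logins(SAMPLE_LOG)
    for (source, user), n in sorted(hits.items()):
        print(f"{n} failed login(s) for {user} from {source}")
    print("sources at or over threshold:", noisy_sources(hits))
    for finding in passwd_findings(BASELINE_PASSWD, CURRENT_PASSWD):
        print(finding)
```

In practice the baseline would be a copy saved right after installation, and the log lines would be read from wherever the host records authentication failures.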


Security issue

2018-11-06 Thread finn via users
Why wouldn't you regularly review your task manager, system settings etc. to
confirm your machine has not been compromised? (Here are a few things which you can
do to confirm there isn't a breach in your system).

1. Failed logins: /var/log/messages
2. last, w, uptime
3. /etc/passwd changed?
4. fuser for ports
5. portscans in server report
6. weird processes hogging CPU?

Switching between different distros in six months is really a big pain. Isn't it?

‐‐‐ Original Message ‐‐‐
On Tuesday, November 6, 2018 10:57 PM, William Oliver wrote:

> I jump around a lot. I usually reinstall my OS every five or six months. I do 
> it primarily as a security issue -- if my machine has been compromised and I 
> don't know it, at least every few months I *know* I'm clean. What I've found 
> is that the "pain" of installation varies from release to release, and is not 
> a fedora/debian/arch/suse issue per se. I've had some cases where fedora 
> installed like a dream and debian/mint/ubuntu had problems, some cases where 
> debian installed easy and fedora crumped, and some cases where arch/manjaro 
> was great and everything else had problems.
>
> A few weeks ago, I went to Manjaro, not because I'm an Arch fan, but because 
> I downloaded fedora, kubuntu, and KDE neon and it was the *only* one that 
> installed without a problem. Before that, KDE neon installed without a hitch. 
> Before that Fedora installed without a hitch.
>
> In a few months, I'll do it again, and it will be a different distro that 
> works...
>
> Usually, I start with Fedora KDE spin, then try KDE neon, then try Manjaro, 
> then try SUSE.
>
> billo


Re: [OT] Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Tim
Allegedly, on or about 16 October 2017, Patrick O'Callaghan sent:
> Note that in all cases the problem is limited to nodes sharing the
> same wireless access point, i.e. it's not going to bite you over the
> Internet.

Though that, rather obviously, means that using public WiFi is unsafe
(not that it ever really was), but I think the more likely problem for
the average home user will be neighbours (the houses next door, and
apartments above and below you, or drive-by hackers).

Going from what I read, it's not so much nodes sharing the same point
(i.e. what could be interpreted as people *already* on the same
network), but vulnerable to anybody who tries to access it.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 4.13.5-200.fc26.x86_64 #1 SMP Thu Oct 5 16:53:13 UTC 2017 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted.
There is no point trying to privately email me, I only get to see
the messages posted to the mailing list.

This email has been brought to you by beetwix.  Mmm, spewy!
Get some into you today.


Re: [OT] Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Patrick O'Callaghan
On Mon, 2017-10-16 at 17:51 +0100, Patrick O'Callaghan wrote:
> wpa_supplicant (used in Linux and Android) is particularly bad.

Just in case this point isn't getting enough emphasis: the specific
vulnerability in wpa_supplicant allows the adversary to force the use
of an all-0's encryption key. That could legitimately be called
disastrous. Patched versions of wpa_supplicant should be installed as
soon as they are available.

poc


Re: Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread stan
On Mon, 16 Oct 2017 16:15:26 +0100
Patrick O'Callaghan  wrote:

> On Mon, 2017-10-16 at 16:00 +0100, Ron Leach wrote:
 
> > Is there any longer-term security support for earlier versions?
> > We've a few devices still running F24 or F23.  
> 
> As has been reiterated innumerable times, Fedora does NOT provide
> security updates for EOLed versions, i.e. currently anything earlier
> than F25. If you aren't prepared to update at least every other
> release, you should consider using a different distro.

In general, Patrick is right.  However, if you are desperate, you can
go to the link below and get the src.rpm, and build it on the obsolete
systems.  You might have to do some fiddling with requirements, and
there could be dependencies you will also have to install, but it will
give you a package for your earlier fedora distribution.

https://koji.fedoraproject.org/koji/buildinfo?buildID=984997

You are becoming a pseudo packager, and it can be a lot of work with a
significant learning curve if you haven't built packages from src.rpms
before. Upgrading is probably the better answer if at all possible.


Re: [OT] Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Patrick O'Callaghan
On Mon, 2017-10-16 at 08:54 -0700, Jonathan Ryshpan wrote:
> I am about 97% ignorant about encryption.  However...
> 
> It seems that these attacks are directed at clients rather than
> servers.  Is this correct?  

No.

> If so, it's a good thing for me, since I use an old Belkin wireless
> router whose firmware will surely never be upgraded.

The attack is against *anything* using WPA2 encryption. The severity of
the vulnerability depends on implementation details. wpa_supplicant
(used in Linux and Android) is particularly bad. Ironically, recent
versions of Windows and IOS are less vulnerable because they implement
WPA2 incorrectly. Note that in all cases the problem is limited to
nodes sharing the same wireless access point, i.e. it's not going to
bite you over the Internet.

That said, a cursory reading of the actual paper (rather than the
rather sensational press release) shows that although there is a
problem with the protocol handshake allowing certain kinds of relay
attack, the potential issues depend on what actual (local) encryption
protocol is used after establishing the connection.

And of course using a higher-level secure protocol such as HTTPS or
OpenVPN makes all this irrelevant.

poc


Re: Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Matthew Miller
On Mon, Oct 16, 2017 at 04:00:46PM +0100, Ron Leach wrote:
> (We hadn't updated these devices to F25 because there had seemed to
> be some difficulties reported on the lists, but that would be an option
> we still have.  I've downloaded the paper to understand better the
> risks at (i) coffee shops etc, and (ii) whether the 'trick' can be
> used to gain access to a password-protected AP - such as here at our
> premises - in the first place.  I'm concerned about both those
> scenarios.)

I would recommend updating to Fedora 26, unless you have a specific problem
listed on https://fedoraproject.org/wiki/Common_F26_bugs. If you judge
by difficulties seen online, you get a biased view, because a lot
fewer people will comment "hey, this worked fine".

-- 
Matthew Miller

Fedora Project Leader


Re: [OT] Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Jonathan Ryshpan
I am about 97% ignorant about encryption.  However...

It seems that these attacks are directed at clients rather than
servers.  Is this correct?  

If so, it's a good thing for me, since I use an old Belkin wireless
router whose firmware will surely never be upgraded.

jon

On Mon, 2017-10-16 at 07:32 -0400, Mark C. Allman wrote:
> I figure that this is being addressed but hopefully it doesn't hurt to ask.
> 
> https://www.krackattacks.com/


Re: Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Patrick O'Callaghan
On Mon, 2017-10-16 at 16:00 +0100, Ron Leach wrote:
> On 16/10/2017 15:21, Michael Cronenworth wrote:
> 
> > F25: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12e76e8364
> > F27: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f45e844a85
> > Rawhide: (just run a dnf update)
> > ___
> 
> Is there any longer-term security support for earlier versions?  We've 
> a few devices still running F24 or F23.

As has been reiterated innumerable times, Fedora does NOT provide
security updates for EOLed versions, i.e. currently anything earlier
than F25. If you aren't prepared to update at least every other
release, you should consider using a different distro.

poc


Re: Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Ron Leach

On 16/10/2017 15:21, Michael Cronenworth wrote:

> F25: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12e76e8364
> F27: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f45e844a85
> Rawhide: (just run a dnf update)


Is there any longer-term security support for earlier versions?  We've 
a few devices still running F24 or F23.


If there is not a security release, is it even likely that the source 
for the revised versions of the affected packages might compile on 
F24, and might the objects even run on F24 or F23?  (I imagine it is 
fairly unlikely, but I'd like to ask.)


(We hadn't updated these devices to F25 because there had seemed to be 
some difficulties reported on the lists, but that would be an option we 
still have.  I've downloaded the paper to understand better the risks 
at (i) coffee shops etc, and (ii) whether the 'trick' can be used to 
gain access to a password-protected AP - such as here at our premises 
- in the first place.  I'm concerned about both those scenarios.)


Thanks for the expanded update list,

regards, Ron


Re: Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Michael Cronenworth

On 10/16/2017 08:30 AM, Matthew Miller wrote:
> On Mon, Oct 16, 2017 at 07:32:32AM -0400, Mark C. Allman wrote:
>> I figure that this is being addressed but hopefully it doesn't hurt to ask.
>> https://www.krackattacks.com/
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-60bfb576b7



Which is for Fedora 26.

F25: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12e76e8364
F27: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f45e844a85
Rawhide: (just run a dnf update)


Re: Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Mark C. Allman
On 10/16/2017 09:30 AM, Matthew Miller wrote:
> On Mon, Oct 16, 2017 at 07:32:32AM -0400, Mark C. Allman wrote:
>> I figure that this is being addressed but hopefully it doesn't hurt to ask.
>> https://www.krackattacks.com/
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-60bfb576b7
>

Perfect.  I figured as much.  That's exactly what I, and I'd expect lots
of us, wanted to know.

Thanks!


*Mark C. Allman, PMP, CSM*
Founder, See How You Ski, www.seehowyouski.com 
Sr. Project Manager, Allman Professional Consulting, Inc.,
www.allmanpc.com 
617-947-4263, Twitter: @allmanpc


Re: Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Matthew Miller
On Mon, Oct 16, 2017 at 07:32:32AM -0400, Mark C. Allman wrote:
> I figure that this is being addressed but hopefully it doesn't hurt to ask.
> https://www.krackattacks.com/

https://bodhi.fedoraproject.org/updates/FEDORA-2017-60bfb576b7

-- 
Matthew Miller

Fedora Project Leader


Re: Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread George N. White III
On 16 October 2017 at 08:32, Mark C. Allman  wrote:

> I figure that this is being addressed but hopefully it doesn't hurt to ask.
>
> https://www.krackattacks.com/
>
>
Many organizations either don't allow (WPA2) wireless or require VPN when
not using the internal wired network.

Many of us have older WPA2 devices that are no longer being updated (ebook
readers, pads, smart phones).  It
will be interesting to see if vendors provide patches to older "no longer
supported" devices.

-- 
George N. White III 
Head of St. Margarets Bay, Nova Scotia


Question on the WIFI security issue Key Reinstallation Attack ("krack" attack)

2017-10-16 Thread Mark C. Allman
I figure that this is being addressed but hopefully it doesn't hurt to ask.

https://www.krackattacks.com/

Thanks,
-- 

*Mark C. Allman, PMP, CSM*
Founder, See How You Ski, www.seehowyouski.com 
Sr. Project Manager, Allman Professional Consulting, Inc.,
www.allmanpc.com 
617-947-4263, Twitter: @allmanpc



Re: Fwd: Fedora22 Security Issue.

2015-08-19 Thread Suvayu Ali
On Wed, Aug 19, 2015 at 12:31:19PM +0100, Patrick O'Callaghan wrote:
> On Wed, 2015-08-19 at 09:55 +0900, Scott Mattan wrote:
> > Is there a better way of viewing this list without having to copy
> > paste titles and contents?
>
> Don't use digests (they are a waste of time in this day and age), or if
> you do then use a mailer that supports direct replying to a digest
> message (not to the digest itself). Evolution can do this and I think
> Thunderbird also. Cutting and pasting subject lines does not preserve
> proper threading and should be avoided.

Actually, afaiU, there is one more step involved.  Replying in thread
works only with MIME digests, not plain text.  It is a separate option
in the mailman settings page.

  Set Digest Mode

  If you turn digest mode on, you'll get posts bundled together (usually
  one per day but possibly more on busy lists), instead of singly when
  they're sent. If digest mode is changed from on to off, you may
  receive one last digest.

  Get MIME or Plain Text Digests?

  Your mail reader may or may not support MIME digests. In general MIME
  digests are preferred, but if you have a problem reading them, select
  plain text digests. )

Cheers,

-- 
Suvayu

Open source is the future. It sets us free.
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Fwd: Fedora22 Security Issue.

2015-08-19 Thread Patrick O'Callaghan
On Wed, 2015-08-19 at 09:55 +0900, Scott Mattan wrote:
> Is there a better way of viewing this list without having to copy
> paste titles and contents?

Don't use digests (they are a waste of time in this day and age), or if
you do then use a mailer that supports direct replying to a digest
message (not to the digest itself). Evolution can do this and I think
Thunderbird also. Cutting and pasting subject lines does not preserve
proper threading and should be avoided.

poc


Re: Fwd: Fedora22 Security Issue.

2015-08-19 Thread Patrick O'Callaghan
On Wed, 2015-08-19 at 15:04 +0200, Suvayu Ali wrote:
> > Don't use digests (they are a waste of time in this day and age), or if
> > you do then use a mailer that supports direct replying to a digest
> > message (not to the digest itself). Evolution can do this and I think
> > Thunderbird also. Cutting and pasting subject lines does not preserve
> > proper threading and should be avoided.
>
> Actually, afaiU, there is one more step involved.  Replying in thread
> works only with MIME digests, not plain text.  It is a separate option
> in the mailman settings page.

This is true, however I'm assuming this list's digests are
MIME-formatted.

poc


Re: Fwd: Fedora22 Security Issue.

2015-08-19 Thread Rick Stevens

On 08/19/2015 09:02 AM, Patrick O'Callaghan wrote:
> On Wed, 2015-08-19 at 15:04 +0200, Suvayu Ali wrote:
> > > Don't use digests (they are a waste of time in this day and age), or if
> > > you do then use a mailer that supports direct replying to a digest
> > > message (not to the digest itself). Evolution can do this and I think
> > > Thunderbird also. Cutting and pasting subject lines does not preserve
> > > proper threading and should be avoided.
> >
> > Actually, afaiU, there is one more step involved.  Replying in thread
> > works only with MIME digests, not plain text.  It is a separate option
> > in the mailman settings page.
>
> This is true, however I'm assuming this list's digests are
> MIME-formatted.


Only if you request them as MIME-formatted. The list can send plaintext
digests as well. Not sure what the default is (if there is a default...
I don't use digests :-p ).
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 226437340   Yahoo: origrps2 -
--
- The Schizophrenic: An Unauthorized Autobiography -
--


Re: Fedora22 Security Issue.

2015-08-18 Thread Ed Greshko
On 08/18/15 15:09, Scott Mattan wrote:

> I am seeing some disparity between (two distributions granted) CentOS 6.6 and
> Fedora22 in their use of the su utility.  I cannot figure out the cause, so I
> cannot fix it.
>
> In CentOS there is no way to script login to root... this is of course a
> desirable trait.
> for instance,
> [ user@localhost user ]$ su root << EOF
> > password
> > echo
> > id
> > EOF
> standard in must be a tty
>
> However, Fedora22 allows this action... where is the file which I must edit
> to enable this security setting?
> { (^-^) user /home/user } su root << EOF
> > password
> > echo
> > id
> > EOF
> uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Thanks for the help in advance.

My first thought is to check for differences between /etc/pam.d/su on each OS.

-- 
It seems most people that say they are done talking about it never really are 
until given the last word.


Fedora22 Security Issue.

2015-08-18 Thread Scott Mattan
Hello,

I am seeing some disparity between (two distributions granted) CentOS 6.6
and Fedora22 in their use of the su utility.  I cannot figure out the
cause, so I cannot fix it.

In CentOS there is no way to script login to root... this is of course a
desirable trait.
for instance,
[ user@localhost user ]$ su root << EOF
> password
> echo
> id
> EOF
standard in must be a tty

However, Fedora22 allows this action... where is the file which I must edit
to enable this security setting?
{ (^-^) user /home/user } su root << EOF
> password
> echo
> id
> EOF
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Thanks for the help in advance.

Scott


Re: Fedora22 Security Issue.

2015-08-18 Thread Ed Greshko
On 08/19/15 00:10, Patrick O'Callaghan wrote:
> On Wed, 2015-08-19 at 00:13 +0900, Scott Mattan wrote:
> > I haven't tried comparing yet but I've verified that disabling various
> > combinations on the cent machine does not produce the same results.
> Same results as what? Is this part of some other thread?

Yes, the OP sent a new message with the same subject in response to an answer 
that I gave.

-- 
It seems most people that say they are done talking about it never really are 
until given the last word.


Re: Fwd: Fedora22 Security Issue.

2015-08-18 Thread Ed Greshko
On 08/19/15 08:55, Scott Mattan wrote:
> Sorry about the other post, this one may not come in correctly either...
>
> In any case, I will explain this after the main issue...
>
> I have the following differences in my /etc/pam.d/su file:
>
> Fedora22:
> #%PAM-1.0
> auth            sufficient      pam_rootok.so
> # Uncomment the following line to implicitly trust users in the wheel group.
> #auth           sufficient      pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the wheel group.
> #auth           required        pam_wheel.so use_uid
> auth            substack        system-auth
> auth            include         postlogin
> account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
> account         include         system-auth
> password        include         system-auth
> session         include         system-auth
> session         include         postlogin
> session         optional        pam_xauth.so
>
> CentOS6.6:
>
> #%PAM-1.0
> auth            sufficient      pam_rootok.so
> # Uncomment the following line to implicitly trust users in the wheel group.
> #auth           sufficient      pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the wheel group.
> #auth           required        pam_wheel.so use_uid
> auth            include         system-auth
> account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
> account         include         system-auth
> password        include         system-auth
> session         include         system-auth
> session         optional        pam_xauth.so
>
> When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if this
> is the cause I become unable to open sockets.
>
> [ root@localhost ~ ]# su user
> could not open session

Use the original file in pam.d for su and try adding this after the
pam_rootok.so line...

auth required pam_securetty.so

> Now for my lack of understanding of the mailing list.
>
> On the computer, I don't understand how to reply without having to copy
> information from multiple sources.  The entire list comes in a single post
> (very difficult to read) and replying to one means replying to all.

Sounds like you've picked digest for the list messages and your mailer
doesn't quite know how to handle them.

> Additionally, operating on my phone doesn't even permit me to view the posts,
> and I must manually go to the archives to read any of the new additions.
>
> Is there a better way of viewing this list without having to copy paste
> titles and contents?

Modify your settings to not get a digest.


-- 
It seems most people that say they are done talking about it never really are 
until given the last word.
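
An added example (not from any poster in this thread) that parses the two /etc/pam.d/su files quoted above, diffs their active rules, and checks whether pam_securetty.so sits directly after pam_rootok.so as suggested. The function names are assumptions; the file contents are the ones quoted in the message, with column whitespace restored.

```python
import re

# The two /etc/pam.d/su files as quoted in the thread (column whitespace restored).
FEDORA22_SU = """\
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the wheel group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the wheel group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
"""

CENTOS66_SU = """\
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the wheel group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the wheel group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
"""

# type, control (keyword or [bracketed] form), module or included file, arguments
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return the active rules of a pam.d service file, in stack order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and the #%PAM header
        m = RULE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3), tuple(m.group(4).split())))
    return rules


def diff_rules(a, b):
    """Rules present only in a, and only in b, each in original order."""
    return [r for r in a if r not in b], [r for r in b if r not in a]


def audit_su(rules):
    """Report the auth-stack properties discussed in the thread."""
    auth = [r for r in rules if r[0] == "auth"]
    mods = [r[2] for r in auth]

    def enforced(mod):
        return any(r[2] == mod and r[1] in ("required", "requisite") for r in auth)

    i = mods.index("pam_rootok.so") if "pam_rootok.so" in mods else -1
    return {
        "wheel_required": enforced("pam_wheel.so"),
        "securetty_required": enforced("pam_securetty.so"),
        "securetty_follows_rootok": i >= 0 and mods[i + 1:i + 2] == ["pam_securetty.so"],
    }


def add_securetty(text):
    """Insert the suggested line directly after the pam_rootok.so rule.

    pam_securetty.so lets root authenticate only on terminals listed in /etc/securetty.
    """
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.split("#", 1)[0].split()[2:3] == ["pam_rootok.so"]:
            out.append("auth            required        pam_securetty.so")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fed, cen = parse_pam(FEDORA22_SU), parse_pam(CENTOS66_SU)
    only_fed, only_cen = diff_rules(fed, cen)
    print("only in Fedora 22: ", only_fed)
    print("only in CentOS 6.6:", only_cen)
    print("as quoted:  ", audit_su(cen))
    print("with change:", audit_su(parse_pam(add_securetty(CENTOS66_SU))))
```

Neither quoted file contains pam_securetty.so; the diff is limited to the control used for system-auth and the two postlogin includes.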


Re: Fwd: Fedora22 Security Issue.

2015-08-18 Thread Scott Mattan
I have changed my settings from digest.

I will additionally try to add the pam_securetty.so to my su file when I
get home tonight (JST)

Thanks

On Wed, Aug 19, 2015 at 11:04 AM, Ed Greshko ed.gres...@greshko.com wrote:

> On 08/19/15 08:55, Scott Mattan wrote:
> > Sorry about the other post, this one may not come in correctly either...
> >
> > In any case, I will explain this after the main issue...
> >
> > I have the following differences in my /etc/pam.d/su file:
> >
> > Fedora22:
> > #%PAM-1.0
> > auth            sufficient      pam_rootok.so
> > # Uncomment the following line to implicitly trust users in the wheel group.
> > #auth           sufficient      pam_wheel.so trust use_uid
> > # Uncomment the following line to require a user to be in the wheel group.
> > #auth           required        pam_wheel.so use_uid
> > auth            substack        system-auth
> > auth            include         postlogin
> > account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
> > account         include         system-auth
> > password        include         system-auth
> > session         include         system-auth
> > session         include         postlogin
> > session         optional        pam_xauth.so
> >
> > CentOS6.6:
> >
> > #%PAM-1.0
> > auth            sufficient      pam_rootok.so
> > # Uncomment the following line to implicitly trust users in the wheel group.
> > #auth           sufficient      pam_wheel.so trust use_uid
> > # Uncomment the following line to require a user to be in the wheel group.
> > #auth           required        pam_wheel.so use_uid
> > auth            include         system-auth
> > account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
> > account         include         system-auth
> > password        include         system-auth
> > session         include         system-auth
> > session         optional        pam_xauth.so
> >
> > When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if
> > this is the cause I become unable to open sockets.
> >
> > [ root@localhost ~ ]# su user
> > could not open session
>
> Use the original file in pam.d for su and try adding this after the
> pam_rootok.so line...
>
> auth required pam_securetty.so
>
> > Now for my lack of understanding of the mailing list.
> >
> > On the computer, I don't understand how to reply without having to copy
> > information from multiple sources.  The entire list comes in a single post
> > (very difficult to read) and replying to one means replying to all.
>
> Sounds like you've picked digest for the list messages and your mailer
> doesn't quite know how to handle them.
>
> > Additionally, operating on my phone doesn't even permit me to view the
> > posts, and I must manually go to the archives to read any of the new
> > additions.
> >
> > Is there a better way of viewing this list without having to copy paste
> > titles and contents?
>
> Modify your settings to not get a digest.
>
> --
> It seems most people that say they are done talking about it never
> really are until given the last word.



Re: Fedora22 Security Issue.

2015-08-18 Thread inode0
On Tue, Aug 18, 2015 at 2:09 AM, Scott Mattan s-mat...@niscom.co.jp wrote:
> Hello,
>
> I am seeing some disparity between (two distributions granted) CentOS 6.6
> and Fedora22 in their use of the su utility.  I cannot figure out the cause,
> so I cannot fix it.
>
> In CentOS there is no way to script login to root... this is of course a
> desirable trait.
> for instance,
> [ user@localhost user ]$ su root << EOF
> > password
> > echo
> > id
> > EOF
> standard in must be a tty

$ (sleep 1; echo password) | python -c "import pty; pty.spawn(['/bin/su','-c','id']);"

Some programs require stdin on a tty, su has gone back and forth on
it. It really doesn't stop anything.

John


Re: Fedora22 Security Issue.

2015-08-18 Thread Patrick O'Callaghan
On Wed, 2015-08-19 at 04:05 +0800, Ed Greshko wrote:
 On 08/19/15 00:10, Patrick O'Callaghan wrote:
  On Wed, 2015-08-19 at 00:13 +0900, Scott Mattan wrote:
   I haven't tried comparing yet but I've verified that disabling various
   combinations on the cent machine does not produce the same results.
  Same results as what? Is this part of some other thread?
  
 Yes, the OP sent a new message with the same subject in response to
 an answer that I gave.

And without quoting any context.

poc



Re: Fedora22 Security Issue.

2015-08-18 Thread Scott Mattan
I just tried the non-login-shell with those settings, and it didn't offer
any change from the previous response.

(I primarily work with CentOS6.6 at work but am testing Fedora at home and
would like to implement similar security settings)

[ user@localhost ~]$ su - <<EOF
 password
 echo 
 id
 EOF
standard in must be a tty

I'm going to look into PAM to check for related files, please let me know
if you have more advice on this issue as technically this allows for
scripted access to root (good for initial setup of production environments
provided you lock it down afterwards, however it could also be exploited by
intelligent malware).

Thanks, and I look forward to hearing from you.


On Wed, Aug 19, 2015 at 9:55 AM, Scott Mattan s-mat...@niscom.co.jp wrote:

 Sorry about the other post, this one may not come in correctly either...

 In any case, I will explain this after the main issue...

 I have the following differences in my /etc/pam.d/su file:

 Fedora22:
 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 # Uncomment the following line to implicitly trust users in the wheel group.
 #auth           sufficient      pam_wheel.so trust use_uid
 # Uncomment the following line to require a user to be in the wheel group.
 #auth           required        pam_wheel.so use_uid
 auth            substack        system-auth
 auth            include         postlogin
 account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
 account         include         system-auth
 password        include         system-auth
 session         include         system-auth
 session         include         postlogin
 session         optional        pam_xauth.so

 CentOS6.6:

 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 # Uncomment the following line to implicitly trust users in the wheel group.
 #auth           sufficient      pam_wheel.so trust use_uid
 # Uncomment the following line to require a user to be in the wheel group.
 #auth           required        pam_wheel.so use_uid
 auth            include         system-auth
 account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
 account         include         system-auth
 password        include         system-auth
 session         include         system-auth
 session         optional        pam_xauth.so

 When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if
 this is the cause I become unable to open sockets.

 [ root@localhost ~ ]# su user
 could not open session

 So while this may be the issue, I have to believe that it is not the sole
 issue and there must be another cause.
 I hadn't tested the su-l file for differences yet, but it is primarily for
 login-shells... which admittedly my CentOS6.6 connection is through a
 login-shell as it is through ssh, whereas the Fedora22 is through a
 non-login-shell from the GUI.

 Luckily this CentOS6.6 system also has a GUI so I will try to replicate
 from a non-login-shell and get back to you with more information.

 Now for my lack of understanding of the mailing list.

 On the computer, I don't understand how to reply without having to copy
 information from multiple sources.  The entire list comes in a single post
 (very difficult to read) and replying to one means replying to all.

 Additionally, operating on my phone doesn't even permit me to view the
 posts, and I must manually go to the archives to read any of the new
 additions.

 Is there a better way of viewing this list without having to copy paste
 titles and contents?



Fwd: Fedora22 Security Issue.

2015-08-18 Thread Scott Mattan
Sorry about the other post, this one may not come in correctly either...

In any case, I will explain this after the main issue...

I have the following differences in my /etc/pam.d/su file:

Fedora22:
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the wheel group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the wheel group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

CentOS6.6:

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the wheel group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the wheel group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if this
is the cause I become unable to open sockets.

[ root@localhost ~ ]# su user
could not open session

So while this may be the issue, I have to believe that it is not the sole
issue and there must be another cause.
I hadn't tested the su-l file for differences yet, but it is primarily for
login-shells... which admittedly my CentOS6.6 connection is through a
login-shell as it is through ssh, whereas the Fedora22 is through a
non-login-shell from the GUI.

Luckily this CentOS6.6 system also has a GUI so I will try to replicate
from a non-login-shell and get back to you with more information.

Now for my lack of understanding of the mailing list.

On the computer, I don't understand how to reply without having to copy
information from multiple sources.  The entire list comes in a single post
(very difficult to read) and replying to one means replying to all.

Additionally, operating on my phone doesn't even permit me to view the
posts, and I must manually go to the archives to read any of the new
additions.

Is there a better way of viewing this list without having to copy paste
titles and contents?
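The by-eye comparison of the two /etc/pam.d/su files in the message above, done rule by rule. This is an added example, not part of the original post; the two stacks are transcribed from the post with column whitespace restored and the commented-out pam_wheel lines omitted, and the function names are this example's own.

```python
import re
# The two /etc/pam.d/su stacks from the post (active rules plus the header comment).
FEDORA22_SU = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      substack    system-auth
auth      include     postlogin
account   sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account   include     system-auth
password  include     system-auth
session   include     system-auth
session   include     postlogin
session   optional    pam_xauth.so
"""
CENTOS66_SU = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account   include     system-auth
password  include     system-auth
session   include     system-auth
session   optional    pam_xauth.so
"""

# Fields: type, control (one word or a [bracketed list]), module, optional args.
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return active rules as (type, control, module, args), in stack order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())  # drop comments
        if m:
            rules.append(m.groups())
    return rules

def diff_stacks(a, b):
    """Rules present only in stack a, and rules present only in stack b."""
    ra, rb = parse_pam(a), parse_pam(b)
    return [r for r in ra if r not in rb], [r for r in rb if r not in ra]

def pulled_in(text):
    """Other /etc/pam.d files a stack loads through include or substack."""
    return {mod for _, ctl, mod, _ in parse_pam(text) if ctl in ("include", "substack")}

if __name__ == "__main__":
    print(diff_stacks(FEDORA22_SU, CENTOS66_SU))
    print(pulled_in(FEDORA22_SU) - pulled_in(CENTOS66_SU))
```

`pulled_in` names the other /etc/pam.d files a stack depends on; the Fedora 22 stack references `postlogin`, which the CentOS 6.6 stack quoted above never does.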


Re: Fedora22 Security Issue.

2015-08-18 Thread Martin Cigorraga
Hi,

I recently came up with this 'issue' (not really an issue in fact, please
read along) when I configured a Webmin panel on a CentOS 6.7 instance we
use at work.

Thing is that the sudo tool provides a configuration flag to deny a command
execution if it's not being invoked from a console. Originally this was
thought as an additional security layer but ultimately proved to be more a
nuisance than anything else and that's why Red Hat decided to switch it off
by default on newer releases starting with RHEL 7 (I don't know starting at
which Fedora release though).

To disable this check launch visudo, look for Defaults requiretty and
comment the line. I believe that you can accomplish the same by adding the
entry to a file in /etc/sudo.d/ but I didn't test it myself.

HTH

On Wed, Aug 19, 2015 at 1:31 AM inode0 ino...@gmail.com wrote:

 On Tue, Aug 18, 2015 at 2:09 AM, Scott Mattan s-mat...@niscom.co.jp
 wrote:
  Hello,
 
  I am seeing some disparity between (two distributions granted) CentOS 6.6
  and Fedora22 in their use of the su utility.  I cannot figure out the
 cause,
  so I cannot fix it.
 
  In CentOS there is no way to script login to root... this is of course a
  desirable trait.
  for instance,
  [ user@localhost user ]$ su root <<EOF
  password
  echo 
  id
  EOF
  standard in must be a tty

 $ (sleep 1; echo password) | python -c "import pty; pty.spawn(['/bin/su','-c','id']);"

 Some programs require stdin on a tty, su has gone back and forth on
 it. It really doesn't stop anything.

 John



Fedora22 Security Issue.

2015-08-18 Thread Scott Mattan
I haven't tried comparing yet but I've verified that disabling various
combinations on the cent machine does not produce the same results.

I understand that this is not a perfect method and will take a look as soon
as I get home at the very latest by tomorrow JST, and then report back
-- 

Re: Fedora22 Security Issue.

2015-08-18 Thread Patrick O'Callaghan
On Wed, 2015-08-19 at 00:13 +0900, Scott Mattan wrote:
 I haven't tried comparing yet but I've verified that disabling various
 combinations on the cent machine does not produce the same results.

Same results as what? Is this part of some other thread?

poc
