portscans and sniffing

2002-01-21 Thread kuepper
Hi all. I have startet a Security Company in Germany an now i have e few questions. Are ftp anonymous scans illegal? if it is, can i get an license to do penetrations test? thx for help, thomas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact

Re: portscans and sniffing

2002-01-21 Thread Mark Janssen
On Mon, Jan 21, 2002 at 10:36:18AM +0100, [EMAIL PROTECTED] wrote: > Hi all. > > I have startet a Security Company in Germany an now i have e few questions. First try learning how to write :) > > Are ftp anonymous scans illegal? That depends on what country the system is located in, but genera

Mail server anti-virus software?

2002-01-21 Thread Mikko Kilpikoski
Hi. I am setting up a (updating an existing) mail server at our company and would like to get some recommendations on what anti-virus software to run on the server. Currently I'm only looking for an on-demand mail scanner. (Maybe also with some kind of HTTP proxy support too. On-access scanni

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.20.0245 +0100]: > If the use of switch user has remote security implications I want to > be able to understand them. The same as I want to be able to > understand if leaving a root console open has remote security > implications. Don't worry abo

Re: Re: How do I disable (close) ports?

2002-01-21 Thread Rob Weir
On Wed, Jan 16, 2002 at 12:36:21PM -0500, Noah L. Meyerhans wrote: > On Wed, Jan 16, 2002 at 12:25:34PM -0500, Chris Hilts wrote: > > >> It seems to. The above ports were closed just by commenting them out > > >> of /etc/services and then rebooting. > > > An init 1, init 3 would have worked as we

RE: Mail server anti-virus software?

2002-01-21 Thread Antropov Anton
> I've tried to check a few websites for info on the commercial products, > but I find them mostly confusing. Many have like one to a billion > different 'products' or 'solutions' listed and I can't find the magic > word linux anywhere either... :/ > > Well, here's my list of questions: > Are

Re: Mail server anti-virus software?

2002-01-21 Thread Mirko Wollenberg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, Am Montag, 21. Januar 2002 11:17 schrieb Mikko Kilpikoski: > Hi. > > I am setting up a (updating an existing) mail server at our company and > would like to get some recommendations on what anti-virus software to > run on the server. Currently I'

Re: Mail server anti-virus software?

2002-01-21 Thread martin f krafft
also sprach Antropov Anton <[EMAIL PROTECTED]> [2002.01.21.1231 +0100]: > > Also, which mailserver would you recommend? (I have to learn one > > anyway.) > I'd recommend QMail. Why? - Read some mailing lists... And this is commonly > the question of religion. and i'd recommend postfix. tryin

Re: Mail server anti-virus software?

2002-01-21 Thread Tarjei
> > >and i'd recommend postfix. > I run postfix + kavcheck + avcheck (do a google and you'll probably find it). kavcheck's postfix implementation isn't very good, but the avcheck program comes complete with a howto do set it up chroot. Very nice. Combine this with crontab and you can update twi

Re: su - user question

2002-01-21 Thread Adam Warner
On Mon, 2002-01-21 at 23:40, martin f krafft wrote: > nevertheless, leave a root console open on a production machine really > just calls for trouble. imagine you are about to head for lunch with a > friend, but you decide to check something in the server room quickly. > while you stare at your

RE: Mail server anti-virus software?

2002-01-21 Thread Antropov Anton
> > > Also, which mailserver would you recommend? (I have to learn one > > > anyway.) > > I'd recommend QMail. Why? - Read some mailing lists... And this > is commonly > > the question of religion. > > and i'd recommend postfix. > > trying hard to stay away from a religious war, i am keeping t

Re: Re: [ot] how to create a user that can't log in?

2002-01-21 Thread Phillip Hofmeister
Please, everyone flame me if this is a blatant security hole Make your shell script secure, non-interuptable set the permission on it to 4750 (Setuid bit) with GROUP Being the group of people you want to run it and OWNER being the person you want to run it as. Phil -Original Messa

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]: > Martin, it's a server in my spare room :-) The only person installing a > backdoor on the server would be an unlawful intruder. Or a cat who can > type ;-) Your points are well taken and I would follow the same security > pract

securid logins

2002-01-21 Thread martin f krafft
assuming i have SecurID tokens with licenses, can i make linux authenticate based on these *without* the use of external or commercial software (like ACE/Server)? any experience anyone? -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto:"

Re: Re: [ot] how to create a user that can't log in?

2002-01-21 Thread martin f krafft
also sprach Phillip Hofmeister <[EMAIL PROTECTED]> [2002.01.21.1511 +0100]: > Please, everyone flame me if this is a blatant security hole consider yourself flamed. > Make your [setuid] shell script secure, non-interuptable good luck. there is *a lot* of insecurity in a shell script. yo

Re: Re: [ot] how to create a user that can't log in?

2002-01-21 Thread Peter Wiersig
Am Montag, 21. Januar 2002 15:21 schrieb martin f krafft: > don't run shellscripts setuid or setgid. AFAIK Linux doesn't support setuid or setgid scripts, if you want to achieve things like this, you'll have to use an setgid or setuid interpreter (a.k.a. suidperl). Good Luck writing a secure

tcl, tk and tix

2002-01-21 Thread Mathias Palm
The Tcl 8.3, Tk 8.3 and Tix 41 packages are not tuned to work ivery well with each other in woody. Using it out of box I get and starting tclsh % package require Tk couldn't load file "/usr/lib/tk8.3/libtk8.3.so.1": /usr/lib/tk8.3/libtk8.3.so.1: cannot open shared object file: No such file or d

Re: tcl, tk and tix

2002-01-21 Thread Junichi Uekawa
Mathias Palm <[EMAIL PROTECTED]> cum veritate scripsit: > I am not sure if the packagers of tcl are reading this list. If somebody > knows a better way to reach them, please write me or even better, > forward it to the appropriate place. Write to [EMAIL PROTECTED], and proceed to filing bugs aga

the su - user thread

2002-01-21 Thread martin f krafft
this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or may not have been, be, or will be applicable to Debian Linux or Linux in general. you have been warned. properly. http://www.aerasec.de/security/index.html?id=ae-200201-053&lang=en -- martin; (greetings from th

Re: portscans and sniffing

2002-01-21 Thread Thiemo Nagel
Hi, AFAIK port scans are legal in Germany. It is even legal to break into a system, as long as you don't damage anything (which would be computer sabotage; but pay attention, killing a process with an exploit would already be "damaging the system") or look at anything (which would be spying). An

Re: su - user question

2002-01-21 Thread Federico Grau
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sun, Jan 20, 2002 at 11:04:13AM +1300, Adam Warner wrote: > Hi everyone, > ... > The question I have is if I "su - username" and then browse the web, > etc. is it impossible for a remote user who managed to gain access to > that user session to be

root's home world readable

2002-01-21 Thread eim
Hallo debian-sec folks, While I was checking up some configurations, I've noticed that the root's home directory /root is world readable... $ drwxr-xr-x2 root root 4.0k Jan 21 15:33 root This seems to be Debian's default configuration, because also on other Potato boxes I've fou

Re: root's home world readable

2002-01-21 Thread Noah L. Meyerhans
On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote: > > Why has Debian choosen to let users access root's home ? Why not? Debian doesn't put any sensitive files there. In fact, it doesn't put anything notable there at all. > Let me say I "chmod 0700 /root", will I encounter any > problems th

Re: tcl, tk and tix

2002-01-21 Thread Mathias Palm
Oops, wrong thread, sorry about this Mathias -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: root's home world readable

2002-01-21 Thread Chris Francy
At 11:03 AM 1/21/2002, you wrote: >On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote: > > > > Why has Debian choosen to let users access root's home ? > >Why not? Debian doesn't put any sensitive files there. In fact, it >doesn't put anything notable there at all. There is at least one packa

Re: root's home world readable

2002-01-21 Thread Noah L. Meyerhans
On Mon, Jan 21, 2002 at 01:34:31PM -0800, Chris Francy wrote: > > There is at least one package in Debian that requires you to put sensitive > information in /root. The mysql server package needs you to have a .my.cnf > in the /root if you want the logs to rotate. The my.cnf contains the clea

Re: root's home world readable

2002-01-21 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: >> I have changed /root to 0700 on all my installations because I am running >> mysql server. It hasn't broken anything. > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that > case? Clearly there are individual files that you d

Re: root's home world readable

2002-01-21 Thread Thomas Bushnell, BSG
Chris Francy <[EMAIL PROTECTED]> writes: > There is at least one package in Debian that requires you to put > sensitive information in /root. The mysql server package needs you to > have a .my.cnf in the /root if you want the logs to rotate. The > my.cnf contains the clear text version of the r

Re: root's home world readable

2002-01-21 Thread Noah L. Meyerhans
On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote: > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that > > case? Clearly there are individual files that you don't want > > world-readable, but that's true for normal users' home dirs as well. > > Why do you want folks

Re: root's home world readable

2002-01-21 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: > On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote: > > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that >> > case? Clearly there are individual files that you don't want >> > world-readable, but that's true for norma

Re: su - user question

2002-01-21 Thread Adam Warner
On Tue, 2002-01-22 at 03:11, martin f krafft wrote: > also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]: > > Martin, it's a server in my spare room :-) The only person installing a > > backdoor on the server would be an unlawful intruder. Or a cat who can > > type ;-) Your points

Re: su - user question

2002-01-21 Thread Adam Warner
On Tue, 2002-01-22 at 07:41, Federico Grau wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Sun, Jan 20, 2002 at 11:04:13AM +1300, Adam Warner wrote: > > Hi everyone, > > > ... > > The question I have is if I "su - username" and then browse the web, > > etc. is it impossible for a

Re: Mail server anti-virus software?

2002-01-21 Thread Volker Tanger
Greetings! On Mon, Jan 21, 2002 at 12:17:56PM +0200, Mikko Kilpikoski wrote: > > Well, here's my list of questions: > Are there any free or no cost solutions (for corporate use)? For exim there is a filter which rejects all mail with directly executable files attached (ftp.exim.org/pub/filt

Re: su - user question

2002-01-21 Thread Dave Kline
martin f krafft wrote: >also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]: > >>Martin, it's a server in my spare room :-) The only person installing a >>backdoor on the server would be an unlawful intruder. Or a cat who can >>type ;-) Your points are well taken and I would follo

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2304 +0100]: > > as sad as it sounds, unlawful intruders happen. this being a true > > story, i have 11 machines in my spare room, and my house was broken > > in once. the *only* thing the intruder did was reboot one of the > > machines (that

Re: [d-security] Re: root's home world readable

2002-01-21 Thread Christian Hammers
On Mon, Jan 21, 2002 at 01:46:58PM -0800, Thomas Bushnell, BSG wrote: > > There is at least one package in Debian that requires you to put > > sensitive information in /root. The mysql server package needs you to > > have a .my.cnf in the /root if you want the logs to rotate. The > > my.cnf cont

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Dave Kline <[EMAIL PROTECTED]> [2002.01.21.2340 +0100]: > Woah, that does sound a little far-fetched. I am assuming there is a > little more to this story? I would think most *physical* intruders > would try to nab DVD players, valuables, and money, not wander into a > spare room and

Re: [d-security] Re: root's home world readable

2002-01-21 Thread Thomas Bushnell, BSG
Christian Hammers <[EMAIL PROTECTED]> writes: > On Mon, Jan 21, 2002 at 01:46:58PM -0800, Thomas Bushnell, BSG wrote: > > > There is at least one package in Debian that requires you to put > > > sensitive information in /root. The mysql server package needs you to > > > have a .my.cnf in the /ro

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2307 +0100]: > Federico, are you saying that if you su - to a user account (from root) > and then start X that you are running X as root? If so that is a major > problem. no, he actually says that with exec, you should theoretically be more

Re: [d-security] Re: root's home world readable

2002-01-21 Thread Christian Hammers
Hi On Mon, Jan 21, 2002 at 03:23:15PM -0800, Thomas Bushnell, BSG wrote: > If it's a way to get "the logs" to rotate, that sure sounds like a > system-wide option. If it's a root password to a system-wide > database, then that's also a system-wide option. The password for the mysql root user i

Re: [d-security] Re: root's home world readable

2002-01-21 Thread Thomas Bushnell, BSG
Christian Hammers <[EMAIL PROTECTED]> writes: > The password for the mysql root user is not property of the system wide > configuration as I can't force the user to change a file in /etc > every time they change the users password and, due to mysqls default to > use the mysql user of the same nam

Local exploit in courier-mta package

2002-01-21 Thread Stefan Hornburg (Racke)
Package: courier-mta Version: 0.36.1-2 Severity: critical A hand-crafted .courier file can be used to insert \r characters in the message queue file. A bug in the function that reads message queue files subsequently results in memory corruption. This exploit is fixed in 0.37.2 upstream, I'll up

mysql admin user (was: root's home world readable)

2002-01-21 Thread Christian Hammers
Hello On Mon, Jan 21, 2002 at 03:35:14PM -0800, Thomas Bushnell, BSG wrote: [cutted much to answer all below] > > So I end up with a debian specific user with shutdown/reload privileges > > that's created with a random (saved) password at installtime as the best > > solution, or? > > Nope. Pr

dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread Christian Jaeger
This can be a real security hole, at least when you are not aware of it (I have just discovered a working way to exploit it on one of my machines). dpkg-buildpackage makes a semi-real "make install" into a sub directory of the debian/ directory in the source dir, and then tar's the installed

Re: securid logins

2002-01-21 Thread Petro
On Mon, Jan 21, 2002 at 06:16:34AM -0800, martin f krafft wrote: > assuming i have SecurID tokens with licenses, can i make linux > authenticate based on these *without* the use of external or commercial > software (like ACE/Server)? any experience anyone? I don't think so. But I'd be i

Re: securid logins

2002-01-21 Thread Wichert Akkerman
Previously Petro wrote: > I don't think so. > But I'd be interested in the responses as well. There is some support in PAM and in OpenSSH. I have a cryptocard RB-1 token now which I intent to get working with OpenSSH at least once I have some free time to spent on it. Wichert. -- __

Re: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread martin f krafft
also sprach Christian Jaeger <[EMAIL PROTECTED]> [2002.01.22.0111 +0100]: > Now you may say "don't build packages as root, use fakeroot instead". > Well I have always used it, and somehow thought I'm safe, but I'm > not: the permissions modes (like 4755) make it through to the real > filesystem

Re: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread Christian Jaeger
At 1:19 Uhr +0100 22.01.2002, martin f krafft wrote: >why are your build directories accessible to the world? a simple >chmod 0700 ~/deb/build fixes all these problems for me, and >persistently... They were accessible, because I didn't realize that there was a risk, and because it's convenient w

Re: securid logins

2002-01-21 Thread martin f krafft
also sprach Wichert Akkerman <[EMAIL PROTECTED]> [2002.01.22.0122 +0100]: > There is some support in PAM and in OpenSSH. I have a cryptocard > RB-1 token now which I intent to get working with OpenSSH at least > once I have some free time to spent on it. yeah, but that's OpenSSH only (which *is*

Re: securid logins

2002-01-21 Thread Robert van der Meulen
Hi, Quoting martin f krafft ([EMAIL PROTECTED]): > yeah, but that's OpenSSH only (which *is* 99% of what you'd use it for). > but i'd love a PAM-based solution. maybe i should port it. if openssh > can do it, then the code is open-source, then pam should be able to do > it too. There are open sou

Re: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread martin f krafft
also sprach Christian Jaeger <[EMAIL PROTECTED]> [2002.01.22.0129 +0100]: > They were accessible, because I didn't realize that there was a risk, > and because it's convenient when other users on the system can grab > the finished .deb's from the build dir (to install them on their > machine) w

Re: su - user question

2002-01-21 Thread Adam Warner
On Tue, 2002-01-22 at 12:21, martin f krafft wrote: > also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2307 +0100]: > > Federico, are you saying that if you su - to a user account (from root) > > and then start X that you are running X as root? If so that is a major > > problem. > > no, he

Re: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread Christian Jaeger
>yes, that's UNIX life. convenience ~ security^-1, I just wanted to point it out here, since I wasn't sure whether I should file a bug report against fakeroot for writing suid through, or one for the fakeroot manpage not mentioning the danger, or one for dpkg-buildpackage either for not mentio

RE: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread Howland, Curtis
For the non-mathmatical, or rather gramatical, style to say it, I use the phrase: "Security is Inconvenient." The first time I say it to someone, they usually pause for a moment, digest it, and it really helps in further discussions about "what to do about...". It's my answer, for instance, wh

Re: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread Daniel Jacobowitz
On Tue, Jan 22, 2002 at 01:11:18AM +0100, Christian Jaeger wrote: > This can be a real security hole, at least when you are not aware of > it (I have just discovered a working way to exploit it on one of my > machines). And isn't that a bug in the package in question? :) -- Daniel Jacobowitz

Re: the su - user thread [Potential Debian Security Issue]

2002-01-21 Thread Adam Warner
On Tue, 2002-01-22 at 05:26, martin f krafft wrote: > this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or > may not have been, be, or will be applicable to Debian Linux or Linux in > general. you have been warned. properly. > > http://www.aerasec.de/security/index.html?id=ae-2

Re: the su - user thread [Potential Debian Security Issue]

2002-01-21 Thread Leo Howell
On Tue, Jan 22, 2002 at 05:11:45PM +1300, Adam Warner wrote: > Why does the KDE Control Center think the user is currently root? In > contrast the GNOME Control Center properly identifies the username. Perhaps KDE uses getlogin(2) ? -- Leo Howell M5AKW

portscans and sniffing

2002-01-21 Thread kuepper
Hi all. I have startet a Security Company in Germany an now i have e few questions. Are ftp anonymous scans illegal? if it is, can i get an license to do penetrations test? thx for help, thomas

Re: portscans and sniffing

2002-01-21 Thread Mark Janssen
On Mon, Jan 21, 2002 at 10:36:18AM +0100, [EMAIL PROTECTED] wrote: > Hi all. > > I have startet a Security Company in Germany an now i have e few questions. First try learning how to write :) > > Are ftp anonymous scans illegal? That depends on what country the system is located in, but general

Mail server anti-virus software?

2002-01-21 Thread Mikko Kilpikoski
Hi. I am setting up a (updating an existing) mail server at our company and would like to get some recommendations on what anti-virus software to run on the server. Currently I'm only looking for an on-demand mail scanner. (Maybe also with some kind of HTTP proxy support too. On-access scanni

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.20.0245 +0100]: > If the use of switch user has remote security implications I want to > be able to understand them. The same as I want to be able to > understand if leaving a root console open has remote security > implications. Don't worry abou

Re: Re: How do I disable (close) ports?

2002-01-21 Thread Rob Weir
On Wed, Jan 16, 2002 at 12:36:21PM -0500, Noah L. Meyerhans wrote: > On Wed, Jan 16, 2002 at 12:25:34PM -0500, Chris Hilts wrote: > > >> It seems to. The above ports were closed just by commenting them out > > >> of /etc/services and then rebooting. > > > An init 1, init 3 would have worked as wel

RE: Mail server anti-virus software?

2002-01-21 Thread Antropov Anton
> I've tried to check a few websites for info on the commercial products, > but I find them mostly confusing. Many have like one to a billion > different 'products' or 'solutions' listed and I can't find the magic > word linux anywhere either... :/ > > Well, here's my list of questions: > Are t

Re: Mail server anti-virus software?

2002-01-21 Thread Mirko Wollenberg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, Am Montag, 21. Januar 2002 11:17 schrieb Mikko Kilpikoski: > Hi. > > I am setting up a (updating an existing) mail server at our company and > would like to get some recommendations on what anti-virus software to > run on the server. Currently I'm

Re: Mail server anti-virus software?

2002-01-21 Thread martin f krafft
also sprach Antropov Anton <[EMAIL PROTECTED]> [2002.01.21.1231 +0100]: > > Also, which mailserver would you recommend? (I have to learn one > > anyway.) > I'd recommend QMail. Why? - Read some mailing lists... And this is commonly > the question of religion. and i'd recommend postfix. trying

Re: Mail server anti-virus software?

2002-01-21 Thread Tarjei
and i'd recommend postfix. I run postfix + kavcheck + avcheck (do a google and you'll probably find it). kavcheck's postfix implementation isn't very good, but the avcheck program comes complete with a howto do set it up chroot. Very nice. Combine this with crontab and you can update twice d

Re: su - user question

2002-01-21 Thread Adam Warner
On Mon, 2002-01-21 at 23:40, martin f krafft wrote: > nevertheless, leave a root console open on a production machine really > just calls for trouble. imagine you are about to head for lunch with a > friend, but you decide to check something in the server room quickly. > while you stare at your

RE: Mail server anti-virus software?

2002-01-21 Thread Antropov Anton
> > > Also, which mailserver would you recommend? (I have to learn one > > > anyway.) > > I'd recommend QMail. Why? - Read some mailing lists... And this > is commonly > > the question of religion. > > and i'd recommend postfix. > > trying hard to stay away from a religious war, i am keeping th

Re: Re: [ot] how to create a user that can't log in?

2002-01-21 Thread Phillip Hofmeister
Please, everyone flame me if this is a blatant security hole Make your shell script secure, non-interuptable set the permission on it to 4750 (Setuid bit) with GROUP Being the group of people you want to run it and OWNER being the person you want to run it as. Phil -Original Messag

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]: > Martin, it's a server in my spare room :-) The only person installing a > backdoor on the server would be an unlawful intruder. Or a cat who can > type ;-) Your points are well taken and I would follow the same security > practi

securid logins

2002-01-21 Thread martin f krafft
assuming i have SecurID tokens with licenses, can i make linux authenticate based on these *without* the use of external or commercial software (like ACE/Server)? any experience anyone? -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto:";

Re: Re: [ot] how to create a user that can't log in?

2002-01-21 Thread martin f krafft
also sprach Phillip Hofmeister <[EMAIL PROTECTED]> [2002.01.21.1511 +0100]: > Please, everyone flame me if this is a blatant security hole consider yourself flamed. > Make your [setuid] shell script secure, non-interuptable good luck. there is *a lot* of insecurity in a shell script. you

Re: Re: [ot] how to create a user that can't log in?

2002-01-21 Thread Peter Wiersig
Am Montag, 21. Januar 2002 15:21 schrieb martin f krafft: > don't run shellscripts setuid or setgid. AFAIK Linux doesn't support setuid or setgid scripts, if you want to achieve things like this, you'll have to use an setgid or setuid interpreter (a.k.a. suidperl). Good Luck writing a secure

tcl, tk and tix

2002-01-21 Thread Mathias Palm
The Tcl 8.3, Tk 8.3 and Tix 41 packages are not tuned to work ivery well with each other in woody. Using it out of box I get and starting tclsh % package require Tk couldn't load file "/usr/lib/tk8.3/libtk8.3.so.1": /usr/lib/tk8.3/libtk8.3.so.1: cannot open shared object file: No such file or di

Re: tcl, tk and tix

2002-01-21 Thread Junichi Uekawa
Mathias Palm <[EMAIL PROTECTED]> cum veritate scripsit: > I am not sure if the packagers of tcl are reading this list. If somebody > knows a better way to reach them, please write me or even better, > forward it to the appropriate place. Write to debian-user@lists.debian.org, and proceed to filin

the su - user thread

2002-01-21 Thread martin f krafft
this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or may not have been, be, or will be applicable to Debian Linux or Linux in general. you have been warned. properly. http://www.aerasec.de/security/index.html?id=ae-200201-053&lang=en -- martin; (greetings from the

Re: portscans and sniffing

2002-01-21 Thread Thiemo Nagel
Hi, AFAIK port scans are legal in Germany. It is even legal to break into a system, as long as you don't damage anything (which would be computer sabotage; but pay attention, killing a process with an exploit would already be "damaging the system") or look at anything (which would be spying). Any

Re: su - user question

2002-01-21 Thread Federico Grau
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sun, Jan 20, 2002 at 11:04:13AM +1300, Adam Warner wrote: > Hi everyone, > ... > The question I have is if I "su - username" and then browse the web, > etc. is it impossible for a remote user who managed to gain access to > that user session to bec

root's home world readable

2002-01-21 Thread eim
Hallo debian-sec folks, While I was checking up some configurations, I've noticed that the root's home directory /root is world readable... $ drwxr-xr-x2 root root 4.0k Jan 21 15:33 root This seems to be Debian's default configuration, because also on other Potato boxes I've foun

Re: root's home world readable

2002-01-21 Thread Noah L. Meyerhans
On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote: > > Why has Debian choosen to let users access root's home ? Why not? Debian doesn't put any sensitive files there. In fact, it doesn't put anything notable there at all. > Let me say I "chmod 0700 /root", will I encounter any > problems thr

Re: tcl, tk and tix

2002-01-21 Thread Mathias Palm
Oops, wrong thread, sorry about this Mathias

Re: root's home world readable

2002-01-21 Thread Chris Francy
At 11:03 AM 1/21/2002, you wrote: On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote: > > Why has Debian choosen to let users access root's home ? Why not? Debian doesn't put any sensitive files there. In fact, it doesn't put anything notable there at all. There is at least one package in

Re: root's home world readable

2002-01-21 Thread Noah L. Meyerhans
On Mon, Jan 21, 2002 at 01:34:31PM -0800, Chris Francy wrote: > > There is at least one package in Debian that requires you to put sensitive > information in /root. The mysql server package needs you to have a .my.cnf > in the /root if you want the logs to rotate. The my.cnf contains the clear

Re: root's home world readable

2002-01-21 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: >> I have changed /root to 0700 on all my installations because I am running >> mysql server. It hasn't broken anything. > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that > case? Clearly there are individual files that you do

Re: root's home world readable

2002-01-21 Thread Thomas Bushnell, BSG
Chris Francy <[EMAIL PROTECTED]> writes: > There is at least one package in Debian that requires you to put > sensitive information in /root. The mysql server package needs you to > have a .my.cnf in the /root if you want the logs to rotate. The > my.cnf contains the clear text version of the ro

Re: root's home world readable

2002-01-21 Thread Noah L. Meyerhans
On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote: > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that > > case? Clearly there are individual files that you don't want > > world-readable, but that's true for normal users' home dirs as well. > > Why do you want folks t

Re: root's home world readable

2002-01-21 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: > On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote: > > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that >> > case? Clearly there are individual files that you don't want >> > world-readable, but that's true for normal

Re: su - user question

2002-01-21 Thread Adam Warner
On Tue, 2002-01-22 at 03:11, martin f krafft wrote: > also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]: > > Martin, it's a server in my spare room :-) The only person installing a > > backdoor on the server would be an unlawful intruder. Or a cat who can > > type ;-) Your points

Re: su - user question

2002-01-21 Thread Adam Warner
On Tue, 2002-01-22 at 07:41, Federico Grau wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Sun, Jan 20, 2002 at 11:04:13AM +1300, Adam Warner wrote: > > Hi everyone, > > > ... > > The question I have is if I "su - username" and then browse the web, > > etc. is it impossible for a

Re: Mail server anti-virus software?

2002-01-21 Thread Volker Tanger
Greetings! On Mon, Jan 21, 2002 at 12:17:56PM +0200, Mikko Kilpikoski wrote: > > Well, here's my list of questions: > Are there any free or no cost solutions (for corporate use)? For exim there is a filter which rejects all mail with directly executable files attached (ftp.exim.org/pub/filte

Re: su - user question

2002-01-21 Thread Dave Kline
martin f krafft wrote: also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]: Martin, it's a server in my spare room :-) The only person installing a backdoor on the server would be an unlawful intruder. Or a cat who can type ;-) Your points are well taken and I would follow the

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2304 +0100]: > > as sad as it sounds, unlawful intruders happen. this being a true > > story, i have 11 machines in my spare room, and my house was broken > > in once. the *only* thing the intruder did was reboot one of the > > machines (that

Re: [d-security] Re: root's home world readable

2002-01-21 Thread Christian Hammers
On Mon, Jan 21, 2002 at 01:46:58PM -0800, Thomas Bushnell, BSG wrote: > > There is at least one package in Debian that requires you to put > > sensitive information in /root. The mysql server package needs you to > > have a .my.cnf in the /root if you want the logs to rotate. The > > my.cnf conta

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Dave Kline <[EMAIL PROTECTED]> [2002.01.21.2340 +0100]: > Woah, that does sound a little far-fetched. I am assuming there is a > little more to this story? I would think most *physical* intruders > would try to nab DVD players, valuables, and money, not wander into a > spare room and

Re: [d-security] Re: root's home world readable

2002-01-21 Thread Thomas Bushnell, BSG
Christian Hammers <[EMAIL PROTECTED]> writes: > On Mon, Jan 21, 2002 at 01:46:58PM -0800, Thomas Bushnell, BSG wrote: > > > There is at least one package in Debian that requires you to put > > > sensitive information in /root. The mysql server package needs you to > > > have a .my.cnf in the /roo

Re: su - user question

2002-01-21 Thread martin f krafft
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2307 +0100]: > Federico, are you saying that if you su - to a user account (from root) > and then start X that you are running X as root? If so that is a major > problem. no, he actually says that with exec, you should theoretically be more s

Local exploit in courier-mta package

2002-01-21 Thread Stefan Hornburg Racke
Package: courier-mta Version: 0.36.1-2 Severity: critical A hand-crafted .courier file can be used to insert \r characters in the message queue file. A bug in the function that reads message queue files subsequently results in memory corruption. This exploit is fixed in 0.37.2 upstream, I'll upl

Re: [d-security] Re: root's home world readable

2002-01-21 Thread Christian Hammers
Hi On Mon, Jan 21, 2002 at 03:23:15PM -0800, Thomas Bushnell, BSG wrote: > If it's a way to get "the logs" to rotate, that sure sounds like a > system-wide option. If it's a root password to a system-wide > database, then that's also a system-wide option. The password for the mysql root user is

Re: [d-security] Re: root's home world readable

2002-01-21 Thread Thomas Bushnell, BSG
Christian Hammers <[EMAIL PROTECTED]> writes: > The password for the mysql root user is not property of the system wide > configuration as I can't force the user to change a file in /etc > every time they change the users password and, due to mysqls default to > use the mysql user of the same name

mysql admin user (was: root's home world readable)

2002-01-21 Thread Christian Hammers
Hello On Mon, Jan 21, 2002 at 03:35:14PM -0800, Thomas Bushnell, BSG wrote: [cutted much to answer all below] > > So I end up with a debian specific user with shutdown/reload privileges > > that's created with a random (saved) password at installtime as the best > > solution, or? > > Nope. Pro

  1   2   >