Hi all.
I have startet a Security Company in Germany an now i have e few questions.
Are ftp anonymous scans illegal?
if it is, can i get an license to do penetrations test?
thx for help,
thomas
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
On Mon, Jan 21, 2002 at 10:36:18AM +0100, [EMAIL PROTECTED] wrote:
> Hi all.
>
> I have startet a Security Company in Germany an now i have e few questions.
First try learning how to write :)
>
> Are ftp anonymous scans illegal?
That depends on what country the system is located in, but genera
Hi.
I am setting up a (updating an existing) mail server at our company and
would like to get some recommendations on what anti-virus software to
run on the server. Currently I'm only looking for an on-demand mail
scanner. (Maybe also with some kind of HTTP proxy support too. On-access
scanni
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.20.0245 +0100]:
> If the use of switch user has remote security implications I want to
> be able to understand them. The same as I want to be able to
> understand if leaving a root console open has remote security
> implications. Don't worry abo
On Wed, Jan 16, 2002 at 12:36:21PM -0500, Noah L. Meyerhans wrote:
> On Wed, Jan 16, 2002 at 12:25:34PM -0500, Chris Hilts wrote:
> > >> It seems to. The above ports were closed just by commenting them out
> > >> of /etc/services and then rebooting.
> > > An init 1, init 3 would have worked as we
> I've tried to check a few websites for info on the commercial products,
> but I find them mostly confusing. Many have like one to a billion
> different 'products' or 'solutions' listed and I can't find the magic
> word linux anywhere either... :/
>
> Well, here's my list of questions:
> Are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
Am Montag, 21. Januar 2002 11:17 schrieb Mikko Kilpikoski:
> Hi.
>
> I am setting up a (updating an existing) mail server at our company and
> would like to get some recommendations on what anti-virus software to
> run on the server. Currently I'
also sprach Antropov Anton <[EMAIL PROTECTED]> [2002.01.21.1231 +0100]:
> > Also, which mailserver would you recommend? (I have to learn one
> > anyway.)
> I'd recommend QMail. Why? - Read some mailing lists... And this is commonly
> the question of religion.
and i'd recommend postfix.
tryin
>
>
>and i'd recommend postfix.
>
I run postfix + kavcheck + avcheck (do a google and you'll probably find
it). kavcheck's postfix implementation isn't very good, but the avcheck
program comes complete with a howto do set it up chroot. Very nice.
Combine this with crontab and you can update twi
On Mon, 2002-01-21 at 23:40, martin f krafft wrote:
> nevertheless, leave a root console open on a production machine really
> just calls for trouble. imagine you are about to head for lunch with a
> friend, but you decide to check something in the server room quickly.
> while you stare at your
> > > Also, which mailserver would you recommend? (I have to learn one
> > > anyway.)
> > I'd recommend QMail. Why? - Read some mailing lists... And this
> is commonly
> > the question of religion.
>
> and i'd recommend postfix.
>
> trying hard to stay away from a religious war, i am keeping t
Please, everyone flame me if this is a blatant security hole
Make your shell script secure, non-interuptable
set the permission on it to 4750 (Setuid bit) with GROUP Being the group of people you
want to run it and OWNER being the person you want to run it as.
Phil
-Original Messa
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]:
> Martin, it's a server in my spare room :-) The only person installing a
> backdoor on the server would be an unlawful intruder. Or a cat who can
> type ;-) Your points are well taken and I would follow the same security
> pract
assuming i have SecurID tokens with licenses, can i make linux
authenticate based on these *without* the use of external or commercial
software (like ACE/Server)? any experience anyone?
--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"
also sprach Phillip Hofmeister <[EMAIL PROTECTED]> [2002.01.21.1511 +0100]:
> Please, everyone flame me if this is a blatant security hole
consider yourself flamed.
> Make your [setuid] shell script secure, non-interuptable
good luck. there is *a lot* of insecurity in a shell script. yo
Am Montag, 21. Januar 2002 15:21 schrieb martin f krafft:
> don't run shellscripts setuid or setgid.
AFAIK Linux doesn't support setuid or setgid scripts, if you want to achieve
things like this, you'll have to use an setgid or setuid interpreter (a.k.a.
suidperl).
Good Luck writing a secure
The Tcl 8.3, Tk 8.3 and Tix 41 packages are not tuned to work ivery
well with each other in woody.
Using it out of box I get and starting tclsh
% package require Tk
couldn't load file "/usr/lib/tk8.3/libtk8.3.so.1":
/usr/lib/tk8.3/libtk8.3.so.1: cannot open shared object file: No such
file or d
Mathias Palm <[EMAIL PROTECTED]> cum veritate scripsit:
> I am not sure if the packagers of tcl are reading this list. If somebody
> knows a better way to reach them, please write me or even better,
> forward it to the appropriate place.
Write to [EMAIL PROTECTED],
and proceed to filing bugs aga
this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or
may not have been, be, or will be applicable to Debian Linux or Linux in
general. you have been warned. properly.
http://www.aerasec.de/security/index.html?id=ae-200201-053&lang=en
--
martin; (greetings from th
Hi,
AFAIK port scans are legal in Germany. It is even legal to break into a
system, as long as you don't damage anything (which would be computer
sabotage; but pay attention, killing a process with an exploit would
already be "damaging the system") or look at anything (which would be
spying).
An
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Sun, Jan 20, 2002 at 11:04:13AM +1300, Adam Warner wrote:
> Hi everyone,
>
...
> The question I have is if I "su - username" and then browse the web,
> etc. is it impossible for a remote user who managed to gain access to
> that user session to be
Hallo debian-sec folks,
While I was checking up some configurations,
I've noticed that the root's home directory /root
is world readable...
$ drwxr-xr-x2 root root 4.0k Jan 21 15:33 root
This seems to be Debian's default configuration,
because also on other Potato boxes I've fou
On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote:
>
> Why has Debian choosen to let users access root's home ?
Why not? Debian doesn't put any sensitive files there. In fact, it
doesn't put anything notable there at all.
> Let me say I "chmod 0700 /root", will I encounter any
> problems th
Oops, wrong thread, sorry about this
Mathias
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
At 11:03 AM 1/21/2002, you wrote:
>On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote:
> >
> > Why has Debian choosen to let users access root's home ?
>
>Why not? Debian doesn't put any sensitive files there. In fact, it
>doesn't put anything notable there at all.
There is at least one packa
On Mon, Jan 21, 2002 at 01:34:31PM -0800, Chris Francy wrote:
>
> There is at least one package in Debian that requires you to put sensitive
> information in /root. The mysql server package needs you to have a .my.cnf
> in the /root if you want the logs to rotate. The my.cnf contains the clea
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:
>> I have changed /root to 0700 on all my installations because I am running
>> mysql server. It hasn't broken anything.
>
> Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
> case? Clearly there are individual files that you d
Chris Francy <[EMAIL PROTECTED]> writes:
> There is at least one package in Debian that requires you to put
> sensitive information in /root. The mysql server package needs you to
> have a .my.cnf in the /root if you want the logs to rotate. The
> my.cnf contains the clear text version of the r
On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote:
> > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
> > case? Clearly there are individual files that you don't want
> > world-readable, but that's true for normal users' home dirs as well.
>
> Why do you want folks
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote:
> > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
>> > case? Clearly there are individual files that you don't want
>> > world-readable, but that's true for norma
On Tue, 2002-01-22 at 03:11, martin f krafft wrote:
> also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]:
> > Martin, it's a server in my spare room :-) The only person installing a
> > backdoor on the server would be an unlawful intruder. Or a cat who can
> > type ;-) Your points
On Tue, 2002-01-22 at 07:41, Federico Grau wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Sun, Jan 20, 2002 at 11:04:13AM +1300, Adam Warner wrote:
> > Hi everyone,
> >
> ...
> > The question I have is if I "su - username" and then browse the web,
> > etc. is it impossible for a
Greetings!
On Mon, Jan 21, 2002 at 12:17:56PM +0200, Mikko Kilpikoski wrote:
>
> Well, here's my list of questions:
> Are there any free or no cost solutions (for corporate use)?
For exim there is a filter which rejects all mail with directly
executable files attached (ftp.exim.org/pub/filt
martin f krafft wrote:
>also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]:
>
>>Martin, it's a server in my spare room :-) The only person installing a
>>backdoor on the server would be an unlawful intruder. Or a cat who can
>>type ;-) Your points are well taken and I would follo
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2304 +0100]:
> > as sad as it sounds, unlawful intruders happen. this being a true
> > story, i have 11 machines in my spare room, and my house was broken
> > in once. the *only* thing the intruder did was reboot one of the
> > machines (that
On Mon, Jan 21, 2002 at 01:46:58PM -0800, Thomas Bushnell, BSG wrote:
> > There is at least one package in Debian that requires you to put
> > sensitive information in /root. The mysql server package needs you to
> > have a .my.cnf in the /root if you want the logs to rotate. The
> > my.cnf cont
also sprach Dave Kline <[EMAIL PROTECTED]> [2002.01.21.2340 +0100]:
> Woah, that does sound a little far-fetched. I am assuming there is a
> little more to this story? I would think most *physical* intruders
> would try to nab DVD players, valuables, and money, not wander into a
> spare room and
Christian Hammers <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 01:46:58PM -0800, Thomas Bushnell, BSG wrote:
> > > There is at least one package in Debian that requires you to put
> > > sensitive information in /root. The mysql server package needs you to
> > > have a .my.cnf in the /ro
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2307 +0100]:
> Federico, are you saying that if you su - to a user account (from root)
> and then start X that you are running X as root? If so that is a major
> problem.
no, he actually says that with exec, you should theoretically be more
Hi
On Mon, Jan 21, 2002 at 03:23:15PM -0800, Thomas Bushnell, BSG wrote:
> If it's a way to get "the logs" to rotate, that sure sounds like a
> system-wide option. If it's a root password to a system-wide
> database, then that's also a system-wide option.
The password for the mysql root user i
Christian Hammers <[EMAIL PROTECTED]> writes:
> The password for the mysql root user is not property of the system wide
> configuration as I can't force the user to change a file in /etc
> every time they change the users password and, due to mysqls default to
> use the mysql user of the same nam
Package: courier-mta
Version: 0.36.1-2
Severity: critical
A hand-crafted .courier file can be used to insert \r characters in the
message queue file. A bug in the function that reads message queue files
subsequently results in memory corruption.
This exploit is fixed in 0.37.2 upstream, I'll up
Hello
On Mon, Jan 21, 2002 at 03:35:14PM -0800, Thomas Bushnell, BSG wrote:
[cutted much to answer all below]
> > So I end up with a debian specific user with shutdown/reload privileges
> > that's created with a random (saved) password at installtime as the best
> > solution, or?
>
> Nope. Pr
This can be a real security hole, at least when you are not aware of
it (I have just discovered a working way to exploit it on one of my
machines).
dpkg-buildpackage makes a semi-real "make install" into a sub
directory of the debian/ directory in the source dir, and then tar's
the installed
On Mon, Jan 21, 2002 at 06:16:34AM -0800, martin f krafft wrote:
> assuming i have SecurID tokens with licenses, can i make linux
> authenticate based on these *without* the use of external or commercial
> software (like ACE/Server)? any experience anyone?
I don't think so.
But I'd be i
Previously Petro wrote:
> I don't think so.
> But I'd be interested in the responses as well.
There is some support in PAM and in OpenSSH. I have a cryptocard
RB-1 token now which I intent to get working with OpenSSH at least
once I have some free time to spent on it.
Wichert.
--
__
also sprach Christian Jaeger <[EMAIL PROTECTED]> [2002.01.22.0111 +0100]:
> Now you may say "don't build packages as root, use fakeroot instead".
> Well I have always used it, and somehow thought I'm safe, but I'm
> not: the permissions modes (like 4755) make it through to the real
> filesystem
At 1:19 Uhr +0100 22.01.2002, martin f krafft wrote:
>why are your build directories accessible to the world? a simple
>chmod 0700 ~/deb/build fixes all these problems for me, and
>persistently...
They were accessible, because I didn't realize that there was a risk,
and because it's convenient w
also sprach Wichert Akkerman <[EMAIL PROTECTED]> [2002.01.22.0122 +0100]:
> There is some support in PAM and in OpenSSH. I have a cryptocard
> RB-1 token now which I intent to get working with OpenSSH at least
> once I have some free time to spent on it.
yeah, but that's OpenSSH only (which *is*
Hi,
Quoting martin f krafft ([EMAIL PROTECTED]):
> yeah, but that's OpenSSH only (which *is* 99% of what you'd use it for).
> but i'd love a PAM-based solution. maybe i should port it. if openssh
> can do it, then the code is open-source, then pam should be able to do
> it too.
There are open sou
also sprach Christian Jaeger <[EMAIL PROTECTED]> [2002.01.22.0129 +0100]:
> They were accessible, because I didn't realize that there was a risk,
> and because it's convenient when other users on the system can grab
> the finished .deb's from the build dir (to install them on their
> machine) w
On Tue, 2002-01-22 at 12:21, martin f krafft wrote:
> also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2307 +0100]:
> > Federico, are you saying that if you su - to a user account (from root)
> > and then start X that you are running X as root? If so that is a major
> > problem.
>
> no, he
>yes, that's UNIX life. convenience ~ security^-1,
I just wanted to point it out here, since I wasn't sure whether I
should file a bug report against fakeroot for writing suid through,
or one for the fakeroot manpage not mentioning the danger, or one for
dpkg-buildpackage either for not mentio
For the non-mathmatical, or rather gramatical, style to say it, I use the phrase:
"Security is Inconvenient."
The first time I say it to someone, they usually pause for a moment, digest it, and it
really helps in further discussions about "what to do about...".
It's my answer, for instance, wh
On Tue, Jan 22, 2002 at 01:11:18AM +0100, Christian Jaeger wrote:
> This can be a real security hole, at least when you are not aware of
> it (I have just discovered a working way to exploit it on one of my
> machines).
And isn't that a bug in the package in question? :)
--
Daniel Jacobowitz
On Tue, 2002-01-22 at 05:26, martin f krafft wrote:
> this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or
> may not have been, be, or will be applicable to Debian Linux or Linux in
> general. you have been warned. properly.
>
> http://www.aerasec.de/security/index.html?id=ae-2
On Tue, Jan 22, 2002 at 05:11:45PM +1300, Adam Warner wrote:
> Why does the KDE Control Center think the user is currently root? In
> contrast the GNOME Control Center properly identifies the username.
Perhaps KDE uses getlogin(2) ?
--
Leo Howell M5AKW
Hi all.
I have startet a Security Company in Germany an now i have e few questions.
Are ftp anonymous scans illegal?
if it is, can i get an license to do penetrations test?
thx for help,
thomas
On Mon, Jan 21, 2002 at 10:36:18AM +0100, [EMAIL PROTECTED] wrote:
> Hi all.
>
> I have startet a Security Company in Germany an now i have e few questions.
First try learning how to write :)
>
> Are ftp anonymous scans illegal?
That depends on what country the system is located in, but general
Hi.
I am setting up a (updating an existing) mail server at our company and
would like to get some recommendations on what anti-virus software to
run on the server. Currently I'm only looking for an on-demand mail
scanner. (Maybe also with some kind of HTTP proxy support too. On-access
scanni
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.20.0245 +0100]:
> If the use of switch user has remote security implications I want to
> be able to understand them. The same as I want to be able to
> understand if leaving a root console open has remote security
> implications. Don't worry abou
On Wed, Jan 16, 2002 at 12:36:21PM -0500, Noah L. Meyerhans wrote:
> On Wed, Jan 16, 2002 at 12:25:34PM -0500, Chris Hilts wrote:
> > >> It seems to. The above ports were closed just by commenting them out
> > >> of /etc/services and then rebooting.
> > > An init 1, init 3 would have worked as wel
> I've tried to check a few websites for info on the commercial products,
> but I find them mostly confusing. Many have like one to a billion
> different 'products' or 'solutions' listed and I can't find the magic
> word linux anywhere either... :/
>
> Well, here's my list of questions:
> Are t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
Am Montag, 21. Januar 2002 11:17 schrieb Mikko Kilpikoski:
> Hi.
>
> I am setting up a (updating an existing) mail server at our company and
> would like to get some recommendations on what anti-virus software to
> run on the server. Currently I'm
also sprach Antropov Anton <[EMAIL PROTECTED]> [2002.01.21.1231 +0100]:
> > Also, which mailserver would you recommend? (I have to learn one
> > anyway.)
> I'd recommend QMail. Why? - Read some mailing lists... And this is commonly
> the question of religion.
and i'd recommend postfix.
trying
and i'd recommend postfix.
I run postfix + kavcheck + avcheck (do a google and you'll probably find
it). kavcheck's postfix implementation isn't very good, but the avcheck
program comes complete with a howto do set it up chroot. Very nice.
Combine this with crontab and you can update twice d
On Mon, 2002-01-21 at 23:40, martin f krafft wrote:
> nevertheless, leave a root console open on a production machine really
> just calls for trouble. imagine you are about to head for lunch with a
> friend, but you decide to check something in the server room quickly.
> while you stare at your
> > > Also, which mailserver would you recommend? (I have to learn one
> > > anyway.)
> > I'd recommend QMail. Why? - Read some mailing lists... And this
> is commonly
> > the question of religion.
>
> and i'd recommend postfix.
>
> trying hard to stay away from a religious war, i am keeping th
Please, everyone flame me if this is a blatant security hole
Make your shell script secure, non-interuptable
set the permission on it to 4750 (Setuid bit) with GROUP Being the group of
people you want to run it and OWNER being the person you want to run it as.
Phil
-Original Messag
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]:
> Martin, it's a server in my spare room :-) The only person installing a
> backdoor on the server would be an unlawful intruder. Or a cat who can
> type ;-) Your points are well taken and I would follow the same security
> practi
assuming i have SecurID tokens with licenses, can i make linux
authenticate based on these *without* the use of external or commercial
software (like ACE/Server)? any experience anyone?
--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:";
also sprach Phillip Hofmeister <[EMAIL PROTECTED]> [2002.01.21.1511 +0100]:
> Please, everyone flame me if this is a blatant security hole
consider yourself flamed.
> Make your [setuid] shell script secure, non-interuptable
good luck. there is *a lot* of insecurity in a shell script. you
Am Montag, 21. Januar 2002 15:21 schrieb martin f krafft:
> don't run shellscripts setuid or setgid.
AFAIK Linux doesn't support setuid or setgid scripts, if you want to achieve
things like this, you'll have to use an setgid or setuid interpreter (a.k.a.
suidperl).
Good Luck writing a secure
The Tcl 8.3, Tk 8.3 and Tix 41 packages are not tuned to work ivery
well with each other in woody.
Using it out of box I get and starting tclsh
% package require Tk
couldn't load file "/usr/lib/tk8.3/libtk8.3.so.1":
/usr/lib/tk8.3/libtk8.3.so.1: cannot open shared object file: No such
file or di
Mathias Palm <[EMAIL PROTECTED]> cum veritate scripsit:
> I am not sure if the packagers of tcl are reading this list. If somebody
> knows a better way to reach them, please write me or even better,
> forward it to the appropriate place.
Write to debian-user@lists.debian.org,
and proceed to filin
this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or
may not have been, be, or will be applicable to Debian Linux or Linux in
general. you have been warned. properly.
http://www.aerasec.de/security/index.html?id=ae-200201-053&lang=en
--
martin; (greetings from the
Hi,
AFAIK port scans are legal in Germany. It is even legal to break into a
system, as long as you don't damage anything (which would be computer
sabotage; but pay attention, killing a process with an exploit would
already be "damaging the system") or look at anything (which would be
spying).
Any
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Sun, Jan 20, 2002 at 11:04:13AM +1300, Adam Warner wrote:
> Hi everyone,
>
...
> The question I have is if I "su - username" and then browse the web,
> etc. is it impossible for a remote user who managed to gain access to
> that user session to bec
Hallo debian-sec folks,
While I was checking up some configurations,
I've noticed that the root's home directory /root
is world readable...
$ drwxr-xr-x2 root root 4.0k Jan 21 15:33 root
This seems to be Debian's default configuration,
because also on other Potato boxes I've foun
On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote:
>
> Why has Debian choosen to let users access root's home ?
Why not? Debian doesn't put any sensitive files there. In fact, it
doesn't put anything notable there at all.
> Let me say I "chmod 0700 /root", will I encounter any
> problems thr
Oops, wrong thread, sorry about this
Mathias
At 11:03 AM 1/21/2002, you wrote:
On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote:
>
> Why has Debian choosen to let users access root's home ?
Why not? Debian doesn't put any sensitive files there. In fact, it
doesn't put anything notable there at all.
There is at least one package in
On Mon, Jan 21, 2002 at 01:34:31PM -0800, Chris Francy wrote:
>
> There is at least one package in Debian that requires you to put sensitive
> information in /root. The mysql server package needs you to have a .my.cnf
> in the /root if you want the logs to rotate. The my.cnf contains the clear
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:
>> I have changed /root to 0700 on all my installations because I am running
>> mysql server. It hasn't broken anything.
>
> Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
> case? Clearly there are individual files that you do
Chris Francy <[EMAIL PROTECTED]> writes:
> There is at least one package in Debian that requires you to put
> sensitive information in /root. The mysql server package needs you to
> have a .my.cnf in the /root if you want the logs to rotate. The
> my.cnf contains the clear text version of the ro
On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote:
> > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
> > case? Clearly there are individual files that you don't want
> > world-readable, but that's true for normal users' home dirs as well.
>
> Why do you want folks t
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 09:45:50PM +, Tim Haynes wrote:
> > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
>> > case? Clearly there are individual files that you don't want
>> > world-readable, but that's true for normal
On Tue, 2002-01-22 at 03:11, martin f krafft wrote:
> also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]:
> > Martin, it's a server in my spare room :-) The only person installing a
> > backdoor on the server would be an unlawful intruder. Or a cat who can
> > type ;-) Your points
On Tue, 2002-01-22 at 07:41, Federico Grau wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Sun, Jan 20, 2002 at 11:04:13AM +1300, Adam Warner wrote:
> > Hi everyone,
> >
> ...
> > The question I have is if I "su - username" and then browse the web,
> > etc. is it impossible for a
Greetings!
On Mon, Jan 21, 2002 at 12:17:56PM +0200, Mikko Kilpikoski wrote:
>
> Well, here's my list of questions:
> Are there any free or no cost solutions (for corporate use)?
For exim there is a filter which rejects all mail with directly
executable files attached (ftp.exim.org/pub/filte
martin f krafft wrote:
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]:
Martin, it's a server in my spare room :-) The only person installing a
backdoor on the server would be an unlawful intruder. Or a cat who can
type ;-) Your points are well taken and I would follow the
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2304 +0100]:
> > as sad as it sounds, unlawful intruders happen. this being a true
> > story, i have 11 machines in my spare room, and my house was broken
> > in once. the *only* thing the intruder did was reboot one of the
> > machines (that
On Mon, Jan 21, 2002 at 01:46:58PM -0800, Thomas Bushnell, BSG wrote:
> > There is at least one package in Debian that requires you to put
> > sensitive information in /root. The mysql server package needs you to
> > have a .my.cnf in the /root if you want the logs to rotate. The
> > my.cnf conta
also sprach Dave Kline <[EMAIL PROTECTED]> [2002.01.21.2340 +0100]:
> Woah, that does sound a little far-fetched. I am assuming there is a
> little more to this story? I would think most *physical* intruders
> would try to nab DVD players, valuables, and money, not wander into a
> spare room and
Christian Hammers <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 01:46:58PM -0800, Thomas Bushnell, BSG wrote:
> > > There is at least one package in Debian that requires you to put
> > > sensitive information in /root. The mysql server package needs you to
> > > have a .my.cnf in the /roo
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2307 +0100]:
> Federico, are you saying that if you su - to a user account (from root)
> and then start X that you are running X as root? If so that is a major
> problem.
no, he actually says that with exec, you should theoretically be more
s
Package: courier-mta
Version: 0.36.1-2
Severity: critical
A hand-crafted .courier file can be used to insert \r characters in the
message queue file. A bug in the function that reads message queue files
subsequently results in memory corruption.
This exploit is fixed in 0.37.2 upstream, I'll upl
Hi
On Mon, Jan 21, 2002 at 03:23:15PM -0800, Thomas Bushnell, BSG wrote:
> If it's a way to get "the logs" to rotate, that sure sounds like a
> system-wide option. If it's a root password to a system-wide
> database, then that's also a system-wide option.
The password for the mysql root user is
Christian Hammers <[EMAIL PROTECTED]> writes:
> The password for the mysql root user is not property of the system wide
> configuration as I can't force the user to change a file in /etc
> every time they change the users password and, due to mysqls default to
> use the mysql user of the same name
Hello
On Mon, Jan 21, 2002 at 03:35:14PM -0800, Thomas Bushnell, BSG wrote:
[cutted much to answer all below]
> > So I end up with a debian specific user with shutdown/reload privileges
> > that's created with a random (saved) password at installtime as the best
> > solution, or?
>
> Nope. Pro
1 - 100 of 113 matches
Mail list logo
