but still worked.
beside gzip, it segfaulted.
you can also strace ls, normally ls does nothing in /proc, but this ls
had done anything in /proc.
But where is it from?
Have you installed/executed any binaries beside debian-packages?
Regards,
Ralf Dreibrodt
't updated it, because of the
ptrace bug.
this is the reason why:
www1:~# grep CAP_SYS_MODULE /etc/lids/lids.cap
-16:CAP_SYS_MODULE
www1:~# grep CAP_SYS_PTRACE /etc/lids/lids.cap
-19:CAP_SYS_PTRACE
For fun i tried the exploit, it didn't work, it needs access to /proc.
I gave that user access to /proc and tried it
to see if you are
> vulnerable.
>
> http://www.securityfocus.com/archive/1/315635
stupid question, but is chmod 700 /proc enough?
This exploit doesn't work anymore.
Do you have any exploit which works after a chmod 700 /proc?
Regards,
Ralf Dreibrodt
"system" can access files outside this
directory
- you can also access files in /directory/where/files/are2 or is this
bug already solved?
There are probably other possibilities to access files outside this
directory.
open_basedir has nothing to do with chroot, they are two different
th
_CHROOT from _every_ binary within the chroot, only
programs outside the chroot should have them.
Well, i think the solution depends on your paranoia level ;)
Regards,
Ralf Dreibrodt
--
MesosTelefon 49 221 4855798-1
Eupener Str. 150 Fax 49 221 4855798-9
50933 Koeln Ma
own code. Then he can't ssh
anymore.
The other way is via network.
You can deny network usage for the user, for all ports or only for
specific ports.
Is there any packet filter, which can block only outgoing ssh-sessions?
Regards,
Ralf Dreibrodt
woody:
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation yes
But i think i am also not vulnerable because privsep is default since
3.3.
Regards,
Ralf Dreibrodt
me bugs.
>
> no
>
> qmail...
i was talking about pureftpd.
qmail itself perhaps had no security problems, but other programs, e.g.
vpopmail or vchkpw.
Regards,
Ralf Dreibrodt
ally sure, i
can boot from cd-rom and compare the harddisk with my tripwire-db, which is
not on the harddisc.
Regards,
Ralf Dreibrodt
Hi,
Javier Fernández-Sanguino Peña wrote:
>
> On Wed, Sep 18, 2002 at 04:33:25AM +0700, Jean Christophe ANDRÉ wrote:
> >
> > Did you take a look at the Referer of those access?
> > It might help you to track it down...
> >
>
> That's just might be how they get them in the first place. If you bu
Michael Renzmann wrote:
>
> > i already made some bad hedrivings a few years ago with something like
> > this...
>
> But one thing I would like to know: what do you mean with "hedrivings"? :)
experiences.
i asked a friend, what i could say for "erfahrungen" in english, he
answered hedrivings, so
Hi,
> hedrivings
sorry, i forgot to change this to experience...hedrivings is only for german
people ;)
L, but you should ask a lawyer before doing stuff like this.
i already made some bad hedrivings a few years ago with something like
this...
Regards,
Ralf Dreibrodt
--
Mesos Telefon 49 221 9639263
Wallstr. 123 Fax 49 221 9646649
51063 Koeln Mail [EMAIL PROTECTED]
Hi,
> > Sorry i know this is off topic but does anyone know where there's a good
> > HOW-TO on Setting up SAMBA as a print server ??
there is an online book from oreilly:
http://www.oreilly.com/catalog/samba/chapter/book/index.html
Best regards
Ralf Dreibrodt
ion crontab etc. have to be protected, too.
there are many more solutions for this problem...
sorry, i don't have any debian specific solution, but i just wanted to tell
you, that your solution is wrong and gives a false sense of security.
Regards,
Ralf Dreibrodt
n (from shadowutils iirc).
a little bit offtopic:
Redhat uses chfn and chsh from linux-utils, SuSE from shadow-utils...
Well, i always suggest to remove the s-flag, if users shouldn't change
something in /etc/passwd.
So i don't have to touch all Redhat-Boxes, on which i have done this ;)
V
Hi,
StarK wrote:
>
> What kind of security can I use to avoid this ? Can we chroot the PHP
> (Yes I know it's a strange sentence :) ?
i know two useable solutions:
1. care about every service:
use SuEXEC for CGIs, Safe Mode for PHP, a good directory and right
structure.
2. chroot everything
j
Hi,
Craig Dickson wrote:
>
> Florian Weimer wrote:
>
> > Two possibilities: The documentation refers to a previous version of
> > the scanner, or you forgot to restart Apache after installing the
> > packages.
>
> Installing a new .deb for a server package should automatically restart
> the ser
Hi,
Mark Janssen wrote:
>
> On Tue, 2002-06-25 at 18:11, Phillip Hofmeister wrote:
> > *TECHNICALLY* every login is root. Getty runs as root and then gives up
> > root
> > to the authenticated user once PAM gives the okay...Does this mean the user
> > can break back into root? If the exit thei
Hi,
Christian Jaeger wrote:
>
> Hmm, I'm wondering if it's any better: if the attacker manages code
> to run in the chrooted daemon, I suspect he can also advise the part
> running as root to open up a new root connection? Isn't it that the
> separation simply protects against direct shell launch
Hi,
Florian Weimer wrote:
>
> Is this worth the effort if there's still a remote nobody exploit?
> At least that's the way understand the DSA.
i understand it as remote chrooted nobody exploit, this is much
better than a remote root-exploit.
bye,
Ralf
Hi,
Phillip Hofmeister wrote:
>
> So what does this mean for us running potato on internet servers?
>
> Does this affect the daemon or the client?
this is the information markus friedl sent to bugtraq and it is perhaps
the same, the debian-team got?!?
> Date: Mon, 24 Jun 2002 15:00:10 -0600
Hi,
Thomas Thurman wrote:
>
> On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
> > tail -n 1 /var/log/apache/access.log
> > 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET
> > /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
> >
> > to
Hi,
i just saw an error on a debian box with apache(-common) 1.3.9-13.2:
drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var
drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log
drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache
-rw-rw-r-- 1 www-data n
Hi,
Javier Fernández-Sanguino Peña wrote:
>
> On Wed, Feb 06, 2002 at 05:31:23PM +0100, Christian Hammers wrote:
> > On Wed, Feb 06, 2002 at 05:26:27PM +0100, Ralf Dreibrodt wrote:
> > > just run apache chrooted and you don't have problems like this.
> > Doesn'
Hi,
Ramon Acedo wrote:
>
> I'd like to have a map like this:
>
> ftp1.mydomain.net ---> 192.168.1.10
> ftp2.mydomain.net ---> 192.168.1.50
> www1.mydomain.net ---> 192.168.1.12
> www2.mydomain.net ---> 192.168.1.33
that's hard, tricky and not always possible.
most protocols (e.g. ftp, telnet,
Hi,
brendan hack wrote:
>
> I received an error saying 'test_database' not found.
of course you should change $db to your db-name.
> I then
> removed all access privileges from the anonymous user to the test
> database and received the following:
>
> FAILED: USE test
> REASON: Access denied for
Hi,
"Dmitry N. Hramtsov" wrote:
>
> Any comments or counsel?
>
> Maybe debian developers should make a "quick and dirty" fix for this,
> because (as I can understand) php developers already knows about this
> hole and do still nothing.
just run apache chrooted and you don't have problems like
Hi,
David N Moore wrote:
>
> i'm a new poster here, but one thing that strikes me is that the
> source to passwd should be hanging around somewhere. It wouldn't be
> incredibly difficult to make a custom version which does not ask for
> the original password, right? Then you could set it to be
hi,
> anyone to offer any
> explanation will be showered with greatness!
here is an example:
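#include <stdio.h>
#include <string.h>

void example()
{
    char a[10];
    char b[10];
    strcpy(a, "123456789");
    printf("a: %s\n", a);
    /* deliberate writes past the end of b[10]: undefined behaviour,
       which depending on the stack layout can overwrite bytes of a[] */
    b[20]='X';
    b[21]='Y';
    b[22]='Z';
    printf("a: %s\n", a);
    return;
}

int main(void)
{
    example();
    return 0;
}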
Hi,
Kevin van Haaren wrote:
>
> if I:
> ssh in as a user account
> su root
have a look at this:
ralf@debian:~$ su
Password:
debian:/home/ralf# set | grep LOGNAME
LOGNAME=ralf
debian:/home/ralf# exit
ralf@debian:~$ su -
Password:
debian:~# set | grep LOGNAME
LOGNAME=root
"su" != "su -"
wha
Hi,
Dietmar Braun wrote:
>
> Ok, I admit that this isn't practicable (I shouldn't write mails when I am
> VERY angry...),
> but the point is:
> from USA and Germany, we normally get also mails we want and we need.
> From Korea/China and other spammers heaven, we get nothing but spam -
not we,
> Sorry but could someone please summarize what the "Hacked too?" thread is
> about?
someone used a script, which should detect rootkits and it said it found
one, although there is probably none. it seems just to check whether a
certain port is open.
just ignore the thread ;)
bye
Ralf
Hi,
> > There is a tool set, including a Linux kernel patch: UserIPacct
> > (http://ramses.smeyers.be/homepage/useripacct/). But I do not know how
> > stable it is. Besides, the last patch is for 2.4.6 and I need a more
> > up-to-date 2.4 kernel.
>
> yeah, that looks nice, but who'd run a 2.4.6 t
Hi,
Gary MacDougall wrote:
>
> Actually your point of view basically states that it's "ok" for anyone to
> trespass.
no, i just said, that laws can't help against unknown people.
until now nobody broke in my house, and i think because of two facts:
- i always keep my doors and windows closed (w
Hi,
> I noticed that xdm behaves differently if I enter a non-existing username
> or if I enter a wrong password. In the last case, there is a short pause.
>
> Knowing that it is possible to find valid usernames. I do not think that
> this pause is a good idea. Correct me if I'm wrong.
i think the
Hi,
Gary MacDougall wrote:
>
> Hmmm... Mom has a good point.
>
> I think the bottom line is that we'll never have 100% security until
> there are laws that protect the break-in's and hacking that occurs.
> Still laws... not crappy little wrist slapping type laws.
laws can't do anything against
Hi,
"J. Paul Bruns-Bielkowicz" wrote:
>
> > Commenting out things in /etc/services doesn't
> > disable anything.
>
> It seems to. The above ports were closed just by commenting them out of
> /etc/services and then rebooting.
well, there are daemons which don't know on which port they should ru
Hi,
> Trouble is, the IP addresses that access squid don't have host
> names (ie. they don't exist) and they keep changing. Is there any way
> to block access to this and is there a good FAQ, etc.
there is a good FAQ at /usr/doc/squid/FAQ.html (belongs to web/squid).
But you should not block the
Hi,
Mathias Gygax wrote:
>
> On Fre, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
>
> > No, you can't. No matter how you cut it, root can install a new
> > kernel, sans LIDS and write to his/her home dir.
>
> how? replace /boot? this is DENY in my setup. access lilo.conf oder lilo
>
Hi,
Mathias Gygax wrote:
>
> > i wanted to post something about lids, but then i thought, it doesn't
> > make sense in this case.
>
> i think it does make sense.
as far as i have read the problem is, that the (wo)man, who has a
root-account is able to read mails.
what is the advantage of instal
Hi,
Mathias Gygax wrote:
>
> On Fre, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:
>
> > > > Root is God. Anything you do on the system is potentially visible to
> > > > root.
>
> this is, with the right patches applied, not true.
well, i thought this is the definition of root.
> > >