From tethys.ocean at gmail.com Mon Sep 1 09:15:50 2008
From: tethys.ocean at gmail.com (tethys ocean)
Date: Mon Sep 1 09:15:57 2008
Subject: jail stop extracting iso file
In-Reply-To: <20080831201949.96800@gmx.net>
References: <235b80000808301408v49e91675se91a257e257537fc@mail.gmail.com>
	<20080831111208.P17652@wojtek.tensor.gdynia.pl>
	<20080831201949.96800@gmx.net>
Message-ID: <235b80000809010215o65579305m155f664fe4f1f145@mail.gmail.com>

The problem is already here: "at the host system (not in the jail)". I wasn't
able to get rid of the jail and can't access the device in the jail. Somehow I
must access mdconfig and mount, but I shouldn't stop the jail.

On Sun, Aug 31, 2008 at 11:19 PM, Olli Hauer wrote:

> > In server jail and squid is running on it as lots of another packet. I
> > want to extract iso image in this server. But I haven't done it.
> >
> > #mdconfig -a -t vnode -f big_bcbcv.iso
> > #mdconfig: open(/dev/mdctl): No such file or directory
> >
> > you can't
> >
> > jail doesn't allow it.
>
> Yes, but why don't you mount the ISO at the host system and do a nullfs mount
> into the jail?
>
> at the host system (not in the jail)
> # mdconfig -a -t vnode -u 10 -f ${path_to_iso_image}
> # mount_cd9660 -o ro /dev/md10 /mnt/
> # mount_nullfs /mnt ${path_to_jail}/mnt
>
> ssh into the jail
> # pkg_add /mnt/filename
>
>
> --
> GMX free games: simply play online and have fun with Pastry Passion!
>
> http://games.entertainment.gmx.net/de/entertainment/games/free/puzzle/6169196
>

--
Share now a pigeon's flight
Bluebound along the ancient skies,
Its women forever hair and mammal,
A Mediterranean town may arise
If you rip apart a pigeon's heart.
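The host-side procedure Olli Hauer describes (attach the ISO to a vnode-backed md(4) device, mount it cd9660 read-only on the host, then nullfs the mount point into the running jail) written up as a small sh helper. This is an added example, not code from the thread or from FreeBSD; the function names plan_iso_mount and apply_plan, the DRY_RUN variable and all sample paths are assumptions of the example. It adds what a host operator would want beyond the three commands: absolute-path and unit checks before anything runs, a nullfs target that is always derived from the jail root, read-only flags at every layer so the jail cannot write to the image, and rollback of completed steps if a later step fails.

```shell
#!/bin/sh
# Added example, not code from the thread: host-side helper for the
# "mount on the host, nullfs into the jail" approach from Olli Hauer's reply.
# Function names, the DRY_RUN variable and all sample paths are assumptions
# of this example. Paths containing whitespace are not supported.
set -eu

# Validate the inputs and print the ordered command plan, one command per
# line. Returns non-zero and prints nothing on a bad input, so a malformed
# request never reaches the execution stage.
plan_iso_mount() {
    iso=$1; jail_root=$2; unit=$3; mnt=${4:-/mnt}
    case "$iso" in
        /*) ;;
        *) echo "iso path must be absolute: $iso" >&2; return 1 ;;
    esac
    case "$jail_root" in
        /*) ;;
        *) echo "jail root must be absolute: $jail_root" >&2; return 1 ;;
    esac
    case "$unit" in
        ''|*[!0-9]*) echo "md unit must be a number: $unit" >&2; return 1 ;;
    esac
    # The nullfs target is always derived from the jail root, so the jail
    # is never handed an arbitrary host directory.
    target="${jail_root%/}${mnt}"
    # Read-only at every layer: the md device, the cd9660 mount and the
    # nullfs view, so the jail cannot modify the image or the host mount.
    printf '%s\n' \
        "mdconfig -a -t vnode -o readonly -u $unit -f $iso" \
        "mount_cd9660 -o ro /dev/md$unit $mnt" \
        "mount_nullfs -o ro $mnt $target"
}

# Execute a plan read from stdin, one command per line. If a step fails,
# undo the steps already completed in reverse order so no stale md(4)
# device or half-finished mount is left on the host. With DRY_RUN=1 the
# commands are only printed.
apply_plan() {
    unit=$1; mnt=$2
    n=0
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        elif ! $cmd; then
            echo "step failed: $cmd (rolling back $n completed step(s))" >&2
            if [ "$n" -ge 2 ]; then umount "$mnt"; fi
            if [ "$n" -ge 1 ]; then mdconfig -d -u "$unit"; fi
            return 1
        fi
        n=$((n + 1))
    done
    return 0
}

# Typical use on the host (sample paths are constructed for the example):
#   plan_iso_mount /home/iso/big.iso /home/j/www 10 | apply_plan 10 /mnt
# Undo later with: umount /home/j/www/mnt; umount /mnt; mdconfig -d -u 10
```

Because plan_iso_mount fails before printing anything, an invalid request results in apply_plan reading an empty plan and running nothing. The rollback only covers steps that completed; if the nullfs mount itself fails, the host mount and the md device are torn down again so the next attempt starts clean.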
From security-advisories at freebsd.org Wed Sep 3 20:13:05 2008
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Wed Sep 3 20:13:19 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:07.amd64
Message-ID: <200809032013.m83KD5RL043766@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:07.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          amd64 swapgs local privilege escalation

Category:       core
Module:         sys_amd64_amd64
Announced:      2008-09-03
Credits:        Nate Eldredge
Affects:        All supported FreeBSD/amd64 versions.
Corrected:      2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3890

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD/amd64 is commonly used on 64-bit systems with AMD and Intel CPUs.
For Intel CPUs this architecture is known as EM64T or Intel 64.

The gs segment CPU register is used by both user processes and the kernel
to conveniently access state data. User processes use it to manage
per-thread data, and the kernel uses it to manage per-processor data. As
the processor enters and leaves the kernel it uses the 'swapgs' instruction
to toggle between the kernel and user values for the gs register.

The kernel stores critical information in its per-processor data block.
This includes the currently executing process and its credentials.

As the processor switches between user and kernel level, a number of checks
are performed in order to implement the privilege protection system. If the
processor detects a problem while attempting to switch privilege levels it
generates a trap - typically a general protection fault (GPF).
In that case, the processor aborts the return to the user level process and
re-enters the kernel. The FreeBSD kernel allows the user process to be
notified of such an event by a signal (SIGSEGV or SIGBUS).

II.  Problem Description

If a General Protection Fault happens on a FreeBSD/amd64 system while it is
returning from an interrupt, trap or system call, the swapgs CPU instruction
may be called one extra time when it should not, resulting in userland and
kernel state being mixed.

III. Impact

A local attacker can, by causing a General Protection Fault while the kernel
is returning from an interrupt, trap or system call while manipulating stack
frames, run arbitrary code with kernel privileges.

The vulnerability can be used to gain kernel / supervisor privilege. This can
for example be used by normal users to gain root privileges, to break out of
jails, or bypass Mandatory Access Control (MAC) restrictions.

IV.  Workaround

No workaround is available, but only systems running the 64-bit
FreeBSD/amd64 kernels are vulnerable. Systems with 64-bit capable CPUs, but
running the 32-bit FreeBSD/i386 kernel, are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and 7.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/amd64/amd64/exception.S                               1.125.2.3
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.9
  src/sys/conf/newvers.sh                                   1.69.2.15.2.8
  src/sys/amd64/amd64/exception.S                           1.125.2.2.2.1
RELENG_7
  src/sys/amd64/amd64/exception.S                               1.129.2.2
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.8
  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
  src/sys/amd64/amd64/exception.S                           1.129.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3890

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:07.amd64.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2TFdaIBMps37IRAqt8AJsGd/2WDuMZYUeOcVKekHEHZWRoMACdGnVs
0JZMykjScj7GbrsOlOW3uQg=
=bs1z
-----END PGP SIGNATURE-----

From security-advisories at freebsd.org Wed Sep 3 20:13:13 2008
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Wed Sep 3 20:13:38 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:08.nmount
Message-ID: <200809032013.m83KDDMv043940@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:08.nmount                                     Security Advisory
                                                          The FreeBSD Project

Topic:          nmount(2) local arbitrary code execution

Category:       core
Module:         sys_kern
Announced:      2008-09-03
Credits:        James Gritton
Affects:        FreeBSD 7.0-RELEASE, FreeBSD 7.0-STABLE
Corrected:      2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
CVE Name:       CVE-2008-3531

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The mount(2) and nmount(2) system calls are used by various utilities in
the base system to graft a file system object on to the file system tree
to a given mount point. It is possible to allow unprivileged users to
utilize these system calls by setting the vfs.usermount sysctl(8)
variable.

II.  Problem Description

Various user defined input such as mount points, devices, and mount
options are prepared and passed as arguments to nmount(2) into the
kernel. Under certain error conditions, user defined data will be copied
into a stack allocated buffer stored in the kernel without sufficient
bounds checking.

III. Impact

If the system is configured to allow unprivileged users to mount file
systems, it is possible for a local adversary to exploit this
vulnerability and execute code in the context of the kernel.

IV.  Workaround

It is possible to work around this issue by allowing only privileged
users to mount file systems by running the following sysctl(8) command:

# sysctl vfs.usermount=0

V.   Solution

NOTE WELL: Even with this fix, allowing users to mount arbitrary media
should not be considered safe. Most of the file systems in FreeBSD were
not built to safeguard against malicious devices. While such bugs in file
systems are fixed when found, a complete audit has not been performed on
the file system code.

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/vfs_mount.c                                     1.265.2.10
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.8
  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
  src/sys/kern/vfs_mount.c                                  1.265.2.1.2.2
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2eFdaIBMps37IRAl9BAJ9Jnp+agN06pBkzPDwEnOT83MNd6QCghOFX
yvNI1gVmhAQ7MXOUvPoLcLk=
=EsCn
-----END PGP SIGNATURE-----

From security-advisories at freebsd.org Wed Sep 3 20:13:20 2008
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Wed Sep 3 20:13:56 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:09.icmp6
Message-ID: <200809032013.m83KDKnX044551@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:09.icmp6                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Remote kernel panics on IPv6 connections

Category:       core
Module:         sys_netinet6
Announced:      2008-09-03
Credits:        Tom Parker, Bjoern A. Zeeb
Affects:        All supported versions of FreeBSD.
Corrected:      2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3530

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 nodes use ICMPv6 amongst other things to report errors encountered
while processing packets. The 'Packet Too Big Message' is sent in case a
node cannot forward a packet because the size of the packet is larger than
the MTU of the next-hop link.

II.  Problem Description

In case of an incoming ICMPv6 'Packet Too Big Message', there is an
insufficient check on the proposed new MTU for a path to the destination.

III. Impact

When the kernel is configured to process IPv6 packets and has active IPv6
TCP sockets, a specifically crafted ICMPv6 'Packet Too Big Message' could
cause the TCP stack of the kernel to panic.

IV.  Workaround

Systems without INET6 / IPv6 support are not vulnerable and neither are
systems which do not listen on any IPv6 TCP sockets and have no active
IPv6 connections.

Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this will at
the same time break PMTU support for IPv6 connections.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_6_3 or RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
FreeBSD 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/netinet6/icmp6.c                                      1.62.2.11
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.9
  src/sys/conf/newvers.sh                                   1.69.2.15.2.8
  src/sys/netinet6/icmp6.c                                   1.62.2.9.2.1
RELENG_7
  src/sys/netinet6/icmp6.c                                       1.80.2.7
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.8
  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
  src/sys/netinet6/icmp6.c                                       1.80.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3530

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:09.icmp6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2hFdaIBMps37IRAjxxAJwIIXP+ALAZkvG5m687PC+92BtXTwCfUZdS
AvvrO0r+UAa6bn1H9mFf9So=
=MBB1
-----END PGP SIGNATURE-----

From rwatson at FreeBSD.org Wed Sep 3 23:14:27 2008
From: rwatson at FreeBSD.org (Robert Watson)
Date: Wed Sep 3 23:14:35 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:08.nmount
In-Reply-To: <200809032013.m83KDDMv043940@freefall.freebsd.org>
References: <200809032013.m83KDDMv043940@freefall.freebsd.org>
Message-ID:

On Wed, 3 Sep 2008, FreeBSD Security Advisories wrote:

> The mount(2) and nmount(2) system calls are used by various utilities in the
> base system to graft a file system object on to the file system tree to a
> given mount point. It is possible to allow unprivileged users to utilize
> these system calls by setting the vfs.usermount sysctl(8) variable.

Note that as-shipped by the FreeBSD Project, vfs.usermount is *disabled* in
FreeBSD. This may not be the case in rebundled or derived systems, however.
You can check whether it is enabled using "sysctl vfs.usermount" -- if the
result is "0" then you should be fine.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> II.  Problem Description
>
> Various user defined input such as mount points, devices, and mount
> options are prepared and passed as arguments to nmount(2) into the
> kernel. Under certain error conditions, user defined data will be
> copied into a stack allocated buffer stored in the kernel without
> sufficient bounds checking.
>
> III. Impact
>
> If the system is configured to allow unprivileged users to mount file
> systems, it is possible for a local adversary to exploit this
> vulnerability and execute code in the context of the kernel.
>
> IV.  Workaround
>
> It is possible to work around this issue by allowing only privileged
> users to mount file systems by running the following sysctl(8)
> command:
>
> # sysctl vfs.usermount=0
>
> V.   Solution
>
> NOTE WELL: Even with this fix, allowing users to mount arbitrary media
> should not be considered safe. Most of the file systems in FreeBSD
> were not built to safeguard against malicious devices. While
> such bugs in file systems are fixed when found, a complete audit has
> not been performed on the file system code.
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
> security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> and reboot the
> system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_7
>   src/sys/kern/vfs_mount.c                                     1.265.2.10
> RELENG_7_0
>   src/UPDATING                                              1.507.2.3.2.8
>   src/sys/conf/newvers.sh                                    1.72.2.5.2.8
>   src/sys/kern/vfs_mount.c                                  1.265.2.1.2.2
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iD8DBQFIvu2eFdaIBMps37IRAl9BAJ9Jnp+agN06pBkzPDwEnOT83MNd6QCghOFX
> yvNI1gVmhAQ7MXOUvPoLcLk=
> =EsCn
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From mike at sentex.net Sun Sep 7 11:55:32 2008
From: mike at sentex.net (Mike Tancsa)
Date: Sun Sep 7 11:55:38 2008
Subject: Heimdal or MIT for kerberos?
Message-ID: <200809071155.m87BtS2H082832@lava.sentex.ca>

We are looking at deploying Kerberos for better user management (SSO) and
2-factor authentication via PKCS#11 etokens. The servers are all FreeBSD,
and the machine principals will log in from a mix of FreeBSD, Windows and
Mac OS X using ssh and openvpn. As part of our compliance project, access
must be 2-factor. The Heimdal in RELENG_7 is a rather old version and
doesn't seem to have all the bits needed for x509 pre-auth, so I would
probably need to install from the ports anyways. Does anyone have any
suggestions as to which implementation to use? We are in Canada so it
doesn't matter regulation-wise. Is one better maintained than the other?
There are no legacy v4 apps.

Thanks,

        ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                     tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

From tethys.ocean at gmail.com Mon Sep 8 14:13:10 2008
From: tethys.ocean at gmail.com (tethys ocean)
Date: Mon Sep 8 14:13:18 2008
Subject: joomla15-1.5.3 has known vulnerabilities:
Message-ID: <235b80000809080713v70b4a5cfs4927beb1c0772d9a@mail.gmail.com>

Hi all,

One of the co-location customers wants to use joomla (latest version, 15). I
want to install it from the port, but I got this error:

[root@wmn /usr/ports/www/joomla15]# make install clean
===>  joomla15-1.5.3 has known vulnerabilities:
=> joomla -- flaw in the reset token validation.
   Reference: <http://www.FreeBSD.org/ports/portaudit/8514b6e7-6f0f-11dd-b3db-001c2514716c.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/www/joomla15.
[root@wmn /usr/ports/www/joomla15]#

The ports tree is updated.

Firstly it would install; I patched it, but it does not install.

--
Share now a pigeon's flight
Bluebound along the ancient skies,
Its women forever hair and mammal,
A Mediterranean town may arise
If you rip apart a pigeon's heart.
From freebsd-security-local at be-well.ilk.org Mon Sep 8 14:58:34 2008
From: freebsd-security-local at be-well.ilk.org (Lowell Gilbert)
Date: Mon Sep 8 14:58:46 2008
Subject: joomla15-1.5.3 has known vulnerabilities:
In-Reply-To: <235b80000809080713v70b4a5cfs4927beb1c0772d9a@mail.gmail.com> (tethys ocean's message of "Mon, 8 Sep 2008 17:13:06 +0300")
References: <235b80000809080713v70b4a5cfs4927beb1c0772d9a@mail.gmail.com>
Message-ID: <44hc8qr968.fsf@be-well.ilk.org>

"tethys ocean" writes:

> Hi all
>
> one of the co-location customers wants to use joomla (latest version 15). I want
> to install from the port, but I got this error
>
>
> [root@wmn /usr/ports/www/joomla15]# make install clean
> ===>  joomla15-1.5.3 has known vulnerabilities:
> => joomla -- flaw in the reset token validation.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/8514b6e7-6f0f-11dd-b3db-001c2514716c.html>
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/www/joomla15.
> [root@wmn /usr/ports/www/joomla15]#
>
> port is updated
>
> firstly it would install; I patched it, but it does not install

If you have patched to fix the vulnerability, then you can just disable
portaudit.

From astorms at ncircle.com Mon Sep 8 15:57:58 2008
From: astorms at ncircle.com (Andrew Storms)
Date: Mon Sep 8 15:58:04 2008
Subject: Question on recent PHP VuXML info
Message-ID:

Not sure if this is the correct place for VuXML questions, but the FreeBSD
VuXML list (http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty
dead given the last update was in 2007 according to the archives.

We were previously tracking this entry, which pretty much sat for a while
without an applicable upgradeable resolution available.

Affected package: php5-posix-5.2.6
Type of problem: php -- input validation error in posix_access function.
Reference:

-----------

Then late last week, the same VuXML ID started reporting this information
instead:

Affected package: php5-5.2.6
Type of problem: php -- input validation error in safe_mode.
Reference:

------------

The generic question I'm asking is: What happened and why? Seems to me that
if you have a VuXML ID (which, I thought, wasn't supposed to be re-used), then
its name and description shouldn't just apparently change one day.

So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with the same ID
the same bug, a new description, does the newer supersede, etc, etc? Where
can I get the background on what went on here?

Thanks.

-_S

From jille at quis.cx Mon Sep 8 16:34:17 2008
From: jille at quis.cx (Jille Timmermans)
Date: Mon Sep 8 16:34:30 2008
Subject: Question on recent PHP VuXML info
In-Reply-To:
References:
Message-ID: <48C54DBF.3070000@quis.cx>

Andrew Storms wrote:
> Not sure if this is the correct place for VuXML questions, but the FreeBSD
> VuXML list (http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty
> dead given the last update was in 2007 according to the archives.
>
> We were previously tracking this entry, which pretty much sat for a while
> without an applicable upgradeable resolution available.
>
> Affected package: php5-posix-5.2.6
> Type of problem: php -- input validation error in posix_access function.
> Reference:
> .html>
>
> -----------
>
> Then late last week, the same VuXML ID started reporting this information
> instead:
>
> Affected package: php5-5.2.6
> Type of problem: php -- input validation error in safe_mode.
> Reference:
> .html>
>
> ------------
>
>
> The generic question I'm asking is: What happened and why? Seems to me that
> if you have a VuXML ID (which, I thought, wasn't supposed to be re-used), then
> its name and description shouldn't just apparently change one day.
There was an input validation bug in a function that was used in all posix_
functions that used files (http://../ ended up in /) which bypassed safe_mode.

>
> So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with the same ID
> the same bug, a new description, does the newer supersede, etc, etc? Where
> can I get the background on what went on here?

It was only in the posix module, not in the entire PHP.
ale@ took the fixing patch from PHP-cvs and attached it as a patch to the
port a few days ago (or at least committed it). Afaik the vuxml also
updated then; and I think ale@ took a look at the patch and changed the
vuxml to say the portrevision with that patch wasn't vulnerable anymore,
and also clarified the description.

-- Jille

>
> Thanks.
>
> -_S
>

From koitsu at FreeBSD.org Mon Sep 8 16:34:22 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Mon Sep 8 16:34:30 2008
Subject: Question on recent PHP VuXML info
In-Reply-To:
References:
Message-ID: <20080908161818.GA72963@icarus.home.lan>

On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote:
> Not sure if this is the correct place for VuXML questions, but the FreeBSD
> VuXML list (http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty
> dead given the last update was in 2007 according to the archives.
>
> We were previously tracking this entry, which pretty much sat for a while
> without an applicable upgradeable resolution available.
>
> Affected package: php5-posix-5.2.6
> Type of problem: php -- input validation error in posix_access function.
> Reference:
> .html>
> -----------
>
> Then late last week, the same VuXML ID started reporting this information
> instead:
>
> Affected package: php5-5.2.6
> Type of problem: php -- input validation error in safe_mode.
> Reference:
> .html>
> ------------
>
> The generic question I'm asking is: What happened and why? Seems to me that
> if you have a VuXML ID (which, I thought, wasn't supposed to be re-used), then
> its name and description shouldn't just apparently change one day.
>
> So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with the same ID
> the same bug, a new description, does the newer supersede, etc, etc? Where
> can I get the background on what went on here?

My initial impression after reading the full disclosures on SecurityFocus
is that these two flaws are separate, and should have been given separate
VuXML IDs:

CVE-2008-2665: http://www.securityfocus.com/bid/29797
CVE-2008-2666: http://www.securityfocus.com/bid/29796

As for the CVS commits under scrutiny, here they are in chronological order:

Revision 1.1645
Revision 1.1646
Revision 1.1647
Revision 1.1676

http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

From ipfreak at yahoo.com Tue Sep 9 05:12:52 2008
From: ipfreak at yahoo.com (gahn)
Date: Tue Sep 9 05:12:59 2008
Subject: jails
Message-ID: <839688.9358.qm@web52105.mail.re2.yahoo.com>

hi all:

I tried to build jails and just could not get it to work. It kept giving me
errors.
For 6.3, I got the following errors:

//////////////////////

cd /usr/src; make -f Makefile.inc1 hierarchy
cd /usr/src/etc; make distrib-dirs
mtree -eU -f /usr/src/etc/mtree/BSD.root.dist -p /home/j/mroot/
mtree -eU -f /usr/src/etc/mtree/BSD.var.dist -p /home/j/mroot/var
mtree -eU -f /usr/src/etc/mtree/BSD.usr.dist -p /home/j/mroot/usr
mtree -eU -f /usr/src/etc/mtree/BSD.include.dist -p /home/j/mroot/usr/include
mtree -deU -f /usr/src/etc/mtree/BIND.chroot.dist -p /home/j/mroot/var/named
mtree -deU -f /usr/src/etc/mtree/BSD.sendmail.dist -p /home/j/mroot/
cd /home/j/mroot/; rm -f /home/j/mroot/sys; ln -s usr/src/sys sys
cd /home/j/mroot/usr/share/man/en.ISO8859-1; ln -sf ../man* .
cd /home/j/mroot/usr/share/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done
cd /home/j/mroot/usr/share/openssl/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done
cd /home/j/mroot/usr/share/openssl/man/en.ISO8859-1; ln -sf ../man* .
cd /home/j/mroot/usr/share/nls; set - `grep "^[a-zA-Z]" /usr/src/etc/nls.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done

--------------------------------------------------------------
>>> Installing everything
--------------------------------------------------------------
cd /usr/src; make -f Makefile.inc1 install
===> share/info (install)
===> include (install)
creating osreldate.h from newvers.sh
touch: not found
*** Error code 127

Stop in /usr/src/include.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
////////////////////////////////

For 7.0 I got these errors:

////////////////////////

>>> Installing everything
--------------------------------------------------------------
cd /usr/src; make -f Makefile.inc1 install
===> share/info (install)
===> lib (install)
===> lib/csu/i386-elf (install)
gcc -O2 -fno-strict-aliasing -pipe -I/usr/src/lib/csu/i386-elf/../common -I/usr/src/lib/csu/i386-elf/../../libc/include -Wsystem-headers -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wno-pointer-sign -c crt1.c
gcc:No such file or directory
*** Error code 1

Stop in /usr/src/lib/csu/i386-elf.
*** Error code 1

Stop in /usr/src/lib.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

///////////////////////////////

I followed the instructions of the "handbook"....

thanks

From ipfreak at yahoo.com Tue Sep 9 15:45:34 2008
From: ipfreak at yahoo.com (gahn)
Date: Tue Sep 9 15:45:41 2008
Subject: jails
In-Reply-To: <20080909153559.GD10842@nemesis.frida.mouhaha.de>
Message-ID: <104708.43710.qm@web52108.mail.re2.yahoo.com>

Hello:

I don't know what you were referring to, but the date and time of the
machine was set correctly.

#date
Tue Sep  9 11:40:04 EDT 2008

best

--- On Tue, 9/9/08, Oliver Peter wrote:

> From: Oliver Peter
> Subject: Re: jails
> To: "gahn"
> Cc: "freebsd security"
> Date: Tuesday, September 9, 2008, 8:36 AM
> On Mon, Sep 08, 2008 at 09:46:10PM -0700, gahn wrote:
> > hi all:
> >
> > i tried to build jails and just could not get it to work.
> > it kept giving me errors.
> >
> > for 6.3, i got following errors:
> >
> > //////////////////////
> >
> > cd /usr/src; make -f Makefile.inc1 hierarchy
> > cd /usr/src/etc; make distrib-dirs
> > mtree -eU -f /usr/src/etc/mtree/BSD.root.dist -p /home/j/mroot/
> > mtree -eU -f /usr/src/etc/mtree/BSD.var.dist -p /home/j/mroot/var
> > mtree -eU -f /usr/src/etc/mtree/BSD.usr.dist -p /home/j/mroot/usr
> > mtree -eU -f /usr/src/etc/mtree/BSD.include.dist -p /home/j/mroot/usr/include
> > mtree -deU -f /usr/src/etc/mtree/BIND.chroot.dist -p /home/j/mroot/var/named
> > mtree -deU -f /usr/src/etc/mtree/BSD.sendmail.dist -p /home/j/mroot/
> > cd /home/j/mroot/; rm -f /home/j/mroot/sys; ln -s usr/src/sys sys
> > cd /home/j/mroot/usr/share/man/en.ISO8859-1; ln -sf ../man* .
> > cd /home/j/mroot/usr/share/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done
> > cd /home/j/mroot/usr/share/openssl/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done
> > cd /home/j/mroot/usr/share/openssl/man/en.ISO8859-1; ln -sf ../man* .
> > cd /home/j/mroot/usr/share/nls; set - `grep "^[a-zA-Z]" /usr/src/etc/nls.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done
> >
> > --------------------------------------------------------------
> > >>> Installing everything
> > --------------------------------------------------------------
> > cd /usr/src; make -f Makefile.inc1 install
> > ===> share/info (install)
> > ===> include (install)
> > creating osreldate.h from newvers.sh
> > touch: not found
> > *** Error code 127
> >
> > Stop in /usr/src/include.
> > *** Error code 1
> >
> > Stop in /usr/src.
> > *** Error code 1
> >
> > Stop in /usr/src.
> > *** Error code 1
> >
> > Stop in /usr/src.
> > *** Error code 1
> >
> > Stop in /usr/src.
> > > > //////////////////////////////// > > > > for 7.0 i got errors: > > > > //////////////////////// > > > > >>> Installing everything > > > -------------------------------------------------------------- > > cd /usr/src; make -f Makefile.inc1 install > > ===> share/info (install) > > ===> lib (install) > > ===> lib/csu/i386-elf (install) > > gcc -O2 -fno-strict-aliasing -pipe > -I/usr/src/lib/csu/i386-elf/../common > -I/usr/src/lib/csu/i386-elf/../../libc/include > -Wsystem-headers -Wall -Wno-format-y2k -W > -Wno-unused-parameter -Wstrict-prototypes > -Wmissing-prototypes -Wpointer-arith -Wreturn-type > -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align > -Wunused-parameter -Wchar-subscripts -Winline > -Wnested-externs -Wredundant-decls -Wno-pointer-sign -c > crt1.c > > gcc:No such file or directory > > *** Error code 1 > > > > Stop in /usr/src/lib/csu/i386-elf. > > *** Error code 1 > > > > Stop in /usr/src/lib. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > /////////////////////////////// > > > > i followed the instructions of the > "handbook".... > > > > thanks > > > http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-05/0059.html > > -- > Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174 > "If it feels good, you're doing something > wrong." > -- Coach McTavish From lists at peter.de.com Tue Sep 9 15:54:08 2008 From: lists at peter.de.com (Oliver Peter) Date: Tue Sep 9 15:54:16 2008 Subject: jails In-Reply-To: <839688.9358.qm@web52105.mail.re2.yahoo.com> References: <839688.9358.qm@web52105.mail.re2.yahoo.com> Message-ID: <20080909153559.GD10842@nemesis.frida.mouhaha.de> On Mon, Sep 08, 2008 at 09:46:10PM -0700, gahn wrote: > hi all: > > i tried to build jails and just could not get it work. it kept giving me errors. 
>
> for 6.3, i got following errors:
>
> //////////////////////
>
> cd /usr/src; make -f Makefile.inc1 hierarchy
> cd /usr/src/etc; make distrib-dirs
> mtree -eU -f /usr/src/etc/mtree/BSD.root.dist -p /home/j/mroot/
> mtree -eU -f /usr/src/etc/mtree/BSD.var.dist -p /home/j/mroot/var
> mtree -eU -f /usr/src/etc/mtree/BSD.usr.dist -p /home/j/mroot/usr
> mtree -eU -f /usr/src/etc/mtree/BSD.include.dist -p /home/j/mroot/usr/include
> mtree -deU -f /usr/src/etc/mtree/BIND.chroot.dist -p /home/j/mroot/var/named
> mtree -deU -f /usr/src/etc/mtree/BSD.sendmail.dist -p /home/j/mroot/
> cd /home/j/mroot/; rm -f /home/j/mroot/sys; ln -s usr/src/sys sys
> cd /home/j/mroot/usr/share/man/en.ISO8859-1; ln -sf ../man* .
> cd /home/j/mroot/usr/share/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done
> cd /home/j/mroot/usr/share/openssl/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done
> cd /home/j/mroot/usr/share/openssl/man/en.ISO8859-1; ln -sf ../man* .
> cd /home/j/mroot/usr/share/nls; set - `grep "^[a-zA-Z]" /usr/src/etc/nls.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done
>
> --------------------------------------------------------------
> >>> Installing everything
> --------------------------------------------------------------
> cd /usr/src; make -f Makefile.inc1 install
> ===> share/info (install)
> ===> include (install)
> creating osreldate.h from newvers.sh
> touch: not found
> *** Error code 127
>
> Stop in /usr/src/include.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
>
> ////////////////////////////////
>
> for 7.0 i got errors:
>
> ////////////////////////
>
> >>> Installing everything
> --------------------------------------------------------------
> cd /usr/src; make -f Makefile.inc1 install
> ===> share/info (install)
> ===> lib (install)
> ===> lib/csu/i386-elf (install)
> gcc -O2 -fno-strict-aliasing -pipe -I/usr/src/lib/csu/i386-elf/../common -I/usr/src/lib/csu/i386-elf/../../libc/include -Wsystem-headers -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wno-pointer-sign -c crt1.c
> gcc:No such file or directory
> *** Error code 1
>
> Stop in /usr/src/lib/csu/i386-elf.
> *** Error code 1
>
> Stop in /usr/src/lib.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> ///////////////////////////////
>
> i followed the instructions of the "handbook"....
>
> thanks

http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-05/0059.html

--
Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
"If it feels good, you're doing something wrong."
-- Coach McTavish
From lists at peter.de.com Tue Sep 9 16:14:07 2008
From: lists at peter.de.com (Oliver Peter)
Date: Tue Sep 9 16:14:15 2008
Subject: jails
In-Reply-To: <104708.43710.qm@web52108.mail.re2.yahoo.com>
References: <20080909153559.GD10842@nemesis.frida.mouhaha.de> <104708.43710.qm@web52108.mail.re2.yahoo.com>
Message-ID: <20080909165440.1ec3ef7f@dilbert.office.centralnic.com>

On Tue, 9 Sep 2008 08:45:33 -0700 (PDT) gahn wrote:

> I don't know what you were referring to. but the date and time of the
> machine was set correctly.
>
> #date Tue Sep 9 11:40:04 EDT 2008

Can you reproduce the problem - with correct date/time?

Are you trying to build a 7-RELEASE jail within a 6.3 environment? (very bad idea)

Also, if you have updated your source tree it's recommended to erase the whole content of your obj directory before you build your world, i.e.:

# rm -rf /usr/obj/*

(but that only applies if you want to make an upgrade from 6 -> 7)

Provide us your make.conf as well.

Cheers.

PS: move this topic to freebsd-questions@ ! It isn't security related.

--
Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
"I like to con people. And I like to insult people. If you combine con & insult, you get consult!" -- Dogbert

From koitsu at FreeBSD.org Tue Sep 9 16:46:11 2008
From: koitsu at FreeBSD.org (Jeremy Chadwick)
Date: Tue Sep 9 16:46:19 2008
Subject: jails
In-Reply-To: <104708.43710.qm@web52108.mail.re2.yahoo.com>
References: <20080909153559.GD10842@nemesis.frida.mouhaha.de> <104708.43710.qm@web52108.mail.re2.yahoo.com>
Message-ID: <20080909164608.GA2448@icarus.home.lan>

On Tue, Sep 09, 2008 at 08:45:33AM -0700, gahn wrote:
> Hello:
>
> I don't know what you were referring to. but the date and time of the machine was set correctly.
>
> #date Tue Sep 9 11:40:04 EDT 2008
>
> best

Is your system clock skewing a lot? Are you running ntpd? (I hope you're not using ntpdate from a cronjob, that would pretty much guarantee what you're seeing.)

You can't easily tell clock skew with userland utilities, but the result often manifests itself in the way you're seeing. I can provide some advice on how to use ntpd/ntpq/ntpdc if need be.

If you're not using ntpd, you should be! Here's a decent/proper ntp.conf (you should visit the use.html document and pick servers that are appropriate for your region). Do not add "iburst" to all of the servers; just the first one.

# north-america.pool.ntp.org
# http://www.pool.ntp.org/use.html
#
# maxpoll 9 is used to work around PLL/FLL flipping, which
# happens at exactly 1024 seconds (the default maxpoll value).
# Another FreeBSD member recommended using 9 instead.
# http://lists.freebsd.org/pipermail/freebsd-stable/2006-December/031512.html
#
server 0.north-america.pool.ntp.org maxpoll 9 iburst
server 1.north-america.pool.ntp.org maxpoll 9
server 2.north-america.pool.ntp.org maxpoll 9

# Default: ignore all ntp queries from all other hosts. Packets
# to/from "server" lines are still respected.
restrict default noquery nomodify nopeer

# Allow queries to/from localhost, used for ntpdc and other utils
# Allow queries to/from the local private network (read-only)
restrict 127.0.0.0 mask 255.0.0.0
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap

After, run "ntpdate <server>", where server is the first server in your list. ntpdate should update the clock for you, and provide you an idea of just how skewed it was compared to the remote NTP server's clock.

Then you can run ntpd safely. Just place the below into /etc/rc.conf and run /etc/rc.d/ntpd start. (ntpd_sync_on_start is primarily for when you reboot the box; don't let the name mislead you)

ntpd_enable="yes"
ntpd_sync_on_start="yes"

Hope this helps, or at least educates.
-- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | From ipfreak at yahoo.com Tue Sep 9 18:02:08 2008 From: ipfreak at yahoo.com (gahn) Date: Tue Sep 9 18:02:14 2008 Subject: jails In-Reply-To: <20080909165440.1ec3ef7f@dilbert.office.centralnic.com> Message-ID: <351360.97910.qm@web52101.mail.re2.yahoo.com> thanks for your all. it has worked out very well after i did first "make world DESTDIR/home/j/mroot", then did "make installworld DESTDIR=/home/j/mroot". best --- On Tue, 9/9/08, Oliver Peter wrote: > From: Oliver Peter > Subject: Re: jails > To: ipfreak@yahoo.com > Cc: "freebsd security" > Date: Tuesday, September 9, 2008, 8:54 AM > On Tue, 9 Sep 2008 08:45:33 -0700 (PDT) > gahn wrote: > > > I don't know what you were referring to. but the > date and time of the > > machine was set correctly. > > > > #date Tue Sep 9 11:40:04 EDT 2008 > > Can you reproduce the problem - with correct date/time? > > Are you trying to build a 7-RELEASE jail within a 6.3 > environment? > (very bad idea) > > Also, if you have updated your sourcetree it's > recommended to erase the > while content of your obj directory bevore you build your > world, i.e.: > > # rm -rf /usr/obj/* > > (but that only applies if you want to make an upgrade from > 6 -> 7) > > Provide us your make.conf as well. > > Cheers. > > PS: move this topic to freebsd-questions@ ! > It isn't security related. > > -- > Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174 > "I like to con people. And I like to insult people. > If you combine con & insult, you get consult!" > -- Dogbert From simon at FreeBSD.org Tue Sep 9 21:06:08 2008 From: simon at FreeBSD.org (Simon L. 
Nielsen) Date: Tue Sep 9 21:06:19 2008 Subject: Question on recent PHP VuXML info In-Reply-To: <20080908161818.GA72963@icarus.home.lan> References: <20080908161818.GA72963@icarus.home.lan> Message-ID: <20080909204958.GA1203@arthur.nitro.dk> On 2008.09.08 09:18:18 -0700, Jeremy Chadwick wrote: > On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote: > > Not sure if this is the correct place for VuXML questions, but the FreeBSD > > VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty > > dead given the last update was in 2007 according to the archives. > > > > We were previously tracking this entry, which pretty much sat for a while > > without an applicable upgradeable resolution available. While I haven't looked into the details of this particular entry, Jille and Jeremy did that well, I just want to take this opportunity to point out that "safe_mode" is broken... From the particular entry: It should be noted that this vulnerability is not considered to be serious by the FreeBSD Security Team, since safe_mode and open_basedir are insecure by design and should not be relied upon. We (secteam) have seriously debated if it was worth documenting "safe_mode" issues at all, but the compromise was just to add something similar to the above text. -- Simon L. Nielsen FreeBSD Security Team From flygt at sr.se Wed Sep 10 06:46:03 2008 From: flygt at sr.se (Gunnar Flygt) Date: Wed Sep 10 06:46:10 2008 Subject: Heimdal or MIT for kerberos? In-Reply-To: <200809071155.m87BtS2H082832@lava.sentex.ca> References: <200809071155.m87BtS2H082832@lava.sentex.ca> Message-ID: <20080910063408.GA99970@sr.se> I'm very pleased with heimdal 1.1. I compile it from sources. No big problem. Compile on one machine and copy the file structure to the other at the same OS level. Then using openssh-gssapi-overwrite-base-5.0.p1,1 with the KRB5_HOME flag set to the directory of heimdal. Same thing there, compile and make a package on one machine. 
The KDC's run FreeBSD 7 and the same release of heimdal as the others. On Sun, Sep 07, 2008 at 07:55:26AM -0400, Mike Tancsa wrote: > We are looking at deploying Kerberos for better user management (SSO) > and 2 factor authentication via pkcs#11 etokens. The servers are all > FreeBSD and the machines principals will login from a mix of FreeBSD, > Windows and MAC OSX using ssh and openvpn. As part of our compliance > project, access must be 2 factor. The Heimdal in RELENG_7 is a > rather old version and doesnt seem to have all the bits needed for > x509 pre-auth so I would probably need to install from the ports > anyways. Does anyone have any suggestions as to which > implementation to use ? We are in Canada so it doesnt matter > regulation wise. Is one better maintained than the other ? There are > no legacy v4 apps > Thanks, > > ---Mike > > -------------------------------------------------------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, mike@sentex.net > Providing Internet since 1994 www.sentex.net > Cambridge, Ontario Canada www.sentex.net/mike > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From khachatur.shahinyan at arca.am Sat Sep 13 06:04:38 2008 From: khachatur.shahinyan at arca.am (Khachatur Shahinyan) Date: Sat Sep 13 06:06:25 2008 Subject: Freebsd auto locking users Message-ID: <48CB52AE.6070501@arca.am> Dear FreeBsd gurus, I have a problem concerning users password and authentication policies. The goal is 1)make freebsd to lock users after 3 unsuccessful login attempts, 2)force users to change their passwords every 90 days I've done such changes in Linux distros, with various PAM modules.But in Freebsd it seems that i need to use login.conf file. Here I made necessary changes in that file: >>>>>> default:\ ............. ............. 
.............
        :login-retries=1:\
        :passwordtime=90d:\
        :warnpassword=7d:\
        :warnexpire=7d:\
>>>>>>>

Then I ran cap_mkdb /etc/login.conf, and everything went normally, no error messages, but after adding a test user I see no changes in the master.passwd file. The fields which are reserved for the password aging parameters are 0:0

test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh

And the locking does not work either, e.g. no matter how many times I input a wrong password, I'm still able to login. :(
I cannot understand what I'm doing wrong, and what should be done to solve these issues? I'm not an expert in FreeBSD administration, so any comments and suggestions are welcome.

Thank You
Khachatur Shahinyan

From kurin at delete.org Sat Sep 13 06:52:24 2008
From: kurin at delete.org (Toby Burress)
Date: Sat Sep 13 13:44:20 2008
Subject: Freebsd auto locking users
In-Reply-To: <48CB52AE.6070501@arca.am>
References: <48CB52AE.6070501@arca.am>
Message-ID: <20080913063522.GA3784@lithium.delete.org>

On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
> :passwordtime=90d:\
> :warnpassword=7d:\
> :warnexpire=7d:\
> >>>>>>> Then I made the cap_mkdb /etc/login.conf , and everything went normal, no error messages, but after adding a test user I see no changes in the master.passwd
> file.
> The fields which are reserved for password aging parameters are 0:0
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I input wrong password, I'm still able to login. :(
> I cannot understand what I'm doing wrong, and what should be done solve this issues? I'm not an expert Freebsd administration, so any comments and suggestions are
> welcome.
You'll notice in the login.conf man page that these are in the "reserved capabilities" section:

RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.

For blocking repeated password attempts, check out security/pam_abl. Note that if sshd doesn't use PAM, it won't have any effect for ssh logins.

A quick search doesn't show me any port for enforcing password age. For what it's worth, I once emailed Bruce Schneier about the effectiveness of that and he said he never changed his passwords (based on age, anyway). But there's probably something.

From jon.passki at hursk.com Sat Sep 13 14:18:32 2008
From: jon.passki at hursk.com (Jon Passki)
Date: Sat Sep 13 14:18:40 2008
Subject: Freebsd auto locking users
In-Reply-To: <48CB52AE.6070501@arca.am>
References: <48CB52AE.6070501@arca.am>
Message-ID:

On Sat, Sep 13, 2008 at 12:42 AM, Khachatur Shahinyan wrote:
>
> Dear FreeBsd gurus, I have a problem concerning users password and authentication policies. The goal is
> 1)make freebsd to lock users after 3 unsuccessful login attempts,
> 2)force users to change their passwords every 90 days
>
> I've done such changes in Linux distros, with various PAM modules.But in Freebsd it seems that i need to use login.conf file. Here I made necessary changes in that file:
> >>>>>>
> default:\
> .............
> .............
> .............
>         :login-retries=1:\
>         :passwordtime=90d:\
>         :warnpassword=7d:\
>         :warnexpire=7d:\
> >>>>>>>
> Then I made the cap_mkdb /etc/login.conf , and everything went normal, no error messages, but after adding a test user I see no changes in the master.passwd file.
> The fields which are reserved for password aging parameters are 0:0
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I input wrong password, I'm still able to login.
:(
> I cannot understand what I'm doing wrong, and what should be done solve this issues? I'm not an expert Freebsd administration, so any comments and suggestions are welcome.

login.conf manual page: [1]

RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.
     [...]
     passwordtime   time    Used by passwd(1) to set next password expiry date.
     [...]

The other capabilities (warnpassword, warnexpire, login-retries) do not relate to lock-out attempts. To my knowledge, there are no other capabilities that are supported by the base in login.conf that will lock out an account. This has been discussed prior [2,3]. It is not available in the base; the administrator has to manually do this.

[1] http://www.freebsd.org/cgi/man.cgi?query=login.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html
[2] http://lists.freebsd.org/pipermail/freebsd-questions/2003-August/015073.html
[3] http://lists.freebsd.org/pipermail/freebsd-questions/2008-February/167981.html

Cheers,

Jon

From mouss at netoyen.net Sat Sep 13 21:05:33 2008
From: mouss at netoyen.net (mouss)
Date: Sat Sep 13 21:05:41 2008
Subject: Freebsd auto locking users
In-Reply-To: <20080913063522.GA3784@lithium.delete.org>
References: <48CB52AE.6070501@arca.am> <20080913063522.GA3784@lithium.delete.org>
Message-ID: <48CC26A7.6020407@netoyen.net>

Toby Burress wrote:
> On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
>> :passwordtime=90d:\
>> :warnpassword=7d:\
>> :warnexpire=7d:\
>>>>>>>>> Then I made the cap_mkdb /etc/login.conf , and everything went normal, no error messages, but after adding a test user I see no changes in the master.passwd
>> file.
>> The fields which are reserved for password aging parameters are 0:0
>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>
>> And the locking point does not work either, e.g.
no matter how many times I input wrong password, I'm still able to login. :(
>> I cannot understand what I'm doing wrong, and what should be done solve this issues? I'm not an expert Freebsd administration, so any comments and suggestions are
>> welcome.
>
> You'll notice in the login.conf man page that these are in the
> "reserved capabilities" section:
>
> RESERVED CAPABILITIES
> The following capabilities are reserved for the purposes indicated and
> may be supported by third-party software. They are not implemented in
> the base system.
>
> For blocking repeated password attempts, check out security/pam_abl.
> Note that if sshd doesn't use PAM, it won't have any effect for ssh
> logins.
>
> A quick search doesn't show me any port for enforcing password age.
> For what it's worth, I once emailed Bruce Schneier about the
> effectiveness of that and he said he never changed his passwords
> (based on age, anyway). But there's probably something.

Given that it's not easy to select a good password (both strong and easy to remember), password expiration sometimes results in weak passwords or in forgotten ones, or, if no measure is taken against it, people change back to old ones.

http://www.cryptosmith.com/sanity/expharmful.html
http://www.rsa.com/blog/blog_entry.aspx?id=1286
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/P50/

and the other side has its proponents of course:

http://lopsa.org/node/29

From rwatson at FreeBSD.org Sun Sep 14 10:12:47 2008
From: rwatson at FreeBSD.org (Robert Watson)
Date: Sun Sep 14 10:12:53 2008
Subject: Freebsd auto locking users
In-Reply-To: <48CC26A7.6020407@netoyen.net>
References: <48CB52AE.6070501@arca.am> <20080913063522.GA3784@lithium.delete.org> <48CC26A7.6020407@netoyen.net>
Message-ID:

On Sat, 13 Sep 2008, mouss wrote:

>> A quick search doesn't show me any port for enforcing password age.
For >> what it's worth, I once emailed Bruce Schneier about the effectiveness of >> that and he said he never changed his passwords (based on age, anyway). >> But there's probably something. > > Given that it's not easy to select a good password (both strong and easy to > remember), password expiration sometimes result in weak passwords or in > forgotten ones. or if no measure is taken against, people change to old > ones. > > http://www.cryptosmith.com/sanity/expharmful.html > http://www.rsa.com/blog/blog_entry.aspx?id=1286 > http://www.cerias.purdue.edu/site/blog/post/password-change-myths/P50/ > > and the other side has its proponents of course: > > http://lopsa.org/node/29 While these complaints about password expiration are certainly true, it seems like a common policy required by many sites, and failing to be able to support that policy will limit our ability to run at those sites. It would be nice if we could complete the implementation of some of those password-related policies. Robert N M Watson Computer Laboratory University of Cambridge From m at micheas.net Sun Sep 14 10:48:37 2008 From: m at micheas.net (Micheas Herman) Date: Sun Sep 14 10:48:46 2008 Subject: Freebsd auto locking users (minor correction In-Reply-To: References: <48CB52AE.6070501@arca.am> <20080913063522.GA3784@lithium.delete.org> <48CC26A7.6020407@netoyen.net> Message-ID: <1221388102.5857.4.camel@mars.sf.greencampaigns.com> On Sun, 2008-09-14 at 11:12 +0100, Robert Watson wrote: > On Sat, 13 Sep 2008, mouss wrote: > > > > and the other side has its proponents of course: > > > > http://lopsa.org/node/29 This should be http://lopsa.org/node/295 -- "... all the modern inconveniences ..." 
-- Mark Twain

From mouss at netoyen.net Sun Sep 14 11:04:17 2008
From: mouss at netoyen.net (mouss)
Date: Sun Sep 14 11:04:24 2008
Subject: Freebsd auto locking users
In-Reply-To:
References: <48CB52AE.6070501@arca.am> <20080913063522.GA3784@lithium.delete.org> <48CC26A7.6020407@netoyen.net>
Message-ID: <48CCEFB8.7090402@netoyen.net>

Robert Watson wrote:
> [snip]
>> http://lopsa.org/node/29

Missing trailing '5'. Thanks Micheas.

>
> While these complaints about password expiration are certainly true, it
> seems like a common policy required by many sites, and failing to be
> able to support that policy will limit our ability to run at those
> sites. It would be nice if we could complete the implementation of some
> of those password-related policies.

Agreed. Give them the tools and the documentation, and let them decide.

From khachatur.shahinyan at arca.am Tue Sep 16 06:32:20 2008
From: khachatur.shahinyan at arca.am (Khachatur Shahinyan)
Date: Tue Sep 16 11:29:59 2008
Subject: Freebsd auto locking users
In-Reply-To: <20080914065041.3600784c.trhodes@FreeBSD.org>
References: <48CB52AE.6070501@arca.am> <20080913021758.39d946c1.trhodes@FreeBSD.org> <48CB5F29.3040903@arca.am> <20080913053721.764ed614.trhodes@FreeBSD.org> <48CB9542.30008@arca.am> <20080914065041.3600784c.trhodes@FreeBSD.org>
Message-ID: <48CF5298.9020601@arca.am>

Yes, pam_abl is the correct PAM module to solve this problem. After reading its manual I was able to lock users and log the authentication failures. Thank you for the help. But the password expiration and warning issues are still open.
Thank You Khachatur Shahinyan Tom Rhodes wrote: > On Sat, 13 Sep 2008 15:26:10 +0500 > Khachatur Shahinyan wrote: > > >> Tom Rhodes wrote: >> >>> On Sat, 13 Sep 2008 11:35:21 +0500 >>> Khachatur Shahinyan wrote: >>> >>> >>> >>>> Tom Rhodes wrote: >>>> >>>> >>>>> On Sat, 13 Sep 2008 10:42:06 +0500 >>>>> Khachatur Shahinyan wrote: >>>>> >>>>> >>>>> >>>>> >>>>>> Dear FreeBsd gurus, I have a problem concerning users password and >>>>>> authentication policies. The goal is >>>>>> 1)make freebsd to lock users after 3 unsuccessful login attempts, >>>>>> 2)force users to change their passwords every 90 days >>>>>> >>>>>> I've done such changes in Linux distros, with various PAM modules.But in >>>>>> Freebsd it seems that i need to use login.conf file. Here I made >>>>>> necessary changes in that file: >>>>>> >>>>>> >>>>>> default:\ >>>>>> ............. >>>>>> ............. >>>>>> ............. :login-retries=1:\ >>>>>> :passwordtime=90d:\ >>>>>> :warnpassword=7d:\ >>>>>> :warnexpire=7d:\ >>>>>> >>>>>>> >>>>>> Then I made the cap_mkdb /etc/login.conf , and everything went normal, >>>>>> no error messages, but after adding a test user I see no changes in the >>>>>> master.passwd file. >>>>>> The fields which are reserved for password aging parameters are 0:0 >>>>>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User >>>>>> &:/home/test:/bin/sh >>>>>> >>>>>> And the locking point does not work either, e.g. no matter how many >>>>>> times I input wrong password, I'm still able to login. :( >>>>>> I cannot understand what I'm doing wrong, and what should be done solve >>>>>> this issues? I'm not an expert Freebsd administration, so any comments >>>>>> and suggestions are welcome. >>>>>> >>>>>> >>>>>> >>>>> You should be able to set these via the pw(8) utility. >>>>> >>>>> >>>>> >>>>> >>>> Thank You for fast reply. >>>> >>>> Yes, some settings can be done via "pw", but it does not support auto >>>> locking. 
>>>> >>>> >>>> >>>> >>> I'm about to be going to bed soon, but how did you accomplish >>> this in Linux? We have PAM configuration in /etc/pam.d, you >>> may wish to look there. >>> >>> >>> >> We have few Redhat Linux machines, and solved this problem with faillog >> (http://linux.die.net/man/8/faillog), and pam tally >> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html). >> It took over 30 minutes to fully configure the system. But in case of >> FreeBsd, it does not seem to be that easy :) >> >> > > Someone mentioned this port: > > security/pam_abl > > The description of this pam module is: > > localhost# cat /usr/ports/security/pam_abl/pkg-descr > The pam_abl provides auto blacklisting of hosts and users > responsible for repeated failed authentication attempts. > > WWW: http://www.hexten.net/pam_abl/ > > Which sounds interesting and most likely do what you want. > > From mike at sentex.net Tue Sep 16 14:34:47 2008 From: mike at sentex.net (Mike Tancsa) Date: Tue Sep 16 14:34:55 2008 Subject: Heimdal or MIT for kerberos? In-Reply-To: <20080910063408.GA99970@sr.se> References: <200809071155.m87BtS2H082832@lava.sentex.ca> <20080910063408.GA99970@sr.se> Message-ID: <200809161434.m8GEYi0Y037839@lava.sentex.ca> At 02:34 AM 9/10/2008, Gunnar Flygt wrote: >I'm very pleased with heimdal 1.1. I compile it from sources. No big >problem. Compile on one machine and copy the file structure to the other >at the same OS level. Then using openssh-gssapi-overwrite-base-5.0.p1,1 >with the KRB5_HOME flag set to the directory of heimdal. Same thing >there, compile and make a package on one machine. The KDC's run FreeBSD >7 and the same release of heimdal as the others. Hi, Thanks for the response! When you installed heimdal 1.1 from the source, did you overwrite the local libs, or did you keep everything in /usr/local ? Also, do you use hx509 at all and certs for pre-auth ? 
---Mike

>On Sun, Sep 07, 2008 at 07:55:26AM -0400, Mike Tancsa wrote:
> > We are looking at deploying Kerberos for better user management (SSO)
> > and 2 factor authentication via pkcs#11 etokens. The servers are all
> > FreeBSD and the machines principals will login from a mix of FreeBSD,
> > Windows and MAC OSX using ssh and openvpn. As part of our compliance
> > project, access must be 2 factor. The Heimdal in RELENG_7 is a
> > rather old version and doesnt seem to have all the bits needed for
> > x509 pre-auth so I would probably need to install from the ports
> > anyways. Does anyone have any suggestions as to which
> > implementation to use ? We are in Canada so it doesnt matter
> > regulation wise. Is one better maintained than the other ? There are
> > no legacy v4 apps
> > Thanks,
> >
> > ---Mike
> >
> > --------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Sentex Communications, mike@sentex.net
> > Providing Internet since 1994 www.sentex.net
> > Cambridge, Ontario Canada www.sentex.net/mike

From ivangrvr299 at gmail.com Wed Sep 17 12:09:03 2008
From: ivangrvr299 at gmail.com (Ivan Grover)
Date: Wed Sep 17 12:09:10 2008
Subject: Controlling PAM modules
Message-ID: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com>

Hi All,

I am trying to use a few modules such as
pam_radius - does remote authentication
pam_abl - to lock users/IP addresses

My problem is: do I have any standard way to skip one of the PAM modules without changing the service conf file?

Suppose I don't want to enable locking of users, then one solution I can think of is to share a common database across the application and the PAM modules.
The application sets a flag which indicates whether pam_abl is included or not. Then the pam_abl module will look into this database and either simply return PAM_SUCCESS always or process the user lockouts.

Please advise/comment.

Best Regards,
Ivan.

From freebsd-security at dfmm.org Wed Sep 17 13:13:21 2008
From: freebsd-security at dfmm.org (freebsd-security@dfmm.org)
Date: Wed Sep 17 13:13:29 2008
Subject: Controlling PAM modules
In-Reply-To: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com>
References: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com>
Message-ID:

> Do I have any standard way to skip one of the PAM modules
> without changing the service conf file.

Why do you not want to change the per-service conf files? Those files _are_ the database.

There are a bunch of strategies that you could use to, e.g., maintain your alterations as a diff to the base-system config so to make upgrades easier, but a) to answer your question, no, there's nothing standard for that, and b) that is an especially risky approach - you could completely break your security, letting anyone in, or locking legitimate users out, etc.

-Jason

From ivangrvr299 at gmail.com Wed Sep 17 16:16:17 2008
From: ivangrvr299 at gmail.com (Ivan Grover)
Date: Wed Sep 17 16:16:25 2008
Subject: Controlling PAM modules
In-Reply-To:
References: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com>
Message-ID: <670f29e20809170916g2cafdbaybc6745ce92ad0187@mail.gmail.com>

Thanks Jason.
Let me try to explain the complete problem:

I have three authentication modules
  -- pam_radius_auth.so (for remote authentication)
  -- pam_unix (unix local authentication)
  -- pam_opie (challenge/response)
and other accounting modules such as pam_abl.

I would like to place these in my service conf file in the best possible way. Assume my service conf file looks like:

  auth  required    pam_env.so
  auth  required    pam_abl.so config=/etc/security/pam_abl.conf
  auth  sufficient  pam_radius_auth.so      # for remote authentication
  auth  required    pam_unix.so
  auth  required    pam_opie.so             # for challenge/response

The user will try remote authentication; if it fails then he has to enter the correct unix passwd and the challenge/response (providing both might be painful sometimes).

Please advise if the above doesn't look ok or if I missed something.

The PAM application can be configured in the following ways:
  - the setup doesn't want to use remote authentication, so pam_radius_auth.so is unnecessarily executed; so disable it
  - the setup doesn't want to use user lockouts / IP address lockouts, so pam_abl.so is unnecessary. Similarly the challenge/response software may not be there on the client side, so it doesn't want to run pam_opie.so; so disable both in this case.

By allowing such configurations, I might have to keep many service conf files, one for each configuration. Instead, can I have some other, better approach, if any?

Does it make sense to leave it to the Security Administrator to configure things in the desired way, or do we try to code the PAM modules in a proper way so that they don't crash if they don't find the setup required?

Please let me know your comments.

On Wed, Sep 17, 2008 at 6:16 PM, wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > Do I have any standard way to skip one of the PAM modules
> > without changing the service conf file?
>
> Why do you not want to change the per-service conf files? Those files
> _are_ the database.
>
> There are a bunch of strategies that you could use to, e.g., maintain your
> alterations as a diff to the base-system config so as to make upgrades easier,
> but a) to answer your question, no, there's nothing standard for that, and
> b) that is an especially risky approach - you could completely break your
> security, letting anyone in, or locking legitimate users out, etc.
>
>
> -Jason
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (FreeBSD)
> Comment: See https://private.idealab.com/public/jason/jason.gpg
>
> iD8DBQFI0PwqswXMWWtptckRAqLsAJ9taCFEPfVGwY6Rrt3qtLuHVvmNDwCfatyl
> S++ho4Gf4Zl/3E6Vjkks26o=
> =gGZG
> -----END PGP SIGNATURE-----
>

From ivangrvr299 at gmail.com Wed Sep 17 16:22:33 2008
From: ivangrvr299 at gmail.com (Ivan Grover)
Date: Wed Sep 17 16:22:40 2008
Subject: passing data from PAM module
Message-ID: <670f29e20809170922r43e8c02dlcdeea6e76d18d659@mail.gmail.com>

Hi,

My PAM application uses the remote authentication module pam_radius_auth.so for authenticating users from remote servers. There can be several remote servers. In this case, can anyone please suggest the best way to gather information on the several remote servers, such as
  -- server reachability (kind of returning an array saying server 1 is reachable, server 2 is unreachable)
  -- do they run the radius service
  ... etc.

I am trying to use pam_get_env / pam_set_env for the above. Please advise if this is not the proper way. I looked at pam_set_data, but I think this can't be used in a PAM application.

Best Regards,
Ivan

From simon at FreeBSD.org Sat Sep 20 12:40:45 2008
From: simon at FreeBSD.org (Simon L. Nielsen)
Date: Sat Sep 20 12:40:49 2008
Subject: Spam filtering for mails to FreeBSD Security Team
Message-ID: <20080920124042.GD1151@arthur.nitro.dk>

Hey,

In the past security-officer@FreeBSD.org, and a few related addresses, had spam filtering disabled, but due to the amount of spam those addresses were receiving we had to enable spam filtering.
It's the same filters as used for the rest of FreeBSD.org.

To make sure people can still contact the FreeBSD Security Team, even if spam filters are in the way, we have created a separate email address which doesn't have filtering. This address is published on the FreeBSD Security Website [1]. It's somewhat obfuscated, but if/when this address starts to receive spam the address will be changed. The current address will always be published on the FreeBSD Security Website.

It's annoying to have to do this, but with the current levels of spam we risk real issues getting lost in the noise.

[1] http://security.FreeBSD.org/

--
Simon L. Nielsen
FreeBSD Deputy Security Officer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20080920/36ea9ebc/attachment.pgp

From des at des.no Mon Sep 22 08:07:10 2008
From: des at des.no (Dag-Erling Smørgrav)
Date: Mon Sep 22 08:07:14 2008
Subject: Controlling PAM modules
In-Reply-To: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com> (Ivan Grover's message of "Wed, 17 Sep 2008 17:23:06 +0530")
References: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com>
Message-ID: <86od2gmxke.fsf@ds4.des.no>

"Ivan Grover" writes:
> Suppose I don't want to enable locking of users, then one solution I
> can think of is to share a common database across application and PAM
> modules. The application sets the flag which indicates if pam_abl
> is included or not. Then the pam_abl module will look into this database
> and then return simply PAM_SUCCESS always or process the user
> lockouts.

Put pam_abl in a separate policy that you include in the others. Whenever you want to disable it, just comment out the contents of that policy.
DES
--
Dag-Erling Smørgrav - des@des.no

From ivangrvr299 at gmail.com Tue Sep 23 07:44:08 2008
From: ivangrvr299 at gmail.com (Ivan Grover)
Date: Tue Sep 23 07:44:11 2008
Subject: Controlling PAM modules
In-Reply-To: <86od2gmxke.fsf@ds4.des.no>
References: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com> <86od2gmxke.fsf@ds4.des.no>
Message-ID: <670f29e20809230044m25792007j6477399cdc4e8fd4@mail.gmail.com>

Thanks a lot. Please confirm whether my understanding below is what you have suggested.

Create a separate service conf file such as lockout-users in /etc/pam.d; then in my service conf file I write like this:

  auth required pam_stack.so service=lockout-users

After that, whenever I want to disable the lockout, just edit the /etc/pam.d/lockout-users file and comment it out as below:

  #auth required pam_abl.so

Best Regards,
Ivan

On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Smørgrav wrote:
> "Ivan Grover" writes:
> > Suppose I don't want to enable locking of users, then one solution I
> > can think of is to share a common database across application and PAM
> > modules. The application sets the flag which indicates if pam_abl
> > is included or not. Then the pam_abl module will look into this database
> > and then return simply PAM_SUCCESS always or process the user
> > lockouts.
>
> Put pam_abl in a separate policy that you include in the others.
> Whenever you want to disable it, just comment out the contents of that
> policy.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>

From ivangrvr299 at gmail.com Tue Sep 23 07:50:46 2008
From: ivangrvr299 at gmail.com (Ivan Grover)
Date: Tue Sep 23 07:50:48 2008
Subject: Controlling PAM modules
In-Reply-To: <670f29e20809230044m25792007j6477399cdc4e8fd4@mail.gmail.com>
References: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com> <86od2gmxke.fsf@ds4.des.no> <670f29e20809230044m25792007j6477399cdc4e8fd4@mail.gmail.com>
Message-ID: <670f29e20809230050ved14880m1b5524f0f976d12d@mail.gmail.com>

I think there is something like

  auth include lockout-users

I feel this would be the right way to do this.

Thanks ALL for your suggestions.

On Tue, Sep 23, 2008 at 1:14 PM, Ivan Grover wrote:
> Thanks a lot. Please confirm whether my understanding below is what you have
> suggested.
>
> Create a separate service conf file such as lockout-users in /etc/pam.d;
> then in my service conf file I write like this:
>
>   auth required pam_stack.so service=lockout-users
>
> After that, whenever I want to disable the lockout, just edit the
> /etc/pam.d/lockout-users file and comment it out as below:
>
>   #auth required pam_abl.so
>
> Best Regards,
> Ivan
>
> On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Smørgrav wrote:
>
>> "Ivan Grover" writes:
>> > Suppose I don't want to enable locking of users, then one solution I
>> > can think of is to share a common database across application and PAM
>> > modules. The application sets the flag which indicates if pam_abl
>> > is included or not. Then the pam_abl module will look into this database
>> > and then return simply PAM_SUCCESS always or process the user
>> > lockouts.
>>
>> Put pam_abl in a separate policy that you include in the others.
>> Whenever you want to disable it, just comment out the contents of that
>> policy.
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
>>
>
>

From bra at fsn.hu Thu Sep 25 12:14:29 2008
From: bra at fsn.hu (Attila Nagy)
Date: Thu Sep 25 12:14:37 2008
Subject: Missing /dev/auditpipe
Message-ID: <48DB7CA4.80609@fsn.hu>

Hello,

Running RELENG_7 (and HEAD too), and I can't find the auditpipe device. Is there anything which should be set in order to make it usable?

auditd runs and logs to /var/audit, which I can read with praudit.

Thanks,
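The policy layout the "Controlling PAM modules" thread above settles on (a service policy that `include`s a separate lockout-users policy, with pam_abl as `required` ahead of a `sufficient` pam_radius_auth) can be checked against the control-flag rules of pam.conf(5) without touching a live system. The following evaluator is an added example; it is not code from the thread, from FreeBSD or from OpenPAM. It models the documented semantics of required, requisite, sufficient, optional and binding and of `include`; the policy text in POLICIES, the module outcomes in each scenario and the scenario names are constructed for illustration, and which error a failed requisite reports after an earlier required failure is not specified by the manual page, so the first recorded failure is used.

```python
"""
Model of how an OpenPAM-style "auth" chain is walked, used to check the
policy layout from the thread.  Module outcomes are supplied by the
caller: nothing here talks to RADIUS, OPIE or a password database.
POLICIES is a constructed stand-in for the files under /etc/pam.d.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_SYSTEM_ERR = "PAM_SYSTEM_ERR"


@dataclass
class Entry:
    control: str                              # required|requisite|sufficient|optional|binding
    module: str                               # e.g. pam_abl.so
    args: List[str] = field(default_factory=list)


def parse_chain(name: str, policies: Dict[str, str],
                facility: str = "auth", depth: int = 0) -> List[Entry]:
    """Flatten the `facility` chain of policy `name`, splicing `include`d
    policies in place.  Only '#' starts a comment in pam.conf(5): a '//'
    remark on a line is handed to the module as arguments."""
    if depth > 8:
        raise ValueError("include nesting too deep (loop?)")
    chain: List[Entry] = []
    for raw in policies[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != facility:
            continue
        if fields[1] == "include":
            chain.extend(parse_chain(fields[2], policies, facility, depth + 1))
        else:
            chain.append(Entry(fields[1], fields[2], fields[3:]))
    return chain


def dispatch(chain: List[Entry], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the chain with pam.conf(5) control-flag semantics.
    Returns (final result, modules actually invoked, in order)."""
    if not chain:
        return PAM_SYSTEM_ERR, []                 # nothing to authenticate with
    called: List[str] = []
    failed = False
    err = PAM_SUCCESS
    for e in chain:
        r = outcomes[e.module]                    # KeyError: scenario forgot a module
        called.append(e.module)
        if r == PAM_IGNORE:
            continue
        if r == PAM_SUCCESS:
            # sufficient/binding end the chain with success only if no earlier
            # required module failed; this is what keeps a required pam_abl
            # ahead of a sufficient pam_radius_auth from being bypassed
            if e.control in ("sufficient", "binding") and not failed:
                break
            continue
        if e.control == "requisite":
            return (err if failed else r), called  # requisite failure ends the chain
        if e.control in ("required", "binding"):
            if not failed:
                err = r                           # first required failure is reported
            failed = True
        # a failing sufficient or optional module is ignored; the chain goes on
    return (err if failed else PAM_SUCCESS), called


# Constructed stand-in for /etc/pam.d: the service policy from the thread with
# the lockout module split into its own policy, as suggested on the list.
POLICIES = {
    "myservice": (
        "auth required   pam_env.so\n"
        "auth include    lockout-users\n"
        "auth sufficient pam_radius_auth.so\n"
        "auth required   pam_unix.so\n"
        "auth required   pam_opie.so\n"
    ),
    "lockout-users": "auth required pam_abl.so config=/etc/security/pam_abl.conf\n",
}


def lockouts_disabled(policies: Dict[str, str]) -> Dict[str, str]:
    """The 'comment out the contents' switch: including an empty policy adds nothing."""
    p = dict(policies)
    p["lockout-users"] = "#auth required pam_abl.so config=/etc/security/pam_abl.conf\n"
    return p


ALL_OK = {m: PAM_SUCCESS for m in
          ("pam_env.so", "pam_abl.so", "pam_radius_auth.so", "pam_unix.so", "pam_opie.so")}


def run_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed module outcomes for the cases raised in the thread."""
    chain = parse_chain("myservice", POLICIES)
    return {
        "radius_ok": dispatch(chain, ALL_OK),
        "radius_unreachable": dispatch(chain, {**ALL_OK, "pam_radius_auth.so": PAM_AUTHINFO_UNAVAIL}),
        "locked_out_but_radius_ok": dispatch(chain, {**ALL_OK, "pam_abl.so": PAM_AUTH_ERR}),
        "lockouts_disabled": dispatch(parse_chain("myservice", lockouts_disabled(POLICIES)), ALL_OK),
    }


if __name__ == "__main__":
    for name, (result, called) in run_scenarios().items():
        print(f"{name:26s} {result:21s} via {' -> '.join(called)}")
```

Two things the scenarios make visible that the thread only states in prose: a locked-out user whose RADIUS credentials are good still gets PAM_AUTH_ERR, because a `sufficient` success cannot override an earlier `required` failure (and pam_unix and pam_opie are still run, so the caller learns nothing from timing); and disabling the lockout by commenting out the contents of lockout-users leaves the `include` line in place but contributes no modules, which is exactly the switch suggested on the list. The last check in the tests shows why the `//` remarks in the original service file are a bug rather than comments.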