From des at des.no Sun Mar 1 03:57:30 2009 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Sun Mar 1 03:57:38 2009 Subject: PAM rules inside pam.d In-Reply-To: <670f29e20902270618m23eed4acg15a8a3e7b43fe327@mail.gmail.com> (Ivan Grover's message of "Fri, 27 Feb 2009 19:48:41 +0530") References: <670f29e20902240717m49f53bfx67166c151c01384b@mail.gmail.com> <86eixnfwr2.fsf@ds4.des.no> <670f29e20902270618m23eed4acg15a8a3e7b43fe327@mail.gmail.com> Message-ID: <86k579h2vq.fsf@ds4.des.no> Ivan Grover writes: > I have my PAM rules for my service as > > auth required /lib/security/pam_securetty.so > auth required pam_stack.so service=system-auth > auth required /lib/security/pam_nologin.so What is pam_stack supposed to do? > I have checked the username, password passed to PAM module by changing the > sources of pam_nologin.so, they are proper. I didnt had sources for > pam_unix, so iam not able to detect the exact problem. Uh, they're in the source tree along with everything else. DES -- Dag-Erling Sm?rgrav - des@des.no From des at des.no Sun Mar 1 04:03:13 2009 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Sun Mar 1 04:10:50 2009 Subject: PAM rules inside pam.d In-Reply-To: <670f29e20902270810h22adc102rd9500d74208b1f11@mail.gmail.com> (Ivan Grover's message of "Fri, 27 Feb 2009 21:40:42 +0530") References: <670f29e20902240717m49f53bfx67166c151c01384b@mail.gmail.com> <86eixnfwr2.fsf@ds4.des.no> <670f29e20902270618m23eed4acg15a8a3e7b43fe327@mail.gmail.com> <670f29e20902270810h22adc102rd9500d74208b1f11@mail.gmail.com> Message-ID: <86fxhxh2mq.fsf@ds4.des.no> Ivan Grover writes: > I debugged pam_unix aswell, it looks like crypt function is giving > different strings for telnet and my application with same passwd > string and salt. So i think the issue could be with crypt library > linked telnet and my application. > please let me know your thoughts There's not much I can say (or think) since you still haven't told me what you upgraded *from* and *to*, but I doubt very much that there is anything wrong with crypt(). The only two possibilities I can think of are a) your application calls set_crypt_format() with an incorrect argument, or b) your application contains an alternate (incorrect) implementation of crypt(), or is linked to a library that does. DES -- Dag-Erling Sm?rgrav - des@des.no From healey.rich at itreign.com Sun Mar 1 15:46:45 2009 From: healey.rich at itreign.com (Rich Healey) Date: Sun Mar 1 15:49:31 2009 Subject: OPIE considered insecure In-Reply-To: <20090211180709.GB1467@server.vk2pj.dyndns.org> References: <200902090957.27318.mail@maxlor.com> <20090209170550.GA60223@hobbes.ustdmz.roe.ch> <20090209134738.G15166@treehorn.dfmm.org> <20090209224806.GB63675@hobbes.ustdmz.roe.ch> <20090211180709.GB1467@server.vk2pj.dyndns.org> Message-ID: <006001c99ac5$7ad42c90$707c85b0$@rich@itreign.com> I've been reading this thread with great interest. At present my primary server is ssh keys only, which is all well and good, to login I bounce to a node that allows passwords and then to my server, but this is still not ideal. It just eliminates a very small attach surface. I'm thinking about implementing OPIE, but after reading this I'm not so sure. What's consensus on the best approach to one time logins? -----Original Message----- From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Peter Jeremy Sent: Thursday, 12 February 2009 5:07 AM To: Lyndon Nerenberg Cc: freebsd-security@freebsd.org Subject: Re: OPIE considered insecure On 2009-Feb-09 15:30:33 -0800, Lyndon Nerenberg wrote: > From what you're describing, I would be more inclined to carry a > bootable OS on that USB stick and reboot into that. Keep in mind that libraries, internet cafes etc aren't going to be keen on you turning up with some (to them) random USB stick and wanting to reboot their pride-and-joy off it. I suspect your choices are to either use OPIE (or some adaption thereof) with ssh on an untrusted computer and assume that anything you type will be logged or carry your own trusted computer and use some form of wireless (3G, NextG etc) to communicate with your systems. Note that using very large sequence numbers should slow down an attacker (though only linerarly) since they still need to iterate MD5 by that many rounds. -- Peter Jeremy From chris at noncombatant.org Sun Mar 1 18:32:54 2009 From: chris at noncombatant.org (Chris Palmer) Date: Sun Mar 1 18:33:01 2009 Subject: OPIE considered insecure Message-ID: <20090302021415.GU5602@noncombatant.org> Rich Healey writes: > I'm thinking about implementing OPIE, but after reading this I'm not so > sure. What's consensus on the best approach to one time logins? Why are people logging into their remote servers from assumed-untrustworthy clients at all? From jahilliya at gmail.com Sun Mar 1 19:21:05 2009 From: jahilliya at gmail.com (Daniel Marsh) Date: Sun Mar 1 19:21:12 2009 Subject: OPIE considered insecure In-Reply-To: <20090302021415.GU5602@noncombatant.org> References: <20090302021415.GU5602@noncombatant.org> Message-ID: Because they are a clever bunch On 3/2/09, Chris Palmer wrote: > Rich Healey writes: > >> I'm thinking about implementing OPIE, but after reading this I'm not so >> sure. What's consensus on the best approach to one time logins? > > Why are people logging into their remote servers from assumed-untrustworthy > clients at all? > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > -- Sent from my mobile device http://buymeahouse.stiw.org/ From erratic at devel.ws Sun Mar 1 20:52:39 2009 From: erratic at devel.ws (Paige Thompson) Date: Sun Mar 1 20:52:45 2009 Subject: Trusted Path Execution Message-ID: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com> I would like to know that there is or is not a way to prevent users from executing binaries that are not owned by root or that the user is in a particular group. Is this something I can achieve with TrustedBSD's MAC framework? From jahilliya at gmail.com Sun Mar 1 21:21:17 2009 From: jahilliya at gmail.com (Daniel Marsh) Date: Sun Mar 1 21:21:25 2009 Subject: Trusted Path Execution In-Reply-To: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com> References: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com> Message-ID: 1 set the noexec mount option on any filesystem that you don't want executanles running on. 2 use acls to prevent execution of files, the bsd Mac framework is the way to go Ie remove executable bit on all files for everyone and leave hoe owner and group then add users to the necessary groups Only issue is monitoring newly created files and the bits set, default umask can help Regards Daniel Regards Daniel On 3/2/09, Paige Thompson wrote: > I would like to know that there is or is not a way to prevent users from > executing binaries that are not owned by root or that the user is in a > particular group. Is this something I can achieve with TrustedBSD's MAC > framework? > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > -- Sent from my mobile device http://buymeahouse.stiw.org/ From mail at maxlor.com Mon Mar 2 05:10:06 2009 From: mail at maxlor.com (Benjamin Lutz) Date: Mon Mar 2 05:10:16 2009 Subject: OPIE considered insecure In-Reply-To: <20090302021415.GU5602@noncombatant.org> References: <20090302021415.GU5602@noncombatant.org> Message-ID: <200903021410.00093.mail@maxlor.com> On Monday 02 March 2009 03:14:15 Chris Palmer wrote: > Why are people logging into their remote servers from > assumed-untrustworthy clients at all? Because the inconvience of not using whatever service or data the server is providing is considered greater than the security risk. Cheers Benjamin From michael at elehack.net Mon Mar 2 10:05:08 2009 From: michael at elehack.net (Michael Ekstrand) Date: Mon Mar 2 10:05:15 2009 Subject: OPIE considered insecure References: <20090302021415.GU5602@noncombatant.org> Message-ID: <87sklwiptp.fsf@jehiel.elehack.net> Chris Palmer writes: > Rich Healey writes: >> I'm thinking about implementing OPIE, but after reading this I'm not so >> sure. What's consensus on the best approach to one time logins? > > Why are people logging into their remote servers from assumed-untrustworthy > clients at all? Simple use case: checking e-mail from the library/Internet cafe/relative's house. With Mutt or Gnus. - Michael -- mouse, n: A device for pointing at the xterm in which you want to type. From chris at noncombatant.org Mon Mar 2 13:19:32 2009 From: chris at noncombatant.org (Chris Palmer) Date: Mon Mar 2 13:19:40 2009 Subject: OPIE considered insecure In-Reply-To: <200903021410.00093.mail@maxlor.com> <87sklwiptp.fsf@jehiel.elehack.net> References: <20090302021415.GU5602@noncombatant.org> <200903021410.00093.mail@maxlor.com> <20090302021415.GU5602@noncombatant.org> <87sklwiptp.fsf@jehiel.elehack.net> Message-ID: <20090302211932.GZ5602@noncombatant.org> Michael Ekstrand writes: > Simple use case: checking e-mail from the library/Internet > cafe/relative's house. With Mutt or Gnus. So we're talking about a case in which we don't want attackers who own the untrustworthy client to know our password, but we are okay with them reading and forging the shell commands, emails, passwords, et c. that we use the SSH session for? Benjamin Lutz writes: > Because the inconvience of not using whatever service or data the server is > providing is considered greater than the security risk. But isn't regular password authentication the most convenient of all? If we've prioritized the ability to log in from any computer higher than we have prioritized data confidentiality or integrity, one-time password schemes are just bureaucratic overhead. The password is not the ultimate asset -- the data is. The password just lets you get it. If the attacker can get the data by other means (screenshots of the desktop, sending key events to the terminal window, et c.), that's fine by him. From david at catwhisker.org Mon Mar 2 13:49:49 2009 From: david at catwhisker.org (David Wolfskill) Date: Mon Mar 2 13:49:57 2009 Subject: OPIE considered insecure In-Reply-To: <20090302211932.GZ5602@noncombatant.org> References: <20090302021415.GU5602@noncombatant.org> <200903021410.00093.mail@maxlor.com> <20090302021415.GU5602@noncombatant.org> <87sklwiptp.fsf@jehiel.elehack.net> <20090302211932.GZ5602@noncombatant.org> Message-ID: <20090302213034.GM65706@albert.catwhisker.org> On Mon, Mar 02, 2009 at 01:19:32PM -0800, Chris Palmer wrote: > ... > Benjamin Lutz writes: > > > Because the inconvience of not using whatever service or data the server is > > providing is considered greater than the security risk. > > But isn't regular password authentication the most convenient of all? Not in my experience, no. I configure ~/.xsession to run "eval `ssh-agent`" and "ssh-add" very early, so all processes run under that environment get the benefit of the cached authentication credentials I thus set up. Then I can login to most machines I care about directly, without requiring additional authentication. To me, that's far more convenient than ensuring that I'm around & paying attention whenever some random process (e.g., a CVS update) wants a password. And I strongly suspect that it's better security than a password. For my externally-visible sshd, there's no way I'd use a reusable password for authentication. As things presently stand, I only permit SSH public key authentication for that use. > ... Peace, david -- David H. Wolfskill david@catwhisker.org Depriving a girl or boy of an opportunity for education is evil. See http://www.catwhisker.org/~david/publickey.gpg for my public key. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20090302/1432ca0b/attachment.pgp From healey.rich at itreign.com Mon Mar 2 16:32:57 2009 From: healey.rich at itreign.com (Rich Healey) Date: Mon Mar 2 16:55:36 2009 Subject: OPIE considered insecure In-Reply-To: <20090302021415.GU5602@noncombatant.org> References: <20090302021415.GU5602@noncombatant.org> Message-ID: <004201c99b97$977935c0$c66ba140$@rich@itreign.com> -----Original Message----- From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Chris Palmer Sent: Monday, 2 March 2009 1:14 PM To: freebsd-security@freebsd.org Subject: Re: OPIE considered insecure Rich Healey writes: > I'm thinking about implementing OPIE, but after reading this I'm not so > sure. What's consensus on the best approach to one time logins? Why are people logging into their remote servers from assumed-untrustworthy clients at all? _______________ Because a truly secure machine (ie one that's switched off) isn't much use to me. From jon.passki at hursk.com Mon Mar 2 18:31:10 2009 From: jon.passki at hursk.com (Jon Passki) Date: Mon Mar 2 18:31:17 2009 Subject: OPIE considered insecure In-Reply-To: <004201c99b97$977935c0$c66ba140$@rich@itreign.com> References: <20090302021415.GU5602@noncombatant.org> <004201c99b97$977935c0$c66ba140$@rich@itreign.com> Message-ID: <4A6B8988-1B09-4B5F-BE82-BAE5B1A4673F@hursk.com> Could we please kill this thread if it does not have anymore to contribute to FreeBSD security specifically? Jon On Mar 2, 2009, at 6:32 PM, "Rich Healey" wrote: > > > -----Original Message----- > From: owner-freebsd-security@freebsd.org > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Chris Palmer > Sent: Monday, 2 March 2009 1:14 PM > To: freebsd-security@freebsd.org > Subject: Re: OPIE considered insecure > > Rich Healey writes: > >> I'm thinking about implementing OPIE, but after reading this I'm >> not so >> sure. What's consensus on the best approach to one time logins? > > Why are people logging into their remote servers from assumed- > untrustworthy > clients at all? > _______________ > > Because a truly secure machine (ie one that's switched off) isn't > much use > to me. > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " From ivangrvr299 at gmail.com Tue Mar 3 21:09:20 2009 From: ivangrvr299 at gmail.com (Ivan Grover) Date: Tue Mar 3 21:09:27 2009 Subject: PAM rules inside pam.d In-Reply-To: <86fxhxh2mq.fsf@ds4.des.no> References: <670f29e20902240717m49f53bfx67166c151c01384b@mail.gmail.com> <86eixnfwr2.fsf@ds4.des.no> <670f29e20902270618m23eed4acg15a8a3e7b43fe327@mail.gmail.com> <670f29e20902270810h22adc102rd9500d74208b1f11@mail.gmail.com> <86fxhxh2mq.fsf@ds4.des.no> Message-ID: <670f29e20903032109r7f577b82k59fcec55b0452385@mail.gmail.com> Thanks for your valuable inputs. The PAM module information is not yet clear for me. The pam_unix, which i debugged was from Linux-PAM-0.78 (www.*linux* fromscratch.org/blfs/view/blfs-book-6.0-html/postlfs/*linux*_*pam*.html ) I think the libraries too belong to the same library. I apologize? if i asked this query to wrong forum. Currently i dont see any issues with crypt library as you have suggested. I will plan to upgrade the PAM library and see how it goes. Thanks a lot On Sun, Mar 1, 2009 at 5:32 PM, Dag-Erling Sm?rgrav wrote: > Ivan Grover writes: > > I debugged pam_unix aswell, it looks like crypt function is giving > > different strings for telnet and my application with same passwd > > string and salt. So i think the issue could be with crypt library > > linked telnet and my application. > > please let me know your thoughts > > There's not much I can say (or think) since you still haven't told me > what you upgraded *from* and *to*, but I doubt very much that there is > anything wrong with crypt(). The only two possibilities I can think of > are a) your application calls set_crypt_format() with an incorrect > argument, or b) your application contains an alternate (incorrect) > implementation of crypt(), or is linked to a library that does. > > DES > -- > Dag-Erling Sm?rgrav - des@des.no > From des at des.no Wed Mar 4 03:43:19 2009 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Wed Mar 4 03:43:26 2009 Subject: PAM rules inside pam.d In-Reply-To: <670f29e20903032109r7f577b82k59fcec55b0452385@mail.gmail.com> (Ivan Grover's message of "Wed, 4 Mar 2009 10:39:17 +0530") References: <670f29e20902240717m49f53bfx67166c151c01384b@mail.gmail.com> <86eixnfwr2.fsf@ds4.des.no> <670f29e20902270618m23eed4acg15a8a3e7b43fe327@mail.gmail.com> <670f29e20902270810h22adc102rd9500d74208b1f11@mail.gmail.com> <86fxhxh2mq.fsf@ds4.des.no> <670f29e20903032109r7f577b82k59fcec55b0452385@mail.gmail.com> Message-ID: <86tz69a4yy.fsf@ds4.des.no> Ivan Grover writes: > Thanks for your valuable inputs. The PAM module information is not yet clear > for me. The pam_unix, which i debugged was from Linux-PAM-0.78 (www.*linux* > fromscratch.org/blfs/view/blfs-book-6.0-html/postlfs/*linux*_*pam*.html ) Why? This is not what FreeBSD uses. > I think the libraries too belong to the same library. I apologize? if i > asked this query to wrong forum. FreeBSD hasn't used Linux-PAM since 2002 or so. > Currently i dont see any issues with crypt library as you have suggested. I > will plan to upgrade the PAM library and see how it goes. Upgrade what from what to what? DES -- Dag-Erling Sm?rgrav - des@des.no From db at danielbond.org Wed Mar 4 06:55:45 2009 From: db at danielbond.org (Daniel Bond) Date: Wed Mar 4 06:55:53 2009 Subject: New CURL Advisory (fixed in 7.19.4) Message-ID: <268B6D1D-474F-4D59-AA2D-C495F2F55B67@danielbond.org> Hi, Noticed quite an ugly bug in CURL today: http://curl.haxx.se/docs/adv_20090303.html .. If you didn't see this allready :) here is also the CVE entry for it: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037 Thanks to the freebsd security team for doing great work, and Neil Blakey-Milner for maintaining this port. Cheers! DB. From roam at ringlet.net Wed Mar 4 08:49:18 2009 From: roam at ringlet.net (Peter Pentchev) Date: Wed Mar 4 08:49:51 2009 Subject: New CURL Advisory (fixed in 7.19.4) In-Reply-To: <268B6D1D-474F-4D59-AA2D-C495F2F55B67@danielbond.org> References: <268B6D1D-474F-4D59-AA2D-C495F2F55B67@danielbond.org> Message-ID: <20090304162231.GA1043@straylight.m.ringlet.net> On Wed, Mar 04, 2009 at 03:29:04PM +0100, Daniel Bond wrote: > Hi, > > Noticed quite an ugly bug in CURL today: > http://curl.haxx.se/docs/adv_20090303.html > .. If you didn't see this allready :) > > here is also the CVE entry for it: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037 > > Thanks to the freebsd security team for doing great work, and Neil > Blakey-Milner for maintaining this port. Yes, thanks for reporting this :) Actually, Mark Foster had already filed a PR about this, and I committed the VuXML entry a while ago. I'll update the curl port ASAP now. G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@space.bg roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This sentence was in the past tense. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20090304/9f9e43bb/attachment.pgp From des at des.no Wed Mar 4 13:25:32 2009 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Wed Mar 4 13:25:39 2009 Subject: PAM rules inside pam.d In-Reply-To: <670f29e20903040447u3d19ba47g10201e267a43875e@mail.gmail.com> (Ivan Grover's message of "Wed, 4 Mar 2009 18:17:35 +0530") References: <670f29e20902240717m49f53bfx67166c151c01384b@mail.gmail.com> <86eixnfwr2.fsf@ds4.des.no> <670f29e20902270618m23eed4acg15a8a3e7b43fe327@mail.gmail.com> <670f29e20902270810h22adc102rd9500d74208b1f11@mail.gmail.com> <86fxhxh2mq.fsf@ds4.des.no> <670f29e20903032109r7f577b82k59fcec55b0452385@mail.gmail.com> <86tz69a4yy.fsf@ds4.des.no> <670f29e20903040447u3d19ba47g10201e267a43875e@mail.gmail.com> Message-ID: <86eixd9e0m.fsf@ds4.des.no> Ivan Grover writes: > Dag-Erling Sm?rgrav writes: > > Ivan Grover writes: > > > I will plan to upgrade the PAM library and see how it goes. > > Upgrade what from what to what? > from Linux-PAM-0.78 to Linux-PAM-1.0.3. Uh, so, why did you post to a FreeBSD mailing list? This has nothing to do with FreeBSD, since FreeBSD does not use Linux-PAM (not since 5.1 came out). And why didn't you answer this question the first time I asked it? Why did you not tell us right away which version of which library you were using, on which operating system? How can we answer your question if you won't tell us what the question is? Suggested reading: http://www.gerv.net/hacking/how-to-ask-good-questions/ DES -- Dag-Erling Sm?rgrav - des@des.no From randy at psg.com Thu Mar 5 18:15:36 2009 From: randy at psg.com (Randy Bush) Date: Thu Mar 5 18:15:44 2009 Subject: emacs installs a lot of 777 directories Message-ID: foo.on.you:/usr/local/share# find . -type d -perm 777 ./emacs/22.3/etc/tree-widget ./emacs/22.3/etc/tree-widget/folder ./emacs/22.3/etc/tree-widget/default ./emacs/22.3/etc/e ./emacs/22.3/etc/images ./emacs/22.3/etc/images/low-color ./emacs/22.3/etc/images/gnus ./emacs/22.3/etc/images/icons ./emacs/22.3/etc/images/gud ./emacs/22.3/etc/images/smilies ./emacs/22.3/etc/images/mail ./emacs/22.3/etc/images/ezimage ./emacs/22.3/lisp ./emacs/22.3/lisp/net ./emacs/22.3/lisp/progmodes ./emacs/22.3/lisp/calc ./emacs/22.3/lisp/emacs-lisp ./emacs/22.3/lisp/url ./emacs/22.3/lisp/emulation ./emacs/22.3/lisp/play ./emacs/22.3/lisp/erc ./emacs/22.3/lisp/term ./emacs/22.3/lisp/obsolete ./emacs/22.3/lisp/textmodes ./emacs/22.3/lisp/mail ./emacs/22.3/lisp/eshell ./emacs/22.3/lisp/calendar ./emacs/22.3/lisp/mh-e ./emacs/22.3/lisp/international ./emacs/22.3/lisp/gnus ./emacs/22.3/lisp/language ./emacs/22.3/leim/ja-dic ./emacs/22.3/leim/quail From jhein at timing.com Thu Mar 5 19:25:01 2009 From: jhein at timing.com (John Hein) Date: Thu Mar 5 19:25:27 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: References: Message-ID: <18864.35251.561178.43550@gromit.timing.com> Randy Bush wrote at 11:15 +0900 on Mar 6, 2009: > foo.on.you:/usr/local/share# find . -type d -perm 777 > ./emacs/22.3/etc/tree-widget > ./emacs/22.3/etc/tree-widget/folder > ./emacs/22.3/etc/tree-widget/default > ./emacs/22.3/etc/e > ./emacs/22.3/etc/images > ./emacs/22.3/etc/images/low-color > ./emacs/22.3/etc/images/gnus > ./emacs/22.3/etc/images/icons > ./emacs/22.3/etc/images/gud > ./emacs/22.3/etc/images/smilies > ./emacs/22.3/etc/images/mail > ./emacs/22.3/etc/images/ezimage > ./emacs/22.3/lisp > ./emacs/22.3/lisp/net > ./emacs/22.3/lisp/progmodes > ./emacs/22.3/lisp/calc > ./emacs/22.3/lisp/emacs-lisp > ./emacs/22.3/lisp/url > ./emacs/22.3/lisp/emulation > ./emacs/22.3/lisp/play > ./emacs/22.3/lisp/erc > ./emacs/22.3/lisp/term > ./emacs/22.3/lisp/obsolete > ./emacs/22.3/lisp/textmodes > ./emacs/22.3/lisp/mail > ./emacs/22.3/lisp/eshell > ./emacs/22.3/lisp/calendar > ./emacs/22.3/lisp/mh-e > ./emacs/22.3/lisp/international > ./emacs/22.3/lisp/gnus > ./emacs/22.3/lisp/language > ./emacs/22.3/leim/ja-dic > ./emacs/22.3/leim/quail Seems okay on my system (0755 for those dirs). Could it be something specific to yours? From jahilliya at gmail.com Thu Mar 5 20:07:18 2009 From: jahilliya at gmail.com (Daniel Marsh) Date: Thu Mar 5 20:07:25 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: References: Message-ID: <1236312264.7184.1.camel@yog-sothoth.rlyeh> On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote: > foo.on.you:/usr/local/share# find . -type d -perm 777 > ./emacs/22.3/etc/tree-widget > ./emacs/22.3/etc/tree-widget/folder > ./emacs/22.3/etc/tree-widget/default > ./emacs/22.3/etc/e > ./emacs/22.3/etc/images > ./emacs/22.3/etc/images/low-color > ./emacs/22.3/etc/images/gnus > ./emacs/22.3/etc/images/icons > ./emacs/22.3/etc/images/gud > ./emacs/22.3/etc/images/smilies > ./emacs/22.3/etc/images/mail > ./emacs/22.3/etc/images/ezimage > ./emacs/22.3/lisp > ./emacs/22.3/lisp/net > ./emacs/22.3/lisp/progmodes > ./emacs/22.3/lisp/calc > ./emacs/22.3/lisp/emacs-lisp > ./emacs/22.3/lisp/url > ./emacs/22.3/lisp/emulation > ./emacs/22.3/lisp/play > ./emacs/22.3/lisp/erc > ./emacs/22.3/lisp/term > ./emacs/22.3/lisp/obsolete > ./emacs/22.3/lisp/textmodes > ./emacs/22.3/lisp/mail > ./emacs/22.3/lisp/eshell > ./emacs/22.3/lisp/calendar > ./emacs/22.3/lisp/mh-e > ./emacs/22.3/lisp/international > ./emacs/22.3/lisp/gnus > ./emacs/22.3/lisp/language > ./emacs/22.3/leim/ja-dic > ./emacs/22.3/leim/quail > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" Could this simply be an over promiscuous umask being set when Emacs was installed? ie. umask 000 rather than the default umask 022 for root? I know I get warnings if attempting to install a package with a umask 077 which means no-one except the installer can access the files. Do packages print a warning to screen if umask 000 is set? Regards, Daniel From wxs at FreeBSD.org Thu Mar 5 20:19:30 2009 From: wxs at FreeBSD.org (Wesley Shields) Date: Thu Mar 5 20:19:37 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <18864.35251.561178.43550@gromit.timing.com> References: <18864.35251.561178.43550@gromit.timing.com> Message-ID: <20090306040257.GH59920@atarininja.org> On Thu, Mar 05, 2009 at 07:25:55PM -0700, John Hein wrote: > Randy Bush wrote at 11:15 +0900 on Mar 6, 2009: > > foo.on.you:/usr/local/share# find . -type d -perm 777 > > ./emacs/22.3/etc/tree-widget > > ./emacs/22.3/etc/tree-widget/folder > > ./emacs/22.3/etc/tree-widget/default > > ./emacs/22.3/etc/e > > ./emacs/22.3/etc/images > > ./emacs/22.3/etc/images/low-color > > ./emacs/22.3/etc/images/gnus > > ./emacs/22.3/etc/images/icons > > ./emacs/22.3/etc/images/gud > > ./emacs/22.3/etc/images/smilies > > ./emacs/22.3/etc/images/mail > > ./emacs/22.3/etc/images/ezimage > > ./emacs/22.3/lisp > > ./emacs/22.3/lisp/net > > ./emacs/22.3/lisp/progmodes > > ./emacs/22.3/lisp/calc > > ./emacs/22.3/lisp/emacs-lisp > > ./emacs/22.3/lisp/url > > ./emacs/22.3/lisp/emulation > > ./emacs/22.3/lisp/play > > ./emacs/22.3/lisp/erc > > ./emacs/22.3/lisp/term > > ./emacs/22.3/lisp/obsolete > > ./emacs/22.3/lisp/textmodes > > ./emacs/22.3/lisp/mail > > ./emacs/22.3/lisp/eshell > > ./emacs/22.3/lisp/calendar > > ./emacs/22.3/lisp/mh-e > > ./emacs/22.3/lisp/international > > ./emacs/22.3/lisp/gnus > > ./emacs/22.3/lisp/language > > ./emacs/22.3/leim/ja-dic > > ./emacs/22.3/leim/quail > > Seems okay on my system (0755 for those dirs). > Could it be something specific to yours? umask? -- WXS From oliver.pntr at gmail.com Fri Mar 6 08:33:23 2009 From: oliver.pntr at gmail.com (Oliver Pinter) Date: Fri Mar 6 08:33:30 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <20090306040257.GH59920@atarininja.org> References: <18864.35251.561178.43550@gromit.timing.com> <20090306040257.GH59920@atarininja.org> Message-ID: <6101e8c40903060812r3b8720c2hf86c4089ef692506@mail.gmail.com> hmm, the libsndfile's dir is too: [oliver@xyz /usr/local/share]$ find . -type d -perm 777 ./doc/libsndfile On 3/6/09, Wesley Shields wrote: > On Thu, Mar 05, 2009 at 07:25:55PM -0700, John Hein wrote: >> Randy Bush wrote at 11:15 +0900 on Mar 6, 2009: >> > foo.on.you:/usr/local/share# find . -type d -perm 777 >> > ./emacs/22.3/etc/tree-widget >> > ./emacs/22.3/etc/tree-widget/folder >> > ./emacs/22.3/etc/tree-widget/default >> > ./emacs/22.3/etc/e >> > ./emacs/22.3/etc/images >> > ./emacs/22.3/etc/images/low-color >> > ./emacs/22.3/etc/images/gnus >> > ./emacs/22.3/etc/images/icons >> > ./emacs/22.3/etc/images/gud >> > ./emacs/22.3/etc/images/smilies >> > ./emacs/22.3/etc/images/mail >> > ./emacs/22.3/etc/images/ezimage >> > ./emacs/22.3/lisp >> > ./emacs/22.3/lisp/net >> > ./emacs/22.3/lisp/progmodes >> > ./emacs/22.3/lisp/calc >> > ./emacs/22.3/lisp/emacs-lisp >> > ./emacs/22.3/lisp/url >> > ./emacs/22.3/lisp/emulation >> > ./emacs/22.3/lisp/play >> > ./emacs/22.3/lisp/erc >> > ./emacs/22.3/lisp/term >> > ./emacs/22.3/lisp/obsolete >> > ./emacs/22.3/lisp/textmodes >> > ./emacs/22.3/lisp/mail >> > ./emacs/22.3/lisp/eshell >> > ./emacs/22.3/lisp/calendar >> > ./emacs/22.3/lisp/mh-e >> > ./emacs/22.3/lisp/international >> > ./emacs/22.3/lisp/gnus >> > ./emacs/22.3/lisp/language >> > ./emacs/22.3/leim/ja-dic >> > ./emacs/22.3/leim/quail >> >> Seems okay on my system (0755 for those dirs). >> Could it be something specific to yours? > > umask? > > -- WXS > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From freebsd001 at pc.jgr.de Fri Mar 6 14:57:37 2009 From: freebsd001 at pc.jgr.de (freebsd001@pc.jgr.de) Date: Fri Mar 6 14:57:44 2009 Subject: emacs installs a lot of 777 directories Message-ID: <200903062256.n26MuA2r085728@pc.jgr.de> March 06, 2009 Dear list members, I am not only wondering about the permissions of several emacs-related directories as it has recently been mentioned in this thread, but also about the ownership of several emacs-related files. On several of my systems, a user in the group wheel did su to become root and when installed emacs via the ports by means of make and make install. Many files installed are not owned by root as I would expect, but by this user: >uname -r -s FreeBSD 6.3-RELEASE-p9 >pwd /usr/local/share >find . -not -user root | head -n 3 ./emacs/22.3/etc ./emacs/22.3/etc/GNUS-NEWS ./emacs/22.3/etc/fr-drdref.ps >find . -not -user root | wc -l 2643 > With best regards Joachim Griesche freebsd001@pc.jgr.de From jahilliya at gmail.com Fri Mar 6 19:24:44 2009 From: jahilliya at gmail.com (Daniel Marsh) Date: Fri Mar 6 19:24:52 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <200903062256.n26MuA2r085728@pc.jgr.de> References: <200903062256.n26MuA2r085728@pc.jgr.de> Message-ID: Isn't best practice to build as a user and install as root? Make install should su - root to ensure the uid and euid are both 0 Regards Daniel On 3/7/09, freebsd001@pc.jgr.de wrote: > March 06, 2009 > Dear list members, > > I am not only wondering about the permissions of several > emacs-related directories as it has recently been mentioned > in this thread, but also about the ownership of several > emacs-related files. On several of my systems, a user in > the group wheel did su to become root and when installed > emacs via the ports by means of make and make install. Many > files installed are not owned by root as I would expect, > but by this user: > >>uname -r -s > FreeBSD 6.3-RELEASE-p9 >>pwd > /usr/local/share >>find . -not -user root | head -n 3 > ./emacs/22.3/etc > ./emacs/22.3/etc/GNUS-NEWS > ./emacs/22.3/etc/fr-drdref.ps >>find . -not -user root | wc -l > 2643 >> > > With best regards > Joachim Griesche > > freebsd001@pc.jgr.de > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > -- Sent from my mobile device http://buymeahouse.stiw.org/ From rwatson at FreeBSD.org Sat Mar 7 09:25:45 2009 From: rwatson at FreeBSD.org (Robert Watson) Date: Sat Mar 7 09:25:52 2009 Subject: Trusted Path Execution In-Reply-To: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com> References: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com> Message-ID: On Sun, 1 Mar 2009, Paige Thompson wrote: > I would like to know that there is or is not a way to prevent users from > executing binaries that are not owned by root or that the user is in a > particular group. Is this something I can achieve with TrustedBSD's MAC > framework? Hi Paige-- The ugidfw(8) file system firewall, and mac_bsdextended(4) kernel module it depends on, can be used to limit what binaries can be executed. However, be aware that this may not affect memory mapping of shared libraries on platforms where there are not seperate read/execute bits, such as on i386. You may want to combine this with the noexec flag, which our runtime linker is aware of and assists in enforcing for shared libraries. Robert N M Watson Computer Laboratory University of Cambridge From Gabor at Zahemszky.HU Sat Mar 7 09:59:17 2009 From: Gabor at Zahemszky.HU (Zahemszky =?ISO-8859-2?Q?G=E1bor?=) Date: Sat Mar 7 09:59:25 2009 Subject: FreeBSD and MAC Message-ID: <20090307183701.4b42830e@Picasso.Zahemszky.HU> Hi! I have two simple questions about the Mandatory Access Control framework of FreeBSD: a) what has happened with the SEBSD modul? When will be available (or will it be at all) in the system (or can I find one for an up-to-date kernel: 7.x or up)? b) when will be the "options MAC" in the GENERIC kernel, or why not? (I think, more people can test the MAC-modules, if they don't need to config a kernel for it.) Tahnks, G?bor < Gabor at Zahemszky dot HU > -- #!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!'; IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ '; set -- $Z;for i;{ [[ $i = ? ]]&&print $i&&break; [[ $i = ??? ]]&&j=$i&&i=${i%?}; typeset -i40 i=8#$i;print -n ${i#???}; [[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;}; IFS=' 0123456789 ';set -- $Z;for i;{ [[ $i = , ]]&&i=2; [[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j" From randy at psg.com Sun Mar 8 00:52:23 2009 From: randy at psg.com (Randy Bush) Date: Sun Mar 8 00:52:30 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <1236312264.7184.1.camel@yog-sothoth.rlyeh> References: <1236312264.7184.1.camel@yog-sothoth.rlyeh> Message-ID: At Fri, 06 Mar 2009 13:04:24 +0900, Daniel Marsh wrote: > > On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote: > > foo.on.you:/usr/local/share# find . -type d -perm 777 > > ./emacs/22.3/etc/tree-widget > > ./emacs/22.3/etc/tree-widget/folder > > ./emacs/22.3/etc/tree-widget/default > > ./emacs/22.3/etc/e > > ./emacs/22.3/etc/images > > ./emacs/22.3/etc/images/low-color > > ./emacs/22.3/etc/images/gnus > > ./emacs/22.3/etc/images/icons > > ./emacs/22.3/etc/images/gud > > ./emacs/22.3/etc/images/smilies > > ./emacs/22.3/etc/images/mail > > ./emacs/22.3/etc/images/ezimage > > ./emacs/22.3/lisp > > ./emacs/22.3/lisp/net > > ./emacs/22.3/lisp/progmodes > > ./emacs/22.3/lisp/calc > > ./emacs/22.3/lisp/emacs-lisp > > ./emacs/22.3/lisp/url > > ./emacs/22.3/lisp/emulation > > ./emacs/22.3/lisp/play > > ./emacs/22.3/lisp/erc > > ./emacs/22.3/lisp/term > > ./emacs/22.3/lisp/obsolete > > ./emacs/22.3/lisp/textmodes > > ./emacs/22.3/lisp/mail > > ./emacs/22.3/lisp/eshell > > ./emacs/22.3/lisp/calendar > > ./emacs/22.3/lisp/mh-e > > ./emacs/22.3/lisp/international > > ./emacs/22.3/lisp/gnus > > ./emacs/22.3/lisp/language > > ./emacs/22.3/leim/ja-dic > > ./emacs/22.3/leim/quail > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > Could this simply be an over promiscuous umask being set when Emacs was > installed? ie. umask 000 rather than the default umask 022 for root? root's umask is 022 randy From jahilliya at gmail.com Sun Mar 8 08:42:23 2009 From: jahilliya at gmail.com (Daniel Marsh) Date: Sun Mar 8 08:42:29 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: References: <1236312264.7184.1.camel@yog-sothoth.rlyeh> Message-ID: And who owns the files? On 3/8/09, Randy Bush wrote: > At Fri, 06 Mar 2009 13:04:24 +0900, > Daniel Marsh wrote: >> >> On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote: >> > foo.on.you:/usr/local/share# find . -type d -perm 777 >> > ./emacs/22.3/etc/tree-widget >> > ./emacs/22.3/etc/tree-widget/folder >> > ./emacs/22.3/etc/tree-widget/default >> > ./emacs/22.3/etc/e >> > ./emacs/22.3/etc/images >> > ./emacs/22.3/etc/images/low-color >> > ./emacs/22.3/etc/images/gnus >> > ./emacs/22.3/etc/images/icons >> > ./emacs/22.3/etc/images/gud >> > ./emacs/22.3/etc/images/smilies >> > ./emacs/22.3/etc/images/mail >> > ./emacs/22.3/etc/images/ezimage >> > ./emacs/22.3/lisp >> > ./emacs/22.3/lisp/net >> > ./emacs/22.3/lisp/progmodes >> > ./emacs/22.3/lisp/calc >> > ./emacs/22.3/lisp/emacs-lisp >> > ./emacs/22.3/lisp/url >> > ./emacs/22.3/lisp/emulation >> > ./emacs/22.3/lisp/play >> > ./emacs/22.3/lisp/erc >> > ./emacs/22.3/lisp/term >> > ./emacs/22.3/lisp/obsolete >> > ./emacs/22.3/lisp/textmodes >> > ./emacs/22.3/lisp/mail >> > ./emacs/22.3/lisp/eshell >> > ./emacs/22.3/lisp/calendar >> > ./emacs/22.3/lisp/mh-e >> > ./emacs/22.3/lisp/international >> > ./emacs/22.3/lisp/gnus >> > ./emacs/22.3/lisp/language >> > ./emacs/22.3/leim/ja-dic >> > ./emacs/22.3/leim/quail >> > _______________________________________________ >> > freebsd-security@freebsd.org mailing list >> > http://lists.freebsd.org/mailman/listinfo/freebsd-security >> > To unsubscribe, send any mail to >> > "freebsd-security-unsubscribe@freebsd.org" >> >> Could this simply be an over promiscuous umask being set when Emacs was >> installed? ie. umask 000 rather than the default umask 022 for root? > > root's umask is 022 > > randy > -- Sent from my mobile device http://buymeahouse.stiw.org/ From jahilliya at gmail.com Sun Mar 8 08:52:05 2009 From: jahilliya at gmail.com (Daniel Marsh) Date: Sun Mar 8 08:52:12 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: References: <1236312264.7184.1.camel@yog-sothoth.rlyeh> Message-ID: Sorry, but when was emaca installed? If you deinstall and reinstall after verifying the suspect directories are deleted, and roots umask is 022 do you get the same problem? Are you doing make install as a user and letting the port escalate privaleges? Or do you login , sudo or su to root? Login via tty as root, check umask and install port Make install as user will su to root but you need to check the users umask Sudo will use the users umask not root su is the same as sudo > su - root This will work as it simulates a login and sets roots environment, including the umask Umask is set during login, most privilege escalation commands arth the euid to root but not the uid, they also don't run through the login process (ie ~/.login ) which sets up your environment Regards Daniel On 3/8/09, Randy Bush wrote: > At Fri, 06 Mar 2009 13:04:24 +0900, > Daniel Marsh wrote: >> >> On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote: >> > foo.on.you:/usr/local/share# find . -type d -perm 777 >> > ./emacs/22.3/etc/tree-widget >> > ./emacs/22.3/etc/tree-widget/folder >> > ./emacs/22.3/etc/tree-widget/default >> > ./emacs/22.3/etc/e >> > ./emacs/22.3/etc/images >> > ./emacs/22.3/etc/images/low-color >> > ./emacs/22.3/etc/images/gnus >> > ./emacs/22.3/etc/images/icons >> > ./emacs/22.3/etc/images/gud >> > ./emacs/22.3/etc/images/smilies >> > ./emacs/22.3/etc/images/mail >> > ./emacs/22.3/etc/images/ezimage >> > ./emacs/22.3/lisp >> > ./emacs/22.3/lisp/net >> > ./emacs/22.3/lisp/progmodes >> > ./emacs/22.3/lisp/calc >> > ./emacs/22.3/lisp/emacs-lisp >> > ./emacs/22.3/lisp/url >> > ./emacs/22.3/lisp/emulation >> > ./emacs/22.3/lisp/play >> > ./emacs/22.3/lisp/erc >> > ./emacs/22.3/lisp/term >> > ./emacs/22.3/lisp/obsolete >> > ./emacs/22.3/lisp/textmodes >> > ./emacs/22.3/lisp/mail >> > ./emacs/22.3/lisp/eshell >> > ./emacs/22.3/lisp/calendar >> > ./emacs/22.3/lisp/mh-e >> > ./emacs/22.3/lisp/international >> > ./emacs/22.3/lisp/gnus >> > ./emacs/22.3/lisp/language >> > ./emacs/22.3/leim/ja-dic >> > ./emacs/22.3/leim/quail >> > _______________________________________________ >> > freebsd-security@freebsd.org mailing list >> > http://lists.freebsd.org/mailman/listinfo/freebsd-security >> > To unsubscribe, send any mail to >> > "freebsd-security-unsubscribe@freebsd.org" >> >> Could this simply be an over promiscuous umask being set when Emacs was >> installed? ie. umask 000 rather than the default umask 022 for root? > > root's umask is 022 > > randy > -- Sent from my mobile device http://buymeahouse.stiw.org/ From randy at psg.com Sun Mar 8 11:21:40 2009 From: randy at psg.com (Randy Bush) Date: Sun Mar 8 11:21:47 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: References: <1236312264.7184.1.camel@yog-sothoth.rlyeh> Message-ID: > And who owns the files? >>> On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote: >>>> foo.on.you:/usr/local/share# find . -type d -perm 777 >>>> ./emacs/22.3/etc/tree-widget >>>> ./emacs/22.3/etc/tree-widget/folder >>>> ./emacs/22.3/etc/tree-widget/default >>> Could this simply be an over promiscuous umask being set when Emacs was >>> installed? ie. umask 000 rather than the default umask 022 for root? >> root's umask is 022 root From ivangrvr299 at gmail.com Tue Mar 10 07:59:27 2009 From: ivangrvr299 at gmail.com (Ivan Grover) Date: Tue Mar 10 07:59:34 2009 Subject: PAM rules inside pam.d In-Reply-To: <86eixd9e0m.fsf@ds4.des.no> References: <670f29e20902240717m49f53bfx67166c151c01384b@mail.gmail.com> <86eixnfwr2.fsf@ds4.des.no> <670f29e20902270618m23eed4acg15a8a3e7b43fe327@mail.gmail.com> <670f29e20902270810h22adc102rd9500d74208b1f11@mail.gmail.com> <86fxhxh2mq.fsf@ds4.des.no> <670f29e20903032109r7f577b82k59fcec55b0452385@mail.gmail.com> <86tz69a4yy.fsf@ds4.des.no> <670f29e20903040447u3d19ba47g10201e267a43875e@mail.gmail.com> <86eixd9e0m.fsf@ds4.des.no> Message-ID: <670f29e20903100759g2cb54108o5d51d10ec73c7206@mail.gmail.com> I am really sorry for this. Now the problem is resolved from our application. The only change we made was to use crypt_r instead of crypt. thanks very much On Thu, Mar 5, 2009 at 2:55 AM, Dag-Erling Sm?rgrav wrote: > Ivan Grover writes: > > Dag-Erling Sm?rgrav writes: > > > Ivan Grover writes: > > > > I will plan to upgrade the PAM library and see how it goes. > > > Upgrade what from what to what? > > from Linux-PAM-0.78 to Linux-PAM-1.0.3. > > Uh, so, why did you post to a FreeBSD mailing list? This has nothing to > do with FreeBSD, since FreeBSD does not use Linux-PAM (not since 5.1 > came out). > > And why didn't you answer this question the first time I asked it? Why > did you not tell us right away which version of which library you were > using, on which operating system? How can we answer your question if > you won't tell us what the question is? > > Suggested reading: > > http://www.gerv.net/hacking/how-to-ask-good-questions/ > > DES > -- > Dag-Erling Sm?rgrav - des@des.no > From esykes at opnet.com Wed Mar 11 14:14:56 2009 From: esykes at opnet.com (Ed Sykes) Date: Wed Mar 11 14:15:04 2009 Subject: HSM devices and FreeBSD Message-ID: <49B8263A.3000006@opnet.com> I am essentially asking the same question that Eirik Overby asked a couple of years ago. Is anyone aware of PCI-X/PCIe hardware security modules that are supported on FreeBSD? I have not seen any on the FreeBSD hardware compatibility lists. Again, as Eirik noted in his question, HSMs are not simply crypto accelerators (which are supported on FreeBSD), they also are a means of storing keys with physical, tamper-resistant security. Thanks. Ed Sykes From ltning at anduin.net Wed Mar 11 15:52:52 2009 From: ltning at anduin.net (=?ISO-8859-1?Q?Eirik_=D8verby?=) Date: Wed Mar 11 15:52:59 2009 Subject: HSM devices and FreeBSD In-Reply-To: <49B8263A.3000006@opnet.com> References: <49B8263A.3000006@opnet.com> Message-ID: <6F15EC76-7AC8-4C63-98B9-9CA9B5B9D6EA@anduin.net> On 11. mars. 2009, at 21.59, Ed Sykes wrote: > I am essentially asking the same question that Eirik Overby asked a > couple of years ago. Is anyone aware of PCI-X/PCIe hardware > security modules that are supported on FreeBSD? I have not seen any > on the FreeBSD hardware compatibility lists. Again, as Eirik noted > in his question, HSMs are not simply crypto accelerators (which are > supported on FreeBSD), they also are a means of storing keys with > physical, tamper-resistant security. Thanks for re-iterating this question. I now work for the software developer I previously accused of leaving us in the dust, and have managed to convert the company to using FreeBSD as our primary hosting platform ;) The problem with supported HSM devices, however, lingers. For one device (Thales RG8000), we've done our own software (Java) implementation of their communications library, specific to our application. This is a network-attached device. For the other device we use (Thales WebSentry), we're using the Linux pkcs#11/openssl engine implementation and associated openssl binaries, along with our internal tools compiled on Linux. All this under Linux emulation on FreeBSD. This works - so far - well, however it is impossible to use Java JNI to interface with Linux binaries, so we're still at a disadvantage. So the question still stands - Are there HSM devies out there, internal or external, with proper FreeBSD support? /Eirik From krassi at bulinfo.net Thu Mar 12 01:38:04 2009 From: krassi at bulinfo.net (Krassimir Slavchev) Date: Thu Mar 12 01:38:13 2009 Subject: HSM devices and FreeBSD In-Reply-To: <49B8263A.3000006@opnet.com> References: <49B8263A.3000006@opnet.com> Message-ID: <49B8C9E6.9070308@bulinfo.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 AFAIR nCipher have had drivers for FreeBSD but now it is not listed. http://www.ncipher.com/en/Products/Hardware Security Modules/nShield.aspx http://www.mail-archive.com/freebsd-hackers%40freebsd.org/msg18436.html Ed Sykes wrote: > I am essentially asking the same question that Eirik Overby asked a > couple of years ago. Is anyone aware of PCI-X/PCIe hardware security > modules that are supported on FreeBSD? I have not seen any on the > FreeBSD hardware compatibility lists. Again, as Eirik noted in his > question, HSMs are not simply crypto accelerators (which are supported > on FreeBSD), they also are a means of storing keys with physical, > tamper-resistant security. > > Thanks. > > Ed Sykes > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQFJuMnlxJBWvpalMpkRAtVjAJ9cHO2KLzkB+WZ4yh/2rk+ZhQfJPQCfanIL 0AQucILSKzgqkamVvjW1yNc= =xmc+ -----END PGP SIGNATURE----- From freebsd001 at pc.jgr.de Sun Mar 15 16:50:18 2009 From: freebsd001 at pc.jgr.de (freebsd001@pc.jgr.de) Date: Sun Mar 15 16:50:24 2009 Subject: emacs installs a lot of 777 directories Message-ID: <200903152350.n2FNoGnk006601@pc.jgr.de> March 16, 2009 Dear Giorgos, thank you for coming back to the emacs issue. I deinstalled emacs by means of pkg_delete -v -d, deleted by hand /usr/local/share/emacs to make sure that nothing is left, logged in as user "nutzer", and did su to root: > id uid=1006(nutzer) gid=1000(user) groups=1000(user),0(wheel) > su Password: >id uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) > Then, I did cd to /usr/ports/editors/emacs and did make and make install. The result is as follows: >pwd /usr/local/share/emacs/22.3 >ll total 22 drwxrwxrwx 5 nutzer wheel 3072 Mar 15 23:52 etc drwxr-xr-x 4 nutzer wheel 512 Mar 15 23:53 leim drwxrwxrwx 20 nutzer wheel 13312 Mar 15 23:53 lisp drwxr-xr-x 2 root wheel 512 Mar 15 23:52 site-lisp > There are some rwx directories as originally mentioned in the thread, and several directories as well as the files in these directories are not owned by root, but by nutzer. If I log in as another user in the group wheel, do su, and repeat the procedure, the files are owned by the other user I log in. As I have only limited console access or find the console access inconvenient, I have installed many ports by logging in as a user in the group wheel and doing su to root. But only emacs related files are owned by somebody else than expected. With best regards Joachim Griesche freebsd001@pc.jgr.de From keramida at freebsd.org Sun Mar 15 13:16:48 2009 From: keramida at freebsd.org (Giorgos Keramidas) Date: Sun Mar 15 19:39:56 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <200903062256.n26MuA2r085728@pc.jgr.de> (freebsd's message of "Fri, 6 Mar 2009 23:56:10 +0100 (CET)") References: <200903062256.n26MuA2r085728@pc.jgr.de> Message-ID: <87ljr61t3v.fsf@kobe.laptop> On Fri, 6 Mar 2009 23:56:10 +0100 (CET), freebsd001@pc.jgr.de wrote: > Dear list members, > > I am not only wondering about the permissions of several emacs-related > directories as it has recently been mentioned in this thread, but also > about the ownership of several emacs-related files. This seems to be a local installation glitch. >>find . -not -user root | head -n 3 > ./emacs/22.3/etc > ./emacs/22.3/etc/GNUS-NEWS > ./emacs/22.3/etc/fr-drdref.ps > >>find . -not -user root | wc -l > 2643 % uname -vr 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Fri Mar 13 16:39:47 EET 2009 build@kobe:/usr/obj/usr/src/sys/KOBE % pwd /usr/local/share % find . -not -user root -exec ls -ld {} + | head -3 -rw-rw-r-- 1 games games 0 Mar 14 19:06 ./games/glines.Large.scores -rw-rw-r-- 1 games games 0 Mar 14 19:06 ./games/glines.Medium.scores -rw-rw-r-- 1 games games 0 Mar 14 19:06 ./games/glines.Small.scores % find . -not -user root -a -not -user games -exec ls -ld {} + % So the only files that are not owned by root here are those owned by the `games' user. You have many hundreds of files owned by != root users. Who owns those files, and do yu remember how the relevant ports have been installed? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20090315/e1681931/attachment.pgp From ltning at anduin.net Mon Mar 16 12:31:24 2009 From: ltning at anduin.net (=?ISO-8859-1?Q?Eirik_=D8verby?=) Date: Mon Mar 16 12:31:31 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <200903152350.n2FNoGnk006601@pc.jgr.de> References: <200903152350.n2FNoGnk006601@pc.jgr.de> Message-ID: <253C16FF-5287-4941-8DFB-AB07D57E3C90@anduin.net> On 16. mars. 2009, at 00.50, freebsd001@pc.jgr.de wrote: > March 16, 2009 > Dear Giorgos, > > thank you for coming back to the emacs issue. I deinstalled > emacs by means of pkg_delete -v -d, deleted by hand > /usr/local/share/emacs to make sure that nothing is left, > logged in as user "nutzer", and did su to root: > >> id > uid=1006(nutzer) gid=1000(user) groups=1000(user),0(wheel) >> su > Password: Try 'su -' instead of 'su'. There might be some environment issues; I've seen similar behavior when making that mistake myself. Not sure if it'll explain the 777, but the owner should be the correct one then. /Eirik > >> id > uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) >> > > Then, I did cd to /usr/ports/editors/emacs and did make and > make install. The result is as follows: > >> pwd > /usr/local/share/emacs/22.3 >> ll > total 22 > drwxrwxrwx 5 nutzer wheel 3072 Mar 15 23:52 etc > drwxr-xr-x 4 nutzer wheel 512 Mar 15 23:53 leim > drwxrwxrwx 20 nutzer wheel 13312 Mar 15 23:53 lisp > drwxr-xr-x 2 root wheel 512 Mar 15 23:52 site-lisp >> > > There are some rwx directories as originally mentioned in > the thread, and several directories as well as the files in > these directories are not owned by root, but by nutzer. > > If I log in as another user in the group wheel, do su, and > repeat the procedure, the files are owned by the other user > I log in. > > As I have only limited console access or find the console > access inconvenient, I have installed many ports by logging > in as a user in the group wheel and doing su to root. But > only emacs related files are owned by somebody else than > expected. > > With best regards > Joachim Griesche > > freebsd001@pc.jgr.de > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > From rwatson at FreeBSD.org Tue Mar 17 10:02:28 2009 From: rwatson at FreeBSD.org (Robert Watson) Date: Tue Mar 17 10:02:35 2009 Subject: FreeBSD and MAC In-Reply-To: <20090307183701.4b42830e@Picasso.Zahemszky.HU> References: <20090307183701.4b42830e@Picasso.Zahemszky.HU> Message-ID: On Sat, 7 Mar 2009, Zahemszky G?bor wrote: > I have two simple questions about the Mandatory Access Control framework of > FreeBSD: > > a) what has happened with the SEBSD modul? When will be available (or will > it be at all) in the system (or can I find one for an up-to-date kernel: 7.x > or up)? > > b) when will be the "options MAC" in the GENERIC kernel, or why not? (I > think, more people can test the MAC-modules, if they don't need to config a > kernel for it.) Dear G?bor: Right now no one is maintaining the SEBSD module; this is unfortunate, but largely a property of people having enough time. If this is something you can contribute to (or anyone else who's interested) I'm happy to provide pointers and advice. Most of the MAC Framework dependencies for SEBSD were merged back into the base tree, but it would need quite a bit of adaptation to move forward to FreeBSD7/8. Also, SEBSD uses what are now quite old SELinux parts, so those would also need updating (although I guess that isn't required). Feel free to ask questions here, or on the trustedbsd-discuss mailing list. "options MAC" is believed to cause a significant performance loss on 7.x and earlier; we're currently working to address that with the hope of shipping "options MAC" in GENERIC starting with FreeBSD 8.0. I've not re-benchmarked in a few months but we've merged a number of improvements that should be getting us close. For example, whereas previously MAC automatically allocated memory to hold security labels for objects, now it only allocates memory when policies are registered that specifically require labels on those object types. On a similar note, the locking for the MAC Framework itself has been significantly optimized over the last few weeks to lower overhead, and there are more changes in the works. We'll probably pause and take stock sometime in the next month and see what performance regressions remain. Robert N M Watson Computer Laboratory University of Cambridge From ipfreak at yahoo.com Tue Mar 17 12:15:35 2009 From: ipfreak at yahoo.com (gahn) Date: Tue Mar 17 12:16:28 2009 Subject: ipfw and carp Message-ID: <25680.4880.qm@web52105.mail.re2.yahoo.com> Hi all: Did any one use ipfw with CARP before? is there anything specific about ipfw configurations working with CARP? I have two servers and they configured with CARP. they are working fine except i can't turn on ipfw. I have the exact same configuration except ip addresses; those same rule sets of ipfw work on one server but not on another. Thanks all From ipfreak at yahoo.com Tue Mar 17 12:23:30 2009 From: ipfreak at yahoo.com (gahn) Date: Tue Mar 17 12:23:42 2009 Subject: ipfw and carp In-Reply-To: <25680.4880.qm@web52105.mail.re2.yahoo.com> Message-ID: <303326.75880.qm@web52107.mail.re2.yahoo.com> Sorry I meant the same rules I used on another machine (working fine) would not work for those machines with CARP activated. I didn't change anything except IP addresses. Also instead of physical interfaces, I put rules on carp interface. --- On Tue, 3/17/09, gahn wrote: > From: gahn > Subject: ipfw and carp > To: "freebsd security" , "freebsd general questions" > Date: Tuesday, March 17, 2009, 12:15 PM > Hi all: > > Did any one use ipfw with CARP before? is there anything > specific about ipfw configurations working with CARP? I have > two servers and they configured with CARP. they are working > fine except i can't turn on ipfw. > > I have the exact same configuration except ip addresses; > those same rule sets of ipfw work on one server but not on > another. > > Thanks all > > > > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" From gabriele.modena at gmail.com Wed Mar 18 12:02:29 2009 From: gabriele.modena at gmail.com (Gabriele Modena) Date: Wed Mar 18 13:47:37 2009 Subject: FreeBSD and MAC In-Reply-To: References: <20090307183701.4b42830e@Picasso.Zahemszky.HU> Message-ID: <1fe1d5d60903181131n73580c78r1045c376874f4470@mail.gmail.com> 2009/3/17 Robert Watson : Dear Robert; > Right now no one is maintaining the SEBSD module; this is unfortunate, but > largely a property of people having enough time. ?If this is something you > can contribute to (or anyone else who's interested) I'm happy to provide > pointers and advice. Could this be a valid Google Summer of Code project? I am about to write a proposal for this summer; my idea was related to semantic file systems (in a way to combine my interest in kernel hacking to my current research interest in information retrieval) and I am still reading background literature about that. If there is interest from the community, SEBSD/TrustedBSD would be another area I would like to work on. In the past I worked a bit (at a hobbyst level) with SELinux and I have a background in security and (linux) kernel hacking. In both cases I am interested in working on FreeBSD during the summer with or without a Google's grant. Thanks, kind regards. From rwatson at FreeBSD.org Wed Mar 18 15:06:40 2009 From: rwatson at FreeBSD.org (Robert Watson) Date: Wed Mar 18 15:06:47 2009 Subject: FreeBSD and MAC In-Reply-To: <1fe1d5d60903181131n73580c78r1045c376874f4470@mail.gmail.com> References: <20090307183701.4b42830e@Picasso.Zahemszky.HU> <1fe1d5d60903181131n73580c78r1045c376874f4470@mail.gmail.com> Message-ID: On Wed, 18 Mar 2009, Gabriele Modena wrote: > 2009/3/17 Robert Watson : > >> Right now no one is maintaining the SEBSD module; this is unfortunate, but >> largely a property of people having enough time. ?If this is something you >> can contribute to (or anyone else who's interested) I'm happy to provide >> pointers and advice. > > Could this be a valid Google Summer of Code project? > > I am about to write a proposal for this summer; my idea was related to > semantic file systems (in a way to combine my interest in kernel hacking to > my current research interest in information retrieval) and I am still > reading background literature about that. > > If there is interest from the community, SEBSD/TrustedBSD would be another > area I would like to work on. In the past I worked a bit (at a hobbyst > level) with SELinux and I have a background in security and (linux) kernel > hacking. > > In both cases I am interested in working on FreeBSD during the summer with > or without a Google's grant. Yes, I think this would be a good GSoC project, although it is quite large so I think you'd need to break it up into parts and plan not to complete all of them in one summer. I think the first step would be to slide the current SEBSD port forward to a newer FreeBSD version, then work towards updating the SEBSD parts from new Linux parts. It would also be worth chatting with NSA (et al) about whether non-GPL'd kernel parts are available. I know there's some on-going OpenSolaris porting work, and CDDL and GPL mix like water and oil, as I understand it, so there may be. I would be happy to lend technical advice to a project to do the above updates, and I suspect more hands would turn up once someone was clearly driving things forwards, GSoC project or not. The advice I'm giving all students, btw, is that if you're submitting a proposal based on one of our project ideas on the web page, consider submitting multiple proposals, as in previous years we've found ourselves having to pick just one of several promising students because they all picked the same idea and there was really room for only one instance of the project. Since you're talking about proposing ideas not on the list, that caution probably doesn't apply in the same way, but submitting multiple proposals (given enough time invested in each) likely will improve the chances that we can select you. Thanks, Robert N M Watson Computer Laboratory University of Cambridge From keramida at ceid.upatras.gr Wed Mar 18 21:50:08 2009 From: keramida at ceid.upatras.gr (Giorgos Keramidas) Date: Wed Mar 18 21:50:18 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <253C16FF-5287-4941-8DFB-AB07D57E3C90@anduin.net> ("Eirik =?iso-8859-1?Q?=D8verby=22's?= message of "Mon, 16 Mar 2009 20:31:21 +0100") References: <200903152350.n2FNoGnk006601@pc.jgr.de> <253C16FF-5287-4941-8DFB-AB07D57E3C90@anduin.net> Message-ID: <871vsub0bf.fsf@kobe.laptop> On Mon, 16 Mar 2009 20:31:21 +0100, Eirik ?verby wrote: > On 16. mars. 2009, at 00.50, freebsd001@pc.jgr.de wrote: >> Dear Giorgos, >> thank you for coming back to the emacs issue. I deinstalled >> emacs by means of pkg_delete -v -d, deleted by hand >> /usr/local/share/emacs to make sure that nothing is left, >> logged in as user "nutzer", and did su to root: >> >>> id >> uid=1006(nutzer) gid=1000(user) groups=1000(user),0(wheel) >>> su >> Password: > > Try 'su -' instead of 'su'. > There might be some environment issues; I've seen similar behavior > when making that mistake myself. This is correct. `su -' should be preferred when installing stuff :) From ntarmos at cs.uoi.gr Thu Mar 19 03:45:11 2009 From: ntarmos at cs.uoi.gr (Nikos Ntarmos) Date: Thu Mar 19 04:20:41 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <87ljr61t3v.fsf@kobe.laptop> References: <200903062256.n26MuA2r085728@pc.jgr.de> <87ljr61t3v.fsf@kobe.laptop> Message-ID: <20090319102606.GA27912@ace.cs.uoi.gr> On Sun, Mar 15, 2009 at 09:30:44PM +0200, Giorgos Keramidas wrote: > On Fri, 6 Mar 2009 23:56:10 +0100 (CET), freebsd001@pc.jgr.de wrote: > > Dear list members, > > > > I am not only wondering about the permissions of several emacs-related > > directories as it has recently been mentioned in this thread, but also > > about the ownership of several emacs-related files. > > This seems to be a local installation glitch. > > >>find . -not -user root | head -n 3 > > ./emacs/22.3/etc > > ./emacs/22.3/etc/GNUS-NEWS > > ./emacs/22.3/etc/fr-drdref.ps > > > >>find . -not -user root | wc -l > > 2643 That's probably due to the fact that emacs uses something along the lines of 'tar -chf - ... | tar -xvf - ...' to copy the files, followed (in some cases) by a chown to $LOGNAME (or if that is not set, to $USERNAME). If you just 'su', LOGNAME remains set to what it was before (i.e. nutzer), while 'su -' will clear that out. Cheers. \n\n From keramida at ceid.upatras.gr Thu Mar 19 05:16:19 2009 From: keramida at ceid.upatras.gr (Giorgos Keramidas) Date: Thu Mar 19 05:16:26 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <20090319102606.GA27912@ace.cs.uoi.gr> (Nikos Ntarmos's message of "Thu, 19 Mar 2009 12:26:06 +0200") References: <200903062256.n26MuA2r085728@pc.jgr.de> <87ljr61t3v.fsf@kobe.laptop> <20090319102606.GA27912@ace.cs.uoi.gr> Message-ID: <87eiwtwvwb.fsf@kobe.laptop> On Thu, 19 Mar 2009 12:26:06 +0200, Nikos Ntarmos wrote: >On Sun, Mar 15, 2009 at 09:30:44PM +0200, Giorgos Keramidas wrote: >>On Fri, 6 Mar 2009 23:56:10 +0100 (CET), freebsd001@pc.jgr.de wrote: >>> Dear list members, >>> >>> I am not only wondering about the permissions of several emacs-related >>> directories as it has recently been mentioned in this thread, but also >>> about the ownership of several emacs-related files. >> >> This seems to be a local installation glitch. >> >>>>find . -not -user root | head -n 3 >>> ./emacs/22.3/etc >>> ./emacs/22.3/etc/GNUS-NEWS >>> ./emacs/22.3/etc/fr-drdref.ps >>> >>>>find . -not -user root | wc -l >>> 2643 > > That's probably due to the fact that emacs uses something along the > lines of 'tar -chf - ... | tar -xvf - ...' to copy the files, followed > (in some cases) by a chown to $LOGNAME (or if that is not set, to > $USERNAME). If you just 'su', LOGNAME remains set to what it was > before (i.e. nutzer), while 'su -' will clear that out. Yep, that's exactly what the Emacs build glue does. One of the directories mentioned in the permission listings of the thread includes `leim/'. The source of `emacs/leim/Makefile.in' installs files with tar and chown: 240 tar -chf - quail/* ja-dic \ 241 | (cd ${INSTALLDIR}; umask 0; tar -xvf - && cat > /dev/null) ;\ ... 264 find ${INSTALLDIR} -exec chown $${installuser} '{}' ';' There are probably better ways to install a configurable list of files, i.e. by using a `manifest' of some sort and piping the list through xargs to ${INSTALLDIR} and ${INSTALLDATA} macros. This would require extensive changes to the vendor source though. It may be worth the effort if someone is interested to hack Emacs sources, so anyone interested in this sort of change to the GNU sources of Emacs should try taking this up with the `emacs-devel' mailing list. That's the right place to discuss potential improvements to Emacs sources, so that all the other platforms where Emacs works can benefit too :-) Having said that, fixing the makefiles of Emacs won't really solve the potential problems of *all* ports when plain `su' is used to install ports. So while it it a good idea for someone who wants to start hacking Emacs code, the general rule of "install only with `su -'" still applies for every other port in our tree. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20090319/50b4c802/attachment.pgp From smithi at nimnet.asn.au Thu Mar 19 08:14:39 2009 From: smithi at nimnet.asn.au (Ian Smith) Date: Thu Mar 19 08:14:54 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <871vsub0bf.fsf@kobe.laptop> References: <200903152350.n2FNoGnk006601@pc.jgr.de> <253C16FF-5287-4941-8DFB-AB07D57E3C90@anduin.net> <871vsub0bf.fsf@kobe.laptop> Message-ID: <20090320013025.W95588@sola.nimnet.asn.au> On Thu, 19 Mar 2009, Giorgos Keramidas wrote: > On Mon, 16 Mar 2009 20:31:21 +0100, Eirik ?verby wrote: > > On 16. mars. 2009, at 00.50, freebsd001@pc.jgr.de wrote: > >> Dear Giorgos, > >> thank you for coming back to the emacs issue. I deinstalled > >> emacs by means of pkg_delete -v -d, deleted by hand > >> /usr/local/share/emacs to make sure that nothing is left, > >> logged in as user "nutzer", and did su to root: > >> > >>> id > >> uid=1006(nutzer) gid=1000(user) groups=1000(user),0(wheel) > >>> su > >> Password: > > > > Try 'su -' instead of 'su'. > > There might be some environment issues; I've seen similar behavior > > when making that mistake myself. > > This is correct. `su -' should be preferred when installing stuff :) Absolutely - but I can't find where it(7) actually says that? cheers, Ian From freebsd001 at pc.jgr.de Thu Mar 19 08:36:29 2009 From: freebsd001 at pc.jgr.de (freebsd001@pc.jgr.de) Date: Thu Mar 19 08:36:36 2009 Subject: emacs installs a lot of 777 directories Message-ID: <200903191534.n2JFYtME099569@mypc.dca.jgr.de> March 19, 2009 Dear list members, thank you for the detailed explanation why I got a strange ownership of emacs related files. I am afraid that my question about ownership has moved the thread from permissions to ownership. I would like to remember that the question that was originally posted by Randy Bush in this thread was about 777 directories. These 777 directories also exist on my system - even after pkg_delete -v -d -a, rm -rvf /usr/local, and a fresh installation of emacs via make fetch-recursive, make, and make install in /usr/ports/editors/emacs (ports version FreeBSD: ports/UPDATING,v 1.790 2009/03/16 22:33:17 beat Exp). With best regards Joachim Griesche freebsd001@pc.jgr.de From keramida at freebsd.org Thu Mar 19 12:23:48 2009 From: keramida at freebsd.org (Giorgos Keramidas) Date: Thu Mar 19 12:35:33 2009 Subject: emacs installs a lot of 777 directories In-Reply-To: <20090320013025.W95588@sola.nimnet.asn.au> (Ian Smith's message of "Fri, 20 Mar 2009 01:49:29 +1100 (EST)") References: <200903152350.n2FNoGnk006601@pc.jgr.de> <253C16FF-5287-4941-8DFB-AB07D57E3C90@anduin.net> <871vsub0bf.fsf@kobe.laptop> <20090320013025.W95588@sola.nimnet.asn.au> Message-ID: <87ab7hpb9d.fsf@kobe.laptop> On Fri, 20 Mar 2009 01:49:29 +1100 (EST), Ian Smith wrote: >On Thu, 19 Mar 2009, Giorgos Keramidas wrote: >> This is correct. `su -' should be preferred when installing stuff :) > > Absolutely - but I can't find where it(7) actually says that? It's more or less a rite of passage for FreeBSD admins, like "don't run `rm -fr /' if you are unsure of what it does". For a better reason see the post by Nikos Ntarmos and my reply to that :-) From security-advisories at freebsd.org Sun Mar 22 17:09:14 2009 From: security-advisories at freebsd.org (FreeBSD Security Advisories) Date: Sun Mar 22 17:09:40 2009 Subject: FreeBSD Security Advisory FreeBSD-SA-09:06.ktimer Message-ID: <200903230009.n2N09C3N065231@freefall.freebsd.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-09:06.ktimer Security Advisory The FreeBSD Project Topic: Local privilege escalation Category: core Module: kern Announced: 2009-03-23 Affects: FreeBSD 7.x Corrected: 2009-03-23 00:00:50 UTC (RELENG_7, 7.2-PRERELEASE) 2009-03-23 00:00:50 UTC (RELENG_7_1, 7.1-RELEASE-p4) 2009-03-23 00:00:50 UTC (RELENG_7_0, 7.0-RELEASE-p11) CVE Name: CVE-2009-1041 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero. II. Problem Description An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked. III. Impact An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to "become root"), to escape from a jail, or to bypass security mechanisms in other ways. IV. Workaround No workaround is available, but systems without untrusted local users are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or RELENG_7_0 security branch dated after the correction date. 2) To patch your present system: The following patch has been verified to apply to FreeBSD 7.0 and 7.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch # fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_7 src/sys/kern/kern_time.c 1.142.2.3 RELENG_7_1 src/UPDATING 1.507.2.13.2.7 src/sys/conf/newvers.sh 1.72.2.9.2.8 src/sys/kern/kern_time.c 1.142.2.2.2.2 RELENG_7_0 src/UPDATING 1.507.2.3.2.15 src/sys/conf/newvers.sh 1.72.2.5.2.15 src/sys/kern/kern_time.c 1.142.4.1 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/7/ r190301 releng/7.1/ r190301 releng/7.0/ r190301 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1041 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:09.ktimer.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (FreeBSD) iEYEARECAAYFAknG0hQACgkQFdaIBMps37JA4gCfaznvIWKB/AU0cv6ojZUhheD4 MuYAnAp3wuz3E7gIX6VK7PeUVnPp/41o =MPIX -----END PGP SIGNATURE----- From cperciva at freebsd.org Sun Mar 22 17:22:27 2009 From: cperciva at freebsd.org (FreeBSD Security Officer) Date: Sun Mar 22 17:22:35 2009 Subject: Security advisory scheduling Message-ID: <49C6D55D.1010309@freebsd.org> Just to head off any complaints: Yes, a security advisory just went out, and yes, I do know that Monday morning (for UTC and further east) / Sunday afternoon (west of UTC) is not the most convenient time for you to be patching systems. Unfortunately, this issue was announced publicly at CanSecWest -- unlike most security issues, we didn't get any advance notice of this. When issues have not yet been publicly announced we try to aim to send out advisories on Wednesdays; but in cases like this when an issue is already public we don't want to delay any more than necessary. -- Colin Percival Security Officer, FreeBSD | freebsd.org | The power to serve Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid From james.technew at gmail.com Tue Mar 24 00:14:47 2009 From: james.technew at gmail.com (James Chang) Date: Tue Mar 24 00:14:54 2009 Subject: DNS of FreeBSD.org been Attacked!? Message-ID: Dear all, I found some strange DNS query result these days. Show the strange result as following :< C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1 Server: dns.hinet.net Address: 168.95.1.1 Name: ftp11.tw.freebsd.org.com.tw Address: 82.98.86.170 C:\Documents and Settings\Administrator>nslookup ftp6.tw.freebsd.org 168.95.1.1 Server: dns.hinet.net Address: 168.95.1.1 Name: ftp6.tw.freebsd.org.com.tw Address: 82.98.86.170 Both ftp6.tw.freebsd.org and ftp11.tw.freebsd.org has the same IP adderess, and this IP address seems belong to a malice domain! Could anyone have good idea? From ueda at netforest.ad.jp Tue Mar 24 01:16:35 2009 From: ueda at netforest.ad.jp (UEDA Hiroyuki) Date: Tue Mar 24 01:16:43 2009 Subject: DNS of FreeBSD.org been Attacked!? In-Reply-To: References: Message-ID: <20090324164644.A697.5F3C430A@netforest.ad.jp> Hello, > C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1 > > Server: dns.hinet.net > Address: 168.95.1.1 > > Name: ftp11.tw.freebsd.org.com.tw ^^^^^^^^ You seem to nslookup "ftp11.tw.freebsd.org.COM.TW". If it's right, > Address: 82.98.86.170 is correct as follows: $ dig A ftp11.tw.freebsd.org.com.tw ; <<>> DiG 9.2.4 <<>> A ftp11.tw.freebsd.org.com.tw ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53400 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;ftp11.tw.freebsd.org.com.tw. IN A ;; ANSWER SECTION: ftp11.tw.freebsd.org.com.tw. 600 IN A 82.98.86.170 So you had better check your PC's settings. BTW, a wild card record(*.org.com.tw) is probably used. For example, I got same results with following queries: $ dig A foo.bar.freebsd.org.com.tw $ dig A foo.bar.org.com.tw $ dig A foo.org.com.tw Best regards. ----- UEDA Hiroyuki Netforest Inc., JAPAN From bc at default.rs Tue Mar 24 01:52:16 2009 From: bc at default.rs (=?UTF-8?B?Qm9nZGFuIMSGdWxpYnJr?=) Date: Tue Mar 24 04:27:31 2009 Subject: DNS of FreeBSD.org been Attacked!? In-Reply-To: <20090324164644.A697.5F3C430A@netforest.ad.jp> References: <20090324164644.A697.5F3C430A@netforest.ad.jp> Message-ID: <49C898FC.3010107@default.rs> UEDA Hiroyuki wrote: > Hello, > > >> C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1 >> >> Server: dns.hinet.net >> Address: 168.95.1.1 >> >> Name: ftp11.tw.freebsd.org.com.tw > ^^^^^^^^ > You seem to nslookup "ftp11.tw.freebsd.org.COM.TW". If it's right, > >> Address: 82.98.86.170 > > is correct as follows: > > $ dig A ftp11.tw.freebsd.org.com.tw > > ; <<>> DiG 9.2.4 <<>> A ftp11.tw.freebsd.org.com.tw > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53400 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;ftp11.tw.freebsd.org.com.tw. IN A > > ;; ANSWER SECTION: > ftp11.tw.freebsd.org.com.tw. 600 IN A 82.98.86.170 > > So you had better check your PC's settings. > > > BTW, a wild card record(*.org.com.tw) is probably used. For example, I > got same results with following queries: > > $ dig A foo.bar.freebsd.org.com.tw > $ dig A foo.bar.org.com.tw > $ dig A foo.org.com.tw > An epic fail guy ;> From cliftonr at lava.net Tue Mar 24 10:51:35 2009 From: cliftonr at lava.net (Clifton Royston) Date: Tue Mar 24 10:51:43 2009 Subject: DNS of FreeBSD.org been Attacked!? In-Reply-To: <20090324120024.159DE10656D7@hub.freebsd.org> References: <20090324120024.159DE10656D7@hub.freebsd.org> Message-ID: <20090324175131.GB14702@lava.net> On Tue, Mar 24, 2009 at 12:00:24PM +0000, freebsd-security-request@freebsd.org wrote: > Date: Tue, 24 Mar 2009 14:56:10 +0800 > From: James Chang > Subject: DNS of FreeBSD.org been Attacked!? > To: freebsd-security@freebsd.org > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Dear all, > > I found some strange DNS query result these days. > > Show the strange result as following :< > > C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1 > > Server: dns.hinet.net > Address: 168.95.1.1 > > Name: ftp11.tw.freebsd.org.com.tw > Address: 82.98.86.170 Correct the configuration of your Windows machine (under Connection Properties -> TCP/IP properties -> Advanced -> DNS -> "Append these DNS suffixes", so that ".com.tw" is not appended as your domain by default. Otherwise, things won't work well for you. This is in no way a FreeBSD issue. -- Clifton -- Clifton Royston -- cliftonr@iandicomputing.com / cliftonr@lava.net President - I and I Computing * http://www.iandicomputing.com/ Custom programming, network design, systems and network consulting services