Re: Apache + ModSSL

2001-07-23 Thread Oohara Yuuma

 My question is how to configure httpd.conf, so I can access my sites via 
https://www.mysite.com.
from /etc/apache/httpd.conf:

# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e. use
# www instead of the host's real name).
#
# Note: You cannot just invent host names and hope they work. The name you 
# define here must be a valid DNS name for your host. If you don't understand
# this, ask your network administrator.

ServerName new.host.name

Normally,

ServerName localhost

will work --- you can access your sites via
http://localhost

--
Oohara Yuuma
Graduate-school of Science, Kyoto University
[EMAIL PROTECTED]






--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: read-write to stdin-stdout or to a file?

2001-07-23 Thread David Wright

Quoting Pedro Zorzenon Neto ([EMAIL PROTECTED]):
 On Fri, Jul 20, 2001 at 12:42:13PM +0100, David Wright wrote:
  Do you mean this package?
  
  Programmer for Atmel AVR microcontrollers that uses PC parallel port
 
 Yes.
 
  If so, I'm not sure why you think it needs to be setuid. Just
  chgrp somegroup /dev/lp0 (or whichever port) and put yourself
  (and any others) into somegroup.
 
 I tried /dev/lp* and couldn't make the program work with it.

I should have looked back at what I had done. I didn't use /dev/lp*
but a device of my own making /dev/pp125 which is major 125, minor 0
(i.e. in the range reserved for users). But chgrp it just the same.

 This program uses specific hardware connected to the printer port. It has to read 
some bits of the port and write other bits in patterns which have to change within 
microseconds.
 
 That is why it uses low-level ioperm, inb, outb to IO 0x378 (or other IO, at user 
option[1]) and runs setuid root.

I used a kernel module, which saves using ioperm and setuid root.
The module loads automatically when anyone (allowed) opens the device.

 I think (not sure about all architectures) that because of this, it will run only on 
i386 machines. If I used /dev/lp* it would run on all machines. If someone knows how 
to use the lp device for this specific purpose, please write me.

Are you sure you aren't writing /dev/lp* to mean a special device
with LP_MAJOR = 6, and hence the lp.o module? That won't work because
lp.o only drives printers - it doesn't do arbitrary bit-twiddling.

My module didn't use any architecture-specific headers, so I guess
it should work on any architecture. However, I had no hardware to
test that assertion.

 [1] root must edit a config file to say which ports the user can choose.

A module might look at /etc/modules.conf similarly.

Cheers,

-- 
Email:  [EMAIL PROTECTED]   Tel: +44 1908 653 739  Fax: +44 1908 655 151
Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer:   These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.






Re: Apache + ModSSL

2001-07-23 Thread Thomas Morin

-. Oohara Yuuma (2001-07-23) :
 |
 |  My question is how to configure httpd.conf, so I can access my sites via 
 |https://www.mysite.com.
 | from /etc/apache/httpd.conf:
 |
 | # ServerName allows you to set a host name which is sent back to clients for
 | # your server

I guess the question was more about the https than about the
www.mysite.com, no?  :)

To enable HTTPS with mod_ssl you have to use the 'SSLEngine on' directive;
this can be in the main configuration or in a virtualhost statement.

http://www.modssl.org also has documentation about modssl.

Cheers,

-tom

--
== Thomas.Morin @webmotion.comSysAdmin/RD
== Phone: +1 613 731 4046 ext113 \Fax: +1 613 260 9545
== PGP/keyID: 8CEA233D
== PGP/KeyFP: 503BF6CFD3AE8719377B832A02FB94E08CEA233D
--








Re: iptables logging

2001-07-23 Thread Jeff Coppock

Matthias Richter, 2001-Jul-22 08:18 +0200:
 You need to tell iptables which packets should be logged. For example:
 
 iptables -N log     # This chain logs and hands the packet over to delete
 iptables -N delete  # This chain rejects anything
 
 iptables -A INPUT RULE -j log     # Rule to be logged
 iptables -A INPUT RULE -j delete  # Rule not to be logged
 
 iptables -A log -j LOG --log-prefix "Rejected: "  # be verbose in syslog
 iptables -A log -j delete  # hand over packet to delete
 
 iptables -A delete -j REJECT  # gracefully reject packet
 

   Thanks, this helps.  I've got it logging now to syslog with a
   log prefix...nice!
   
   Now, I want these log messages to go to a different log file,
   other than /var/log/syslog.  I'd like these Rejected:  log
   messages to go into /var/log/iptables.log instead.  I can't
   figure out what changes to make to /etc/syslog.conf to make
   this happen.  Any help is appreciated.
   
   jc


-- 

Jeff CoppockNortel Networks
Systems Engineerhttp://nortelnetworks.com
Major Accts.Santa Clara, CA






OT: why they use IIS (was red worm amusement)

2001-07-23 Thread JonesMB

this morning I read an interesting article on the red worm amusement
topic that led to the weekend's heated discussion.  the article is at
http://dailynews.yahoo.com/h/zd/20010723/tc/it_bugs_out_over_iis_security_1.
html

here are a few interesting quotes from the article - 
Despite the widespread perception of IIS as a nonsecure server, many
customers say that ... it (IIS) will remain their server of choice because
they are too committed to Microsoft to make a switch practical or affordable.
I would switch if I could convince my company to do it,
It's hard to find good Unix security guys
stuck with it (IIS) for convenience and fiscal reasons

as you can see, most of the quotes are the same things that were mentioned
here recently.  in the business world, convenience and other things seem to
take precedence over security.

jmb






Unidentified subject!

2001-07-23 Thread Nick Name

Hi all. I run stable with some packages from testing (XFree86 4.02 and
konqueror).

Some weeks ago in the morning I found my computer had been rebooted
during the night and found some zeroes in my syslog, just before the reboot.
I first thought of a worm, the latest ramen variant (don't remember the
name right now), but I didn't find any sign of it.

I have changed my passwords; however, I am using ipchains. 

Today my computer froze (!!!  It's a Debian, it really shouldn't :)
) and I found those zeroes again after pressing that big red button.

Does someone know something about this all? May this be a security
problem?

Thanks for your attention and sorry for my bad English

Vincenzo Ciancia

--
Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia - 






Re: iptables logging

2001-07-23 Thread Tamas TEVESZ

On Mon, 23 Jul 2001, Jeff Coppock wrote:

 other than /var/log/syslog.  I'd like these Rejected:  log
 messages to go into /var/log/iptables.log instead.  I can't
 figure out what changes to make to /etc/syslog.conf to make
 this happen.  Any help is appreciated.

apt-get install syslog-ng

traditional syslog can't do pattern matching and directing messages
based on pattern, whereas syslog-ng can.

-- 
[-]
you're wasting my time, chatterbox.






Re: OT: why they use IIS (was red worm amusement)

2001-07-23 Thread Sven Hoexter

On Mon, Jul 23, 2001 at 12:02:00PM -0500, JonesMB wrote:
 this morning I read an interesting article on the red worm amusement
 topic that led to the weekend's heated discussion.  the article is at
 http://dailynews.yahoo.com/h/zd/20010723/tc/it_bugs_out_over_iis_security_1.
 html
 
 here are a few interesting quotes from the article - 
 Despite the widespread perception of IIS as a nonsecure server, many
 customers say that ... it (IIS) will remain their server of choice because
 they are too committed to Microsoft to make a switch practical or affordable.
 I would switch if I could convince my company to do it,
 It's hard to find good Unix security guys
*rotfl* yeah, and out in the wild are so many MCSEs which are all up to
date with their security patches ... so the Code Red Worm had no
chance to spread ...

Sven
-- 
Subject: Re: woody hanging
 WRT subject.
 $ apt-get install viagra ;-)
[Karsten M. Self in debian-user]






Re: --no-run option (was: Re: red worm amusement)

2001-07-23 Thread Steve Greenland

On 22-Jul-01, 16:06 (CDT), Steven Barker [EMAIL PROTECTED] wrote: 
 On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
  The standard-config is normally sane, and when you do not think so, place
  another config-file there before installing it.

Hmmm, I don't know that that would work on a clean install (no
/var/lib/dpkg/info/foo.conffiles). Must try...

 You are right, and I don't think that running with a default configuration
 would be a problem often.  But an option to prevent
 servers (or perhaps all daemons, networked or not) from running on install
 would let anyone who does not want the default configuration the chance to
 change settings before starting it up.
 
 Another problem with the current system is that disabled (as in, not running
 and removed from /etc/rc?.d) daemons restart themselves when they are
 upgraded.

Folks, this is all designed and implemented, and is waiting
on the sysvinit and file-rc maintainers to integrate. See
http://bugs.debian.org/76868 (Note that it changed somewhat during the
discussion, so read *all* the way through before commenting.)

Steve

-- 
Steve Greenland [EMAIL PROTECTED]
(Please do not CC me on mail sent to this list; I subscribe to and read
every list I post to.)






umask for init

2001-07-23 Thread Dan Christensen

I read that certain kernel versions don't set the umask for init
correctly (2.4.6 is one of them, I think).  Does anyone know if
a Debian system is susceptible to this problem, and if so, which
files may have been created world-writable?

Thanks,

Dan

-- 
Dan Christensen
[EMAIL PROTECTED]






Re: umask for init

2001-07-23 Thread Tim Haynes

Dan Christensen [EMAIL PROTECTED] writes:

 I read that certain kernel versions don't set the umask for init
 correctly (2.4.6 is one of them, I think). Does anyone know if a Debian
 system is susceptible to this problem, and if so, which files may have
 been created world-writable?

I think 2.4.6 was one of them; amongst other things, check any files
created/touched/downloaded by cron. I've grown a load of perm-666 files in
/var/cache/apt/archives/ as a result of a daily dist-upgrade download
scheduled for 2am with cron.

Otherwise, erm, `man find`?

~Tim
-- 
The blade cuts clean through|[EMAIL PROTECTED]
  the island soil,  |http://spodzone.org.uk/
The years roll back and |
the world grows small   |






Re: umask for init

2001-07-23 Thread Ethan Benson

On Mon, Jul 23, 2001 at 04:53:55PM -0400, Dan Christensen wrote:
 I read that certain kernel versions don't set the umask for init
 correctly (2.4.6 is one of them, I think).  Does anyone know if
 a Debian system is susceptible to this problem, and if so, which
 files may have been created world-writable?

kernels 2.4.3 - 2.4.6 set the umask to 000, so any thread/process
created by the kernel, including init, started with umask 000 and
remained that way unless init changed it itself.

debian's init does NOT change the umask, and even though there is a
umask 022 in /etc/init.d/rcS that is not enough.

the result is most .pid files in /var/run/* will be created world
writable with 0666 permissions as well as any other file created in
the boot process, including:

(if it did not exist at boot time) /lib/modules/`uname -r`/modules.dep
this is a gaping root hole.

/etc/modules.conf (if you have alsa-* packages installed which run
update-modules in the initscript).  this is another gaping root hole.

there are likely more; it depends on what packages you have installed
with initscripts.  since most of them don't alter their umask either in
the initscript or via the program itself, any file created by them will
be world writable; depending on what the file is it can be a severe
security hole.

solution: switch back to 2.2 kernels or upgrade to 2.4.7 which finally
fixes this and sets the default umask back to 022.

after fixing your kernel it is highly advisable to check your system
for world writable files and make sure any that are found are supposed
to be that way:

find / -perm +0002 ! -type l ! -type c -ls

the ! -type l ! -type c ignores symlinks (which are always mode 0777)
and character device files (all unused ptys are supposed to be 0666 so
including this in your find will clutter the output to the point of
unusability) 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: iptables logging

2001-07-23 Thread Jeff Coppock

Tamas TEVESZ, 2001-Jul-23 19:17 +0200:
 On Mon, 23 Jul 2001, Jeff Coppock wrote:
 
  other than /var/log/syslog.  I'd like these Rejected:  log
  messages to go into /var/log/iptables.log instead.  I can't
  figure out what changes to make to /etc/syslog.conf to make
  this happen.  Any help is appreciated.
 
 apt-get install syslog-ng
 
 traditional syslog can't do pattern matching and directing messages
 based on pattern whereas syslog-ng can.

   I've installed syslog-ng and I did some reading and searching.
   I tried to set up the syslog-ng.conf file, but it doesn't
   recognize the facility I set up for the firewall messages.  I
   inserted the following in their appropriate places and
   restarted syslog-ng and got a message about dropping an
   unrecognized facility:
 
   source -- used default source of 'src'
   destination firewall { file("/var/log/firewall.log"); };
   filter dropped { facility(Dropped); };  # iptables LOG prefix
   log { source(src); filter(dropped); destination(firewall); };
   
   Am I even close on the way this should be set up?
   
   thanks,
   jc

-- 

Jeff CoppockNortel Networks
Systems Engineerhttp://nortelnetworks.com
Major Accts.Santa Clara, CA






Re: umask for init

2001-07-23 Thread Sami J. Juvonen

Ethan Benson [EMAIL PROTECTED] writes:

 On Mon, Jul 23, 2001 at 04:53:55PM -0400, Dan Christensen wrote:
  I read that certain kernel versions don't set the umask for init
  correctly (2.4.6 is one of them, I think).  Does anyone know if
  a Debian system is susceptible to this problem, and if so, which
  files may have been created world-writable?
 
 solution: switch back to 2.2 kernels or upgrade to 2.4.7 which finally
 fixes this and sets the default umask back to 022.

You can also set the umask used by init to spawn processes in 
/etc/initscript. See initscript(5).

-sami.






Re: umask for init

2001-07-23 Thread Dan Christensen

Christian Jaeger [EMAIL PROTECTED] writes:

 I have put a line 'umask 022' at the top of /etc/init.d/rc to solve it
 (/etc/init.d/rcS already has a umask 022 command).

And presumably I need to reboot after doing this, right?

Dan






Re: iptables logging

2001-07-23 Thread dude



On Mon, 23 Jul 2001, Jeff Coppock wrote:

 
  iptables -A log -j LOG --log-prefix Rejected:  # be verbose in syslog
  iptables -A log -j delete # hand over package to delete
 


What more information does log prefix add to the log?

thankx


G








Re: iptables logging

2001-07-23 Thread Rich Rudnick

On Mon, 23 Jul 2001 19:27:06 dude wrote:
 
 
 On Mon, 23 Jul 2001, Jeff Coppock wrote:
 
  
   iptables -A log -j LOG --log-prefix Rejected:  # be verbose in syslog
   iptables -A log -j delete # hand over package to delete
  
 
 
 What more information does log prefix add to the log?


Without:  Jul 23 22:55:45 aias kernel: IN=eth0 OUT ...
With: Jul 23 22:55:45 aias kernel: Rejected: IN=eth0 OUT ...
   ^
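As an added example (mine, not from anyone in the thread) of what the prefix buys in practice: it is the only thing that distinguishes these REJECT log lines from other netfilter or kernel messages, so it is the hook a content-aware log router keys on. The Python below splits constructed syslog lines in the shape Rich showed into a separate firewall list and parses the IN=/SRC=/DST=/DPT= fields; the addresses, ports and MAC values are made up.

```python
"""Added example, not from the thread: route netfilter LOG lines by
their --log-prefix and parse their fields, which is what lets a
separate firewall log be built out of the shared kernel syslog stream."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape Rich showed ("Jul 23 22:55:45 aias
# kernel: Rejected: IN=eth0 OUT ..."); addresses, ports and MACs are made up.
SAMPLE_SYSLOG = """\
Jul 23 22:55:45 aias kernel: Rejected: IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3d:7a:11:08:00 SRC=192.0.2.17 DST=192.0.2.1 LEN=48 TTL=113 PROTO=TCP SPT=3456 DPT=80 SYN URGP=0
Jul 23 22:55:46 aias kernel: IN=eth0 OUT= MAC=... SRC=192.0.2.99 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jul 23 22:55:47 aias kernel: Rejected: IN=eth0 OUT= MAC=... SRC=192.0.2.17 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=3457 DPT=80 SYN URGP=0
Jul 23 22:55:48 aias kernel: eth0: link up, 100Mbps, full-duplex
Jul 23 22:55:49 aias kernel: Rejected: IN=eth0 OUT= MAC=... SRC=198.51.100.5 DST=192.0.2.1 LEN=28 PROTO=UDP SPT=53 DPT=1024 LEN=8
"""

# "<timestamp> <host> kernel: <prefix>IN=<rest>": the prefix is whatever
# text sits between "kernel: " and the first IN= field (empty when the
# LOG rule had no --log-prefix).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<rest>.*)$"
)
# KEY=value tokens; bare flags such as SYN or DF carry no '=' and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line: str) -> Optional[Dict[str, str]]:
    """Return the netfilter fields of one syslog line, or None when the
    line is a kernel message that did not come from the LOG target."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall("IN=" + m.group("rest")))
    fields["PREFIX"] = m.group("prefix").strip()
    fields["TS"] = m.group("ts")
    return fields


def route_by_prefix(syslog_text: str,
                    prefix: str = "Rejected:") -> Tuple[List[str], List[str]]:
    """Split syslog lines into (firewall_log, everything_else) by prefix.
    This is the content match syslog-ng can do and classic syslogd cannot:
    both kinds of line arrive with the same facility (kern) and priority."""
    firewall, other = [], []
    for line in syslog_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec is not None and rec["PREFIX"] == prefix:
            firewall.append(line)
        else:
            other.append(line)
    return firewall, other


def rejected_by_source(syslog_text: str) -> Dict[str, int]:
    """Count Rejected: entries per source address, the first thing a
    defender wants out of the separated firewall log."""
    firewall, _ = route_by_prefix(syslog_text)
    counts = Counter(parse_netfilter_line(l)["SRC"] for l in firewall)
    return dict(counts)


if __name__ == "__main__":
    fw, rest = route_by_prefix(SAMPLE_SYSLOG)
    print("%d firewall lines, %d other lines" % (len(fw), len(rest)))
    for src, n in sorted(rejected_by_source(SAMPLE_SYSLOG).items()):
        print("%-16s rejected %d time(s)" % (src, n))
```

syslog-ng does the same split with a match() filter on the message text; facility() only accepts syslog facility names such as kern, which is why a made-up facility is dropped as unrecognized.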






Re: Unidentified subject!

2001-07-23 Thread Olaf Meeuwissen

Nick Name [EMAIL PROTECTED] writes:

 Hi all. I run stable with some packages from testing (XFree86 4.02 and
 konqueror).
 
 Some weeks ago in the morning I found my computer had been rebooted
 during the night and found some zeroes in my syslog, just before the reboot.
 I first thought of a worm, the latest ramen variant (don't remember the
 name right now), but I didn't find any sign of it.
 
 I have changed my passwords; however, I am using ipchains. 
 
 Today my computer froze (!!!  It's a Debian, it really shouldn't :)
 ) and I found those zeroes again after pressing that big red button.

Hmm, sounds similar to what I experienced.  Have a look at

  http://lists.debian.org/debian-user-0106/msg01977.html

and follow-ups for details.  I finally ended up blaming it on a bad
graphics card, switched to using the frame buffer and haven't had any
trouble since.

Hope this helps,
-- 
Olaf Meeuwissen   Epson Kowa Corporation, Research and Development

 Free Software: `No walls, no windows!  No fences, no gates!'






Apache + ModSSL

2001-07-23 Thread A . Didit Mifanto
Dear Debian Security:

I have a problem configuring apache + mod_ssl on debian. 
I have already installed apache and mod-ssl from the debian site (potato), and in 
the apache error log I got:

[Mon Jul 23 11:07:10 2001] [notice] Apache/1.3.9 (Unix) Debian/GNU 
mod_ssl/2.4.10 OpenSSL/0.9.4 PHP/4.0.3pl1 configured --
resuming normal operations

My question is how to configure httpd.conf, so I can access my sites via 
https://www.mysite.com.
Is there any help or document on the debian sites that explains this configuration?


Thanks


Didit






Re: apt-get install apache (was red worm amusement)

2001-07-23 Thread Kenneth Pronovici
 Yes, but when you're upgrading your existing packages, and the
 dependencies have changed to such a degree to require *new* packages,
 that almost always implies a major change, such as a stable -> testing
 transition, not a security fix for a package in stable (which is what
 security.debian.org is for).  

Yes, that makes sense.  I guess my point is that from the manpage paragraph, 
this wasn't immediately clear, so I wouldn't be surprised if there are other
people who misinterpreted it the same way I did.

Thanks for the clarification.

KEN

--
Kenneth J. Pronovici [EMAIL PROTECTED]
Personal Homepage: http://www.skyjammer.com/~pronovic/
I have zero tolerance for zero-tolerance policies.





Re: umask for init

2001-07-23 Thread Christian Jaeger

At 16:53 Uhr -0400 23.7.2001, Dan Christensen wrote:

 Does anyone know if
 a Debian system is susceptible to this problem,

It is.

 and if so, which
 files may have been created world-writable?

Files from quite many servers: look in /var/run, for example (another 
place is /tmp).

I have put a line 'umask 022' at the top of /etc/init.d/rc to solve 
it (/etc/init.d/rcS already has a umask 022 command).

chj




Re: umask for init

2001-07-23 Thread Nick Name
On Mon, 23 Jul 2001 15:58:33 -0800 Ethan Benson [EMAIL PROTECTED] 
wrote:

 kernels 2.4.3 - 2.4.6 set the umask to 000 so any thread/process
 created by the kernel, including init started with umask 000 and
 remained that way unless init changed it itself.
 

Sincere thanks. I did not know of this bug and I have a machine running 
2.4.6.

For others, here's a quick way to test if you have the bug:

In /etc/inittab:

# Action on special keypress (ALT-UpArrow).
kb::kbrequest:/usr/bin/touch /tmp/crack_this_system_with_me

then, as root obviously:

telinit q

Then press Alt+UpArrow and 

ls -la /tmp/crack_this_system_with_me

If this is rw-rw-rw, well, you will agree, you have the feature
... er ... the bug! Tell me this and your IP, and do nothing else,
I'll repair your system :


More seriously, a quick fix could be, if you can't switch back to 2.2.19 or 
go forward to 2.4.7, to mv /sbin/init /sbin/good_init and put in /sbin/init 
a script like this (everything is untested, of course):

#!/bin/sh
# Wrapper installed as /sbin/init: set a sane umask, then hand over to the
# real init, which was moved to /sbin/good_init above.  The umask survives
# exec, so init and everything it spawns inherit 022 instead of 000.
umask 022
exec /sbin/good_init "$@"


Have fun!

Bye

Vincenzo Ciancia

--
Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia - 
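To tie together Ethan's `find / -perm +0002 ! -type l ! -type c` audit and Nick Name's touch-a-file test, here is an added Python example (mine, not from anyone in the thread): it reproduces the 0666 result in a scratch directory by creating a file under umask 000 versus 022, then audits the tree with the same exclusions as the find command. The scratch paths (a fake var/run with sshd.pid and cron.pid) are constructed for illustration.

```python
"""Added example, not from the thread: reproduce the 2.4.3-2.4.6 init
umask symptom in a scratch directory and audit it the way Ethan's find(1)
command does.  Only a temporary directory is touched; it is removed on
exit."""
import os
import stat
import tempfile
from typing import Dict, List


def create_with_umask(path: str, mask: int) -> int:
    """Create `path` requesting mode 0666 under umask `mask` and return the
    permission bits actually granted.  A daemon whose init inherited the
    kernel's umask 000 gets 0666 here; under a correct init (022) it gets
    0644.  The process's previous umask is restored afterwards."""
    old = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.lstat(path).st_mode)


def world_writable(root: str) -> List[str]:
    """Equivalent of `find ROOT -perm +0002 ! -type l ! -type c`: paths
    under ROOT with the others-write bit set, skipping symlinks (always
    0777) and character devices (unused ptys are 0666 by design).
    lstat() is used so a symlink is classified rather than followed."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode) or stat.S_ISCHR(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo() -> Dict[str, object]:
    """Build a scratch var/run with one pid file written under the buggy
    umask and one under the correct umask, plus a symlink the audit must
    ignore; return the modes granted and what the audit reports."""
    with tempfile.TemporaryDirectory() as root:
        run = os.path.join(root, "var", "run")
        os.makedirs(run)
        for d in (os.path.join(root, "var"), run):
            os.chmod(d, 0o755)  # directories are not the point of this test
        bad = create_with_umask(os.path.join(run, "sshd.pid"), 0o000)
        good = create_with_umask(os.path.join(run, "cron.pid"), 0o022)
        os.symlink("sshd.pid", os.path.join(run, "sshd.pid.lnk"))
        found = world_writable(root)
    return {"bad_mode": bad, "good_mode": good, "found": found}


if __name__ == "__main__":
    r = demo()
    print("umask 000 -> %04o, umask 022 -> %04o" % (r["bad_mode"], r["good_mode"]))
    print("world-writable, excluding symlinks and char devices:", r["found"])
```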


