what is this postponed publickey for user in the logs?

2006-08-15 Thread LeVA
Hi!

I'm using ssh with pubkey auth, works ok, but I get this strange (at 
least for me) message in the logs:

Aug 15 12:14:40 host sshd[26124]: Postponed publickey for user from ip 
port 35313 ssh2

I guess this is not an error, because I can log in, and nothing 
indicates that this is an error message, but I'm curious about what 
it means.

Maybe this is just a lost-in-translation thing, and I'm not getting 
the right meaning of that word. I've translated the English word 
postponed in this context to delayed. Is this right?

Thanks!

Daniel

-- 
LeVA


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



su - and su - what is the real difference?

2006-07-28 Thread LeVA
Hi!

Here comes a lame question yes I know, but I need to hear the 
experiences and opinions about this.
I've read thru a number of documents which described the differences 
between the real and effective user ids and I am now just wondering 
about this:

What is the difference (I mean in the real world) between running `su` 
(getting a non-login shell) and `su -` (getting a login shell)? Is 
there a security-related problem with any of the invocations above? AFAIK 
the real and effective uids are always set to 0 after both commands.

Thanks!

Daniel

-- 
LeVA





Re: su - and su - what is the real difference?

2006-07-28 Thread LeVA
2006. July 28. 16:04, Michael Marsh:
 On 7/28/06, LeVA [EMAIL PROTECTED] wrote:
  Here comes a lame question yes I know, but I need to hear the
  experiences and opinions about this.
  I've read thru a number of documents which described the
  differences between the real and effective user ids and I am now
  just wondering about this:
 
  What is the difference (I mean in the real world) between running
  `su` (getting a non-login shell) and `su -` (getting a login
  shell). Is there a security related problem with any of the
  invokings above? AFAIK the real and effective uids are always set
  to 0 after both commands.
 
 From the info pages for su:

 --- [ info su ]
 `-'
 `-l'
 `--login'
  Make the shell a login shell.  This means the following.  Unset
 all environment variables except `TERM', `HOME', and `SHELL' (which
 are set as described above), and `USER' and `LOGNAME' (which are set,
 even for the super-user, as described above), and set `PATH' to a
 compiled-in default value.  Change to USER's home directory. Prepend
 `-' to the shell's name, intended to make it read its login startup
 file(s).
 

 What this means is that if you just run su, you'll be left with the
 environment of the user from whose account you entered root's.  In
 particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset.
 If the user is malicious, he can get you to run different programs
 than you thought you were running.  That includes dynamically linking
 in (for example) a trojaned version of libc.  It's precisely because
 your euid becomes 0 that this is a problem, since the malicious user
 can set up a root-privileged back door.

So running su with the '-' option is safer than running without it?

Daniel


-- 
LeVA
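Michael's point above is that a plain `su` hands the calling user's environment to the root shell. The helper below is an added example, not code from the thread: it inspects the three variables he names (`PATH`, `LD_PRELOAD`, `LD_LIBRARY_PATH`) the way you would before escalating, and the function name and its rules are this example's own. `su -` remains the real fix, since it discards that environment entirely; the check only makes visible what would otherwise be carried across.

```shell
#!/bin/sh
# Added example, not from the thread: report what a plain `su` (no '-')
# would carry from the calling user's environment into the root shell.
# check_inherited_env PATH LD_PRELOAD LD_LIBRARY_PATH
#   returns 0 when nothing suspicious is found, 1 otherwise; findings go to stdout.
check_inherited_env() {
    path=$1 preload=$2 libpath=$3
    bad=0
    # Either loader variable survives into the root shell and redirects which
    # shared objects every dynamically linked command picks up (the "trojaned
    # libc" case from the thread).
    if [ -n "$preload" ]; then
        echo "LD_PRELOAD=$preload: root shell would preload this object into every dynamic binary"
        bad=1
    fi
    if [ -n "$libpath" ]; then
        echo "LD_LIBRARY_PATH=$libpath: library lookup diverted to a user-controlled directory"
        bad=1
    fi
    # Walk PATH: relative or empty entries mean the current directory is
    # searched, and a world-writable directory lets anyone plant a look-alike.
    old_ifs=$IFS
    IFS=:
    for d in $path; do
        case $d in
            /*)
                # -H follows a symlinked PATH entry (e.g. /bin -> /usr/bin) so the
                # target directory's mode is tested, not the link's
                if [ -d "$d" ] && [ -n "$(find -H "$d" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                    echo "PATH entry $d is world-writable"
                    bad=1
                fi
                ;;
            *)
                echo "PATH entry '$d' is relative: commands would resolve from the current directory"
                bad=1
                ;;
        esac
    done
    IFS=$old_ifs
    return $bad
}

# Stand-alone run: check the environment you are in right now.
if check_inherited_env "$PATH" "${LD_PRELOAD:-}" "${LD_LIBRARY_PATH:-}"; then
    echo "nothing suspicious inherited; 'su -' still drops all of it, so prefer it"
else
    echo "a plain su would inherit the above; use 'su -'"
fi
```

Run it as the user you are about to `su` from. The world-writable test is the one most people forget: a `PATH` that looks absolute and harmless can still contain a directory any local user may write to.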





Re: su - and su - what is the real difference?

2006-07-28 Thread LeVA
2006. July 28. 16:04, Michael Marsh:
 On 7/28/06, LeVA [EMAIL PROTECTED] wrote:
  Here comes a lame question yes I know, but I need to hear the
  experiences and opinions about this.
  I've read thru a number of documents which described the
  differences between the real and effective user ids and I am now
  just wondering about this:
 
  What is the difference (I mean in the real world) between running
  `su` (getting a non-login shell) and `su -` (getting a login
  shell). Is there a security related problem with any of the
  invokings above? AFAIK the real and effective uids are always set
  to 0 after both commands.
[snip]
 What this means is that if you just run su, you'll be left with the
 environment of the user from whose account you entered root's.  In
 particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset.
 If the user is malicious, he can get you to run different programs
 than you thought you were running.  That includes dynamically linking
 in (for example) a trojaned version of libc.  It's precisely because
 your euid becomes 0 that this is a problem, since the malicious user
 can set up a root-privileged back door.

And can you tell me why the $USER and the $LOGNAME variables get 
reset by su, no matter if I've invoked it with or without the '-' 
option?
Under OpenBSD (yes, yes I know this is not an obsd list :) if the target 
uid is 0, then su (without the '-') doesn't change the USER nor the 
LOGNAME variables.
Is this a minor thing and I'm just facing two coders who were not 
thinking the same when creating two different types of su programs; or 
are those the same su programs and there is some deeper evil lying 
behind those variables?

Daniel

-- 
LeVA





Re: su - and su - what is the real difference?

2006-07-28 Thread LeVA
2006. July 28. 17:03, Florent Rougon:
 LeVA [EMAIL PROTECTED] wrote:
  And can you tell me why the $USER and the $LOGNAME variables gets
  resetted by su, no matter if I've invoked it with or without the
  '-' option?

 Which suite are you testing this on?

 Here, on sarge, using su with the - sets USER to root but doesn't
 modify LOGNAME.

I'm using testing with
ii  login  4.0.17-2  system login tools

I'd prefer to keep at least the LOGNAME variable the same as the logged 
in user after su-ing.

Daniel

-- 
LeVA





editing new known_hosts files

2006-07-22 Thread LeVA
Hi!

I have reinstalled a server of mine, and now I need to remove its old 
pubkey from my $HOME/.ssh/known_hosts, but it is in the new format, 
so there are no hostnames which may indicate which pubkey belongs to which host.
How can I decrypt the known_hosts file?

Thanks!

Daniel

-- 
LeVA
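The "new format" in the question is what the `HashKnownHosts` client option produces, and it cannot be decrypted: each hostname is replaced by a salted HMAC, so the file can only be queried for a name you already know. The script below is an added example, not code from the thread or from OpenSSH's authors; it builds a throw-away hashed known_hosts (hostnames constructed, key generated on the spot as a stand-in for the old server key) and shows the two `ssh-keygen` modes that do the job: `-F` to find an entry and `-R` to remove it. All three function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. A hashed known_hosts line looks like
#   |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)> ssh-ed25519 AAAA...
# The hostname is hashed with a per-line salt, so nothing turns the file
# back into names; ssh-keygen instead hashes the name you ask about and
# compares. -F finds, -R removes, -H hashes a plain file.
# Host names below are constructed; the key is generated locally as a
# stand-in for the reinstalled server's old key.

# make_demo_known_hosts DIR -> writes DIR/known_hosts with two hashed entries
make_demo_known_hosts() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -f "$dir/hostkey" >/dev/null 2>&1
    key=$(cut -d' ' -f1,2 "$dir/hostkey.pub")       # "ssh-ed25519 AAAA..."
    printf 'oldserver.example.invalid %s\n' "$key"  > "$dir/known_hosts"
    printf 'otherbox.example.invalid %s\n'  "$key" >> "$dir/known_hosts"
    # rewrite every hostname into the hashed form (what HashKnownHosts yes does)
    ssh-keygen -q -H -f "$dir/known_hosts" >/dev/null 2>&1
    rm -f "$dir/known_hosts.old"                     # -H keeps an unhashed copy
}

# known_hosts_has FILE HOST -> 0 if FILE holds an entry (hashed or not) for HOST
known_hosts_has() {
    # -F prints "# Host ... found: line N" followed by the matching line(s);
    # in a hashed file the line still begins with |1|, so keep non-comments.
    ssh-keygen -F "$2" -f "$1" 2>/dev/null | grep -q '^[^#]'
}

# forget_host FILE HOST -> drops every entry for HOST; 0 on success
forget_host() {
    known_hosts_has "$1" "$2" || { echo "no entry for $2" >&2; return 1; }
    ssh-keygen -q -R "$2" -f "$1" >/dev/null 2>&1
    rm -f "$1.old"
    ! known_hosts_has "$1" "$2"
}

# Stand-alone demonstration
if command -v ssh-keygen >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_demo_known_hosts "$work"
    echo "hashed file:"; cat "$work/known_hosts"
    forget_host "$work/known_hosts" oldserver.example.invalid && echo "oldserver entry removed"
    echo "remaining:"; cat "$work/known_hosts"
    rm -rf "$work"
fi
```

For the real file, `ssh-keygen -R oldserver` (without `-f`) operates on `~/.ssh/known_hosts`; the first connection to the reinstalled host then records the new key, and that is the moment to compare its fingerprint against what the console shows rather than accepting blindly.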





can not connect to sshd

2006-05-23 Thread LeVA
Hi!

I'm experiencing this problem:

After my server has lost its internet connection, I can not ssh to it from 
our local network.
I get this in the auth.log:

sshd[10746]: Did not receive identification string from :::192.168.0.3

But that is all, I can not notice anything else in the log files.

Also, I can not connect from the server itself (localhost):
sshd[10797]: refused connect from localhost.localdomain (:::127.0.0.1)

My hosts.allow and hosts.deny files are configured to allow anything from 
LOCAL and from my network. After the internet connection comes back again, I 
can connect to the machine.

What could be the problem?

Thanks!

Daniel

-- 
LeVA





Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread LeVA
2006. May 23. 02:04,
Uwe Hermann [EMAIL PROTECTED]
- George Hein [EMAIL PROTECTED],debian-laptop@lists.debian.org, 
debian-security@lists.debian.org:
iptables -A INPUT  -j ACCEPT -s 127.0.0.1  # local host
iptables -A OUTPUT -j ACCEPT -d 127.0.0.1

 Correct me if I'm wrong, but I think this would also allow incoming
 traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
 his IP address to appear to be 127.0.0.1 could send _any_ traffic
 to you and you would ACCEPT it, basically rendering the firewall
 useless. Did I miss anything?

 The following should be better, as it only allows traffic to/from the
 loopback interface (but not eth0 or what have you)...

 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

But if one can spoof 127.0.0.1, then one can spoof anything else, so creating 
any rule with an ip address matching is useless. No? If I set up my firewall 
to accept only my local network (e.g. -s 192.168.0.0/255.255.255.0) connecting 
to a port (e.g. smtp), then anyone can spoof that too. So what's the point of 
creating rules? :)

Daniel

-- 
LeVA



Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread LeVA
2006. May 23. 10:06,
Rolf Kutz [EMAIL PROTECTED]
- debian-security@lists.debian.org,:
 * Quoting LeVA ([EMAIL PROTECTED]):
   iptables -A INPUT -i lo -j ACCEPT
   iptables -A OUTPUT -o lo -j ACCEPT
 
  But if one can spoof 127.0.0.1, then one can spoof anything else, so
  creating any rule with an ip address matching is useless. No? If I set up
  my firewall to accept only my local network (eg. -s
  192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then anyone
  can spoof that too. So what's the point of creating rules? :)

 The script under scrutiny was intended for a
 laptop. A router or firewall setup is something
 different and should not route traffic with
 spoofed addresses.  rp_filter should catch this
 easily, if you can use it. If not, an IP-based
 rule is ok, IMHO.

So sticking with the smtp example, if I have enabled rp_filter, then does it 
matter whether I'm using this:
iptables -A INPUT -p tcp -i lo --dport 25 -j ACCEPT

or this:
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 25 -j ACCEPT


Daniel

-- 
LeVA
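The two exchanges above come down to one rule and its supporting checks, shown here as an added example (not the script under review, and not Uwe's or Rolf's code): match the loopback interface rather than the loopback address, and back any address-based rule such as the LAN-only smtp one with the reverse-path filter Rolf mentions plus an explicit martian drop. `IPTABLES`, `SYSCTL`, `LAN_IF` and `LAN_NET` are this example's own variables; the first two default to `echo` so the rules can be previewed without root, and only `APPLY=1` as root actually applies them.

```shell
#!/bin/sh
# Added example: loopback rules keyed on the interface, plus the spoofing
# defences that make an address-based LAN rule (the smtp case) hold up.
# Default is a dry run that prints the commands; APPLY=1 as root applies them.
IPTABLES=${IPTABLES:-iptables}
SYSCTL=${SYSCTL:-sysctl}
LAN_IF=${LAN_IF:-eth0}             # assumed interface name
LAN_NET=${LAN_NET:-192.168.0.0/24} # LAN prefix from the thread

# What the thread argues against: the match is on the address only, so a
# packet arriving on eth0 with a forged 127.0.0.1 source fits it as well.
loopback_rules_by_address() {
    $IPTABLES -A INPUT  -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
}

# Preferred: key on the interface. Packets from other hosts never arrive on
# lo, whatever source address they carry.
loopback_rules_by_interface() {
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
}

# Address-based rules further down only make sense once forged sources are
# discarded: rp_filter drops packets whose source address would not be
# routed back out the interface they came in on, and the explicit rule
# drops loopback addresses that show up on a real interface.
antispoof() {
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    $SYSCTL -w net.ipv4.conf.default.rp_filter=1
    $IPTABLES -A INPUT -i "$LAN_IF" -s 127.0.0.0/8 -j DROP
}

build_firewall() {
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    loopback_rules_by_interface
    antispoof
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the smtp example: LAN-only, now backed by rp_filter and the martian rule
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 -j ACCEPT
}

# Stand-alone: print the rules unless explicitly told to apply them as root.
if [ "${APPLY:-0}" != 1 ] || [ "$(id -u)" -ne 0 ]; then
    IPTABLES=echo SYSCTL=echo
fi
build_firewall
```

With `rp_filter` on, the two smtp rules from the second message behave differently for a different reason: `-i lo --dport 25` admits local delivery only, while `-s 127.0.0.1 --dport 25` admits nothing useful at all once the kernel has discarded forged loopback sources on `eth0`, so the interface form is the one that expresses what you actually mean.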



tuning the samba log file

2005-07-28 Thread LeVA
Hi!

I have this entry in my smbd.log file:

[2005/07/28 15:38:03, 2] smbd/open.c:open_file(245)
  nobody opened file /elite/rewrites_01 read=Yes write=No (numopen=3)


But how can I configure samba to log the remote host or IP, or anything from 
which I could trace who is copying from me?

Thanks!

Daniel


-- 
LeVA





getting the MAC address from an ip

2005-06-24 Thread LeVA
Hi!

How can I get a machine's MAC address, if I only know its IP?

Thanks!

Daniel

-- 
LeVA





Re: which pop3/imap secure method should I use?

2005-06-14 Thread LeVA
2005. June 14. 07:57,
Radu Spineanu [EMAIL PROTECTED]
- debian-security@lists.debian.org,:
 Ian Eure wrote:
  On Monday 13 June 2005 04:41 pm, LeVA wrote:
  I don't see why it would be helpful, unless you're trying to keep

 your info

  secret from a determined/resourceful attacker. But an attacker like that
  would probably get it anyways.
 
  I use TLS  PLAIN, and encrypt/sign my messages with GPG for my business
  email, and I think that's plenty secure for my needs.

 That would make it very easy for a sniffer running ettercap for example
 to do a MiTM attack.

 And of course the certificate is changed a little, but 80% of users
 ignore this change and click yes on whatever is shown just to read their
 emails, not knowing what this could lead to.

 Also an attacker could alter that data the server sends so that it
 doesn't advertise cram-md5 as an authentication method but this is more
 advanced.

 Doing a simple MiTM in ettercap is script kiddie friendly.

What does this MiTM attack mean?

Daniel

-- 
LeVA



which pop3/imap secure method should I use?

2005-06-13 Thread LeVA
Hi!

I've configured a courier-imap server with pop3(-ssl) and imap(-ssl) support.
Now I can not decide which combination of methods is the most secure (first of 
all) and most useful (lastly) for me.

The courier server supports both SSL and TLS, and I can use PLAIN and CRAM-MD5 
methods for authentication.

My mail user agent supports all of the above, so I would really appreciate if 
someone could tell me which configuration is the most secure way.

Thanks!

Daniel

-- 
LeVA





Re: which pop3/imap secure method should I use?

2005-06-13 Thread LeVA
2005. June 14. 01:36,
Ian Eure [EMAIL PROTECTED]
- debian-security@lists.debian.org,:
 On Monday 13 June 2005 04:23 pm, LeVA wrote:
  Hi!
 
  I've configured a courier-imap server with pop3(-ssl) and imap(-ssl)
  support. Now I can not decide which combination of methods is the most
  secure (first of all) and most usefull (lastly) for me.
 
  The courier server supports both SSL and TLS, and I can use PLAIN and
  CRAM-MD5 methods for authentication.
 
  My mail user agent supports all of the above, so I would really
  appreciate if someone could tell me which configuration is the most
  secure way.

 TLS and SSL are equally secure. TLS is easier on your system's resources;
 Courier-IMAP runs a separate daemon for SSL connections, which you don't
 need if you use TLS.

 PLAIN is easier to set up. IIRC, CRAM-MD5 requires a separate password
 file. Shouldn't be a risk if you're only using PLAIN over TLS.

I understand that with TLS or SSL the clear text passwords are secured, so do 
you think that an SSL + CRAM-MD5 combination is just a useless complication 
of the problem, and I should stay with the SSL (or TLS) + clear text auth or 
with the no connection encryption + CRAM-MD5 auth?

Daniel

-- 
LeVA



secure ident daemon

2005-03-19 Thread LeVA
Hi!

Can someone please suggest a secure ident daemon to me? I can not choose from the 
apt search list.

Thanks!

Daniel

-- 
LeVA





upgrading sendmail package when postfix installed

2004-10-11 Thread LeVA
Hi!

I have installed postfix from sources a while ago, and now there is a 
security update for sendmail. As you probably know, I can not remove 
the sendmail package (although I'm not using it), because it would 
remove apache and many other packages which are depending on an MTA. So 
can I fake the sendmail installation, so apt-get would see that 
sendmail has been upgraded, or do I have to upgrade sendmail (for security 
reasons) and then re-install postfix all over again?

Thanks!

Daniel


-- 
LeVA





vsftpd virtual user

2004-08-15 Thread LeVA
Hi!

Would anyone recommend me a nice howto about setting up virtual users 
with vsftpd? I am specifically curious about how to (and where to) 
create the virtual user's passwd (and maybe shadow) file. The virtual 
user's options in vsftpd.conf seem to be clear, and understandable, 
but I can not figure out how to make those passwd files.

Thanks!

Daniel

-- 
LeVA






Re: logging samba access

2004-06-06 Thread LeVA
On 2004. June 6. 13:16, Dariush Pietrzak wrote:

  The problem is - in order to see file/dir accesses you need to
 increase log level in smb.conf.
  This sounds innocent enough unless you actually do it - the level in
 which you see those accesses is one of 'DEBUG' ones, and you get GIGs
 of logfiles per day/hour, and then parsing this becomes a nightmare.

  So simple task like finding who created this 'John Doe is f***ing
 faggot' with porn on your samba fileserver is not as easy as with ftp
 servers (this is partly because of protocol nature, but not that much
 ).

 btw, I'd be very interested if someone knew solution to this that
 does not require modifying samba source and then maintaining your own
 packages...
I think increasing the log level is quite enough for me.


Thanks!


Daniel


-- 
LeVA





logging samba access

2004-06-06 Thread LeVA
Hi!

Is it possible to log the file/dir accesses to a samba server? I.e. I have 
a share, and when someone mounts it (from win or unix) and accesses files, 
or writes files, I want samba to log it to the smb.log. Is this possible?

Thanks!


Daniel

-- 
LeVA







what process is using a port

2004-05-03 Thread LeVA
Hi!

Is there a way to figure out what program is using a port? For example I 
want to know which process is using port 80. How can I do this?

P.S.: and another tiny question: Is it possible to see if a symlink is 
pointing at a given file?

Thanks!

Daniel

-- 
LeVA
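Both questions in the message above, as an added example (not code from the thread or from the replies it received). On a Debian box the short answers are `fuser -n tcp 80`, `netstat -tlnp` or `lsof -i :80`; the script shows what those tools read, so that the result can be checked by hand on a machine where they are absent or not trusted. It is Linux-specific (`/proc/net/tcp`, `/proc/PID/fd`, `/proc/PID/comm`), and the function names and sample table are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find the process behind a listening
# TCP port by reading /proc directly (Linux only), and test whether a
# symlink resolves to a given file.

# listening_inodes TABLE PORT -> socket inode(s) in state LISTEN (0A) on PORT
# TABLE is a file in /proc/net/tcp format: local address is "HEXIP:HEXPORT",
# so 0050 is port 80; the inode is the 10th column.
listening_inodes() {
    hexport=$(printf '%04X' "$2")
    awk -v p="$hexport" '
        NR > 1 && $4 == "0A" && substr($2, index($2, ":") + 1) == p { print $10 }
    ' "$1"
}

# port_owner PORT -> "PID COMM" lines for processes holding a listening
# socket on PORT. Walking /proc/*/fd only shows your own processes unless
# run as root; /proc/PID/comm exists since Linux 2.6.33.
port_owner() {
    for table in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$table" ] && listening_inodes "$table" "$1"
    done | while read -r ino; do
        [ -n "$ino" ] || continue
        for fd in /proc/[0-9]*/fd/*; do
            if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$ino]" ]; then
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
            fi
        done
    done | sort -u
}

# symlink_points_to LINK FILE -> 0 if LINK ultimately resolves to FILE
# (readlink -f canonicalises both sides, so chains of links compare equal)
symlink_points_to() {
    [ -L "$1" ] || return 1
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# Stand-alone: who listens on port 80 here?
echo "port 80:"; port_owner 80
```

A socket whose inode appears in the table but in no visible `/proc/PID/fd` is the interesting case for a defender: either you lack permission to see that process, or nothing in the process list admits to owning it, which is worth a second look with root.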





Re: what process is using a port

2004-05-03 Thread LeVA
Wow, thanks for all the answers. I really appreciate it!

Daniel


-- 
LeVA







restricting process limit

2004-04-26 Thread LeVA
Hi!

I'm using spamassassin on my system (Pentium-MMX 233 w/ 160Mb RAM), and 
it works fine, if I get a small amount of messages. But when I get a lot 
of messages, the ultra-fast 233MHz processor can not take it, and it 
gets very slooow.
My setup looks like this:

I have a 'spam' user, and I've set up postfix, to run a tiny little 
script as this 'spam' user. This script accepts messages thru the 
stdin, and it filters the message thru the spamd daemon with the spamc 
client. After the filtering, it sends the message using the 
'sendmail' (postfix's sendmail) program.

So when I'm getting a large amount of messages there are approx. 15-20 
spamc/spamd running. I want to limit this to ~5. How can I do this? The 
spam user's passwd entry looks like this:

spam:x:2528:2528:spamd:/no/where:/no/shell

It has no shell, so I can not use the ulimit function in bash. But what 
else could I do?

Thanks a lot!

Daniel



-- 
LeVA



syslog.conf question

2004-04-18 Thread LeVA
Hi!

I'm trying to exclude my mailsystem's logs from the /var/log/syslog 
file. I've changed this line in /etc/syslog.conf:
*.*;auth,authpriv.none  -/var/log/syslog

to:

*.*;auth,authpriv.none;mail.!*  -/var/log/syslog

After this, I have the mail log lines:

mail.*  -/var/log/mail/mail.log
mail.info   -/var/log/mail/mail.info
mail.warn   -/var/log/mail/mail.warn
mail.err-/var/log/mail/mail.err

But if I change the syslog line, then the mail system doesn't log 
anywhere. And if I switch it back, then it will log to the syslog and 
the /var/log/mail/ dir too. What did I do wrong?

Thanks!

Daniel



-- 
LeVA
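In sysklogd's syslog.conf the documented way to keep a facility out of a catch-all line is the `none` priority, the same construct the question's own line already uses for `auth,authpriv`. The script below is an added example, not from the thread: it shows the working selector beside the attempted one and provides a small check, `catchall_without`, that lists every catch-all line not excluding a given facility, so an edited syslog.conf can be validated before syslogd is restarted. The function name and the sample files are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Working form of the line from the
# question, using the `none` priority to exclude the mail facility:
#
#   *.*;auth,authpriv.none;mail.none   -/var/log/syslog
#   mail.*                             -/var/log/mail/mail.log
#
# catchall_without FILE FACILITY prints every non-comment line whose
# selector contains a *.* component but no FACILITY.none exclusion.
catchall_without() {
    awk -v fac="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            n = split($1, comps, ";"); catchall = 0; excluded = 0
            for (i = 1; i <= n; i++) {
                # "auth,authpriv.none" -> fp[1] facility list, fp[2] priority
                split(comps[i], fp, ".")
                if (fp[1] == "*" && fp[2] == "*") catchall = 1
                m = split(fp[1], facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac && fp[2] == "none") excluded = 1
            }
            if (catchall && !excluded) print FILENAME ":" FNR ": " $0
        }
    ' "$1"
}

# Stand-alone: compare the attempted selector with the working one
tmp=$(mktemp)
printf '%s\n' '*.*;auth,authpriv.none;mail.!*   -/var/log/syslog' > "$tmp"
echo "mail.!* form:"; catchall_without "$tmp" mail
printf '%s\n' '*.*;auth,authpriv.none;mail.none -/var/log/syslog' > "$tmp"
echo "mail.none form (nothing expected):"; catchall_without "$tmp" mail
rm -f "$tmp"
```

The check is deliberately narrow: it only reasons about `*.*` catch-alls and the `none` priority, which covers the case in the question. Run it against `/etc/syslog.conf` for `mail`, `auth` and `authpriv` after any edit; the auth facilities matter most, since a catch-all that stops excluding them leaks authentication events into a file with looser permissions.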








can not kill a process

2004-04-13 Thread LeVA
Hi!

I have a process running, and I can not kill it. Really weird.
See:

# ps ax
 2965 ?RW 3:21 [nopromo]
# kill -9 2965
# ps ax
 2965 ?RW 3:21 [nopromo]
#

You see, I've killed it, but it is still there. What should I do? I 
don't want to reboot the machine.

Thanks!

Daniel


-- 
LeVA









Re: passwords changed?

2004-04-11 Thread LeVA
On 2004. April 11. 06:21, Noah Meyerhans wrote:
 On Sat, Apr 10, 2004 at 09:19:00PM +0200, LeVA wrote:

 Only as ftp.  But there have been a number of locally exploitable
 kernel vulnerabilities fairly recently, and an attacker could use one
 of these to obtain root access once they had shell access as a
 non-root user. Are you running a safe kernel?

 noah
I always compile the latest stable 2.4 kernel with loadable modules 
disabled, but I don't apply any kernel patches.
Is this safe, or must I apply some security patch?

Thanks!

Daniel

-- 
LeVA




Re: passwords changed?

2004-04-10 Thread LeVA
On 2004. April 10. 18:09, [EMAIL PROTECTED] wrote:
 Proftp was vulnerable to this one:
 http://www.kb.cert.org/vuls/id/405348 but I don't consider it a high
 risk, because someone would have to upload the file. The passwords
 were reasonably secure.

Hi!

I am just curious: if my proftpd runs as user 'ftp', then could the one 
who uses this vulnerability only run arbitrary code as user ftp, 
or as root?

Thanks!

Daniel

-- 
LeVA



chrooted apache-ssl

2004-04-09 Thread LeVA
Hi!

I have configured a chrooted apache server and it works fine. But the 
apache-ssl doesn't seem to be working as good as the apache.
I can start it, but when I try to connect to it with a browser, I get 
these in my apache-ssl error log:
[notice] caught SIGTERM, shutting down
/usr/lib/apache-ssl/gcache started
[error] (2)No such file or directory: mod_mime_magic: can't read magic 
file /etc/apache-ssl/share/magic
/usr/lib/apache-ssl/gcache started
[error] (2)No such file or directory: mod_mime_magic: can't read magic 
file /etc/apache-ssl/share/magic
[notice] Apache/1.3.26 Ben-SSL/1.48 (Unix) Debian GNU/Linux configured 
-- resuming normal operations
[notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache-ssl/suexec)
[notice] Accept mutex: sysvsem (Default: sysvsem)
[error] SSL_accept failed
[error] error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or 
bad record mac
[error] SSL_accept failed
[error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
[error] SSL_accept failed
[error] error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or 
bad record mac
[error] SSL_accept failed
[error] error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or 
bad record mac
[error] SSL_accept failed
[error] error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or 
bad record mac
[error] SSL_accept failed
[error] error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or 
bad record mac

I don't think that it misses lib files, because I've run ldd on 
apache-ssl, and I have all the necessary lib files under my chroot 
environment.
I've restarted apache-ssl with 'strace /etc/init.d/apache-ssl' but I can 
not see any misconfiguration or error.
Maybe it misses some device file?
What else could be the problem?

Thanks!

Daniel

-- 
LeVA



get ip from samba

2004-04-08 Thread LeVA
Hi!

Is there a way to get a machine's ip address, if I only know its 
netbios name?
With 'smbtree -S' I see a machine with the name 'LEVA':

$ smbtree -S
Password:
CMD
   \\LEVA  LeVA - Samba Server (3.0.2a-Debian)

But I want to know its ip address. I don't know how to get the netbios name 
from an ip address either :) Maybe someone could tell me this too.

Thanks!

Daniel

-- 
LeVA







can't see anything with 'w'

2004-04-07 Thread LeVA
Hi!

I've just managed to mess up my system :)
But I did a lot of things, and now I don't know what is causing this 
problem:

[EMAIL PROTECTED]:~$ w
 11:12:52 up 26 days, 17:02,  0 users,  load average: 0.04, 0.19, 0.22
USER TTY  FROM  LOGIN@   IDLE   JCPU   PCPU  WHAT
[EMAIL PROTECTED]:~$

I can not see the logged in users. I didn't install any kernel patches, 
and although I can see everything with 'ps ax', and I have read access 
to the /proc dir, the 'w' command isn't working.

I thought that it would be something with the /var/log files, so I 
temporarily switched the attributes to 664 on all files, but still can 
not display the logged in users.

Any ideas?

Thanks!

Daniel

-- 
LeVA





Re: can't see anything with 'w'

2004-04-07 Thread LeVA
On 2004. April 7. 11:36, José Luis Ledesma wrote:
 Hi!

I have never seen this before, but perhaps you can do a:
$strace w
to see what w is doing


  HTH,

 José Luis Ledesma
 ___
 Competitiveness
 Telephone: +34 93 582 02 90
 Email: [EMAIL PROTECTED]
 Website: http://www.competitiveness.com



Hi!

Thanks! I had to switch the /var/run/utmp file to o=r. Now it works.

Daniel

-- 
LeVA







Re: [ [Dri-devel] XFree86 local root exploit]

2004-02-14 Thread LeVA
On 2004. February 12. 19:45, Ryan Underwood wrote:

Thanks a lot!

Daniel

-- 
LeVA



blocking AXFR record query

2004-01-28 Thread LeVA
Hi!

Could anyone tell me how I could deny the AXFR record query on my bind 
server? I'm looking for some global variable, not specifying it 
per-address.

Thanks!

Daniel

-- 
LeVA



cvs newpg compile error

2004-01-08 Thread LeVA
Hi!

Anybody experiencing this compile problem with the cvs newpg?

newpg/$./autogen.sh

--###--
Running aclocal
Running autoheader...
configure.ac:358: error: `po/Makefile.in' is already registered with 
AC_CONFIG_FILES.
autoconf/status.m4:844: AC_CONFIG_FILES is expanded from...
configure.ac:358: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
autoheader: /usr/local//bin/autom4te failed with exit status: 1
Running automake --gnu -a
configure.ac:358: error: `po/Makefile.in' is already registered with 
AC_CONFIG_FILES.
autoconf/status.m4:844: AC_CONFIG_FILES is expanded from...
configure.ac:358: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
configure.ac: no proper invocation of AM_INIT_AUTOMAKE was found.
configure.ac: You should verify that configure.ac invokes 
AM_INIT_AUTOMAKE,
configure.ac: that aclocal.m4 is present in the top-level directory,
configure.ac: and that aclocal.m4 was recently regenerated (using 
aclocal).
configure.ac: installing `./install-sh'
configure.ac: installing `./missing'
automake: no `Makefile.am' found or specified
Running autoconf
configure.ac:358: error: `po/Makefile.in' is already registered with 
AC_CONFIG_FILES.
autoconf/status.m4:844: AC_CONFIG_FILES is expanded from...
configure.ac:358: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
--###--

I've successfully compiled the cvs libgpg-error, libksba, libgcrypt, 
libassuan and dirmngr sources before that newpg. What could be the 
problem with it?

Thanks!

Daniel


-- 
LeVA



Re: GnuPG can not read some pgp signatures

2004-01-07 Thread LeVA
On Wednesday 07 January 2004 08:34, Adrian 'Dagurashibanipal' von 
Bidder wrote:
 Clinging to sanity, LeVA mumbled in his beard:
  Reason: No appropriate crypto plug-in was found.

 Hi,

 I guess that your problem is NOT idea, but inline gpg signed msgs
 (like this one) versus PGP/MIME signed messages.

Not really. Your messages don't produce that No appropriate crypto 
plug-in was found. message. For your mail, KMail says this:

Message was signed with unknown key 0xE5A7F7D6.
The validity of the signature cannot be verified.

There are some emails which have an attached *.asc file. For these 
mails, KMail says this:

The message is signed, but the validity of the signature can't be 
verified.
Reason: No appropriate crypto plug-in was found.

Any idea?

Daniel



> There are currently no official gpg-agent and pinentry Debian
> packages, so you'll need to either get some unofficial ones (did
> anybody do any lately? I think Ralf Nolden's packages are not online
> anymore), or compile the software yourself as per [1] (last I tried,
> I had to disable threading on some components. But it's been a while,
> and new releases of most parts are out, so I don't know what the
> current status is).
>
> Greetings
> -- vbi
>
> [1] http://kmail.kde.org/kmail-pgpmime-howto.html
>
> --
> Protect your privacy - encrypt your email:
> http://fortytwo.ch/gpg/intro

-- 
LeVA



GnuPG can not read some pgp signatures

2004-01-06 Thread LeVA
Hello!

I installed KMail a few days ago, and with it I installed the 
GnuPG program too. But some of the signatures can not be read by gpg.
There are some messages which have a signature.asc attached, but KMail 
writes this in the message window:
The message is signed, but the validity of the signature can't be 
verified.
Reason: No appropriate crypto plug-in was found.

And when I save the attached signature, and run cat signature.asc | gpg 
--import, I get these messages:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

But sometimes I get messages which also have a signature file attached, 
and they can be verified by KMail, and the signatures can be imported 
with gpg. For example these keys:

http://www.debian.org/security/keys.txt

I can import those keys, and KMail can verify these keys, when I'm 
getting emails from those guys.

What could be the problem with the other signature files? If it helps, I 
can send you a signature, which is not working.

Thanks for the help!


Daniel

-- 
LeVA


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: GnuPG can not read some pgp signatures

2004-01-06 Thread LeVA
On 6 January 2004 18:26, Lukas Ruf wrote:
> I assume the keys you try to make use of are for PGP 2.x -- thus they
> require idea.  As far as I found on the web, the gpg-idea package
> somehow vanished.  See my question I posted five minutes ago.

But there aren't any gpg-idea packages anywhere. I mean, isn't there a 
hp for that idea plugin? On the www.gnupg.org site, there isn't any 
info about this plugin. Where can I download the sources of this idea 
plugin?

Daniel



> wbr,
> Lukas
> --
> Lukas Ruf   | Wanna know anything about raw |
> http://www.lpr.ch | IP? - http://www.rawip.org |
> eMail Style Guide: http://www.rawip.org/style.html|

-- 
LeVA





Re: GnuPG can not read some pgp signatures

2004-01-06 Thread LeVA
On 6 January 2004 19:17, J.H.M. Dassen (Ray) wrote:
> On Tue, Jan 06, 2004 at 19:06:50 +0100, LeVA wrote:
> > But there are not any gpg-idea packages anywhere.
>
> IDEA is patent encumbered in much of Europe, including The
> Netherlands where non-us.debian.org is hosted and apparently Germany
> where ftp.gnupg.org is hosted (AFAIK).
>
> > On the www.gnupg.org site, there aren't any info about this plugin.
>
> ftp://ftp.gnupg.org/gcrypt/contrib/README.idea leads you to
>   ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz

A quote from that .c file:

"however we suggest to avoid this algorithm entirely due to 
interoperability problems."

Then it is not about my wrong configuration, or my problem if I cannot 
use those signatures, right? This is the other partner's problem, that 
he/she uses an algorithm which is not international?

Am I right?

Daniel

> and
>   ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz.sig
>
> Comments in the .c file explain how to build/use it.
>
> HTH,
> Ray
> --
> Text processing doesn't matter.  Fortran.
>   Larry Wall on common fallacies of language design

-- 
LeVA





creating password for a shadow file

2003-12-01 Thread LeVA
Hello!

I need to add users to a passwd/shadow file, but these files do not
reside in the /etc dir. Thus I can not use the adduser or useradd tool to
add the users, because then they will be added to the /etc/passwd|shadow 
file, and my passwd/shadow files are in another directory. These 
passwd/shadow files are used by an ftp server. I have managed to create 
a passwd file, and wrote the user name and uid, and homedir etc... by 
hand. The shadow file's passwords must be encrypted with md5. So I used 
the 'htpasswd' program to create a password for the user.  I typed:

htpasswd -m shadow.ftp user

The problem is that this program doesn't create a password like the one
the adduser program creates and puts into the /etc/shadow file. When I 
try to login with 'user' via ftp (using the newly created shadow file),
it says username and/or password was not accepted, so the password 
generation didn't work.

'htpasswd -bmn user password' output:

user:$apr1$DlJ9I...$E8VL0rjQKdl1pVgH2q10C.

'adduser user' (with same password as above) output:

user:$1$NR.fOvEF$.hOr7l7msiIfz6sP4l0yS/

As you can see they don't match.
So my question is: is it possible to create passwords for a shadow 
file with a command line tool? Is this htpasswd the right tool for this, 
and I just can not use it? Or if this is not possible, then how can I 
specify another destination shadow/passwd file for the adduser/useradd 
program?

Thanks!

Daniel

--
LeVA
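The two hashes in the post differ because the magic string ("$1$" for crypt(3)'s MD5 scheme, "$apr1$" for what htpasswd -m emits) is fed into the digest itself, so htpasswd output can never equal what adduser writes and cannot be rewritten into the other form; it has to be regenerated with the "$1$" magic. The Python below is an added example, not code from the thread or from htpasswd, adduser or any ftp server: it implements MD5-crypt with a selectable magic, verifies a password against a stored hash by reusing its salt and magic, and emits a shadow-style record for a file kept outside /etc. The function names, the salt generator and the sample passwords are this example's own.

```python
# Added example (not from the thread): MD5-crypt as used in /etc/shadow ("$1$")
# and the Apache variant htpasswd -m emits ("$apr1$"). The magic is hashed in,
# which is why the two records in the post differ for the same password.
import hashlib
import secrets
import time

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s base-64 variant: least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Return magic + salt + '$' + 22-char digest, as crypt(3) does for $1$.

    magic is "$1$" for shadow-style hashes or "$apr1$" for Apache's htpasswd.
    The salt is truncated to 8 characters, matching the C implementation.
    """
    pw = password.encode()
    salt_b = salt.encode()[:8]
    ctx = hashlib.md5(pw + magic.encode() + salt_b)
    # Alternate digest of pw+salt+pw, mixed in one byte per password byte.
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # For each bit of the password length, add a NUL or the first password byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 fixed rounds of stretching, each re-mixing salt and password.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return magic + salt_b.decode() + "$" + encoded


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet (assumed helper, not a system API)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def verify(password: str, hashed: str) -> bool:
    """Recompute with the salt and magic taken from the stored hash."""
    for magic in ("$apr1$", "$1$"):
        if hashed.startswith(magic):
            salt = hashed[len(magic):].split("$", 1)[0]
            return secrets.compare_digest(md5_crypt(password, salt, magic), hashed)
    raise ValueError("not an MD5-crypt hash: " + hashed)


def shadow_line(user: str, password: str, salt: str = "") -> str:
    """One shadow-style record: user:hash:lastchange:min:max:warn:::"""
    hashed = md5_crypt(password, salt or new_salt())
    last_change = int(time.time() // 86400)   # days since the epoch
    return f"{user}:{hashed}:{last_change}:0:99999:7:::"


if __name__ == "__main__":
    # Sample password constructed for the demo.
    print(shadow_line("user", "correct horse"))
    print(md5_crypt("correct horse", "abcdefgh", "$apr1$"))
```

verify() accepts both magics, so the same routine checks an htpasswd line and a shadow line; the point of the thread is that the consuming program only checks one of them. MD5-crypt has a fixed 1000 rounds and no tunable cost, so where the consuming program accepts them, the $5$/$6$ SHA-crypt schemes or bcrypt are what to generate today.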




kind of virtual server

2003-11-09 Thread LeVA
Hello!

Is it possible to make some kind of a little virtual server inside a
debian box? I want to run a separate sshd (for example on port ),
and when someone connects to it, it reads the passwd file, and the
shadow file from a different directory than /etc (for example
/users/etc). And under that /users dir there will be another home dir
for the users who connect to the  port, and a separate /bin and so
on. I thought that I could make this by installing everything (sshd,
apache, etc...) under that /users dir, and after that chrooting to
/users. But how can I set up debian to read a different shadow/passwd
file right after the connection (not after chrooting to /users/)?
Thanks!

Daniel

--
LeVA




sendmail + mailscanner

2003-04-14 Thread LeVA

Hello!

I know this is not especially a security topic, but I need to do this for 
my security :))
I'm using sendmail, and I want to use mailscanner and spamassassin with 
it. I don't know how to configure sendmail to work with mailscanner. The 
mailscanner howtos are very outdated, and on the mailscanner 
homepage there are the same howtos.
So, if someone knows what I should do to make sendmail work with 
mailscanner, please let me know.


Thanks.

Levai Daniel
[EMAIL PROTECTED]





Re: [despammed] ptrace

2003-03-23 Thread LeVA
Hello!

Thanks, that was the problem. The patch works fine.

Ed McMan wrote:
> Saturday, March 22, 2003, 8:26:44 PM, [EMAIL PROTECTED] (debian-security) wrote:
>
> LeVA> So it droped me a root shell. Well it is not good I think, after the 
> LeVA> patch...
>
> People have been saying that one of the exploits gives itself suid
> root after working successfully, so try deleting the executable and
> recompiling.
> ---
> | Eddie J Schwartz [EMAIL PROTECTED] http://www.m00.net |
> | AIM: The Cypher ICQ: 35576339 YHOO: edmcman2 MSN:[EMAIL PROTECTED]  |
> | SMS: [EMAIL PROTECTED] We Trills have an expression--   |
> |  at forty, you think you know everything. At four hundred   |
> |  hundred, you realize you know nothing. - Dax, ST-DS9  |
> ---







Re: PTRACE Fixed?

2003-03-22 Thread LeVA
Hello!

Is the 2.4.20 kernel vulnerable to this exploit?

Phillip Hofmeister wrote:
> All,
>
> I just patched my kernel with the patch available on kernel.org.  I
> downloaded, compiled and ran the km3.c exploit for this bug.  How can I
> tell if the exploit failed or not?  When I run the exploit as non-root
> it keeps starting children over and over again.  When I run it as root
> it does the following:
> Linux kmod + ptrace local root exploit by [EMAIL PROTECTED]
>
> = Simple mode, executing /usr/bin/id  /dev/tty
> sizeof(shellcode)=95
> = Child process started..
> = Child process started.+ 2131
> uid=0(root) gid=0(root) groups=0(root)
> - 2131 ok!
> As non-root:
>
> Linux kmod + ptrace local root exploit by [EMAIL PROTECTED]
>
> = Simple mode, executing /usr/bin/id  /dev/tty
> sizeof(shellcode)=95
> = Child process started..
> = Child process started..
> = Child process started..
> = Child process started..
> = Child process started..
> = Child process started..
> = Child process started..
> = Child process started..
> = Child process started..
> = Child process started..
> = Child process started..
> Does this mean the patch I downloaded worked?
>
> Thanks,







ptrace

2003-03-22 Thread LeVA
Hello!

I have patched my kernel (2.4.20) with this patch: 
http://www.kernel.org/pub/linux/kernel/v2.4/testing/cset/cset-1.1076.txt
It compiled correctly.
Now I have downloaded the km3.c and isec-ptrace-kmod-exploit.c
The km3.c doesn't write the OK! stuff, and it could run forever starting 
child processes...
But the 'isec-ptrace-kmod-exploit.c' runs like this:
$ ./isec-ptrace-kmod-exploit
sh-2.05a#

So it dropped me a root shell. Well it is not good I think, after the 
patch...

I heard another way to stop this exploit:

The /proc/sys/kernel/modprobe contains a path for the modprobe 
executable. If I change it to /var/tmp for example, the exploit won't work.

Now this is true on most of my boxes. I didn't need to patch my kernels, 
because this workaround helped me.
But on one box, this doesn't work either.
So, to be clear: I have a box with a 2.4.20 (patched) kernel, and the 
exploit works fine.
What should I do?

Sorry for my terrible English, I hope you understand the gist of the 
message.

Daniel
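The workaround in the post makes the kernel's module-loading helper unrunnable: whenever the kernel needs a module it executes the program named in /proc/sys/kernel/modprobe, and pointing that at a directory such as /var/tmp means there is nothing for it to run. The Python below is an added example, not code from the thread or from the kernel project: it reads that sysctl, classifies what it finds, and can apply the /var/tmp value the post describes (writing to the real /proc needs root). The function names and the scratch-file demo are this example's own assumptions.

```python
# Added example (not from the thread): audit, and optionally apply, the
# /proc/sys/kernel/modprobe workaround described in the post.
import os
import tempfile

DEFAULT_HELPER = "/sbin/modprobe"
SYSCTL_FILE = "/proc/sys/kernel/modprobe"


def classify_helper(value: str) -> str:
    """Map the sysctl's contents to one of four audit states."""
    path = value.strip()
    if not path:
        return "empty"              # nothing for the kernel to execute
    if path == DEFAULT_HELPER:
        return "default"            # stock setting: helper runs as root on demand
    if os.path.isfile(path) and os.access(path, os.X_OK):
        return "custom-executable"  # replaced with another runnable program
    return "neutralised"            # directory or missing file: helper cannot run


def audit_helper(sysctl_file: str = SYSCTL_FILE) -> str:
    """Read the live sysctl (or any file standing in for it) and classify it."""
    with open(sysctl_file) as fh:
        return classify_helper(fh.read())


def neutralise_helper(target: str = "/var/tmp", sysctl_file: str = SYSCTL_FILE) -> str:
    """Write the workaround value (root is needed on a real /proc), then re-audit."""
    with open(sysctl_file, "w") as fh:
        fh.write(target + "\n")
    return audit_helper(sysctl_file)


def demo_on_scratch_file() -> tuple:
    """Exercise audit/neutralise on a constructed scratch file, not the live /proc."""
    with tempfile.NamedTemporaryFile("w", suffix=".modprobe", delete=False) as fh:
        fh.write(DEFAULT_HELPER + "\n")   # constructed sample: the stock value
        scratch = fh.name
    try:
        before = audit_helper(scratch)
        after = neutralise_helper("/var/tmp", scratch)
    finally:
        os.unlink(scratch)
    return before, after


if __name__ == "__main__":
    print("live:", audit_helper() if os.path.exists(SYSCTL_FILE) else "no /proc here")
    print("scratch demo:", demo_on_scratch_file())
```

The classifier treats any path that is not an executable regular file as neutralised, which covers the post's /var/tmp directory as well as a deleted file. Leaving the helper that way also stops every legitimate on-demand module load, so it is a stopgap to run beside the kernel patch the post is applying, not a replacement for it.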



