Re: SUID permission on Bash script
Michael David Crawford m...@prgmr.com wrote:

> It's not that setuid shell scripts are really more inherently insecure than programs written in C.

Actually, absent some careful cooperation between the kernel and the interpreter to prevent a race condition that can cause the interpreter to run (with elevated permissions) a completely different script than the one that was marked setuid, setuid scripts _are_ insecure in a way that _cannot_ be fixed by any degree of care that might be taken in the writing of the script.

Check the hackers@ archives. It was discussed a little over a month ago.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: SUID permission on Bash script
per...@pluto.rain.com wrote:

> Actually, absent some careful cooperation between the kernel and the interpreter to prevent a race condition that can cause the interpreter to run (with elevated permissions) a completely different script than the one that was marked setuid, setuid scripts _are_ insecure in a way that _cannot_ be fixed by any degree of care that might be taken in the writing of the script.

Wow. I had no idea.

A while back a coworker asked me to help figure out why he couldn't get his script to run setuid on Linux. Some investigation turned up that the Linux kernel explicitly forbids setuid programs whose first two bytes are # and !. So it disables even setuid scripts that don't use the shell, like Python or Perl scripts.

I came across a page that explained all the different ways setuid scripts could screw up - one would have to be a rocket scientist to avoid all the potential pitfalls.

Mike
--
Michael David Crawford m...@prgmr.com
prgmr.com - We Don't Assume You Are Stupid.
Xen-Powered Virtual Private Servers: http://prgmr.com/xen
Re: SUID permission on Bash script
On Sat, 29 Aug 2009 00:17:24 -0700, Michael David Crawford m...@prgmr.com wrote:

> I came across a page that explained all the different ways setuid scripts could screw up - one would have to be a rocket scientist to avoid all the potential pitfalls.

Hi Michael,

It would be a very useful addition to the list archives if you pointed at the URI of the page. This way future readers will find it too :)
Re: SUID permission on Bash script
On Sat, 29 Aug 2009 00:06:29 -0700 per...@pluto.rain.com wrote:

> Michael David Crawford m...@prgmr.com wrote:
>
> > It's not that setuid shell scripts are really more inherently insecure than programs written in C.
>
> Actually, absent some careful cooperation between the kernel and the interpreter to prevent a race condition that can cause the interpreter to run (with elevated permissions) a completely different script than the one that was marked setuid, setuid scripts _are_ insecure in a way that _cannot_ be fixed by any degree of care that might be taken in the writing of the script.
>
> Check the hackers@ archives. It was discussed a little over a month ago.

But isn't that the same issue that Matthew Seaman was saying was fixed years ago (in the link I gave before), and is described in the follow-up:

http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185145.html

That's entirely in the kernel, it doesn't require interpreter support.
Re: Information on Setting up a Jailed Webserver
2009/8/28 Ruben de Groot mai...@bzerk.org

> On Thu, Aug 27, 2009 at 12:28:26PM -0400, APseudoUtopia typed:
>
> > Two more questions then I should be ready to go with my jail(s).
> >
> > In order to minimize the HDD space of the jail, can I add things in my src.conf such as WITHOUT_BOOT, WITHOUT_ACPI, WITHOUT_PF?
>
> Yes you can. Another option is to use read only nullfs mounts for e.g. /usr, /lib, /sbin, /bin to populate the jail. That will cost you no HDD space at all. The ezjail port, already mentioned, can more or less automate this.
>
> > I do use pf on the host system, but it isn't needed inside the jail as well, correct?
>
> Rather, it's not possible to use inside a standard (non-vimage) jail. There's only one network stack.
>
> > Also, is it possible to compile a port (specifically nginx) inside the host, then simply cp it into the jail and run it? I'd like to do this to avoid installing a compiler into the jail itself.
>
> make package-recursive
>
> Ruben
>
> > Thanks again for the help.

I've not seen all this post so sorry if this has been mentioned before.

Apache has a module called mod_jail, that means (I'm pretty sure) you don't have to build the full jail environment. I've not looked at it in detail but it's probably worth looking at before you start hacking around with full jails

http://www.freebsdsoftware.org/www/mod_jail.html
Re: ATI HD 4550 xorg.conf radeon driver
Hi folks!!!

Homework done! Updated to STABLE 7.2:

uname -a:

    [iscariote@ /usr/home/iscariote]$ uname -a
    FreeBSD 7.2-STABLE FreeBSD 7.2-STABLE #1: Sat Aug 29 15:04:29 UTC 2009 root@:/usr/obj/usr/src/sys/GENERIC amd64
    [iscariote@ /usr/home/iscariote]$

Installed radeonhd from radeonhd: /usr/ports/x11-drivers/xf86-video-radeonhd
http://www.freebsd.org/cgi/cvsweb.cgi/ports/x11-drivers/xf86-video-radeonhd/

After this, I edited my /etc/X11/Xorg.conf editing that line:

    [iscariote@ /usr/home/iscariote]$ cat /etc/X11/xorg.conf | grep radeonhd
    Driver radeonhd

After, I did install glxgears and ran it: Seems to be working fine, the gears run smoothly... But... When I try to set up the effects on gnome... the option still not available... Any ideas?

Thanks in advance!

2009/8/27 Jeronimo Calvo jeronimocal...@googlemail.com

> Thanks for the clear explanation!! Thanks 4everything!
>
> 2009/8/27 Mark Stapper st...@mapper.nl
>
> > Jeronimo Calvo wrote:
> >
> > > Lekker! Lekker! Much more clear now mate! so that means as well, that the procedure for a fresh installation as mine, is installing any RELEASE version and after this updated to any of the available STABLE snapshots, (as there is not STABLE isos)
> >
> > Lekker? Is that an English word? Seems to be Dutch to me... Ja toch? :-)
> >
> > Anyway, you hit the nail on the head. However, STABLE isn't a snapshot, it's in continuous development. RELEASE can be seen as a snapshot of the STABLE branch. Anyway, you get the idea by now.
> >
> > Greetz,
> > Mark
Re: SUID permission on Bash script
On Fri, Aug 28, 2009 at 08:10:59PM -0600, Tim Judd wrote:

> On 8/28/09, RW rwmailli...@googlemail.com wrote:
>
> > On Fri, 28 Aug 2009 11:54:19 +0300 Giorgos Keramidas keram...@ceid.upatras.gr wrote:
> >
> > > On Fri, 28 Aug 2009 09:24:35 +0100, Jeronimo Calvo jeronimocal...@googlemail.com wrote:
> > >
> > > > As far as I know, using SUID, script must run with root permissions... so I shouldn't get Permission denied, what am I doing wrong??
> > >
> > > No it must not. There are security reasons why shell scripts are not setuid-capable. You can find some of them in the archives of the mailing list, going back at least until 1997.
> >
> > I'm a bit puzzled by this, previous threads have given the impression that this is a myth, for example:
> >
> > http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185134.html
> >
> > So are scripts actually incapable of running setuid?
>
> Dunno, but this dawns on me.. what defines a script?
>
> I've always defined a script that starts with a #! shebang. So the script can be SUID, but the interpreter/shell isn't. Is that why it doesn't work?

It doesn't work because the system does not allow it - for security reasons. You could fish around and defeat that but don't.

The most common way to get around it is to create a tiny binary that can run Setuid which merely invokes your script. The better way is to use Sudo as has been suggested already in this thread.

jerry

> --Tim
Re: ATI HD 4550 xorg.conf radeon driver
On Sat, Aug 29, 2009 at 03:11:29PM +, Jeronimo Calvo wrote:

> snip
>
> updated to STABLE 7.2:
>
> snip
>
> Installed radeonhd from radeonhd:
>
> after this, I edited my /etc/X11/Xorg.conf editing that line:
>
>     [iscariote@ /usr/home/iscariote]$ cat /etc/X11/xorg.conf | grep radeonhd
>     Driver radeonhd
>
> after, I did install glxgears and ran it: Seems to be working fine, the gears run smoothly... But... When I try to set up the effects on gnome... the option still not available... Any ideas?

Hardware 3D acceleration for this GPU (codename RV710XT) isn't available yet, I think. If it was, the command 'grep Direct /var/log/Xorg.0.log' should return '(II) RADEONHD(0): Direct rendering enabled'.

3D acceleration support for newer Radeons is being worked on, though, and to quote Robert Noland it is coming along nicely. If you are willing to install the radeon kernel module and possibly libdrm and the radeonhd driver from their respective git repositories, it might work. Otherwise, you'll have to be patient for a while longer.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: SUID permission on Bash script
RW wrote:

> On Sat, 29 Aug 2009 00:06:29 -0700 per...@pluto.rain.com wrote:
>
> > Michael David Crawford m...@prgmr.com wrote:
> >
> > > It's not that setuid shell scripts are really more inherently insecure than programs written in C.
> >
> > Actually, absent some careful cooperation between the kernel and the interpreter to prevent a race condition that can cause the interpreter to run (with elevated permissions) a completely different script than the one that was marked setuid, setuid scripts _are_ insecure in a way that _cannot_ be fixed by any degree of care that might be taken in the writing of the script.
> >
> > Check the hackers@ archives. It was discussed a little over a month ago.
>
> But isn't that the same issue that Matthew Seaman was saying was fixed years ago (in the link I gave before), and is described in the follow-up:
>
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185145.html
>
> That's entirely in the kernel, it doesn't require interpreter support.

The race condition between the kernel opening the script and the interpreter doing so should certainly be fixed in any Unix or Linux distribution available today. Either, as above, by the kernel passing an open file descriptor to the invoked script, or simply by ignoring any setuid or setgid bits on interpreted scripts.

There are other attacks against SUID scripts -- see for instance:

http://www.tech-faq.com/suid-root-script-binary.shtml
http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

most of which work by exploiting the sort of features of the scripting language that make it into a powerful and useful tool. Almost all of these sort of exploits can be avoided by careful programming -- for instance, always explicitly setting $IFS and $PATH to known good values, or using the one set of command line flags allowed on the #! line to block the '-i' trick (ie. use '#!/bin/sh --' which forces any subsequent items on the command line to be treated as files rather than command options). However, you (the programmer) would have to know all about the various tricks for exploiting suid-ness in order to counter them.

The preferred way of running a script SUID is to write a very small C wrapper program that can be made SUID and that executes the script after gaining increased privileges. Done well, this is definitely the best and most secure approach. Note however that the C wrapper must be similarly as carefully written as a suid script or many of the same exploits could still be possible.

So, unless you are an expert programmer and understand how to defend your code against attack, your best bet really is to just use sudo(8).

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: SUID permission on Bash script
Perhaps a better idea than a setuid shell script, would be to figure out just what it is about your script that really needs to be executed as root. Then write a C program that can do just that one thing - and absolutely nothing else.

If it takes any kind of input, or command line parameters, then it must validate them very carefully, to ensure that it's not being misused.

Then your script could call that C program whenever it needs that privileged operation performed.

Suppose you were to give the keys to your Lamborghini to a parking attendant. Wouldn't you want to trust that he wasn't going to sell your Lamborghini to a chop shop? Writing a setuid program is just like that: writing one poorly is like handing your race car keys to a car thief. He might not steal your car today, but if you're not careful about how you hand out your trust, he will someday.

Mike
--
Michael David Crawford m...@prgmr.com
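The small C wrapper that Matthew Seaman's message recommends, combined with the input validation asked for in the message above, can look like the following. This is an added example, not code from anyone in the thread; the script path, the argument rule and the ownership policy are assumptions.

```c
/* Added example, not code from the thread. SCRIPT is a hypothetical path and
 * the argument and ownership rules are assumed policy. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SCRIPT "/usr/local/libexec/privileged-task.sh" /* hypothetical */

/* Accept one short token of [A-Za-z0-9._-] that cannot be taken for an option. */
int valid_arg(const char *s)
{
    size_t n = strlen(s);

    if (n == 0 || n > 64 || s[0] == '-')
        return 0;
    return strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789._-") == n;
}

/* The script must be a regular, root-owned file that group and others cannot write. */
int script_is_trustworthy(const struct stat *st)
{
    return S_ISREG(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(int argc, char **argv)
{
    /* Known-good PATH and IFS; nothing from the caller's environment is passed on. */
    char *clean_env[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };
    struct stat st;

    if (argc != 2 || !valid_arg(argv[1])) {
        fprintf(stderr, "usage: wrapper NAME\n");
        return 1;
    }
    /* lstat() so that a symlink in place of the script fails the S_ISREG test. */
    if (lstat(SCRIPT, &st) != 0 || !script_is_trustworthy(&st)) {
        fprintf(stderr, "refusing to run %s\n", SCRIPT);
        return 1;
    }
    /* In a setuid-root wrapper this sets the real and saved uid to 0 as well,
     * so the script runs under a single identity. */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }
    /* "--" ends option parsing, as '#!/bin/sh --' does on a #! line. */
    char *child_argv[] = { "/bin/sh", "--", SCRIPT, argv[1], NULL };
    execve("/bin/sh", child_argv, clean_env);
    perror("execve");
    return 1;
}
```

The ownership check only means something if every directory on the path to the script is also root-owned and not writable by anyone else.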
About libc6-dev on FreeBsd
Hello,

I'm using FreeBSD 6.3 and I'm trying to build APE-Server from http://www.ape-project.org.

To compile APE-Server it requires:

- GCC
- libc6-dev

Could you please give me any suggestion about how to install libc6-dev on FreeBSD?

Thank you.

Best regards,
Vladimir M
Re: About libc6-dev on FreeBsd
On Sat, 29 Aug 2009 09:35:49 -0700, Vladimir M vol...@techemail.com wrote:

> Could you please give me any suggestion about how to install libc6-dev on FreeBSD?

I'm not sure what libc6-dev refers to, maybe development version 6 of the C library? In this case, FreeBSD already has version 7 which should be compatible.

    /usr/lib/libc.so@ -> /lib/libc.so.7

There usually are compatibility libraries for lower versions, such as

    /usr/local/lib/compat/libc.so.4
    /usr/local/lib/compat/libc.so.5
    /usr/local/lib/compat/libc.so.6

An initial approach would be to download the sources and try to compile them. Because it's not a FreeBSD port,

    # ./configure (e. g. with specific options)
    # make
    # make install

would be the way. But the documentation should be more precise.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Boot from RAIDZ in 8.0-BETA3?
Hello,

I'm experimenting with trying to boot from a RAIDZ on 8.0-BETA3 (amd64). The environment is VMware. I've been googling and reading what I can on this procedure, which sounds possible, but I have been unable to successfully get a system up and running with my technique.

So far, this is what I've done...

Installed 8.0-BETA3 on virtual machine's /dev/ad0

Shutdown, added three, 8GB SCSI disks to the VM, Power on VM:

    gpart create -s GPT da0
    gpart add -b 34 -s 128 -t freebsd-boot da0
    gpart add -b 162 -s 16777021 -t freebsd-zfs da0
    gpart create -s GPT da1
    gpart add -b 34 -s 128 -t freebsd-boot da1
    gpart add -b 162 -s 16777021 -t freebsd-zfs da1
    gpart create -s GPT da2
    gpart add -b 34 -s 128 -t freebsd-boot da2
    gpart add -b 162 -s 16777021 -t freebsd-zfs da2
    gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da0
    gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da1
    gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da2
    zpool create bethesda raidz /dev/da[0-2]p2
    cd /bethesda/
    dump -0aLC16 -f- / | restore -rf-
    echo 'zfs_load=YES' >> /bethesda/boot/loader.conf
    echo 'vfs.root.mountfrom=zfs:bethesda' >> /bethesda/boot/loader.conf
    echo 'zfs_enable=YES' >> /bethesda/etc/rc.conf
    mkdir /boot/zfs
    zpool export bethesda
    zpool import bethesda

Shutdown, remove ad0 from the virtual machine, Power on and it see...

    scrolls off screen
    error 4 lba 4292979877
    error 4 lba 4292979883
    error 4 lba 4292979883
    error 4 lba 4292979882
    ZFS: i/o error - all block copies unavailable
    Invalid format

    FreeBSD/i386 boot
    Default: bethesda:/boot/kernel/kernel
    boot:
    error 4 lba 4293052915
    error 4 lba 4293052914
    error 4 lba 4293052915
    error 4 lba 4292979494
    error 4 lba 4292979493
    error 4 lba 4292979493
    error 4 lba 4292980438
    error 4 lba 4292980437
    error 4 lba 4292980437
    ZFS: i/o error - all block copies unavailable
    Invalid format

    FreeBSD/i386 boot
    Default: bethesda:/boot/kernel/kernel
    boot:

And this is as far as I have been able to get. Can anyone identify what I'm doing wrong, or overlooking?

Pointers to docs, man pages, URLs appreciated.

--
Regards,
Doug
Re: Samba and busy network
On Fri, 28 Aug 2009, stan wrote:

> I have a FreeBSD machine serving as (among other things) a Samba server for an XP instance running under VirtualBox. The XP application is a data gathering one that polls continuously. I have set up things so that XP mounts the Samba share, and logs its data there.
>
> Problem is that every morning I come in to find that the XP app is complaining of disk problems from the share. I am fairly certain that this problem is occurring in the middle of the night, when my Amanda backups run. This does load the network fairly good. The FreeBSD box, and the Linux box are on the same switch, and same subnet.
>
> Anyone have suggestions as to how to address this issue?

Can you please share error logs on the xp share side ?

What is the backup set size that Amanda is handling ?

thanks
Saifi.
Re: java config problem
On Fri, 28 Aug 2009, AN wrote:

> I'm trying to configure java on FreeBSD 7-stable and Gnome 2.26.3, with Firefox35. I tried the following commands, but still no ability to view java applets.
>
>     ln -s libjavaplugin_oji.so /usr/local/lib/firefox/plugins
>     ln -s libjavaplugin_oji.so /usr/local/lib/firefox3/plugins
>     ln libjavaplugin_oji.so /usr/local/lib/firefox3/plugins
>
> installed packages:
>
>     pkg_info | grep java
>     javavmwrapper-2.3.3 Wrapper script for various Java Virtual Machines
>     pkg_info | grep jdk
>     diablo-jdk-1.6.0.07.02 Java Development Kit 1.6.0_07.02
>
> Any help to get this working would be really appreciated. TIA

Hi AN:

To enable the java plugin in firefox, please do the following:

. cd $HOME/.mozilla
. cd plugins (if the plugins dir does not exist, please create one)
. ln -s /usr/local/diablo-jdk1.6.0/jre/plugin/i386/ns7/libjavaplugin_oji.so
. on doing ls -l, you'll see an entry look like this

    libjavaplugin_oji.so@ -> /usr/local/diablo-jdk1.6.0/jre/plugin/i386/ns7/libjavaplugin_oji.so

To check for java plugin support, you can try the following:

. start firefox 3.5
. type about:plugins in the address bar
. you should see entry like

    Java(TM) Plug-in 1.6.0_07-b02
    File name: libjavaplugin_oji.so
    Java(TM) Plug-in 1.6.0_07

    MIME Type                              Description  Suffixes  Enabled
    application/x-java-vm                  Java                   Yes
    application/x-java-applet              Java                   Yes
    application/x-java-applet;version=1.1  Java                   Yes

Hope this helps you get started with using Java on FreeBSD.

thanks
Saifi.
Re: SUID permission on Bash script
RW rwmailli...@googlemail.com wrote:

> On Sat, 29 Aug 2009 00:06:29 -0700 per...@pluto.rain.com wrote:
>
> > Actually, absent some careful cooperation between the kernel and the interpreter to prevent a race condition ...
>
> isn't that the same issue that Matthew Seaman was saying was fixed years ago ... and is described in the follow-up:
>
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185145.html
>
> That's entirely in the kernel, it doesn't require interpreter support.

Er, I'm pretty sure it _does_ require support in the interpreter. It would do no good for the kernel to hand the interpreter an open descriptor if the interpreter did not somehow know to read the script from that open descriptor instead of opening the script file by name. This approach is exactly the careful cooperation between the kernel and the interpreter that I was referring to.
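The point made in the message above, that a check applied to one open of the script says nothing about a later open by name, can be observed directly. The following is an added example, not code from the thread; the file names and contents are constructed, and it shows why the interpreter has to read from the descriptor it was handed.

```c
/* Added example, not code from the thread: a descriptor stays bound to the file
 * that was opened; a path can name a different file later. Sample data is constructed. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    ssize_t n = fd < 0 ? -1 : write(fd, text, strlen(text));
    if (fd >= 0)
        close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* 1 if fd and path name the same file right now, 0 if not, -1 on error. */
int same_file(int fd, const char *path)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0)
        return -1;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Read the start of the file behind an open descriptor; -1 on error. */
int read_fd(int fd, char *buf, size_t len)
{
    ssize_t n = (lseek(fd, 0, SEEK_SET) < 0) ? -1 : read(fd, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Open a script, let its name be rebound, then read it by descriptor and by name.
 * Returns 0 when descriptor and path matched before the rename and not after it. */
int rebind_demo(const char *dir, char *by_fd, char *by_path, size_t len)
{
    char script[512], other[512];
    snprintf(script, sizeof script, "%s/checked.sh", dir);
    snprintf(other, sizeof other, "%s/other.sh", dir);
    if (write_file(script, "echo checked\n") || write_file(other, "echo other\n"))
        return -1;
    int fd = open(script, O_RDONLY);        /* the open that any checks apply to */
    if (fd < 0)
        return -1;
    int before = same_file(fd, script);
    int renamed = rename(other, script);    /* the name now means another file */
    int after = same_file(fd, script);
    int fd2 = open(script, O_RDONLY);       /* what re-opening by name gets */
    int ok = fd2 >= 0 && read_fd(fd, by_fd, len) >= 0 &&
             read_fd(fd2, by_path, len) >= 0;
    if (fd2 >= 0)
        close(fd2);
    close(fd);
    unlink(script);
    unlink(other);
    return (ok && renamed == 0 && before == 1 && after == 0) ? 0 : -1;
}

int main(void)
{
    char dir[64], a[64] = "", b[64] = "";
    snprintf(dir, sizeof dir, "/tmp/fdbind.%ld", (long)getpid());
    int rc = mkdir(dir, 0700) ? -1 : rebind_demo(dir, a, b, sizeof a);
    printf("rc=%d via descriptor: %svia path: %s", rc, a, b);
    rmdir(dir);
    return rc ? 1 : 0;
}
```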