Re: security(8) and maildir
> It is hard to guess what you need from the scarce information you provide.

I'm sorry... On hindsight, that was _very_ little information.

I'm running 5.0, with postfix as an MTA, delivering mail for two virtual domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.

> Can you show the output of
>
>   # ls -al /var/mail

$ ls -l /var/mail
total 2148
-rw-------  1 root    wheel  1076477 Jan 14 16:13 root
drwx------  4 vmail   vmail      512 Dec  5 00:33 vmail
-rw-------  1 zeloff  users        0 Jan 10  2011 zeloff

Inside /var/mail/vmail is a folder for each of the virtual domains, and inside that one for every user, etc. Everything from here on down has either 700 (folders) or 600 (files) permissions.

> on the machine in question, and the exact messages you see in your daily security emails?

Running security(8):

Checking mailbox ownership.
user vmail mailbox is drwx------, group vmail

If I chmod 600 /var/mail/vmail, security(8) runs clean, so it's the executable bit that's causing the trouble, but unsetting it is not an option for the obvious reasons.

Relocating the whole thing is most probably the best idea, but is there anything wrong with this patch I came up with?

--- /usr/libexec/security Mon Apr 16 10:43:36 2012 +++ security Mon Apr 16 11:43:20 2012 @@ -457,7 +457,7 @@ my $gname = (getgrgid $fgid)[0] // $fgid; nag $fname ne $name, user $name mailbox is owned by $fname; - nag S_IMODE($mode) != (S_IRUSR | S_IWUSR), + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | + (S_ISDIR(S_IFMT($mode)) S_IXUSR) ), sprintf 'user %s mailbox is %s, group %s', $name, strmode($mode), $gname; }

I have no proper perl skills whatsoever, but I tested it on a few files with different permissions and it appears to work properly... So, what's the verdict? Should maildirs be kept out of /var/mail altogether, or is patching security(8) a viable alternative?

Many thanks
Zé (with an acute-accented 'e', damn encodings...)
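Review bot: the added line `(S_ISDIR(S_IFMT($mode)) S_IXUSR)` has no operator between the `S_ISDIR(...)` call and `S_IXUSR`, so as pasted it is a Perl syntax error; to OR in the execute bit only for directories it needs a conditional such as `(S_ISDIR($mode) ? S_IXUSR : 0)`, and since Fcntl's S_ISDIR already masks with S_IFMT the inner `S_IFMT($mode)` is redundant. The `nag` message in the context line also appears without its double quotes, which suggests the mail client mangled the patch; resending it as an attachment, or from a client that preserves quoting and line breaks, would let people apply it. Note too that nothing in this hunk looks below the directory: the relaxed rule only requires a directory in /var/mail to be 0700, so the 700/600 layout under /var/mail/vmail stays unverified by security(8) and needs a separate check if that is the property you rely on.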
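As an added example (not OpenBSD's /usr/libexec/security and not the poster's patch), here is the patched rule in Python, extended to walk a maildir so the 700/600 layout described above is checked rather than assumed; the spool it builds is constructed sample data, and 'vmail', 'example.org' and 'alice' are placeholder names.

```python
import os
import pwd
import stat
import tempfile

def owner_name(st):
    """Owner of a stat result by name, falling back to the numeric uid."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)

def mode_nag(name, mode):
    """Complaint for an entry's mode, or None: 0600 for a file, 0700 for a dir."""
    wanted = stat.S_IRUSR | stat.S_IWUSR
    if stat.S_ISDIR(mode):
        wanted |= stat.S_IXUSR  # execute bit is needed to traverse a maildir
    if stat.S_IMODE(mode) != wanted:
        return f"user {name} mailbox is {stat.filemode(mode)}"
    return None

def check_spool(spool):
    """Check each entry under spool as security(8) does, and for a maildir
    also walk the tree below it, which the stock check never does."""
    nags = []
    for name in sorted(os.listdir(spool)):
        top = os.path.join(spool, name)
        st = os.lstat(top)
        owner = owner_name(st)
        if owner != name:
            nags.append(f"user {name} mailbox is owned by {owner}")
        nag = mode_nag(name, st.st_mode)
        if nag:
            nags.append(nag)
        if not stat.S_ISDIR(st.st_mode):
            continue
        for root, dirs, files in os.walk(top):
            for entry in dirs + files:
                path = os.path.join(root, entry)
                sub = os.lstat(path)
                if owner_name(sub) != owner:
                    nags.append(f"{path} is owned by {owner_name(sub)}")
                if mode_nag(name, sub.st_mode):
                    nags.append(f"{path} is {stat.filemode(sub.st_mode)}")
    return nags

def build_demo_spool():
    """Constructed sample spool (not a real /var/mail): a clean mbox named after
    the current user, and a 'vmail' maildir with one dir and one file too open."""
    spool = tempfile.mkdtemp(prefix="spool-")
    me = owner_name(os.stat(spool))
    mbox = os.path.join(spool, me)
    open(mbox, "w").close()
    os.chmod(mbox, 0o600)
    alice = os.path.join(spool, "vmail", "example.org", "alice")
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(alice, sub))
    for root, _, _ in os.walk(os.path.join(spool, "vmail")):
        os.chmod(root, 0o700)
    os.chmod(os.path.join(alice, "cur"), 0o750)  # wrong: group can list it
    msg = os.path.join(alice, "new", "1334577600.M1.host")
    open(msg, "w").close()
    os.chmod(msg, 0o640)  # wrong: group can read the message
    return spool
```

Running check_spool(build_demo_spool()) reports the ownership mismatch for the vmail entry plus the two entries inside the maildir that the per-entry check alone would never see.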
Re: security(8) and maildir
On Mon, 16 Apr 2012 12:45:12 +0100, Zé Loff wrote:

> > It is hard to guess what you need from the scarce information you provide.
>
> I'm sorry... On hindsight, that was _very_ little information.
>
> I'm running 5.0, with postfix as an MTA, delivering mail for two virtual domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.
>
> > Can you show the output of
> >
> >   # ls -al /var/mail
>
> $ ls -l /var/mail
> total 2148
> -rw-------  1 root    wheel  1076477 Jan 14 16:13 root
> drwx------  4 vmail   vmail      512 Dec  5 00:33 vmail
> -rw-------  1 zeloff  users        0 Jan 10  2011 zeloff
>
> Inside /var/mail/vmail is a folder for each of the virtual domains, and inside that one for every user, etc. Everything from here on down has either 700 (folders) or 600 (files) permissions.
>
> > on the machine in question, and the exact messages you see in your daily security emails?
>
> Running security(8):
>
> Checking mailbox ownership.
> user vmail mailbox is drwx------, group vmail
>
> If I chmod 600 /var/mail/vmail, security(8) runs clean, so it's the executable bit that's causing the trouble, but unsetting it is not an option for the obvious reasons.
>
> Relocating the whole thing is most probably the best idea, but is there anything wrong with this patch I came up with?
>
> --- /usr/libexec/security Mon Apr 16 10:43:36 2012 +++ security Mon Apr 16 11:43:20 2012 @@ -457,7 +457,7 @@ my $gname = (getgrgid $fgid)[0] // $fgid; nag $fname ne $name, user $name mailbox is owned by $fname; - nag S_IMODE($mode) != (S_IRUSR | S_IWUSR), + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | + (S_ISDIR(S_IFMT($mode)) S_IXUSR) ), sprintf 'user %s mailbox is %s, group %s', $name, strmode($mode), $gname; }
>
> I have no proper perl skills whatsoever, but I tested it on a few files with different permissions and it appears to work properly... So, what's the verdict? Should maildirs be kept out of /var/mail altogether, or is patching security(8) a viable alternative?
>
> Many thanks
> Zé (with an acute-accented 'e', damn encodings...)

Formatting properly doesn't work for you? That made my eyes bleed.

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
From IFC
Good day,

An inquest by my bank (IFC) conducted on inactive/dormant account revealed that you are a potential beneficiary to an unclaimed sum. The similarity in your name and email (misc@openbsd.org) makes it possible for us to liquidate the deceased account in your favour.

Please contact me via harri_c...@w.cn, hari.c...@yahoo.co.uk or haric...@w.cn so we can discuss how to take advantage of this opportunity.

Regards
Harry Cole
Call for Presenter: OpenBSD/IDS @ITSec class
Dear OpenBSD Misc,

I am looking for a presenter to give an open source IDS related speech at the University of Applied Sciences in Augsburg, Germany. If you are interested in, for instance, giving a talk on OpenBSD-based Intrusion Detection or Prevention, then this is your chance to speak to a security class with approx. 100 students. The speech will be part of the IT Security I class that takes place on each Monday at 14:00. If you are interested in giving such a talk, don't hesitate to contact me.

With best regards,
Steffen Wendzel

--
With best regards,
Steffen Wendzel, M.Sc.
Head of Research HSASec (http://www.hsasec.de)
Coordination Bureau IT4SE (http://www.it4se.net)
Faculty of Computer Sciences
Augsburg University of Applied Sciences
Friedberger Straße 2a
86161 Augsburg
Phone: +49 (0)821 5586-3633
Fax: +49 (0)821 5586-3499
Web: http://www.hs-augsburg.de/~swend/
Bank collection slip..
Boleto_Cobranca.jpg

Below is the collection slip for the products that were delivered.

boleto_cobranca.pdf (60,2k kb)

Sincerely,
Global Assessoria de Cobranças Ltda
CONTACT US (11) 5579-2821 / (47) 3461-0800
We are open Monday to Friday, 09:00 to 18:00
E-mail checked by Windows Live Anti-Spam
DynDNS client
Hello,

Is there a DynDNS client for OpenBSD?

Cheers,
Laurence.
Re: DynDNS client
Hi,

see http://ftp.openbsd.org/pub/OpenBSD/5.0/packages/amd64/ddclient-3.8.0p3.tgz

On Mon, Apr 16, 2012 at 11:00 AM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
> Hello,
>
> Is there a DynDNS client for OpenBSD?
>
> Cheers,
> Laurence.
Re: DynDNS client
I use ipcheck.

On Mon, Apr 16, 2012 at 10:00 AM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
> Hello,
>
> Is there a DynDNS client for OpenBSD?
>
> Cheers,
> Laurence.
Re: DynDNS client
On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
> Hello,
>
> Is there a DynDNS client for OpenBSD?

Rolled my own in Python a while back. There are a few that're utter overkill for a simple updater. You could do it in shell with tools in base with a little bit of scripting effort.

http://dyn.com/support/developers/api/
Re: DynDNS client
On Mon, Apr 16, 2012 at 11:04:35AM -0500, Beto wrote:
> Hi,
>
> see http://ftp.openbsd.org/pub/OpenBSD/5.0/packages/amd64/ddclient-3.8.0p3.tgz
>
> On Mon, Apr 16, 2012 at 11:00 AM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
> > Hello,
> >
> > Is there a DynDNS client for OpenBSD?
> >
> > Cheers,
> > Laurence.

Besides ddclient there is also ipcheck-0.207p5.tgz available as a package.
Re: DynDNS client
Hi,

Johan Beisser wrote on Mon, Apr 16, 2012 at 09:18:22AM -0700:
> On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
> > Is there a DynDNS client for OpenBSD?
>
> Rolled my own in Python a while back. There are a few that're utter overkill for a simple updater.

If IP changes are rare for you and you just want to update your IP manually now and then, using the web interface most providers offer is probably sufficient, and you don't even need your own script.

If you want to run the client as a daemon, i'd advise against rolling your own. Most providers block accounts that update too frequently, and getting the logic right to prevent excessive updates is tricky.

My experience is mostly with ddclient; i have contributed a few patches that were accepted upstream. The maintainer is a nice guy, not very actively supporting ddclient, but not letting it rot completely either. For home use, it is clearly good enough. For enterprise use, it is usable (if you are willing to help and fix the occasional bug), but certainly not great.

However, the code quality is positively revolting. I have rarely seen Perl code looking that ugly. Still, as it is a small code base, you can find your way around it. But hacking into it is not fun, and if you value reliability a lot, you should probably look into other options, too, and compare.
Re: DynDNS client
Hi Laurence,

I'm using ipcheck-0.207p5 which is a fully compliant DynDNS.org client.

--
With regards,
Eugene Sudyr

On 4/16/2012 7:00 PM, Laurence Rochfort wrote:
> Hello,
>
> Is there a DynDNS client for OpenBSD?
>
> Cheers,
> Laurence.
Re: DynDNS client
Thank you everybody for the information. This is for home use and both ddclient and ipcheck look more than sufficient for my needs.

Regards,
Laurence

On Apr 16, 2012 5:45 PM, Ingo Schwarze schwa...@usta.de wrote:
> Hi,
>
> Johan Beisser wrote on Mon, Apr 16, 2012 at 09:18:22AM -0700:
> > On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
> > > Is there a DynDNS client for OpenBSD?
> >
> > Rolled my own in Python a while back. There are a few that're utter overkill for a simple updater.
>
> If IP changes are rare for you and you just want to update your IP manually now and then, using the web interface most providers offer is probably sufficient, and you don't even need your own script.
>
> If you want to run the client as a daemon, i'd advise against rolling your own. Most providers block accounts that update too frequently, and getting the logic right to prevent excessive updates is tricky.
>
> My experience is mostly with ddclient; i have contributed a few patches that were accepted upstream. The maintainer is a nice guy, not very actively supporting ddclient, but not letting it rot completely either. For home use, it is clearly good enough. For enterprise use, it is usable (if you are willing to help and fix the occasional bug), but certainly not great.
>
> However, the code quality is positively revolting. I have rarely seen Perl code looking that ugly. Still, as it is a small code base, you can find your way around it. But hacking into it is not fun, and if you value reliability a lot, you should probably look into other options, too, and compare.
Re: DynDNS client
On Mon, Apr 16, 2012 at 9:43 AM, Ingo Schwarze schwa...@usta.de wrote:
> Hi,
>
> Johan Beisser wrote on Mon, Apr 16, 2012 at 09:18:22AM -0700:
> > On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
> > > Is there a DynDNS client for OpenBSD?
> >
> > Rolled my own in Python a while back. There are a few that're utter overkill for a simple updater.
>
> If IP changes are rare for you and you just want to update your IP manually now and then, using the web interface most providers offer is probably sufficient, and you don't even need your own script.

Mine are rare, but referencing the developer site ( http://dyn.com/support/developers/api/ ) does give you enough information to avoid having your client blocked, and how to make it comply with their TOS.

> If you want to run the client as a daemon, i'd advise against rolling your own. Most providers block accounts that update too frequently, and getting the logic right to prevent excessive updates is tricky.

Not really. It's dead simple: check against a state file that has the last known IP, compare to the interface or a web site that returns the external IP address, and update if that changes. If there's a change, update dyn.com, update your state file, and exit. I run mine every 5 minutes or so from cron.

If nothing else, it's a good scripting exercise and a very basic one as well. Dyn.com offers up testing DNS entries for developers to test their code against.

> My experience is mostly with ddclient; i have contributed a few patches that were accepted upstream. The maintainer is a nice guy, not very actively supporting ddclient, but not letting it rot completely either. For home use, it is clearly good enough. For enterprise use, it is usable (if you are willing to help and fix the occasional bug), but certainly not great.
>
> However, the code quality is positively revolting. I have rarely seen Perl code looking that ugly. Still, as it is a small code base, you can find your way around it. But hacking into it is not fun, and if you value reliability a lot, you should probably look into other options, too, and compare.

All the more reason to write your own updater. You get to know what features you really need, vs the ugly crap that people include in their scripts.
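The updater loop described above (state file, compare, update only on change), as an added Python example that is none of the posters' scripts; it also builds in the minimum-interval guard that the warning about over-frequent updates calls for. The address lookup and the provider call are passed in as functions, and the addresses in demo() are constructed documentation values, so it runs offline; a real get_ip would read an interface or an external echo service and a real send_update would call the provider's update API.

```python
import json
import os
import tempfile
import time

def load_state(path):
    """Last address we told the provider about and when; empty if none yet."""
    try:
        with open(path) as f:
            return json.load(f)
    except (OSError, ValueError):
        return {"ip": None, "sent_at": 0}

def save_state(path, state):
    """Write the state atomically so a crash never leaves a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)

def decide(state, current_ip, now, min_interval):
    """Return (action, reason): 'skip', 'defer' or 'update'."""
    if not current_ip:
        return "skip", "could not determine the current address"
    if current_ip == state.get("ip"):
        return "skip", "address unchanged"
    if now - state.get("sent_at", 0) < min_interval:
        return "defer", "address changed but the last update was sent too recently"
    return "update", f"address changed {state.get('ip')} -> {current_ip}"

def run_once(state_path, get_ip, send_update, now=None, min_interval=600):
    """One cron run: get_ip() returns the current external address (or None),
    send_update(ip) contacts the provider and returns True on success."""
    now = time.time() if now is None else now
    state = load_state(state_path)
    ip = get_ip()
    action, reason = decide(state, ip, now, min_interval)
    if action == "update":
        ok = send_update(ip)
        state["sent_at"] = now  # count the attempt even if it failed
        if ok:
            state["ip"] = ip  # only remember addresses the provider accepted
        save_state(state_path, state)
    return action, reason

def demo(state_path=None):
    """Constructed run sequence with documentation addresses; returns the
    actions taken and the addresses that reached the (fake) provider."""
    if state_path is None:
        state_path = os.path.join(tempfile.mkdtemp(), "dyndns.state")
    sent = []
    def ok_send(ip):
        sent.append(ip)
        return True
    def failing_send(ip):
        return False  # provider returned an error: keep the old address
    actions = [
        run_once(state_path, lambda: "203.0.113.7", ok_send, now=1000)[0],
        run_once(state_path, lambda: "203.0.113.7", ok_send, now=1300)[0],
        run_once(state_path, lambda: "198.51.100.9", ok_send, now=1300)[0],
        run_once(state_path, lambda: "198.51.100.9", failing_send, now=1700)[0],
        run_once(state_path, lambda: "198.51.100.9", ok_send, now=1800)[0],
        run_once(state_path, lambda: "198.51.100.9", ok_send, now=2400)[0],
    ]
    return actions, sent
```

The deferred run after the failed update is the point of recording the attempt time regardless of success: a provider that rejects the request is still counted against the interval, so a broken credential cannot turn every cron run into another request.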
Re: security(8) and maildir
On 2012-04-16, Zé Loff zel...@zeloff.org wrote:
> > It is hard to guess what you need from the scarce information you provide.
>
> I'm sorry... On hindsight, that was _very_ little information.
>
> I'm running 5.0, with postfix as an MTA, delivering mail for two virtual domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.
>
> > Can you show the output of
> >
> >   # ls -al /var/mail
>
> $ ls -l /var/mail
> total 2148
> -rw-------  1 root    wheel  1076477 Jan 14 16:13 root
> drwx------  4 vmail   vmail      512 Dec  5 00:33 vmail
> -rw-------  1 zeloff  users        0 Jan 10  2011 zeloff
>
> Inside /var/mail/vmail is a folder for each of the virtual domains, and inside that one for every user, etc. Everything from here on down has either 700 (folders) or 600 (files) permissions.

/var/mail is intended for user-owned mbox files, I would think moving your maildirs elsewhere is more sane. I tend to use /mail for virtual user mailboxes but each to their own :)

> Relocating the whole thing is most probably the best idea, but is there anything wrong with this patch I came up with?

that looks alright as a local patch but I have no idea if there's something else which might be unhappy about nonstandard use of /var/mail.
VPN on OpenBSD: OpenSSH or OpenVPN?
Hello all,

if this has been discussed in the past, forgive my asking and please point me to the archives.

I am interested in building a server VPN solution for a sensitive corporate LAN. The use case is travelling, roaming users who just want secure access to the corporate LAN. I am not interested in permanent VPN setups (for which I guess IPSEC tunnels would be more appropriate). The server OS will be OpenBSD of course.

The main concerns and project requirements are:
- client remote access to a corporate LAN
- on demand VPN for the duration of the need only
- ability to support multiple users concurrently
- cross platform (clients should be supported in as many OSes as possible)
- performance
- strong security (of course) and easy, automated configuration for the client
- IPv6 and IPv4 support (in a perhaps NATed environment)

Should I go for OpenSSH with its tun(4) VPN features or do you think an OpenVPN solution would be more appropriate? After a quick search, my main source of information is [1] and [2]. It is also mentioned that tunneling over TCP can have issues especially in bad connection environments (not sure if this is true or not).

Any input highly welcome :)

Regards,
Kostas

[1] http://www.kernel-panic.it/openbsd/vpn/index.html
[2] http://www.daemonforums.org/showthread.php?t=2610

--
Kostas Zorbadelos
twitter:@kzorbadelos     http://gr.linkedin.com/in/kzorba
()  www.asciiribbon.org - against HTML e-mail
/\  proprietary attachments
Re: VPN on OpenBSD: OpenSSH or OpenVPN?
On Mon, 16 Apr 2012 22:35:16 +0300, Kostas Zorbadelos kzo...@otenet.gr wrote:
> if this has been discussed in the past, forgive my asking and please point me to the archives.
>
> I am interested in building a server VPN solution for a sensitive corporate LAN. The use case is travelling, roaming users who just want secure access to the corporate LAN. I am not interested in permanent VPN setups (for which I guess IPSEC tunnels would be more appropriate).

We are running OpenVPN on OpenBSD servers for roaming users AND for site-to-site connections for approx. 5 years now. Only tcp, no udp. Roaming users use WinXP, Vista, Win7, Ubuntu and openSUSE with certificates (managed by easy-rsa). Site-to-site connections use OpenVPN static keys (and non-standard ports, of course).

Runs pretty stable, even if a link is temporarily overloaded or if the UMTS connection gets interrupted by a railway tunnel... ;)

The only thing that doesn't work well is OSPF over OpenVPN, but maybe this is only due to the really old release of one of the OpenBSD servers.

Regards, Tobias.
Re: VPN on OpenBSD: OpenSSH or OpenVPN?
On 16 April 2012, Kostas Zorbadelos kzo...@otenet.gr wrote:
> [...]
> Should I go for OpenSSH with its tun(4) VPN features or do you think an OpenVPN solution would be more appropriate?
> [...]

You should probably avoid SSH. Without actually looking at the code, I'd say SSH VPNs are prone to TCP-over-TCP meltdown.

The better options are OpenVPN and IPsec. OpenVPN is relatively straightforward to set up, and it mostly works. IPsec is more robust, and can interoperate with more systems, but setting it up involves a deeper understanding of what you're doing, and possibly more fiddling.

Regards,

Liviu Daia
Re: VPN on OpenBSD: OpenSSH or OpenVPN?
On Tue, 17 Apr 2012 03:40:53 +0300, Liviu Daia wrote:
> You should probably avoid SSH. Without actually looking at the code, I'd say SSH VPNs are prone to TCP-over-TCP meltdown.

And plenty of people use TCP in preference to the original UDP in OpenVPN. Sometimes it works very well for a long time and then no-one knows why failures happen. "We didn't change anything."

I never suffered from problems with OpenVPN using UDP.

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: VPN on OpenBSD: OpenSSH or OpenVPN?
On Mon, Apr 16, 2012 at 9:35 PM, Kostas Zorbadelos kzo...@otenet.gr wrote:
> Hello all,
>
> if this has been discussed in the past, forgive my asking and please point me to the archives.
>
> I am interested in building a server VPN solution for a sensitive corporate LAN. The use case is travelling, roaming users who just want secure access to the corporate LAN. I am not interested in permanent VPN setups (for which I guess IPSEC tunnels would be more appropriate). The server OS will be OpenBSD of course.
>
> The main concerns and project requirements are:
> - client remote access to a corporate LAN
> - on demand VPN for the duration of the need only
> - ability to support multiple users concurrently
> - cross platform (clients should be supported in as many OSes as possible)
> - performance
> - strong security (of course) and easy, automated configuration for the client
> - IPv6 and IPv4 support (in a perhaps NATed environment)
>
> Should I go for OpenSSH with its tun(4) VPN features or do you think an OpenVPN solution would be more appropriate? After a quick search, my main source of information is [1] and [2]. It is also mentioned that tunneling over TCP can have issues especially in bad connection environments (not sure if this is true or not).
>
> Any input highly welcome :)
>
> Regards,
> Kostas
>
> [1] http://www.kernel-panic.it/openbsd/vpn/index.html
> [2] http://www.daemonforums.org/showthread.php?t=2610

This one is a good overview as well:
http://undeadly.org/cgi?action=article&sid=20090903183235

> --
> Kostas Zorbadelos
> twitter:@kzorbadelos     http://gr.linkedin.com/in/kzorba
> ()  www.asciiribbon.org - against HTML e-mail
> /\  proprietary attachments