Security measures or just plain stupidity

2008-01-18 Thread coolzone
Hi.

In the last couple of weeks I have been reading a lot of security
related literature with a strong emphasis on web related issues.

It seems to me that a lot of people tend to call themselves Security
Experts and they work with security and they write articles and/or
books about the subject.

But.. is it just me or is there something wrong somewhere!? A LOT of the
examples provided in the material are just so damn stupid that I can't
believe anyone can take them seriously.

A lot of the material uses examples where a malicious user inserts
some code into the web page which points towards a hostile server.
In order for this threat to be executed the attacker must hack the
server (we are not talking about cross-site problems). WTF!? Someone
hacks the server and the document talks about a session fixation attack.
Yea, sure, someone might hack a web server in order to insert
malicious code, but I don't really think that's our main problem then;
our main problem would be to take the damn server off-line and start
working out the main problem: How the h... the server got hacked in the
first place.

For example in the Threat Classification manual written by different
people from the Web Application Security Consortium there is this example:

snip

Issuing a cookie using an HTTP response header.

The attacker forces either the target web site, or any other site in the
domain, to issue a session ID cookie. This can be achieved in many ways:

* Breaking into the web server in the domain (e.g., a poorly maintained
WAP server).

/snip

I have also found a lot of other examples in other books; Chris
Shiflett's book about PHP security also uses some rather obscure
examples (no offence, Chris) in which I tend to think: Dude, if that can
happen to someone running a web server he's too stupid to understand what
you are writing and he shouldn't be running a web server in the first place.

Is this just me or!?

Best regards.

Rico.
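
The session fixation scenario quoted from the WASC Threat Classification is worth a concrete counter-example, added here and not part of Rico's post or of the WASC document: the defence does not care how the attacker planted the cookie (forged Set-Cookie header, compromised sibling host in the domain, cross-site scripting), because a server that never adopts a session ID it did not generate, and that rotates the ID when the session gains privileges, gives the attacker nothing to fix. The store below is a small in-memory table, with the hardened and the vulnerable entry points side by side. Assumptions not in the thread: 128-bit hex session IDs read from /dev/urandom (arc4random_buf(3) would be the OpenBSD-native choice), and a fixed-size table standing in for a real session backend.

```c
/* Added example, not from the original post or the WASC document it
 * quotes. Two rules defeat session fixation regardless of how the cookie
 * was planted: never adopt a client-supplied ID the server did not
 * generate, and replace the ID when the session gains privileges.
 * Assumed: 128-bit hex IDs read from /dev/urandom. */
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 64
#define ID_BYTES 16
#define ID_LEN (ID_BYTES * 2)

struct session {
    int in_use;
    int authenticated;
    char id[ID_LEN + 1];
};

static struct session table[MAX_SESSIONS];

/* Fill buf (ID_LEN + 1 bytes) with a fresh random hex ID; 0 on success. */
static int random_id(char *buf)
{
    unsigned char raw[ID_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw)
        return -1;
    for (int i = 0; i < ID_BYTES; i++)
        snprintf(buf + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

static struct session *free_slot(void)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (!table[i].in_use)
            return &table[i];
    return NULL;
}

/* Resolve the ID a client presented. Unknown or malformed IDs give NULL:
 * this check is what makes a planted cookie worthless, because the
 * server only recognises IDs it generated itself. */
struct session *session_lookup(const char *id)
{
    if (id == NULL || strlen(id) != ID_LEN)
        return NULL;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && strcmp(table[i].id, id) == 0)
            return &table[i];
    return NULL;
}

/* Start a new, unauthenticated session under a server-chosen ID. */
struct session *session_create(void)
{
    struct session *s = free_slot();
    if (s == NULL || random_id(s->id) != 0)
        return NULL;
    s->in_use = 1;
    s->authenticated = 0;
    return s;
}

/* Hardened request entry point: honour the cookie only if we issued it,
 * otherwise start a fresh session (the caller then sets a new cookie). */
struct session *session_from_cookie(const char *cookie_id)
{
    struct session *s = session_lookup(cookie_id);
    return s != NULL ? s : session_create();
}

/* The pattern the literature warns about: adopt whatever ID arrives.
 * An attacker who planted "X" now shares the victim's future session. */
struct session *vulnerable_session_from_cookie(const char *cookie_id)
{
    struct session *s = session_lookup(cookie_id);
    if (s != NULL)
        return s;
    if (cookie_id == NULL)
        return session_create();
    s = free_slot();
    if (s == NULL)
        return NULL;
    s->in_use = 1;
    s->authenticated = 0;
    snprintf(s->id, sizeof s->id, "%s", cookie_id);  /* adopts client ID */
    return s;
}

/* On successful authentication rotate the ID, so any ID an attacker
 * learned (or planted) before login no longer maps to anything. */
int session_login(struct session *s)
{
    if (s == NULL || !s->in_use || random_id(s->id) != 0)
        return -1;
    s->authenticated = 1;
    return 0;
}
```

The request handler calls session_from_cookie() with whatever the Cookie header carried, and session_login() after the password check; if the ID changed, it emits a new Set-Cookie. With those two calls in place the "how did the attacker issue the cookie" question becomes moot, which is the point the quoted vector list is making: the vectors are listed so you can see that blocking any one of them is not the fix.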



Chrooting users the right way

2007-05-13 Thread coolzone
Hi

I am setting up a new OpenBSD machine in which I want to chroot users. I don't
want to use any of the patching solutions to OpenSSH but want to implement a
real system chroot solution so any user, who is chrooted, is jailed even if he
logs in manually.

I have tried to find articles on this, but haven't been successful.

Does anyone know of a good tutorial on how to do this on OpenBSD?

Best and kind regards.

Rico Secada.
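
One way to get the "real system chroot" asked for above, as an added example that is not from the thread and not an OpenBSD tutorial: a small setuid-root program installed as the user's login shell. Because login(1) and sshd both end up executing the login shell, the jail applies on every login path without touching OpenSSH. Assumptions not in the post: the jail root is the user's home directory, it already contains a working /bin/sh (plus the libraries, /dev nodes and /etc files that shell needs), the binary is installed mode 4755 owned by root, listed in /etc/shells, and set as the user's shell with chsh. The check_jail_dir() test is the part worth copying even if the rest changes: a jail root the user can write to is an escape route, not a jail.

```c
/* Added example, not from the original thread: a minimal setuid-root
 * chroot login shell. Assumed: jail root = user's home directory,
 * /bin/sh present inside the jail, binary installed 4755 root-owned. */
#define _DEFAULT_SOURCE 1   /* glibc: declare lstat(2), setgroups(2) */
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Refuse to chroot into anything the user could tamper with: the jail
 * root must be an absolute path, a real directory (not a symlink), owned
 * by root, and not writable by group or others. Returns 0 if acceptable. */
int check_jail_dir(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] != '/')
        return -1;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != 0)
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;
    return 0;
}

/* Drop from root to the target user. Order matters: supplementary groups
 * first, then gid, then uid; afterwards verify the drop is irreversible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || getuid() != uid || geteuid() != uid))
        return -1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());  /* real uid: who logged in */
    if (pw == NULL) {
        fprintf(stderr, "chroot-shell: unknown user\n");
        return 1;
    }
    if (geteuid() != 0) {
        fprintf(stderr, "chroot-shell: must be installed setuid root\n");
        return 1;
    }
    if (check_jail_dir(pw->pw_dir) != 0) {
        fprintf(stderr, "chroot-shell: %s is not a safe jail root\n", pw->pw_dir);
        return 1;
    }
    /* chdir before chroot, then chdir("/") inside it: chroot() without a
     * matching chdir() leaves the cwd outside the jail as an escape hatch. */
    if (chdir(pw->pw_dir) != 0 || chroot(pw->pw_dir) != 0 || chdir("/") != 0) {
        fprintf(stderr, "chroot-shell: chroot failed: %s\n", strerror(errno));
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "chroot-shell: privilege drop failed\n");
        return 1;
    }
    /* Start the jailed shell as a login shell ("-sh") with a minimal
     * environment; nothing from the caller's environment passes through. */
    const char *term = getenv("TERM");
    char termvar[64];
    snprintf(termvar, sizeof termvar, "TERM=%s", term ? term : "vt100");
    char *env[] = { "HOME=/", "PATH=/bin:/usr/bin", termvar, NULL };
    execle("/bin/sh", "-sh", (char *)NULL, env);
    fprintf(stderr, "chroot-shell: exec failed: %s\n", strerror(errno));
    return 1;
}
```

Keep everything under the jail root owned by root and give the user a writable subdirectory instead of a writable root, and put no setuid binaries inside the jail: chroot(2) is not a boundary against root, so a privilege escalation inside the jail is an escape. For the record, OpenSSH 4.8 (March 2008, after this post) added a ChrootDirectory option to sshd_config, which covers the ssh path without a custom shell but not console logins.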



inetd on by default

2006-07-03 Thread coolzone
Hi

Here we go again, why is inetd on by default?

I am very sorry to ask this question! My guess is that it has been asked a
thousand times. I did look in the archives and on Google, trying to find a
clear answer but I must have missed it.

The note in the inetd.conf file, which states that it is almost always
needed, doesn't provide the reason why it is on.

The reason why I post this is because I have read many times about OpenBSD,
that EVERYTHING is off by default. I never gave it much thought until I had to
do some testing at work, with both FreeBSD and NetBSD. I was rather surprised
that both FreeBSD and NetBSD have inetd off by default but OpenBSD doesn't. So
what? So nothing!

One of the first things I do, after installing OpenBSD, is to turn it off.
Later if needed I turn it on but I have never needed it except on a machine
running tftp. 

I do understand that since it is running by default it doesn't pose a risk,
otherwise OpenBSD would have turned it off.

With the risk of being flamed: In my opinion it should be off by default. That
way absolutely nothing is running before it is turned on by the user.

Best and kind regards,
Rico



Re: Firefox keeps crashing

2006-05-11 Thread coolzone
After some more tests it shows that the problem exists on several
installations. We have recently upgraded desktop and laptop machines to 3.9
in our datacenter. KDE 3.5.1 as desktop and Firefox 1.5.0.1 is the main
browser.
 
I have tried changing the resources in login.conf and I have also tried
unlimit -d, but the problem persists.
 
Also Firefox is running very slowly. We are also facing some other small
complications which didn't exist on obsd 3.8 with KDE 3.4.
 
As a temp solution, I think, because of demand, we will go back to obsd
3.8 and KDE 3.4. In general, on the different installations, the KDE desktop
is working much slower, and strange problems occur on the HP laptop
installations. Rebooting sometimes stops and the error "arpresolve: can't
allocate llinfo" appears; crashes during shutdown also occur - I haven't had
time to look into those just yet. Also some problems starting KDE with the
startkde command, in which the screen freezes.
 
All in all some strange things are going on. 
 
> Firefox is a resource hog, and tends to leak resources worse than the
> plumbing job I've been working on for my girlfriend.  The difference
> is, my plumbing leaks will be fixed, and I'm not going to be telling
> everyone how wonderful it is until they are.
> (ok, yes, I've been waiting to use that analogy since the THIRD time
> I disassembled the pipes to fix a leak I can't see, can't fix in
> place, only feel the water very slowly dripping.  But I digress)
>
> The default login.conf settings for normal users seems to be too
> restrictive for Firefox.  When Firefox tries to use more than it is
> permitted, it is silently shut down, no core, no error message, it just
> vanishes.  Promote yourself to staff, you will probably find it works
> better.  Bump the staff limits up, you will probably find you can
> make it run Darned Well.
>
> Wish I could tell you which one (or two) settings it is but I haven't
> figured out how to determine which is too snug.  But after bumping
> things up, I usually run Firefox for many weeks at a time with lots
> of tabs and a few windows...
>
> Nick.



Can't start any programs

2006-05-10 Thread coolzone
Hi

I made the terrible, but not unknown, mistake of untarring the src into /usr. To save
the system I used the upgrade function. I am running 3.9.

After the upgrade all is OK again except that I can't run any programs. The
command startkde doesn't work anymore and other programs such as mc don't
work. The packages are installed and the files are present.

Is there some way to fix this or do I have to reinstall completely?

Best and kind regards.

Rico.



XML converting

2006-02-04 Thread coolzone
Hi all!

I know this hasn't got anything to do with OpenBSD (other than I am actually
doing the work on an OpenBSD driven machine), but the level and advice on this
list is so valuable that I am going to ask anyway.

Please forgive the direct lack of relation!

Many buzzwords exist on the net, as you all know, and sometimes it is
actually difficult to tell the difference between what are buzzwords and what
might contain something useful.

Does anyone see any benefit in using XML format for some data, and then using
XSL to convert this data into XHTML? Rather than just using XHTML in the first
place?

I ask because I might have missed some good reason to do that. I can't
see any reason why one would need to do that except if the actual XML data
needed to be converted into several different things like both XHTML and WML
etc., or perhaps because in the future XML would better serve as a way to
contain the data.

Any advice is appreciated.

Best regards,
Rico.



CUPS failing

2005-10-07 Thread coolzone
Hi, 

During these past couple of weeks I have been doing some extensive testing of
the CUPS port/package.

I have tested a Brother HL-1430 laser printer.

I have got the appropriate PPD driver from foomatic.

I have tested it on several OpenBSD installations, on different hardware yet
all i386.

I can't get it to print no matter how I set it up.

I have then tested the exact same PPD driver with CUPS on FreeBSD 5.4 RELEASE,
and on Kubuntu 5.10. In both cases I have no problems printing.

From the log I get the following using loglevel debug:

D [08/Oct/2005:05:40:29 +0200] [Job 12] GNU Ghostscript 7.05 (2002-04-22)
D [08/Oct/2005:05:40:29 +0200] [Job 12] Copyright (C) 2002 artofcode LLC,
Benicia, CA.  All rights reserved.
D [08/Oct/2005:05:40:29 +0200] [Job 12] This software comes with NO WARRANTY:
see the file PUBLIC for details.
D [08/Oct/2005:05:40:29 +0200] [Job 12] Unknown device: hl1250
D [08/Oct/2005:05:40:29 +0200] [Job 12] renderer return value: 1
D [08/Oct/2005:05:40:29 +0200] [Job 12] renderer received signal: 1
D [08/Oct/2005:05:40:29 +0200] [Job 12] Process dying with error closing
*main::STDOUT, exit stat: 9
D [08/Oct/2005:05:40:29 +0200] [Job 12] Process dying with Possible error on
renderer command line or PostScript error. Check options., exit stat: 3
D [08/Oct/2005:05:40:29 +0200] [Job 12] error closing *main::STDOUT
D [08/Oct/2005:05:40:29 +0200] [Job 12] Possible error on renderer command
line or PostScript error. Check options.
D [08/Oct/2005:05:40:29 +0200] [Job 12] 0 %%Trailer
D [08/Oct/2005:05:40:29 +0200] [Job 12] Saw Trailer!
D [08/Oct/2005:05:40:29 +0200] [Job 12] Saw EOF!
D [08/Oct/2005:05:40:29 +0200] [Job 12]
D [08/Oct/2005:05:40:29 +0200] [Job 12] Closing renderer
D [08/Oct/2005:05:40:29 +0200] [Job 12] KID4 exited with status 9
D [08/Oct/2005:05:40:29 +0200] [Job 12] Renderer exit stat: 9
D [08/Oct/2005:05:40:29 +0200] [Job 12] Renderer process finished
D [08/Oct/2005:05:40:29 +0200] [Job 12] Killing process 5158 (KID3)
D [08/Oct/2005:05:40:29 +0200] [Job 12] Process dying with Error closing
renderer, exit stat: 9
D [08/Oct/2005:05:40:29 +0200] [Job 12] Error closing renderer
E [08/Oct/2005:05:40:29 +0200] PID 414 stopped with status 9!

I notice the Unknown device: hl1250 error, which is actually the name of the
driver (hl1430 uses hl1250), but I can't make any sense of the above.

How do I go from here? 

Friendly,
Rico.



OpenBSD and KDE printing

2005-10-01 Thread coolzone
Hi

During my printer testing the last couple of days I have been running a few
tests.

I have made a test machine (i386) running OpenBSD 3.7 with KDE and all its
applications.

During this test I found that every single program, started from within KDE,
crashes when I use the print option from (in most cases) the file menu.

Kprinter crashes too.

This is with or without any cups service running.

I know this kind of question is unpopular, but I am going to ask it anyway...

Does anyone on the list run OpenBSD 3.7 with KDE where the print option works?
It doesn't matter if there actually is a printer installed, I just need to
know if it crashes. If it doesn't crash - is it possible to start Kprinter?

Thanks and cheers, 
Rico.