Re: What bad things could happen if we don't use sudoedit?
> Yeah, that LD_PRELOAD trick NOEXEC uses doesn't work so well with static executables.

Thank you, so there is a way tricking noexec with vi to get a root shell. But how exactly? Why isn't it fixed? :O

On Mon, Apr 27, 2015 at 9:49 PM, Christian Weisgerber na...@mips.inka.de wrote:
> On 2015-04-27, whynot sudo whynots...@safe-mail.net wrote:
>> Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
>> foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
>>
>> Can the foouser escape to root prompt?
>
> Let's try!
>
> $ sudo ed
> !sh
> # id
> uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
> #
>
> Yeah, that LD_PRELOAD trick NOEXEC uses doesn't work so well with static executables.
>
> --
> Christian naddy Weisgerber na...@mips.inka.de
Re: What bad things could happen if we don't use sudoedit?
You are perfectly correct, it was ed, not vi and sudoedit could be the solution, thanks. I will try to search the internet how to do the LD_PRELOAD trick with ed.

Thanks :)

On Tue, Apr 28, 2015 at 7:09 AM, Philip Guenther guent...@gmail.com wrote:
> On Mon, Apr 27, 2015 at 9:43 PM, someone thisistheone8...@gmail.com wrote:
>>> Yeah, that LD_PRELOAD trick NOEXEC uses doesn't work so well with static executables.
>>
>> Thank you, so there is a way tricking noexec with vi to get a root shell.
>
> No, that's not what naddy demonstrated. He showed that NOEXEC didn't work with /bin/ed. Are you assuming that /bin/ed and /usr/bin/vi are the same program? Why did you list programs in /etc/sudoers that you didn't carefully inspect and think about?
>
>> But how exactly? Why isn't it fixed? :O
>
> BECAUSE WE HAVE SUDOEDIT!
>
> You asked why you should use the solution that was provided, and now that this was demonstrated you're asking why there isn't a solution?
>
> Philip Guenther
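Added example, not part of the thread: the point made above is that NOEXEC depends on LD_PRELOAD, which only the runtime loader honors, so a sudoers audit should flag NOEXEC-tagged commands that have no PT_INTERP segment. The helper names, the simplified sudoers reader and the in-memory ELF images are constructed for illustration; only the two sudoers lines come from the thread.

```python
import re
import struct

PT_INTERP = 3  # program header type naming the runtime loader (ld.so)

def has_interp(image: bytes) -> bool:
    """True if an ELF image requests a runtime loader, the component that honors LD_PRELOAD."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if image[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if image[4] == 2:                            # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(end + "Q", image, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 0x36)
    else:                                        # ELF32
        (phoff,) = struct.unpack_from(end + "I", image, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 0x2A)
    types = (struct.unpack_from(end + "I", image, phoff + i * phentsize)[0]
             for i in range(phnum))
    return PT_INTERP in types

def noexec_commands(sudoers: str) -> list:
    """Simplified sudoers reader (assumption: one entry per line, aliases defined
    before use). Returns the command paths covered by a NOEXEC: tag."""
    aliases, tagged = {}, []
    for line in sudoers.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
        elif "NOEXEC:" in line:
            for item in line.split("NOEXEC:", 1)[1].split(","):
                tagged.extend(aliases.get(item.strip(), [item.strip()]))
    return tagged

def audit(sudoers: str, images: dict) -> dict:
    """Classify every NOEXEC-tagged path as static, dynamic or missing."""
    report = {}
    for path in noexec_commands(sudoers):
        image = images.get(path)
        if image is None:
            report[path] = "missing"
        else:
            report[path] = "dynamic" if has_interp(image) else "static"
    return report

def make_elf64(p_types) -> bytes:
    """Constructed sample: a minimal little-endian ELF64 header plus empty program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(p_types), 0, 0, 0)
    return header + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                             for t in p_types)

# The two sudoers lines quoted in the thread.
SUDOERS = """\
Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
"""
# Constructed stand-ins for the binaries: PT_LOAD only vs. PT_PHDR, PT_INTERP, PT_LOAD, PT_DYNAMIC.
IMAGES = {"/bin/ed": make_elf64([1]), "/usr/bin/vi": make_elf64([6, 3, 1, 2])}

if __name__ == "__main__":
    for path, kind in audit(SUDOERS, IMAGES).items():
        print(f"{path}: {kind}")
```

On a real system, pass the bytes read from each path instead of `IMAGES`; any entry reported as static is one where the NOEXEC tag gives no protection and sudoedit is the appropriate rule.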
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
13-year-old SSL/TLS Weakness Exposing Sensitive Data in Plain Text
http://thehackernews.com/2015/03/rc4-ssl-tls-security.html

On Tue, Mar 17, 2015 at 5:08 PM, someone thisistheone8...@gmail.com wrote:
> How much do we bet in $$$ that March 19. will be an RC4 related security bug?
>
> On Sat, Mar 7, 2015 at 3:33 PM, Stuart Henderson s...@spacehopper.org wrote:
>> (ridiculous formatting adjusted)
>>
>> On 2015-03-06, someone thisistheone8...@gmail.com wrote:
>>> SUGGEST THE WORLD TO ONLY USE PERFECT FORWARD SECRECY AND REMOVE ALL THE WEAK CIPHERS IN LIBRESSL AND OPENSSL!
>>
>> There is still not widespread support for PFS. Some of this is probably due to use of old software for whatever reason (slackness? not wanting to change something which has been tested?), some will be due to sites not wishing to increase CPU use (which PFS does).
>>
>> I just tried a handful of online banking sites in the qualys checker. Only *one* of the ones I tried (nice job triodos) supports PFS at all.
Manux - all processes chrooted - Can it be done on OpenBSD?
Hello,

I recently saw an OS: http://www.manux.info/en/

The userspace architecture is unlike any other, with all processes chrooted (yes, even /bin/true). And programs that can launch others require no access to their chroot for this;

Can this be done on OpenBSD too? Or the installer size would be much larger?
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
How much do we bet in $$$ that March 19. will be an RC4 related security bug?

On Sat, Mar 7, 2015 at 3:33 PM, Stuart Henderson s...@spacehopper.org wrote:
> (ridiculous formatting adjusted)
>
> On 2015-03-06, someone thisistheone8...@gmail.com wrote:
>> SUGGEST THE WORLD TO ONLY USE PERFECT FORWARD SECRECY AND REMOVE ALL THE WEAK CIPHERS IN LIBRESSL AND OPENSSL!
>
> There is still not widespread support for PFS. Some of this is probably due to use of old software for whatever reason (slackness? not wanting to change something which has been tested?), some will be due to sites not wishing to increase CPU use (which PFS does).
>
> I just tried a handful of online banking sites in the qualys checker. Only *one* of the ones I tried (nice job triodos) supports PFS at all.
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
So I argued against ex.: RC4/*DES with the
https://jve.linuxwall.info/blog/index.php?post/TLS_Survey
but nothing in reply came in as con
this looks like a one-sided topic...

I still don't understand why couldn't we put the KNOWN weak ciphers in the fucking trash.. do you really think servers that are installed nowadays are still using RC4? WHAT A BRIGHT FUTURE.

Cryptographers are shouting LOUDly that do not use RC4/*DES ciphers, use ONLY PFS!!!

On Wed, Mar 4, 2015 at 11:56 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> On Thu, 5 Mar 2015, at 07:37 AM, someone wrote:
>>> interoperable - you mean there are still softwares that really count and still cannot use/support HIGH ciphers? wow. What a world we live in.. :\
>>>
>>> On Wed, Mar 4, 2015 at 7:27 PM, Miod Vallat m...@online.fr wrote:
>>>>> Sometimes you have to break things to make it better
>>>>
>>>> Yes, and getting people to stop using LibreSSL because it suddenly is not interoperable with anything would surely help a lot.
>>>>
>>>> Instead, we are trying to get developers to try and use LibreSSL provided libtls, which defaults to sane, strong crypto choices.
>>>>
>>>> Miod
>>
>> Disable RC4 and non-PFS ciphers in Firefox (there are extensions, eg. SSleuth, that can help with doing this) and see how many sites stop
>
> Indeed.
>
> thisistheone is someone who throws out uneducated thoughts without any practice.
>
> Oh wait, this is misc. I forgot.
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
It's not about one person disabling weak ciphers, it's about more..

REMOVE the lame weak ciphers in LibreSSL/OpenSSL NOW! Don't let the world use them anymore! Don't be that NSA sponsored weak pussy! 99.9% of new or updated servers won't use RC4, 3DES, MD5, etc.

S U G G E S T   T H E   W O R L D   T O   O N L Y   U S E   P E R F E C T   F O R W A R D   S E C R E C Y   A N D   R E M O V E   A L L   T H E   W E A K   C I P H E R S   I N   L I B R E S S L   A N D   O P E N S S L !

I tried to warn you...

On Fri, Mar 6, 2015 at 5:18 PM, Alexandre Ratchov a...@caoua.org wrote:
> On Fri, Mar 06, 2015 at 04:43:00PM +0100, someone wrote:
>> So I argued against ex.: RC4/*DES with the
>> https://jve.linuxwall.info/blog/index.php?post/TLS_Survey
>> but nothing in reply came in as con
>> this looks like a one-sided topic...
>>
>> I still don't understand why couldn't we put the KNOWN weak ciphers in the fucking trash.. do you really think servers that are installed nowadays are still using RC4? WHAT A BRIGHT FUTURE.
>>
>> Cryptographers are shouting LOUDly that do not use RC4/*DES ciphers, use ONLY PFS!!!
>
> You've libressl sources, so just disable ciphers you dislike on your system and use it.
Does LibreSSL support RSA export-grade keys? - FREAK Attack
Hello,

---
Does LibreSSL support RSA export-grade keys? - FREAK Attack

Apple's SecureTransport and OpenSSL -- have a bug in them. This bug causes them to accept RSA export-grade keys *even when the client didn't ask for export-grade RSA.*

The impact of this bug can be quite nasty: it admits a 'man in the middle' attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable *and* the server supports export RSA.

The MITM attack works as follows:

1. In the client's Hello message, it asks for a standard 'RSA' ciphersuite.
2. The MITM attacker changes this message to ask for 'export RSA'.
3. The server responds with a 512-bit export RSA key, signed with its long-term key.
4. The client accepts this weak key due to the OpenSSL/SecureTransport bug.
5. The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
6. When the client encrypts the 'pre-master secret' to the server, the attacker can now decrypt it to recover the TLS 'master secret'.
7. From here on out, the attacker sees plaintext and can inject anything it wants.

http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
--
UPDATE:
http://undeadly.org/cgi?action=article&sid=20150304092744

The following CVEs did not apply to LibreSSL:
...
CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

why doesn't it apply? The US Export cyphers were removed? :)
---
Couldn't LibreSSL only have HIGH ciphers and only PFS? All others should be removed, no?

openssl ciphers HIGH
---
Thanks,
http://www.openbsdfoundation.org/
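Added example, not part of the original post: the flaw in step 4 is a missing expected-message check on the client, so this sketch puts a lenient client beside a strict one and runs both over constructed handshake outcomes. It models only the client's view; the class, the function names and the transcripts are hypothetical, and the suite names are standard IANA identifiers.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass
class ServerKeyExchange:
    kind: str        # "rsa_temp", "dhe" or "ecdhe"
    bits: int = 0    # modulus size when kind == "rsa_temp"

def key_exchange(suite: str) -> str:
    """Key-exchange family implied by an IANA-style suite name."""
    for prefix, kx in (("TLS_RSA_EXPORT_", "rsa_export"), ("TLS_ECDHE_", "ecdhe"),
                       ("TLS_DHE_", "dhe"), ("TLS_RSA_", "rsa")):
        if suite.startswith(prefix):
            return kx
    raise ValueError(f"unknown suite {suite}")

def message_fits(kx: str, ske: Optional[ServerKeyExchange]) -> bool:
    """Is this ServerKeyExchange (or its absence) legal for the key exchange?"""
    got = ske.kind if ske else None
    if kx == "rsa":
        return got is None                  # plain RSA: the certificate key is used
    if kx == "rsa_export":
        return got in (None, "rsa_temp")    # a temporary key is allowed only here
    return got == kx                        # DHE/ECDHE: parameters are required

def lenient_client(suite: str, ske: Optional[ServerKeyExchange]) -> bool:
    """Models the bug described in the post: a temporary RSA key is used
    whenever one arrives, whatever suite the client believes it negotiated."""
    if ske is not None and ske.kind == "rsa_temp":
        return True
    return message_fits(key_exchange(suite), ske)

def strict_client(offered: Sequence[str], suite: str,
                  ske: Optional[ServerKeyExchange]) -> bool:
    """Hardened behaviour: the suite must be one the client offered, and the
    ServerKeyExchange must match that suite's key exchange."""
    return suite in offered and message_fits(key_exchange(suite), ske)

# Constructed client configuration and handshake outcomes.
OFFERED = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]
CASES = {
    "plain RSA, no key exchange message": ("TLS_RSA_WITH_AES_128_CBC_SHA", None),
    "ECDHE with parameters": ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                              ServerKeyExchange("ecdhe")),
    "512-bit temporary key under plain RSA": ("TLS_RSA_WITH_AES_128_CBC_SHA",
                                              ServerKeyExchange("rsa_temp", 512)),
    "export suite that was never offered": ("TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                                            ServerKeyExchange("rsa_temp", 512)),
}

def compare() -> dict:
    """Map each case to (lenient client accepts, strict client accepts)."""
    return {name: (lenient_client(suite, ske), strict_client(OFFERED, suite, ske))
            for name, (suite, ske) in CASES.items()}

if __name__ == "__main__":
    for name, (lenient, strict) in compare().items():
        print(f"{name}: lenient={lenient} strict={strict}")
```

A library built without export suites, as later replies in the thread say of LibreSSL, has no `rsa_export` branch to reach at all.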
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
I think that's a win. What about PFS-only + HIGH ciphers?

On Wed, Mar 4, 2015 at 4:32 PM, Ted Unangst t...@tedunangst.com wrote:
> someone wrote:
>> Does LibreSSL support RSA export-grade keys? - FREAK Attack
>
> Export ciphers were deleted from LibreSSL last summer.
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
Sometimes you have to break things to make it better

On Wed, Mar 4, 2015 at 5:13 PM, Miod Vallat m...@online.fr wrote:
>> I think that's a win. What about PFS-only + HIGH ciphers?
>
> What about interoperability? It is too early to restrict LibreSSL to PFS ciphersuites, alas.
>
> Miod
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
interoperable - you mean there are still softwares that really count and still cannot use/support HIGH ciphers? wow. What a world we live in.. :\

On Wed, Mar 4, 2015 at 7:27 PM, Miod Vallat m...@online.fr wrote:
>> Sometimes you have to break things to make it better
>
> Yes, and getting people to stop using LibreSSL because it suddenly is not interoperable with anything would surely help a lot.
>
> Instead, we are trying to get developers to try and use LibreSSL provided libtls, which defaults to sane, strong crypto choices.
>
> Miod
Re: Does LibreSSL support RSA export-grade keys? - FREAK Attack
They are just using what the softwares provide.

https://jve.linuxwall.info/blog/index.php?post/TLS_Survey

This guy scanned Alexa's list of top 1,000,000 websites. On January 11, 2014.

45% of them had TLS support. 1.23% of websites only accept 3DES, and 1.56% of websites only accept RC4. PFS support was 75% ! 38 websites only accept SSLv2. lol. TLS 1.2 support is 33% so shit, that still would need time. And this was one year ago. In the meantime we had POODLE, Heartbleed that had informed people to update.

What did it take to disable SSLv3 in the main webbrowsers? Just a little push that is named POODLE. You are the OpenBSD team, break things to make it better! Just loud thinking, but isn't it time to say NO to weak things? No RC*/DES/MD5/non-PFS/etc.

Many thanks for your hard work!

On Wed, Mar 4, 2015 at 7:54 PM, Carlin Bingham c...@viennan.net wrote:
> On Thu, 5 Mar 2015, at 07:37 AM, someone wrote:
>> interoperable - you mean there are still softwares that really count and still cannot use/support HIGH ciphers? wow. What a world we live in.. :\
>>
>> On Wed, Mar 4, 2015 at 7:27 PM, Miod Vallat m...@online.fr wrote:
>>>> Sometimes you have to break things to make it better
>>>
>>> Yes, and getting people to stop using LibreSSL because it suddenly is not interoperable with anything would surely help a lot.
>>>
>>> Instead, we are trying to get developers to try and use LibreSSL provided libtls, which defaults to sane, strong crypto choices.
>>>
>>> Miod
>
> Disable RC4 and non-PFS ciphers in Firefox (there are extensions, eg. SSleuth, that can help with doing this) and see how many sites stop working.
>
> Better yet, see how many banks' sites stop working.
>
> --
> Carlin
Re: How to run a GUI app without X?
Thanks for all the useful comments :)

On Wed, Mar 4, 2015 at 12:33 PM, Jiri B ji...@devio.us wrote:
> On Tue, Mar 03, 2015 at 08:16:11PM +0100, someone wrote:
>> If X security is so bad, how can one run a GUI app, ex.: Firefox without it?
>>
>> Using framebuffer? How can then someone use a GUI password manager to copy the pwd to the Firefox in the fb?
>>
>> google doesn't give too many answers, to be more precise, zero per hour
>>
>> can someone at least give keywords to what to search for?
>>
>> thanks
>
> Check QubesOS and their lightweight protocol for sharing graphical output. Make a research if something like that could be done on OpenBSD (yep, no virtualization but using different users...).
>
> j.
Re: OpenBSD install has 1 not so logical part
Thanks for clarifying!

On Tue, Mar 3, 2015 at 9:33 PM, Nick Holland n...@holland-consulting.net wrote:
> On 03/03/15 10:55, Thisis theone wrote:
>> Hello,
>>
>> Do you expect to run the X Window System? [yes] no
>> Do you want the X Window System to be started by xdm(1)? [no] no
>>
>> Isn't this a contradiction? Or is it related to machdep.allowaperture?
>>
>> If machdep.allowaperture isn't needed anymore, why is it still in the install?
>
> there's only one kind of hw out there, right? oh wait. :)
>
> At the moment, on i386/amd64, only radeon, intel and vesa can avoid the xf86(4) driver, there are a lot of other X servers and non-Radeon/non-Intel hw that can be handled by something better than vesa out there.
>
> The first question sets things up so X *could* be used (if needed). For security reasons, this can't be changed after the system has fully booted. The second determines if X should be started at boot, but X can certainly be started post-boot. Two different things.
>
> Nick.
kernel panic in OpenBSD 5.6 release
Hello,

1) If I run transmission-gtk with ex.: 20 torrent files and I'm on a 50 mbit/sec network, after ~10-15 minutes (network fully used, ethernet, not wifi) my OpenBSD 5.6 64bit on a T61 will always crash and brings up the gdb. Is that normal? How can I help debug it? I'm not running it as root, I'm running it as a normal user. I only set the default datasize-max=2048M in login.conf.

2) If I run mplayer with several videos on a kiosk (Devon IT TC5 x86), after ~21 days the OS crashed. gdb again showing. Before there was a winXP machine that did almost the same: after a given time, a few weeks, mplayer crashed. The solution: put a reboot in crontab for every week.

How can a userspace program cause an OS crash? Or I am missing something? How can I help make it better? Or it's just an OS config?

Thanks!
Re: uxterm is showing UTF-8 chars with errors?
Thank you for the tricks! :) (Google already indexed it, so less people will ask it in the future, lol)

Is this an old bug or just a feature? I know it would be great if the world would only have 1 language: English, but that will be about ~1000 years away.
http://www.wsj.com/articles/what-the-world-will-speak-in-2115-1420234648

On Tue, Mar 3, 2015 at 5:10 PM, Ted Unangst t...@tedunangst.com wrote:
> Thisis theone wrote:
>> $ touch árvíztűrő tükörfúrógép
>> $ ls -lah
>> -rw--- 1 user user 0B Feb 8 18:20 ??rv??zt??r?? t??k??rf??r??g??p
>> $
>>
>> I am using uxterm on OpenBSD 5.6. How can my uxterm show these accents in this way? Why doesn't it display it as it is?
>
> ls doesn't know about utf-8. it only prints basic ascii characters, and replaces all other bytes with ?.
>
> The problem is not in xterm (or the filesystem). If you run echo * you should see the name echoed back correctly.
Almost offtopic question to the Improving Browser Security question
Hello,

If I:

pkg_add firefox-esr

then I cannot see any separated user for it:

grep -i firefox /etc/passwd

When will OpenBSD have a separated user for the webbrowser by default?

If someone gets in via the webbrowser... it will have the id_rsa, the *.kdb, etc.

If it will not be default what are the solutions for the people to run their webbrowser with another user?

$ su - foo
Password:
$ /usr/local/bin/firefox-esr
Error: no display specified
$ exit
echo $DISPLAY
:0
$ su - foo
Password:
export DISPLAY=:0
$ /usr/local/bin/firefox-esr
No protocol specified
No protocol specified
Error: cannot open display: :0
$

Or is X so bad that it's not worth it? Can I run _several X servers_ on my notebook (separated from each other)? Ex.: CTRL+ALT+F2 would bring up the logged in user with its own X server, and CTRL+ALT+F3 another..

Many thanks,
Re: uxterm is showing UTF-8 chars with errors?
pkg_add colorls
alias ls=colorls

This one did it, many thanks!!

On Tue, Mar 3, 2015 at 5:41 PM, Stefan Sperling s...@stsp.name wrote:
> On Tue, Mar 03, 2015 at 04:55:01PM +0100, Thisis theone wrote:
>> $ touch árvíztűrő tükörfúrógép
>> $ ls -lah
>> -rw--- 1 user user 0B Feb 8 18:20 ??rv??zt??r?? t??k??rf??r??g??p
>> $
>>
>> I am using uxterm on OpenBSD 5.6. How can my uxterm show these accents in this way? Why doesn't it display it as it is?
>>
>> Many thanks!
>
> This is because ls(1) filters output with isprint(3) and is not aware of locales (i.e. it does not call setlocale(3)).
>
> Run pkg_add colorls and alias ls=colorls if you need multi-byte ls output.
>
> Please do not start a discussion about adding this feature to base ls(1) unless you're willing to invest a non-trivial amount of time and energy working on improved locale support for the entire OS. It's already been discussed before.
Re: Almost offtopic question to the Improving Browser Security question
Wow, copying the .Xauthority to the separated user worked!

But I'm still thinking that the separated user can give out the command:

xinput test 6

and can see what anyone types in via X.

On Tue, Mar 3, 2015 at 5:56 PM, Ryan Freeman r...@slipgate.org wrote:
> On Tue, Mar 03, 2015 at 05:51:27PM +0100, someone wrote:
>> Hello,
>>
>> If I:
>>
>> pkg_add firefox-esr
>>
>> then I cannot see any separated user for it:
>>
>> grep -i firefox /etc/passwd
>>
>> When will OpenBSD have a separated user for the webbrowser by default?
>
> I think Ted specifically stated that jailing the browser under its own user was outside the scope of what he was intending to do..
>
>> If someone gets in via the webbrowser... it will have the id_rsa, the *.kdb, etc.
>>
>> If it will not be default what are the solutions for the people to run their webbrowser with another user?
>>
>> $ su - foo
>> Password:
>> $ /usr/local/bin/firefox-esr
>> Error: no display specified
>> $ exit
>> echo $DISPLAY
>> :0
>> $ su - foo
>> Password:
>> export DISPLAY=:0
>> $ /usr/local/bin/firefox-esr
>> No protocol specified
>> No protocol specified
>> Error: cannot open display: :0
>> $
>
> You'll need to copy the .Xauthority file from your main user (the one running X) to ~foo/.Xauthority
>
> From there, you can then run X apps as foo and they should work just fine.
>
>> Or is X so bad that it's not worth it? Can I run _several X servers_ on my notebook (separated from each other)? Ex.: CTRL+ALT+F2 would bring up the logged in user with its own X server, and CTRL+ALT+F3 another..
>>
>> Many thanks,
Re: kernel panic in OpenBSD 5.6 release
Only running -release without patches. Ok, then I will try out newer versions before reporting anything, thanks!

On Tue, Mar 3, 2015 at 5:56 PM, Josh Grosse j...@jggimi.homeip.net wrote:
> On 2015-03-03 11:37, someone wrote:
>> 1) If I run transmission-gtk with ex.: 20 torrent files and I'm on a 50 mbit/sec network, after ~10-15 minutes (network fully used, ethernet, not wifi) my OpenBSD 5.6 64bit on a T61 will always crash and brings up the gdb. Is that normal?
>
> Do you mean *ddb*, rather than gdb? If so, it's normal when the kernel panics, yes.
>
>> How can I help debug it? ...
>
> Post the panic message, your dmesg(8), and the output from trace and ps commands in the ddb(4) kernel debugger.
>
> See crash(8) and ddb(4), and for the kind of information needed when problem reporting, see http://www.openbsd.org/report.html
>
> It's not clear if you are running 5.6-release or if you are running with any of the errata patches, or 5.6-stable. If you are running -release, please note there are 15 errata patches, two of which are for kernel panics.
How to run a GUI app without X?
If X security is so bad, how can one run a GUI app, ex.: Firefox without it?

Using framebuffer? How can then someone use a GUI password manager to copy the pwd to the Firefox in the fb?

google doesn't give too many answers, to be more precise, zero per hour

can someone at least give keywords to what to search for?

thanks
Re: Almost offtopic question to the Improving Browser Security question
http://blogs.gnome.org/alexl/2015/02/17/first-fully-sandboxed-linux-desktop-app/

h, great, looks like X is not soo good regarding security.. maybe Wayland..

On Tue, Mar 3, 2015 at 6:09 PM, someone thisistheone8...@gmail.com wrote:
> Wow, copying the .Xauthority to the separated user worked!
>
> But I'm still thinking that the separated user can give out the command:
>
> xinput test 6
>
> and can see what anyone types in via X.
>
> On Tue, Mar 3, 2015 at 5:56 PM, Ryan Freeman r...@slipgate.org wrote:
>> On Tue, Mar 03, 2015 at 05:51:27PM +0100, someone wrote:
>>> Hello,
>>>
>>> If I:
>>>
>>> pkg_add firefox-esr
>>>
>>> then I cannot see any separated user for it:
>>>
>>> grep -i firefox /etc/passwd
>>>
>>> When will OpenBSD have a separated user for the webbrowser by default?
>>
>> I think Ted specifically stated that jailing the browser under its own user was outside the scope of what he was intending to do..
>>
>>> If someone gets in via the webbrowser... it will have the id_rsa, the *.kdb, etc.
>>>
>>> If it will not be default what are the solutions for the people to run their webbrowser with another user?
>>>
>>> $ su - foo
>>> Password:
>>> $ /usr/local/bin/firefox-esr
>>> Error: no display specified
>>> $ exit
>>> echo $DISPLAY
>>> :0
>>> $ su - foo
>>> Password:
>>> export DISPLAY=:0
>>> $ /usr/local/bin/firefox-esr
>>> No protocol specified
>>> No protocol specified
>>> Error: cannot open display: :0
>>> $
>>
>> You'll need to copy the .Xauthority file from your main user (the one running X) to ~foo/.Xauthority
>>
>> From there, you can then run X apps as foo and they should work just fine.
>>
>>> Or is X so bad that it's not worth it? Can I run _several X servers_ on my notebook (separated from each other)? Ex.: CTRL+ALT+F2 would bring up the logged in user with its own X server, and CTRL+ALT+F3 another..
>>>
>>> Many thanks,