Re: A Little Tip for OpenBSD Users of KDE
On Monday 26 December 2005 22:12, J.C. Roberts wrote:
> On Mon, 26 Dec 2005 11:39:22 -0500, Dave Feustel [EMAIL PROTECTED] wrote:
> > Don't use sudo in any konsole session.
>
> Dave, I don't think you're nuts but the fear mongering without providing any proof or details of a compromise is questionable at best. If you really were compromised while running OpenBSD, you aren't the first and probably won't be the last. As for leaving a terminal window open with root privs, sudo or su, it has *always* been a bad idea:

I never run root any more. Just long enough to install, add a user or two, and set up sudo. I have added a large number of packages and also compiled and installed other software not in the OpenBSD package collection. So I may have introduced a few holes at the user level myself. I have constantly been looking for signs of changes only possible via root. So far I have almost been able to convince myself that the intruder is doing whatever with my user privileges only. I am prepared to reinstall OpenBSD from scratch without Xorg and KDE if I become convinced that root access has been compromised. My respect for OpenBSD's security has increased substantially during the past few days.

I think the security problems I am experiencing are in Xorg and KDE sockets. Rm'ing all the files in /tmp and Tmp (I have TMPDIR=/home/daf/Tmp) and then exiting and restarting KDE seems to disable the intruder temporarily. There also is some problem with DCOPserver, but again, restarting KDE seems to fix that.

> http://seclists.org/lists/bugtraq/2002/May/0294.html
>
> As you can see from what happened to Dug Song and monkey.org, the problem may not be konsole itself, instead, your sudo-enabled konsole session could have been taken over via an exploit in some other application you are running.

I'm not familiar with what happened to Dug Song. The problem with using sudo in a Konsole session is that either the sudo password may be captured for use in a subsequent login, or (and I don't know whether this is possible) an eavesdropper might inject sudo commands during the 5-minute window that sudo remains enabled. The remedy for this is to always switch back to your login console when typing in passwords and using sudo, since the login console is secure. This is possible by executing startkde .

This problem exists because the KDE pty allocation program shipped with KDE was not ported to OpenBSD, the result being that all the OpenBSD [pt]typ's allocated to konsole sessions by KDE are root-owned and world rw. There is also a problem with the socket /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD presentation on XFree86 from about 2002.

> jcr

I have learned a lot about OpenBSD, Xorg and KDE in the last week dealing with this problem. If I weren't an OpenBSD diehard before, I certainly am now.

Dave Feustel
--
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing
Re: A Little Tip for OpenBSD Users of KDE
On Tue, 27 Dec 2005, Dave Feustel wrote:
> by KDE are root-owned and world rw. There is also a problem with the socket /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD presentation on XFree86 from about 2002.

Dunno about KDE but can you elaborate or give refs why having a world writable unix domain socket is considered a problem? The references I've found talk about a missing sticky bit on the /tmp/.X11-unix dir, which is something different.

-Otto
Re: A Little Tip for OpenBSD Users of KDE
On 12/27/05, Dave Feustel [EMAIL PROTECTED] wrote:
> On Monday 26 December 2005 22:12, J.C. Roberts wrote:
> > On Mon, 26 Dec 2005 11:39:22 -0500, Dave Feustel [EMAIL PROTECTED] wrote:
> > > Don't use sudo in any konsole session.
> >
> > Dave, I don't think you're nuts but the fear mongering without providing any proof or details of a compromise is questionable at best. If you really were compromised while running OpenBSD, you aren't the first and probably won't be the last. As for leaving a terminal window open with root privs, sudo or su, it has *always* been a bad idea:
>
> I never run root any more. Just long enough to install, add a user or two, and set up sudo. I have added a large number of packages and also compiled and installed other software not in the OpenBSD package collection. So I may have introduced a few holes at the user level myself. I have constantly been looking for signs of changes only possible via root. So far I have almost been able to convince myself that the intruder is doing whatever with my user privileges only.

Have you done any intrusion detection beyond this? What's your network topology? What is your first impression of how the intruder is getting in? Is it another local user, i.e. one who already has an account on your box? If there are no other local users on your box, are you monitoring connections to the possibly exploited system from another system?

Greg
Re: A Little Tip for OpenBSD Users of KDE
On Tuesday 27 December 2005 11:05, Otto Moerbeek wrote:
> On Tue, 27 Dec 2005, Dave Feustel wrote:
> > by KDE are root-owned and world rw. There is also a problem with the socket /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD presentation on XFree86 from about 2002.
>
> Dunno about KDE but can you elaborate or give refs why having a world writable unix domain socket is considered a problem?

Here is a presentation of XFree86 security issues that I found yesterday that seems to be relevant. X0 permissions are specifically addressed. I am definitely having fewer (if any) problems after several times rm'ing the tmp files associated with Xorg and KDE. I've done it with no problems except when I do it while KDE is running. Then DCOP dies. The most reliable way of reactivating DCOP correctly is (right now) to reboot KDE.

http://www.openbsd.org/papers/xf86-sec.pdf
--
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing
Re: A Little Tip for OpenBSD Users of KDE
On Tue, 27 Dec 2005, Dave Feustel wrote:
> On Tuesday 27 December 2005 11:05, Otto Moerbeek wrote:
> > On Tue, 27 Dec 2005, Dave Feustel wrote:
> > > by KDE are root-owned and world rw. There is also a problem with the socket /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD presentation on XFree86 from about 2002.
> >
> > Dunno about KDE but can you elaborate or give refs why having a world writable unix domain socket is considered a problem?
>
> Here is a presentation of XFree86 security issues that I found yesterday that seems to be relevant. X0 permissions are specifically addressed. I am definitely having fewer (if any) problems after several times rm'ing the tmp files associated with Xorg and KDE. I've done it with no problems except when I do it while KDE is running. Then DCOP dies. The most reliable way of reactivating DCOP correctly is (right now) to reboot KDE.
>
> http://www.openbsd.org/papers/xf86-sec.pdf

Indeed this paper mentions problems with unix domain sockets. But it is talking about socket _creation_, not _using_ a unix domain socket. So far you only have given very vague, circumstantial evidence.

-Otto
Re: A Little Tip for OpenBSD Users of KDE
On 12/27/05, Otto Moerbeek [EMAIL PROTECTED] wrote:
> On Tue, 27 Dec 2005, Dave Feustel wrote:
> > by KDE are root-owned and world rw. There is also a problem with the socket /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD presentation on XFree86 from about 2002.
>
> Dunno about KDE but can you elaborate or give refs why having a world writable unix domain socket is considered a problem?

this is obviously a source of confusion. the permissions on a socket mean *nothing*. anyone can open any socket regardless of permissions, so long as they have necessary directory permissions to find it.
Re: A Little Tip for OpenBSD Users of KDE
Marc Espie and Dirk at KDE have acknowledged the security problem OpenBSD has with KDE kgrantpty. The problem with /tmp/.X11-unix/X0 addressed by the 2003 paper on XFree86 still exists today with Xorg. If the rest of you fail to see the problem, even when the evidence is available to you on your respective systems, so be it.

On Tuesday 27 December 2005 14:56, Daniel Ouellet wrote:
> Dave,
>
> I keep reading your emails and many answers to them as well. So far, nothing is evidence or anything yet. Also, based on some of your latest emails, it looks like the intruder is still coming back to your box and you reboot KDE to kick him/her out. It looks like you are saying there is a security problem, but yet you still provide no details whatsoever on your setup, what you do, what's installed, how he/she may get in, etc.
>
> If there is really a problem, then provide the information, all of it. If the intruder is still coming in, then the entry door is still open. So, I am not saying this should be done, but either provide all the details, or maybe even better, if someone from the project wants to look at it as it is happening, then let them do so, if they want to obviously.
>
> If there is any security problem in OpenBSD of any kind, I am sure many developers would be all over it by now, but it doesn't look to me that there is one, project related anyway, or if it is from some packages provided by the project as well, I am sure they would love to know that and address it! After all they live for that, in a manner of speaking anyway!
>
> With all due respect to you, and I intend no disrespect whatsoever, it really starts to be annoying more than helping. Please provide details, ALL of it, so that better minds can look at it seriously and if there is a problem, address it ASAP.

Quite frankly, it is becoming clear to me that I'm better off to keep quiet about things I become aware of. And not just wrt computers. I'm perhaps relearning that lesson quite late in life.

I was told in 7th grade by an exasperated history teacher: you don't let people *know* that (what?) you know! One of my survival skills perhaps? :-)

> If instead you try to keep the information to yourself, for whatever reason, then do so. But in all fairness what you do now is very much annoying at best. Again, believe me, I mean no offense to you or anyone else, but it is just how it is from my side.
>
> SO, if there is a real problem, put it under the spotlight and let's get it fixed, or else.
>
> Just an idea and that was my first and last email on that one.
>
> Daniel

Your comments are taken in the spirit in which they are offered. I'll try hard in the future to let sleeping dogs lie.

Happy New Year,
Dave
--
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing
Re: A Little Tip for OpenBSD Users of KDE
On Tue, 27 Dec 2005, Ted Unangst wrote:
> On 12/27/05, Otto Moerbeek [EMAIL PROTECTED] wrote:
> > On Tue, 27 Dec 2005, Dave Feustel wrote:
> > > by KDE are root-owned and world rw. There is also a problem with the socket /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD presentation on XFree86 from about 2002.
> >
> > Dunno about KDE but can you elaborate or give refs why having a world writable unix domain socket is considered a problem?
>
> this is obviously a source of confusion. the permissions on a socket mean *nothing*. anyone can open any socket regardless of permissions, so long as they have necessary directory permissions to find it.

That used to be the case. But since quite some time, you'll need write permission to open a unix domain socket.

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/uipc_usrreq.c?rev=1.2content-type=text/x-cvsweb-markup

-Otto
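An added example, written for this page and not code from OpenBSD, KDE or anyone in the thread, that makes the point above concrete: `world_writable()` is the audit an admin would run against /tmp/.X11-unix/X0 or the konsole pty nodes Dave describes as world rw, `create_private_socket()` shows the creation-side fix the xf86-sec paper is concerned with (umask tightened around bind()), and `try_connect()` exercises the write-permission check Otto points to. Function names, the 0600 mode and the test path are my assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 if `path` has the o+w bit (any local user may connect() to a socket,
 * or write to a tty node, that carries it), 0 if not, -1 if lstat() fails. */
int world_writable(const char *path) {
    struct stat st;
    if (lstat(path, &st) < 0) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Fill a sockaddr_un, rejecting paths too long for sun_path. */
static int fill_addr(struct sockaddr_un *sa, const char *path) {
    if (strlen(path) >= sizeof sa->sun_path) { errno = ENAMETOOLONG; return -1; }
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Bind a listening unix-domain socket whose node is created with exactly
 * `mode` (e.g. 0600); umask is tightened around bind() so the node is never
 * world-writable, not even briefly. Returns the listening fd, or -1. */
int create_private_socket(const char *path, mode_t mode) {
    struct sockaddr_un sa; int fd, rc;
    if (fill_addr(&sa, path) < 0) return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    unlink(path);                 /* a stale node would make bind() fail */
    mode_t saved = umask(~mode & 0777);
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    umask(saved);
    if (rc < 0 || listen(fd, 1) < 0) { close(fd); return -1; }
    return fd;
}

/* Client-side connect() to `path`: 0 on success, else errno. On kernels that
 * check the node's mode (OpenBSD, Linux) a caller lacking write permission
 * gets EACCES here; that is the check Otto describes. */
int try_connect(const char *path) {
    struct sockaddr_un sa; int fd, rc;
    if (fill_addr(&sa, path) < 0) return errno;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return errno;
    rc = connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? errno : 0;
    close(fd);
    return rc;
}
```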
Re: A Little Tip for OpenBSD Users of KDE
Dave,

I keep reading your emails and many answers to them as well. So far, nothing is evidence or anything yet. Also, based on some of your latest emails, it looks like the intruder is still coming back to your box and you reboot KDE to kick him/her out. It looks like you are saying there is a security problem, but yet you still provide no details whatsoever on your setup, what you do, what's installed, how he/she may get in, etc.

If there is really a problem, then provide the information, all of it. If the intruder is still coming in, then the entry door is still open. So, I am not saying this should be done, but either provide all the details, or maybe even better, if someone from the project wants to look at it as it is happening, then let them do so, if they want to obviously.

If there is any security problem in OpenBSD of any kind, I am sure many developers would be all over it by now, but it doesn't look to me that there is one, project related anyway, or if it is from some packages provided by the project as well, I am sure they would love to know that and address it! After all they live for that, in a manner of speaking anyway!

With all due respect to you, and I intend no disrespect whatsoever, it really starts to be annoying more than helping. Please provide details, ALL of it, so that better minds can look at it seriously and if there is a problem, address it ASAP.

If instead you try to keep the information to yourself, for whatever reason, then do so. But in all fairness what you do now is very much annoying at best. Again, believe me, I mean no offense to you or anyone else, but it is just how it is from my side.

SO, if there is a real problem, put it under the spotlight and let's get it fixed, or else.

Just an idea and that was my first and last email on that one.

Daniel
Re: A Little Tip for OpenBSD Users of KDE
On 12/27/05, Otto Moerbeek [EMAIL PROTECTED] wrote:
> > this is obviously a source of confusion. the permissions on a socket mean *nothing*. anyone can open any socket regardless of permissions, so long as they have necessary directory permissions to find it.
>
> That used to be the case. But since quite some time, you'll need write permission to open a unix domain socket.

wow, crazy. i knew it was like that on linux, but never checked at home. :)
Re: A Little Tip for OpenBSD Users of KDE
Dave Feustel wrote:
> The problem with /tmp/.X11-unix/X0 addressed by the 2003 paper on XFree86 still exists today with Xorg.

What problem? X11 implements its own authentication.

-d
Re: A Little Tip for OpenBSD Users of KDE
On Mon, Dec 26, 2005 at 11:39:22AM -0500, Dave Feustel wrote:
> Don't use sudo in any konsole session.

Dave, either you tell us _why_ you think it's bad, or keep your tips to yourself and stop causing confusion.

Tobias :)
Re: A Little Tip for OpenBSD Users of KDE
On 12/26/05, Dave Feustel [EMAIL PROTECTED] wrote:
> Don't use sudo in any konsole session.

That's odd. Why shouldn't you use sudo?

Mike
Re: A Little Tip for OpenBSD Users of KDE
On 26/12/05, Tobias Ulmer [EMAIL PROTECTED] wrote:
> On Mon, Dec 26, 2005 at 11:39:22AM -0500, Dave Feustel wrote:
> > Don't use sudo in any konsole session.
>
> Dave, either you tell us _why_ you think it's bad, or keep your tips to yourself and stop causing confusion.

I assume: http://marc.theaimsgroup.com/?t=11349940351
Re: A Little Tip for OpenBSD Users of KDE
On Mon, 26 Dec 2005 11:39:22 -0500, Dave Feustel [EMAIL PROTECTED] wrote:
> Don't use sudo in any konsole session.

Dave, I don't think you're nuts but the fear mongering without providing any proof or details of a compromise is questionable at best. If you really were compromised while running OpenBSD, you aren't the first and probably won't be the last. As for leaving a terminal window open with root privs, sudo or su, it has *always* been a bad idea:

http://seclists.org/lists/bugtraq/2002/May/0294.html

As you can see from what happened to Dug Song and monkey.org, the problem may not be konsole itself, instead, your sudo-enabled konsole session could have been taken over via an exploit in some other application you are running.

jcr