Re: Grrr... modprobe.conf
On Mon, 2010-09-20 at 11:56 +0200, Michał Piotrowski wrote:
> 2010/9/20 Bryn M. Reeves b...@redhat.com:
>> On 09/20/2010 06:43 AM, Ralph Loader wrote:
>>>> After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.
>>>
>>> Looks like it's a minor security hole too:
>>
>> Not sure I'd call that minor considering what you can do via entries in that file.
>
> You can blacklist the firewall modules - it can be critical :)

Why on earth would that be critical? The firewall is just a band-aid. If it does anything useful, your system was broken (or infected) already.

Seriously, if there is *any* case where the lack of firewall would be 'critical', please file a bug for that. There are *much* more interesting things that someone could do with arbitrary write access to /etc/modprobe.conf

--
dwmw2

--
test mailing list
test@lists.fedoraproject.org
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
Re: Grrr... modprobe.conf
On 21 September 2010 at 16:33, David Woodhouse dw...@infradead.org wrote:
> On Mon, 2010-09-20 at 11:56 +0200, Michał Piotrowski wrote:
>> 2010/9/20 Bryn M. Reeves b...@redhat.com:
>>> On 09/20/2010 06:43 AM, Ralph Loader wrote:
>>>>> After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.
>>>>
>>>> Looks like it's a minor security hole too:
>>>
>>> Not sure I'd call that minor considering what you can do via entries in that file.
>>
>> You can blacklist the firewall modules - it can be critical :)
>
> Why on earth would that be critical? The firewall is just a band-aid. If it does anything useful, your system was broken (or infected) already.

Real-life situation:
- a few servers with postgres
- no authentication
- setup for pgpool
- a firewall which blocks access from the outside to postgres

Yes - it's a broken setup, but it works with a firewall.

> Seriously, if there is *any* case where the lack of firewall would be 'critical', please file a bug for that. There are *much* more interesting things that someone could do with arbitrary write access to /etc/modprobe.conf

Surely, but I don't have enough cracker imagination to quickly come up with some good examples :)

> --
> dwmw2

Regards,
Michal
Re: Grrr... modprobe.conf
Once upon a time, David Woodhouse dw...@infradead.org said:
> Why on earth would that be critical? The firewall is just a band-aid. If it does anything useful, your system was broken (or infected) already.

There are still a number of network daemons that don't have any practical IP ACL setup. TCP wrappers only kicks in after the socket is open, which is often not what you want.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Grrr... modprobe.conf
On Tue, 2010-09-21 at 15:33 +0100, David Woodhouse wrote:
> Why on earth would that be critical? The firewall is just a band-aid. If it does anything useful, your system was broken (or infected) already.
>
> Seriously, if there is *any* case where the lack of firewall would be 'critical', please file a bug for that. There are *much* more interesting things that someone could do with arbitrary write access to /etc/modprobe.conf

In that case, please stop bikeshedding. Your post doesn't add anything significant to the discussion, since we all agree that a world-writeable modprobe.conf is an obvious security problem. Arguing about the implementation details of an attack against modprobe.conf isn't really a lot of use.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
Re: Grrr... modprobe.conf
On 09/20/2010 06:43 AM, Ralph Loader wrote:
>> After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.
>
> Looks like it's a minor security hole too:

Not sure I'd call that minor considering what you can do via entries in that file.

Bryn.
Re: Grrr... modprobe.conf
2010/9/20 Bryn M. Reeves b...@redhat.com:
> On 09/20/2010 06:43 AM, Ralph Loader wrote:
>>> After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.
>>
>> Looks like it's a minor security hole too:
>
> Not sure I'd call that minor considering what you can do via entries in that file.

You can blacklist the firewall modules - it can be critical :)

> Bryn.

Regards,
Michal
Re: Grrr... modprobe.conf
Tom Horsley horsley1953 at gmail.com writes:
> After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.

It's definitely not the system-config-network bug, since that's now fixed in everything except F12, and even that has a fixed version in updates-testing. Also, the permissions of the modprobe.conf that bug generates are 644, not 666.

> Maybe abrtd should add a special inotify thread that watches /etc/ for a modprobe.conf file being created :-).

If you can't track it down from the creation time, you could try running a several-line script that checks for the file once per second and notifies you when it's created. Or, if you can reproduce it in a VM with the same package set, you could remove package groups until you find what's causing it.
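The once-per-second check suggested in the message above, written out as an added example; it is not code from the thread. The function names are made up here, `ls --full-time` assumes GNU coreutils as shipped on Fedora, and /var/log/yum.log is assumed to be the yum log location.

```shell
#!/bin/sh
# Added example, not from the thread: poll for a file's creation and report
# its mode and change time as soon as it appears.

# Succeeds if "other" has write permission on the path (e.g. mode 666).
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Poll every $2 seconds until $1 exists. $3 caps the number of checks
# (0 = no cap). Returns 0 when the file appears, 1 if the cap is reached.
wait_for_file() {
    path=$1 interval=$2 max=$3 checks=0
    while [ ! -e "$path" ]; do
        checks=$((checks + 1))
        if [ "$max" -gt 0 ] && [ "$checks" -ge "$max" ]; then
            return 1
        fi
        sleep "$interval"
    done
    return 0
}

# Print the ctime listing (ls -lc, as used in this thread) with a verdict on
# the mode, then the most recent package updates as the first suspects.
report_file() {
    if is_world_writable "$1"; then verdict="WORLD-WRITABLE"; else verdict="ok"; fi
    printf '%s  [%s]\n' "$(ls -lc --full-time "$1")" "$verdict"
    if [ -r /var/log/yum.log ]; then
        tail -n 5 /var/log/yum.log
    fi
    return 0
}

# Runs only when given a path, e.g.: sh watch.sh /etc/modprobe.conf
if [ $# -ge 1 ]; then
    wait_for_file "$1" "${2:-1}" 0 && report_file "$1"
fi
```

Start it before applying updates or running configuration tools; the timestamp it prints can then be matched against the package log.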
Re: Grrr... modprobe.conf
On Sun, 19 Sep 2010 09:08:43 -0400 Tom Horsley wrote:
> After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.

Well, I found something with a grep -r of the whole f14 partition :-).

https://bugzilla.redhat.com/show_bug.cgi?id=635640

Don't know if dracut is really the source of the file though.
Re: Grrr... modprobe.conf
On Mon, 20 Sep 2010 11:56:56 +0200 Michał Piotrowski wrote:
> You can blacklist the firewall modules - it can be critical :)

Actually, I think you can run any arbitrary command to load a module, so it is probably a gigantic security hole.
Re: Grrr... modprobe.conf
On 09/20/2010 01:37 PM, Tom Horsley wrote:
> On Mon, 20 Sep 2010 11:56:56 +0200 Michał Piotrowski wrote:
>> You can blacklist the firewall modules - it can be critical :)
>
> Actually, I think you can run any arbitrary command to load a module, so it is probably a gigantic security hole.

Kinda what I was thinking. This should be fairly easy to track down with the amount of tracing and debugging tools we have in the distro now. I'm not convinced it's dracut's doing but if I have time to get a VM installed later on I'll try to have a poke around.

Cheers,
Bryn.
Re: Grrr... modprobe.conf
On Mon, 2010-09-20 at 08:35 -0400, Tom Horsley wrote:
> On Sun, 19 Sep 2010 09:08:43 -0400 Tom Horsley wrote:
>> After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.
>
> Well, I found something with a grep -r of the whole f14 partition :-).
>
> https://bugzilla.redhat.com/show_bug.cgi?id=635640
>
> Don't know if dracut is really the source of the file though.

So, if this bug is valid as described it's a significant security issue. However, I'm not sure it's simple. I've just checked, and none of my F14 test spins (basically RC2) have a modprobe.conf booted live. The clean installed system from the desktop live image that I have in my test VM currently doesn't have one either. Neither does my 'work' system itself.

If it's dracut as you surmise, it may perhaps happen only on installing a kernel after initial install. I guess also it may only happen when installing from non-live media. We should definitely look into this urgently.

What's the last-touched date of your /etc/modprobe.conf ? Do you know when that is in relation to the lifetime of the install?

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
Re: Grrr... modprobe.conf
On Mon, Sep 20, 2010 at 7:49 AM, Adam Williamson awill...@redhat.com wrote:
> So, if this bug is valid as described it's a significant security issue. However, I'm not sure it's simple. I've just checked, and none of my F14 test spins (basically RC2) have a modprobe.conf booted live. The clean installed system from the desktop live image that I have in my test VM currently doesn't have one either. Neither does my 'work' system itself.
>
> If it's dracut as you surmise, it may perhaps happen only on installing a kernel after initial install. I guess also it may only happen when installing from non-live media. We should definitely look into this urgently.
>
> What's the last-touched date of your /etc/modprobe.conf ? Do you know when that is in relation to the lifetime of the install?

I have some anecdotal evidence. I installed F13 (x86_64) on my dad's computer this weekend. I did not see the empty modprobe.conf until after I did a kernel update. The only packages I updated were the kernel and the firmware package at that time.

Richard
Re: Grrr... modprobe.conf
2010/9/20 Bryn M. Reeves b...@redhat.com:
> On 09/20/2010 01:37 PM, Tom Horsley wrote:
>> On Mon, 20 Sep 2010 11:56:56 +0200 Michał Piotrowski wrote:
>>> You can blacklist the firewall modules - it can be critical :)
>>
>> Actually, I think you can run any arbitrary command to load a module,

Or pass any parameter to a module.

>> so it is probably a gigantic security hole.

Yeah - but it depends on conditions, system configuration etc. It can be treated as a minor issue, major issue, high risk vulnerability or gigantic security hole - depends on system configuration and other things.

Let's CC devel list.

> Kinda what I was thinking. This should be fairly easy to track down with the amount of tracing and debugging tools we have in the distro now. I'm not convinced it's dracut's

My F13 devel system is not affected - it's a standard web developer system with databases, web servers, script languages etc. I don't think that dracut is the culprit.

> doing but if I have time to get a VM installed later on I'll try to have a poke around.
>
> Cheers,
> Bryn.

Regards,
Michal
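An added example, not from the thread, that checks the two things discussed in these messages: whether users other than the owner can write to modprobe configuration, and which lines run a command (`install`/`remove`), pass parameters (`options`) or blacklist a module. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit modprobe configuration files for
# loose permissions and for directives that change what a module load does.

# Print each argument that group or other may write to (e.g. mode 666).
loose_perms() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune \( -perm -0020 -o -perm -0002 \) -print
    done
}

# Print "file:line: kind: text" for directives worth reviewing:
#   install/remove  run a shell command in place of the normal load/unload
#   options         pass parameters to a module
#   blacklist       ignore a module's internal aliases
review_directives() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            $1 ~ /^#/ { next }
            $1 == "install" || $1 == "remove" { kind = "runs-command" }
            $1 == "options"   { kind = "sets-parameter" }
            $1 == "blacklist" { kind = "blacklists" }
            kind != "" { printf "%s:%d: %s: %s\n", file, NR, kind, $0; kind = "" }
        ' "$f"
    done
}

# Write a constructed sample config with the mode reported in the thread.
make_sample() {
    cat > "$1/modprobe.conf" <<'EOF'
# constructed sample, not taken from any real system
options snd_hda_intel model=auto
install example_mod /bin/true
blacklist pcspkr
alias eth0 e1000
EOF
    chmod 666 "$1/modprobe.conf"
}

audit_modprobe() {
    echo "== writable by group or other =="
    loose_perms "$@"
    echo "== directives to review =="
    review_directives "$@"
}

# Usage: sh audit.sh /etc/modprobe.conf /etc/modprobe.d/*.conf
if [ $# -ge 1 ]; then
    audit_modprobe "$@"
fi
```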
Re: Grrr... modprobe.conf
2010/9/20 Richard Shaw hobbes1...@gmail.com:
> On Mon, Sep 20, 2010 at 7:49 AM, Adam Williamson awill...@redhat.com wrote:
>> So, if this bug is valid as described it's a significant security issue. However, I'm not sure it's simple. I've just checked, and none of my F14 test spins (basically RC2) have a modprobe.conf booted live. The clean installed system from the desktop live image that I have in my test VM currently doesn't have one either. Neither does my 'work' system itself.
>>
>> If it's dracut as you surmise, it may perhaps happen only on installing a kernel after initial install. I guess also it may only happen when installing from non-live media. We should definitely look into this urgently.
>>
>> What's the last-touched date of your /etc/modprobe.conf ? Do you know when that is in relation to the lifetime of the install?
>
> I have some anecdotal evidence. I installed F13 (x86_64) on my dad's computer this weekend. I did not see the empty modprobe.conf until after I did a kernel update.

I'm using compiled 2.6.35.4-28 here. So it can be an issue with the F13 kernel package.

> The only packages I updated were the kernel and the firmware package at that time.
>
> Richard

Regards,
Michal
Re: Grrr... modprobe.conf
Richard Shaw hobbes1069 at gmail.com writes:
> I have some anecdotal evidence. I installed F13 (x86_64) on my dad's computer this weekend. I did not see the empty modprobe.conf until after I did a kernel update. The only packages I updated were the kernel and the firmware package at that time.

It could be this bug in system-config-network:

https://bugzilla.redhat.com/show_bug.cgi?id=589593

It's been fixed since then in everything except F12 (which has a fixed updates-testing version) but the original F13 version was broken. This bug creates /etc/modprobe.conf with permission 644, not 666, so it shouldn't be a security issue.
Re: Grrr... modprobe.conf
2010/9/20 Michał Piotrowski mkkp...@gmail.com:
> 2010/9/20 Bryn M. Reeves b...@redhat.com:
>> On 09/20/2010 01:37 PM, Tom Horsley wrote:
>>> On Mon, 20 Sep 2010 11:56:56 +0200 Michał Piotrowski wrote:
>>>> You can blacklist the firewall modules - it can be critical :)
>>>
>>> Actually, I think you can run any arbitrary command to load a module,
>
> Or pass any parameter to a module.
>
>>> so it is probably a gigantic security hole.
>
> Yeah - but it depends on conditions, system configuration etc. It can be treated as a minor issue, major issue, high risk vulnerability or gigantic security hole - depends on system configuration and other things.
>
> Let's CC devel list.

Well depends on the circumstances. As the file is supposed to be obsolete anyway ... we should just make modprobe ignore it ;)
Re: Grrr... modprobe.conf
On Mon, 20 Sep 2010 13:49:30 +0100 Adam Williamson wrote:
> What's the last-touched date of your /etc/modprobe.conf ? Do you know when that is in relation to the lifetime of the install?

Just poking around, I get the impression that it may have happened near the first round of updates after I did the initial install of f14 alpha (from dvd):

[r...@zooty ~]# ls -lc --full-time /spare/etc/modprobe.conf
-rw-r--r-- 1 root root 0 2010-08-25 19:44:57.0 -0400 /spare/etc/modprobe.conf
[r...@zooty ~]# ls -lt --full-time /spare/etc/modprobe.conf
-rw-r--r-- 1 root root 0 2010-08-25 19:44:57.0 -0400 /spare/etc/modprobe.conf
[r...@zooty ~]# ls -lt --full-time /spare/root/install.log
-rw-r--r--. 1 root root 103892 2010-08-25 18:42:33.0 -0400 /spare/root/install.log

Interesting that on my system at least, the file isn't world writable. I hadn't noticed that before. Maybe there are multiple ways it can get created, or maybe some process is inheriting a umask that might be different?

(The /spare partition is where I have f14 installed).

In the yum.log I see the time on modprobe.conf occurs in a gap in the yum updates:

Aug 25 19:37:56 Updated: xorg-x11-drv-aiptek-1.3.1-1.fc14.x86_64
Aug 25 20:02:56 Updated: libgcc-4.5.1-1.fc14.x86_64
Re: Grrr... modprobe.conf
2010/9/20 Tom Horsley horsley1...@gmail.com:
> On Mon, 20 Sep 2010 13:49:30 +0100 Adam Williamson wrote:
>> What's the last-touched date of your /etc/modprobe.conf ? Do you know when that is in relation to the lifetime of the install?
>
> Just poking around, I get the impression that it may have happened near the first round of updates after I did the initial install of f14 alpha (from dvd):

I checked on my laptop and there I don't experience this problem either. I installed F14 alpha from KDE Live, then installed Gnome and other stuff. Two days ago I did the update to rawhide.

Regards,
Michal
Re: Grrr... modprobe.conf
>> In the yum.log I see the time on modprobe.conf occurs in a gap in the yum updates:
>>
>> Aug 25 19:37:56 Updated: xorg-x11-drv-aiptek-1.3.1-1.fc14.x86_64
>> Aug 25 20:02:56 Updated: libgcc-4.5.1-1.fc14.x86_64
>
> The fix for https://bugzilla.redhat.com/show_bug.cgi?id=589593 was pushed to F14 updates-testing on Aug. 23. Does yum.log show when system-config-network was updated?

Aug 25 20:05:06 Updated: system-config-network-tui-1.6.1-1.fc14.noarch
Aug 25 20:16:10 Updated: system-config-network-1.6.1-1.fc14.noarch

Looks like it was updated right after the file was created. No doubt I had to run s-c-n to get my static IP setup right before I could download updates, so maybe that's the origin. The world writable version might be a different problem though.
Re: Grrr... modprobe.conf
On Mon, 2010-09-20 at 09:53 -0400, Tom Horsley wrote:
>>> In the yum.log I see the time on modprobe.conf occurs in a gap in the yum updates:
>>>
>>> Aug 25 19:37:56 Updated: xorg-x11-drv-aiptek-1.3.1-1.fc14.x86_64
>>> Aug 25 20:02:56 Updated: libgcc-4.5.1-1.fc14.x86_64
>>
>> The fix for https://bugzilla.redhat.com/show_bug.cgi?id=589593 was pushed to F14 updates-testing on Aug. 23. Does yum.log show when system-config-network was updated?
>
> Aug 25 20:05:06 Updated: system-config-network-tui-1.6.1-1.fc14.noarch
> Aug 25 20:16:10 Updated: system-config-network-1.6.1-1.fc14.noarch

Instead of searching the yum log - how about using yum history:

yum history info system-config-network\* | less

That'll list all the transactions that changed system-config-network*

-sv
Re: Grrr... modprobe.conf
Ralph Loader suckfish at ihug.co.nz writes:
> Looks like it's a minor security hole too:
>
> $ ls -l /etc/modprobe.conf
> -rw-rw-rw- 1 root root 0 Jun 27 17:50 /etc/modprobe.conf
>        ^^

Are you seeing this in F14? June 27 is pretty old.
Grrr... modprobe.conf
After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.

Maybe abrtd should add a special inotify thread that watches /etc/ for a modprobe.conf file being created :-).
Re: Grrr... modprobe.conf
> After all these years, something from the fedora repos (the only ones I have active in my F14 partition) is still creating an (empty) /etc/modprobe.conf file.

Looks like it's a minor security hole too:

$ ls -l /etc/modprobe.conf
-rw-rw-rw- 1 root root 0 Jun 27 17:50 /etc/modprobe.conf
       ^^

I don't think I changed the permissions myself...

Ralph.

> Maybe abrtd should add a special inotify thread that watches /etc/ for a modprobe.conf file being created :-).