other file if they are
`open'
i still maintain that users owning a directory in /var/run/screen is
not really a big deal since there are loads of world writable
directories in /var. maybe if tex is fixed i might be convinced.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
Does anyone know what port 13223 is? today i have been getting a
massive number of connection attempts to that port from several
different addresses.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
. (its in the FAQ)
but then i could be missing something, im tired ;-)
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
;-)
can someone else running a production postfix server comment on this?
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
, if the volume of spam is of concern to an admin, he should read the
docs and fix it himself.
yes.
i am forwarding this back to the list.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
, it allows all members of group video to grab a
copy of the current framebuffer contents. 620 is safer.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
a security tag in
the initial discussion on -devel but i didn't follow that thread
terribly closely. check the archives, read the thread on bug tags.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
environment/windowmanger if you
start almost any gnome program it will launch all sorts of other little
things.
that still does not explain how that file ended up in / though. do
you run any gnome programs as root? (an evil practice IMO)
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP
On Mon, Nov 20, 2000 at 09:28:29PM +0100, Michel Dänzer wrote:
Ethan Benson wrote:
hour:/home/kr0n# ls -ls /dev/fb0
0 crw--w--w-1 root tty 29, 0 Jul 5 14:44 /dev/fb0
apparently writing random garbage into the fb devices is not supposed
to cause a kernel panic
the desktop to the laptop taking
over the IP address. all NFS cares about is the source IP, not very
strong...)
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
who is screwing around)
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
fb* caused a crash with atyfb IIRC.
It's still a problem without the crash since any local user can overwrite the
console screen with garbage.
Regards,
Chris
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
so that might be something different. as far as i can tell
debian's lprng never logs anything so perhaps never calls syslog().
i wish debian released security unadvisories when thier package is not
vulnerable to a certain bug like this...
--
Ethan Benson
http://www.alaska.net/~erbenson
the chroot in the initscript itself, thats what i do for bind.
that way when the debian package is upgraded and bind is restarted the
new binaries are copied into the chroot before the daemon is started.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
far (clear, reset -Q, ESC[2J ESC[0;0H in /etc/issue) just
clear the immediately visible screen, not the console scroll-back.
how about:
case "$(tty)" in
/dev/tty[0-9])
t=$(v=`tty` ; echo ${v##*ty})
clear
chvt 63; chvt "$t"
;;
ck history. the scrollback history is being kept
by the kernel, its not known to the various terminal software. shift
page-up is not part of normal terminals.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
better?
Ehm.. I did this:
knopje# echo -e "\033[2J\033[1;1H" issue.new
knopje# cat /etc/issue issue.new
knopje# mv issue.new /etc/issue
or you could replace getty with mingetty.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
knows, nobody cares.
yup
Perhaps someone should expose the truth of the general lack of email
security to the media, and let them scare everybody!
they would botch it. they have already tried scaring everyone about
virus/worm problems yet everyone still uses MS Outlook.
--
Ethan Benson
http
PROTECTED]
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
(). this is fixed in
2.2.19pre9 and presumably 2.4.2pre4.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
to exploit a cgi script and deface the web site served by the
Mac. in most cases such an attack would never allow site defacment on
unix since the site is not owned by the webserver UID that the cgi
script generally runs as.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
use NOBODY INSTALLS SECURITY UPDATES! same thing with bind.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
cheat by changing the --localuser option in /etc/cron.daily to
--localuser='-s /bin/sh nobody'
but i don't think bogus shells really adds much security, other then
perhaps being caught by pam_shells.so which will reject logins to
accounts with a shell not listed in /etc/shells.
--
Ethan Benson
. it can't hurt anything ;-)
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
?
always install security updates, thats HOW debian fixes security
problems.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
of no exploit for the ptrace race at this time, there is a proof of
concept exploit for the sysctl() bug).
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
OpenBSD's nologin, which does the same thing as falselogin
but with FAR less code. OpenBSD nologin compiles just fine on linux.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
home directory is owned by root and read-only it shouldn't
be possible to make any persistent changes to the account.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
and later. that
kernel disabled a capability from the bounding set in order to fix
that nasty security hole, this also has the side affect of breaking
this pam module (among other capability related things). check the
pam-list archives for a recent explanation by andrew about this.
--
Ethan Benson
http
=no]
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
On Tue, Mar 27, 2001 at 10:05:00AM +0200, Alson van der Meulen wrote:
for irc: i never had problems with it, just accept ident lookups and
all outgoing stuff
ever try dcc ?
protocols that require incoming connections are lame anyway
unfortunatly many do this.
--
Ethan Benson
http
= no in main.cf. also
procmail likes to do this as well. im not sure how to stop procmail
from doing it. just told ippl to ignore it:
ignore icmp type 3 from localhost
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
and NOT root to the compromised disk, there could be
kernel modules installed which will hide things.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
its funky to configure, breaks things and
still makes admining the box a royal pain.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
as soon as nfs-common
gets restarted.
either that or block all privileged ports, which is usually not hard
to do. some rpc services register on non-privileged ports and they
are much harder to block unless you don't mind breaking all kinds of
stuff.
--
Ethan Benson
http://www.alaska.net/~erbenson
your username. many sites
make ident queries. its useful if you have users in that if one of
them causes problems somewhere you can ask for ident results to find
out who the troublemaker is.
if you block it you will be denied access to many irc servers.
--
Ethan Benson
http
them and the permissions get fixed.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
up having to do pretty
much everything from the console (depending on the config i suppose),
and well if i wanted that i would use NT ;-)
and it sounds like lids may not be portable to arch != i386.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
of behavior.
[0] none that i can think of at the moment.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
, but instead have
the CAP_NET_RAW capability bit turned on. this way it runs
unprivileged except for being allowed to open raw sockets.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
screaming warning of mismatched host
keys, or does not take any steps to verify that a new host key they
accept from a new machine really belongs to that machine.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
. does the current apt-get know how to get and check this
signature on its own?
There is also a way to sign individual packages. dpkg, debsigs,
debsig-verify
is there any plans for .debs to be individually gpg signed by the time
woody ships?
--
Ethan Benson
http://www.alaska.net/~erbenson
[unecessary 9 steps deleted]
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
)
and thus there is no root hole in our default install'
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
really think the samba maintainer is going to
leave a security hole unpatched just because Theo has an abrasive
personality...
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
key or worse they will use methods that make you very very eager to
reveal it
stegfs *might* but then again if the entity your dealing with is
horrible enough it won't matter whether or not the alleged data really
exists or not, if they think it does then...
--
Ethan Benson
http
package takes care of all this correctly
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
.
the `testing' distribution (now woody) is the least secure branch you
can run.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
, if you use any
branch other then stable you are responsible for checking that
security fixes are getting made and installed, there won't be an
advisory.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
of problems.
the exploit does work though, i had to tweak it a bit (which is
probably intentional).
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
at
once.
in this case you must make very large sacrifices to accomplish this.
including giving up kernel modules and X11.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
installed.
system adminsitrator == root
cracker == root
you can't trust one without trusting the other.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
to /dev/hda* and
remove the immutable bits (ive written a script to remove chattr +i
and +a even when CAP_LINUX_IMMUTABLE is removed from the bounding set,
no reboot required).
otherwise the attacker can just replace your kernel image and reboot
(which is of course fairly noticable).
--
Ethan
is
prevent them from conveniently getting the statd port number, that
doesn't stop them from finding it via nmap.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
On Mon, Jun 18, 2001 at 08:56:03AM +0200, Philipp Schulte wrote:
On Sun, Jun 17, 2001 at 10:42:17PM -0800, Ethan Benson wrote:
you would need to fix filesystem immutability and block device access
as well. currently lcap CAP_LINUX_IMMUTABLE is useless since there
is no way to deny
mailcrypt into security.debian.org.
gnupg is installable, if you remove mailcrypt. ;-)
not ideal but thats the way the way the cookie crumbles.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
found anyone who
actually did need all of those.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
to use ftp, smtp and telnet only for my local network.
if you don't know why your running them you don't need them. simple
as that.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
On Mon, Jun 18, 2001 at 12:43:41PM +0200, Philipp Schulte wrote:
On Mon, Jun 18, 2001 at 12:35:13AM -0800, Ethan Benson wrote:
chattr +i and +a cannot be set or removed if CAP_LINUX_IMMUTABLE is
removed from the bounding set. however that does not prevent root
from messing with /dev
the FAQ that seemed to be
implyed).
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
on remaining ignorant.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
a spoofing trick to attach the victims chargen port to its echo
port.
i don't know if that is still possible, in the olden days it was, had
quite ammusing result too.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
of debian.
if gnupg broke deps on a another package in main i think you would
have a point, but it broke something outside the distribution which is
beyond the concerns of the security team, they only need to care about
the distribution which is main and non-US/main.
--
Ethan Benson
http
on the servers, in the bug system, and so forth.
it is policy, just because they are on debian servers does not make
them part of the debian distribution. non-free and contrib are NOT
parts of debian. this is really fairly well known...
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP
protection. that would
be nice :)
ulimit -u 20
thats all it takes.
BTW your Mail-Followup-To header is broken.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
On Tue, Jun 19, 2001 at 10:09:51AM +0200, Christian Jaeger wrote:
At 2:17 Uhr +0200 19.6.2001, Ethan Benson wrote:
what if the attacker can poisen your DNS, or routing tables? then he
can trick apt into downloading his 37337 `security update' (more like
unsecurity update heh)
Yes
On Wed, Jun 20, 2001 at 12:02:47AM -0600, Hubert Chan wrote:
Ethan == Ethan Benson [EMAIL PROTECTED] writes:
Ethan echo 'eb::0:0:Ethan Benson:/home/eb:/bin/bash' /etc/passwd.d/eb
Ethan login whe r00t!
Hmm. Forgot about that. I guess that would be a bit of a security
hole
, period, end of story.
as for sudo for my own purposes i don't see the point, i don't want my
normal account to be a root account nor do i want my user passwd to be
a/the root passwd. the logging is nothing more then an annoyance
since i know what i run anyway.
--
Ethan Benson
http
to root yourself, in which case you have saved yourself a
root compromise.
i have known people who have had root cracked due entirely to sudo.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
or later.
Ethan sudo is a very large cannon which is difficult to keep aimed
Ethan away from the foot...
That it is. But then, the root password is basically a very large
cannon built into your shoe.
i would not go that far.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP
audit (especially when you find the case broken and
cut open...).
compare this to your envolope idea where the machine need not even be
shutdown and tell me which is more likely to go by unnoticed.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
understand that statd usually crashes before logging
anything anyway.
if your not using nfs you should remove the nfs-common package
anyway.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
and sudoers man pages.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
On Mon, Jul 16, 2001 at 12:52:20PM +0200, Martin F. Krafft wrote:
this isn't an answer, but install Debian, then change /etc/issue as
well as /etc/motd to suggest SuSE, and trust me, none of your
superiors are going to get it :)
like they would ever login to the machine anyway.
--
Ethan
On Tue, Jul 17, 2001 at 12:29:45PM +0100, Nick Phillips wrote:
On Tue, Jul 10, 2001 at 05:29:32AM -0800, Ethan Benson wrote:
nice to know pam_pwdfile gained md5 support, iirc it only did the
anchient crappy crypt before..
now there just needs to be a passwd command to work
rpc.statd.
incompetant `morons with root password' (i won't call them sysadmins)
who won't install security updates are really the worse problem.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
on the internet today.
that is sort of like saying `you really cannot blame people for not
hiring expensive archetectural engineers and letting some semi
competant carpenter design your 10 story office building'
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
On Sat, Jul 21, 2001 at 02:00:48PM -0700, Jacob Meuser wrote:
On Sat, Jul 21, 2001 at 12:09:07AM -0800, Ethan Benson wrote:
On Fri, Jul 20, 2001 at 07:52:26PM -0700, Tim Uckun wrote:
You really can not blame people for not hiring
expensive unix sysadmins and letting some semi competent
, fool me twice shame on me
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
treat computers like toasters
anymore. deal with it.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
with `but
they are not exploitable' which is rubbish of course.
go annoy someone else. i can change nothing in debian, i am not a
debian developer, go annoy one of them.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
started if you install them, a very
logical assumption. criticising debian's choices in regards to what
services are priority: standard could be a valid argument.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
]
Do you want something like that?
or:
WARNING: Coffee is served HOT! [0]
--
Ethan Benson
http://www.alaska.net/~erbenson/
[0] for those who don't remember there was a case some years ago where
a woman sued McDonalds after she spilled a cup of thier coffee in her
lap and as a result was burned
On Sat, Jul 21, 2001 at 11:39:36PM -0700, Jacob Meuser wrote:
I think it is quite fitting.
i think is a 21st century varient of Godwin's law developing.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
you installed a zillion services and didn't know what
they did thus opening lots of `security holes'.
yeah whatever.
what part of `don't install the service if you don't need it/don't
know how to configure it' don't you understand?
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
I mentioned that OpenBSD has a policy of not starting services by
default. Ethan Benson went off on how OpenBSD is rubbish. As
no i said the claim that OpenBSD starts
will clutter the output to the point of
unusability)
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
tend to agree to that, but i don't agree that the kernel
should start processes with a broken umask to begin with.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
why?
not configuring $EDITOR correctly. mutt doesn't have an editor, it
uses vi, emacs or whatever you set $EDITOR to.
for emacs add this to your ~/.emacs:
(setq auto-mode-alist (cons '(/tmp/mutt* . auto-fill-mode)
auto-mode-alist))
--
Ethan Benson
http://www.alaska.net
.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
obscurity is all your really gaining.
i am more concerned that the services i run are properly configured
and have all security updates applied then whether someone knows what
userid they are running as.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
transgressions, complete with
ident responses from your machines, if you configured your identd not
to lie, and not to allow your users to make it lie you will most
likely have an accurate pointer to the troublemaker so you can proceed
to lart them.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP
.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
On Fri, Aug 31, 2001 at 08:09:23PM -0700, Scott Sawyer wrote:
Hey dude,
the advice was fairly clear and didn't seem to be derogatory that I read.
Just remember we all started out as clueless.
not THAT clueless!
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
only
option is either upgrading to woody or backporting the woody ssh
package to potato (probably not very hard at all).
i recommend backporting the sid ssh packages to potato. if someone
hasn't already done that...
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
features in
debhelper not present in potato. anyone with basic shell scripting
and a bit of Makefile experience should be able to handle that with
not much difficulty.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
: this is the only way until
the new version is backported.
which will never happen, except possibly by someone doing it unofficially.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
On Sat, Sep 22, 2001 at 11:14:43AM -0400, Hubert Chan wrote:
As root:
# apt-get build-dep openssh
that doesn't work on pototo's apt. you have to do it the old way:
cd openssh-*
grep ^Build debian/control
look at list and apt-get install each package.
--
Ethan Benson
http://www.alaska.net
1 - 100 of 335 matches
Mail list logo