also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.27.2100 +0200]:
> There is a problem with that, namely responsible disclosure. The
> team cannot be too big or else the other organisations in the
> consortium will object for danger of leakage.
>
> I think what we
s recognition that it's a problem that needs a solution.
So if we all recognise it as a problem, it will solve itself?
Wouldn't a ticket system (possibly request-tracker3) be helpful
here?
--
Please do not send copies of list mail to me; I read the list!
.'
ld be needed for
some of the innovative approaches I have in mind. Thus, I'd love to
hear opinions.
se it.
We are working to fix it. The last thing we need now are people
complaining and moaning.
ms and automate security patch releases
> - it's a task for debian-man .. more than what super-man or
> bat-man can do
people "volunteering" are useless. people actually doing something
are not.
l these servers
with something else because that'll be cheaper than the risk of
having them compromised.
childhood problems to resolve themselves
(read: sarge r1). That said... of course woody is currently also
potentially vulnerable.
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.17.0944 +0200]:
> also sprach Michael Buchholz <[EMAIL PROTECTED]> [2005.06.17.0857 +0200]:
> > And also, when you write any block, you have to reencrypt all the
> > remaining blocks.
>
> Yes, don't
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.28.1108 +0200]:
> No, he installed Sarge because it was cool back at the time.
Yeah so this whole thing has been growing on me a little too much.
Sorry for being snappy in the last two posts (to Marek and Alvin).
I am going to
wn security updates until
we caught up.
, and how to modify packages and properly
integrate them with APT.
0. http://debiansystem.info
Cheers,
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.1215 +0200]:
> Unfortunately you are right :-( At this moment there is no secure
> Debian distribution.
unstable. :)
no problem. But giving root access to others is the
problem.
also sprach Tim Haynes (on Sun, 01 Jul 2001 05:02:26PM +0100):
> In the init.d scripts, you'll find it easiest to rip out the
> start-stop-daemon stuff and run the command directly,
> /usr/sbin/named -t /etc/bind -u named
> unless you're a purist in which case, you tell me how instead ;)
also sprach Dossy (on Sun, 01 Jul 2001 10:10:42PM -0400):
> No. IIRC, 53/tcp is also used for DNS queries (not just XFER's)
> when the size is larger than the RFC specifies for the UDP-based
> payload. Or, some such type of edge-case of the DNS spec.
uhm - which is only the case if you slave a
also sprach GARGIULO Eduardo INGDESI (on Mon, 02 Jul 2001 04:25:57PM -0300):
> I was using ipchains, but now I have kernel v2.4.5 with iptables.
> I want to know how to monitor masqueraded connections. I mean the
> output of
>
> ipchains -L -M -v
>
> using iptables. I didn't find it in man ipta
also sprach Anders Gj?re (on Fri, 13 Jul 2001 10:52:09AM +0200):
> does sudo by default allow the sudo-user to run every program,
> or just the program you specify?
the latter, of course.
> how will sudo work if you use the "time" command?
> like "time vim /etc/passwd"
if you allow time with arbitr
also sprach Dan Hutchinson (on Fri, 13 Jul 2001 03:51:49PM -0400):
> Does anyone know of a secure network file system
> like Active Directories from Microsoft
^
hahahahaha!
um. do you read bugtraq
or: have you ever administered one of those dreadfully sad
also sprach Juha J?ykk? (on Mon, 16 Jul 2001 11:03:41AM +0300):
> Anyone care to help me: I need some _strong_ points in favour of
> Debian, against SuSE. No crap, please. I need to persuade my superiors
> to turn from RH to Debian instead of SuSE as they would like to do. I
> need strong eviden
also sprach Ethan Benson (on Mon, 16 Jul 2001 04:14:51AM -0800):
> > this isn't an answer, but install Debian, then change /etc/issue as
> > well as /etc/motd to suggest SuSE, and trust me, none of your
> > superiors are going to get it :)
>
> like they would ever login to the machine anyway.
wo
On Thu, Aug 30, 2001 at 11:14:33PM -0300, Alisson Sellaro wrote:
> I was checking my firewall logs and have detected lots of TCP/113 dropped
> packets. Checking /etc/services I realized it was ident traffic. What do
> you think about such service? Should I let it blocked or should I allow it
> wit
also sprach Ethan Benson (on Fri, 31 Aug 2001 01:38:45AM -0800):
> > honest question: whose business is the name of a user who initiated a
> > connection??? identd is a horrible concept and elicits shrieks among
> > the security conscious. i do understand that you need it for this and
> > that, so
also sprach Ethan Benson (on Fri, 31 Aug 2001 01:45:29AM -0800):
> identd is for the admin RUNNING the identd, not for the admin making
> identd requests, if one of your users is abusing someones network in
> some way (attempting to send spam, causing trouble on some irc network
> etc) the admin o
also sprach Martin Fluch (on Fri, 31 Aug 2001 01:02:58PM +0300):
> Consider the following situation: You admin a computer and some user
> tries to attack another computer from this one. Then the admin of
> the attacked computer can tell _you_, from which user the attack was
> coming, which helps y
also sprach Christian Kurz (on Fri, 31 Aug 2001 10:12:31AM +0200):
> > honest question: whose business is the name of a user who initiated a
> > connection???
>
> It can be some sort of help if you have a system with lots of users and
> complaints about one. Some admins may be able to send you
also sprach Christian Kurz (on Fri, 31 Aug 2001 10:07:05AM +0200):
> > I have had a lot of problems running non-Debian software when I
> > disable ident. It seems like the licensing daemons expect to find
>
> What the hell is a licensing daemon? And which package contains this
> software in debi
also sprach Colin Phipps (on Fri, 31 Aug 2001 11:31:53AM +0100):
> Not if configured appropriately. Good identds don't allow reverse ident
> scanning anymore.
okay, i must admit i didn't know this...
> Agreed, leaking UIDs is serious. Which is why modern identds support returning
> crypted uids
also sprach Ethan Benson (on Fri, 31 Aug 2001 03:30:54AM -0800):
> rubbish, if the admin is incompetent enough to be running these things
> as root he will have a cracked box regardless of whether identd is
> running or not.
you have a point, even though there is no need to become offensive!
>
also sprach Christian Kurz (on Fri, 31 Aug 2001 04:15:55PM +0200):
> > process accounting. process accounting.
>
> Would you care to explain that a bit more and especially compare it with
> ident protocol (advantages and disadvantages)?
process accounting is simply the kernel keeping track of al
also sprach Layne (on Sat, 01 Sep 2001 12:30:54AM -0400):
> I'M JUST JOKING. RIGHT. I GOT 80 SPAM MESSAGES YESTERDAY AND 80
> MORE TODAY. I DIDN'T SUBSCRIBE TO. WHAT GIVES. THIS IS NUTS.
which are clearly my fault, you impersonation of freudian depression.
do me a favor and leave the lis
also sprach Layne (on Fri, 31 Aug 2001 11:35:12PM -0400):
> WELL I GUESS YOU'RE STILL PRETTY FUCKING CLUELESS. I DON'T WANT ANY MORE OF
> YOUR USELESS E-MAIL SENT TO THIS GOT IT?? TAKE THE HINT, TAKE A
> CLUE
unsubscribe then, oh you superior being!
martin; (greetings fr
also sprach Layne (on Fri, 31 Aug 2001 11:04:30PM -0400):
> MARTIN FONDLES YOUNG BOYS.
which one?
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
--
"and no one sings me lullabies,
and no one makes me close my eyes,
and
also sprach Bud Rogers (on Sat, 01 Sep 2001 07:13:06AM -0500):
> I put him in a filter. Every mail I receive from him gets forwarded back to
> him and to postmaster and abuse at his ISP. I don't think he'll be around
> long.
i think all this started because i auto-reply to micro$oft users,
te
also sprach Bud Rogers (on Sat, 01 Sep 2001 07:58:12AM -0500):
> > i think all this started because i auto-reply to micro$oft users,
> > telling them about www.vcnet.com/bms and www.unix-vs-nt.org and he
> > didn't like that :)
>
> Martin, you may have set him off but I don't think you're respons
also sprach Lupe Christoph (on Sat, 01 Sep 2001 12:40:44PM +0200):
> > also sprach Layne (on Fri, 31 Aug 2001 11:04:30PM -0400):
> > > MARTIN FONDLES YOUNG BOYS.
> > which one?
> Which Martin or which boy? *-O
boys is plural. so syntactically speaking the one can only refer to
martin. but hey, i
also sprach Noah L. Meyerhans (on Sat, 01 Sep 2001 12:00:28PM -0400):
> Please don't do that. That's an incredibly rude practice. The people
> never asked for your opinion on operating systems or Microsoft. What
> about those who use a Windows mailer at their job and have no choice to
> do othe
also sprach Alvin Oga (on Mon, 10 Sep 2001 09:08:51AM -0700):
> for the firewall ...
> - it should be running a "secure linux/bsd distro"
> and only ipchains
> ( some might wanna run dns on it too...but...
ipchains/iptables is really just not a firewall. it's a packet fil
also sprach Tim Haynes (on Mon, 17 Sep 2001 05:05:27PM +0100):
> Unless I'm well mistaken, of course... But I'd never trust a key whose
> fingerprint had turned up in public before.
that's a little ridiculous, isn't it, given that i can use my gpg to
view the fingerprint of your public key, which
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2001.10.04 09:48:08+0600]:
> What can I do, if my program is working in a chrooted environment
> and using filesystem /proc. I use chroot and mount all /proc filesystem in
> chrooting environment.
> Can I mount part of /proc?
with 2.4.x kernels:
mount --bi
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2001.10.18 15:02:19-0400]:
> Please let me know also,
> because I have been getting empty messages from root too
snort in stable and in testing seems to do this out of the box.
however, the UID *is* weird...
* Tom Breza <[EMAIL PROTECTED]> [2001.10.18 21:26:17+0100]:
> but I don't have a snort, and this message I got a second time, first time
> I been too busy and just ignore, but that seems to be repeat...
what time? if 6am'ish, then try all you cron.daily scripts by hand and
see which one emails you
is stock (non Debian) 2.4.12 now secure or not? i am getting confused.
if it isn't, where can i find patches for it to make it secure?
sorry to be asking so blatantly, but i don't have much time to worry
about my private systems these days. please help.
* eim <[EMAIL PROTECTED]> [2001.10.22 12:44:03+0200]:
> Is this a good choice ? or should I put another machine in my
> Network, between the Gateway and the Servers, which acts as Firewall ?
what's a firewall for you? a packet filter? you can surely install a
packet filter on every box. iptables
* Bryan Andersen <[EMAIL PROTECTED]> [2001.11.06 05:23:05-0600]:
> Another possibility would be to have them replace the hubs with
> switches, this assumes you are using twisted pair, not thin net
> or thick net.
which is not secure due to arp flooding.
i'll happily give you a POP3 account ove
* Craig Dickson <[EMAIL PROTECTED]> [2001.11.15 10:28:33-0800]:
> Also note that root owns sendmail, or whatever MTA you're using. If he
> really wants to read your mail, it would be much easier for him to do it
> by configuring the MTA to silently copy him on all your messages, so all
> this conc
* Bryan Andersen <[EMAIL PROTECTED]> [2001.11.15 12:51:01-0600]:
> B... Wrong.
>
> If you don't trust root, you're hosed. Root can change the app so he
> has your keys... Root can also change the tty drivers so they are
> all silently logged. There is no way to secure it fully unless you
* vdongen <[EMAIL PROTECTED]> [2001.11.15 19:30:35+0100]:
> actually, root can also read your gpg key.
> so a simple copy of your mail and a gpg decoding using your key would be
> much easier
except there is a passphrase! which can be obtained with a hacked
version of mutt or gpg, obviously...
> r
* Mathias Gygax <[EMAIL PROTECTED]> [2001.11.16 15:06:54+0100]:
> > well, i thought this is the definition of root.
>
> no. with LIDS you can protect files and syscalls even from root. in my
> setup, root cannot even write to his own home directory.
... which root can change at convenience. this
* Mathias Gygax <[EMAIL PROTECTED]> [2001.11.16 14:36:30+0100]:
> > > > Root is God. Anything you do on the system is potentially visible to
> > > > root.
>
> this is, with the right patches applied, not true.
^^
> can very fine tune the setup. f
* Wade Richards <[EMAIL PROTECTED]> [2001.11.15 22:17:39-0800]:
> This is the sort of absolutist nonsense that gives security experts a
> bad name. After all, anyone armed with a chainsaw can cut through a
> solid oak door in a matter of hours, so why bother installing a deadbolt
> on your door?
* Mathias Gygax <[EMAIL PROTECTED]> [2001.11.18 17:58:46+0100]:
> > excellent. you know what i did: i just remove the root:0:... line from
> > /etc/passwd and /etc/shadow. now i can't be root. that must be perfect
> > security. yeah!
>
> before you shout, think twice. this is READ-only on my syst
* Mathias Gygax <[EMAIL PROTECTED]> [2001.11.18 17:59:29+0100]:
> > thanks, you just made me laugh!
> you set lamer detector to orange.
alright, so my first step is to scale back and *not* flame. i am sorry
for posting my sarcastic comment.
i shall now try to sum up my points. we have been talki
* op <[EMAIL PROTECTED]> [2001.11.27 10:23:57+0100]:
> I specify the users in /etc/ssh/sshd_config who are allowed to connect via
> ssh. But I'd like some more control. I'd like to control which subnets user x
> can connect from. Some should be allowed to connect from anywhere but some
> shoul
* Wichert Akkerman <[EMAIL PROTECTED]> [2001.11.27 12:23:04+0100]:
> The @HOST bit may be new in OpenSSH 3 though.
yes. and it can't take a network, so you'd have to enter one entry per
user/machine permutation...
* Giacomo Mulas <[EMAIL PROTECTED]> [2001.11.28 18:11:40+0100]:
> > I've installed a linux bridge with 2.4.14 kernel and the
> > bridge-utils packages
>
> I am VERY interested, since I administer a transparent firewall
> myself. My firewall uses proxy arp (I implemented it in the old
> 2.2.x kern
* Jeremy T. Bouse <[EMAIL PROTECTED]> [2001.11.28 09:07:53-0800]:
> If I'm not mistaken I believe the bridging code runs before
> the firewall code so the bridging by-passes the firewall filters
> completely... Please if I'm incorrect in this would someone care to
> correct me but that is w
okay, so i read the FAQ, they are possible. but they don't make sense.
in fact, i will argue that as soon as you employ netfilter or
ipchains on a linux bridge, you don't have a bridge anymore! you won't
have a packet filter or router either, but it's not going to be a
bridge as it concerns itse
* Simon Murcott <[EMAIL PROTECTED]> [2001.11.29 16:31:12+1300]:
> One point you are missing is that it is possible using this kind of
> configuration to create a firewall where you cannot address any of its
> external interfaces. So how can you do an intrusion attack on a firewall
> that you cann
* Attila Nagy <[EMAIL PROTECTED]> [2001.11.29 14:30:56+0100]:
> > a firewall needs to have IP routing capabilities to be able to enforce
> > rules (same for a packet filter),
> ?
> A proxy firewall doesn't need to have IP routing capabilities (eg.
> forwarding packet between interfaces). And a pro
* William R. Ward <[EMAIL PROTECTED]> [2001.11.29 18:00:40-0800]:
> Question: Is it generally considered secure enough to sudo a bash
> script like your sucpaliases? Or should a C equivalent be written
> instead?
no. especially not the quick'n'dirty version that alvin posted. i am
not criticizin
* Wichert Akkerman <[EMAIL PROTECTED]> [2001.12.02 12:59:38+0100]:
> Wrong :). Someone (forgot his name unfortunately) already implemented
> this. If you ask on the netfilter list they should be able to point
> you to the right patch.
oh my, everyone is misunderstanding my non-important, trivial
* Wichert Akkerman <[EMAIL PROTECTED]> [2001.12.02 22:30:02+0100]:
> Why is a filtering bridge no longer a bridge? It does not route, it
> does not change packets, it just selectively does not pass some on.
> A broken bridge maybe from a strict standpoint, but still a bridge.
because it's filteri
* William R Ward <[EMAIL PROTECTED]> [2001.12.04 10:48:19-0800]:
> Right; but assuming one takes care of this kind of issue, is there
> anything inherently unsafe about running shell scripts through sudo?
> I understand that there are risks of race conditions with setuid shell
> scripts, and so th
* Wichert Akkerman <[EMAIL PROTECTED]> [2001.12.03 00:57:48+0100]:
> It filters based on packet content that just happens to be IP
> information. Just like the u32 filter, except the syntax is easier.
> It still bridges.
i guess you are right. my only problem is that a bridge does MAC/SNAP
and is
* Rens Houben <[EMAIL PROTECTED]> [2001.12.03 13:02:50+0100]:
> Anyways, I've been following this thread and wondering: Is there any
> reason why snort would or would not work with a bridge?
snort is a tool that primarily assesses ip, tcp, and application level
protocols. if you run it on a bridg
also sprach P Prince <[EMAIL PROTECTED]> [2001.12.30.1846 +0100]:
> The easiest and most failsafe way to secure bind is to install djbdns.
you are kidding me, right? the question was how to secure bind. the
asker wasn't in need of other religious beliefs.
while i strongly believe that djb is a r
also sprach Matthias Juchem <[EMAIL PROTECTED]> [2002.01.06.1914
+0100]:
> Does Debian (potato or woody) have tools to account IP traffic per user?
iptables, as others have suggested.
AFAIK, the recommended method of doing this is to create a chain for
every user or group of users that you inte
(i have started a thread on this on debian-isp btw.)
also sprach Matthias Juchem <[EMAIL PROTECTED]> [2002.01.07.0244 +0100]:
> There is one problem with this: the module that matches user IDs
> can only be used in the OUTPUT chain (as said in the netfilter how-to).
oh man, this sucks!
> The b
also sprach Matthias Juchem <[EMAIL PROTECTED]> [2002.01.07.0244 +0100]:
> The big problem are the ssh shell accounts. The user can start almost any
> program that listens on a socket. You wouldn't have log files from this
> program and you can only account the outgoing traffic with iptables.
wel
alright, my users don't know how to do shell, and they can't change
passwords. now, i just upgraded to squirrelmail (upgraded because i had
IMP before, barf!), which has a plugin to change the password. it's TLS
encrypted, so not too much of a problem, but in testing out poppassd,
the underlying p
also sprach Balazs Javor <[EMAIL PROTECTED]> [2002.01.09.2130 +0100]:
> Recently I've installed some IP logging packages like ippl.
> A few days ago a lot of ICMP - destination unreachable - bad port
> messages started showing up coming from my DSL router.
are you behind a firewall?
what's the e
also sprach Micah Anderson <[EMAIL PROTECTED]> [2002.01.10.0127 +0100]:
> Potato has 1.2-14 as its latest for poppasswd... I agree that
> v1.8-ceti would be a better solution, especially considering the
> security issues you cited. What does it take to get this version into
> the security updates?
also sprach Balazs Javor <[EMAIL PROTECTED]> [2002.01.09.2329 +0100]:
> Anyway just in case I misinterpreted something...
> I live in Switzerland, and I have a ZyXEL Prestige 642R DSL
> router connected to the ADSL line, which performs some NAT and
> firewalling. Then I connect my PCs through an et
also sprach Alan Aldrich <[EMAIL PROTECTED]> [2002.01.11.0502 +0100]:
> Not sure what all it did, but really played havoc with SSH and some other
> networking components and is keeping my aventail authentication server from
> honoring socks requests.
> Can someone help undo whatever it did or poin
also sprach Angus D Madden <[EMAIL PROTECTED]> [2002.01.11.0649 +0100]:
> agreed. full disk format and reinstall from backup is the only secure
> option. unless you are running something like tripwire there is no way
> to tell what the intruder did, and even then ...
... if, only if, you have t
also sprach Preben Randhol <[EMAIL PROTECTED]> [2002.01.11.1543 +0100]:
> This is not safe at all if you mean reinstall programs too. You should
> reinstall programs from the net/CD distro and update all programs that
> has security fixes.
yeah sorry, i meant that actually. reinstall debian from
also sprach Ricardo B <[EMAIL PROTECTED]> [2002.01.11.1804 +0100]:
> There is no need for a rootkit to reboot the machine in order to hide itself.
> He can be loaded as a kernel module and then hide all traces of its presence in
> the system, by overriding the proper system calls and /proc info.
also sprach Noah L. Meyerhans <[EMAIL PROTECTED]> [2002.01.11.2240 +0100]:
> Oh, it certainly can! knark is a perfect example of a kernel module to
> do just this. (knark is Swedish for "drugged".) It allows files,
> processes, network connections, and network interface promiscuity to be
> *com
also sprach Игорь Балусов <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]:
> I have run chkrootkit and get
> "Checking `bindshell'... INFECTED (PORTS: 31337)"
> What I need to do?
reinstall. no, really! unless this is a non-productive system, in which
case you are free to try to remove it. but once
also sprach Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2002.01.15.1316 +0100]:
> > Debian being what it is, are there any reasons why the debian bind
> > package should not be chroot as the default installation?
>
> RTFM. That is:
>
>http://www.debian.org/doc/manuals/securing-debi
also sprach Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2002.01.16.1522 +0100]:
> Can anyone volunteer?
i might...
> - a section host-oriented on how to setup firewall rules as a "last
> line of defense" (that's the one I have started writing) talking,
> basically, on Debian-specific issu
also sprach Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2002.01.16.1905 +0100]:
> On Wed, Jan 16, 2002 at 04:19:31PM +0100, martin f krafft wrote:
> >
> > got ya. i'll think about it. deadlines?
>
> None really. However, less than a month would be
i need to provide a way for my users to change their password on my
machines. however, most of them are too stupid for the console. so i
played with poppassd, and it might end up being my option, but today i
had another idea. so without having given it much thought, i'll ask you:
what would speak
also sprach Steve Mickeler <[EMAIL PROTECTED]> [2002.01.18.0010 +0100]:
> If they are using mindterm, then they are already in a browser, which
> means you might as well just have them use a form via ssl to change their
> password via poppassd.
yes, but did you see my recent posts on poppassd and
libpam-cracklib is nice, but how do i get PAM to enforce at least one
upper case letter, and at least one of {symbol,digit}?
also, are there any PAM programmer cracks here? i have a program here
[1] that registers with PAM as the passwd service, but since it runs as
root, it ignores libpam-cracklib
also sprach Phillip Hofmeister <[EMAIL PROTECTED]> [2002.01.18.1951 +0100]:
> I am not quite sure why you would want root's attempts to fail. root
> (I assume you) should know a good password from a bad one when you set
> it. The system will generally warn you that the passwd that you are
> sett
also sprach Christian Jaeger <[EMAIL PROTECTED]> [2002.01.19.0130 +0100]:
> You could just use the cracklib yourself before accepting the
> password and feeding it to the passwd command. I'm doing it this way.
but that wouldn't solve my problem. it wouldn't enforce digits and/or
symbols. crackli
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.19.2304 +0100]:
> Firstly the servers are physically secure and there is no relevant issue
> about having a local root console open for administration purposes.
mh. no comment. sure, if physical access would be available, no box is
secure. but
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.19.2304 +0100]:
> The question I have is if I "su - username" and then browse the web,
> etc. is it impossible for a remote user who managed to gain access to
> that user session to become root by exiting out of the user account?
an addition: y
also sprach Nathan E Norman <[EMAIL PROTECTED]> [2002.01.20.2105 +0100]:
> What I'm wondering is if PAM or some other mechanism can be used to
> prevent a user from logging in via a network connection. It looks
> like people here don't know; that's fine, I'll continue researching.
i don't know w
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.20.0245 +0100]:
> If the use of switch user has remote security implications I want to
> be able to understand them. The same as I want to be able to
> understand if leaving a root console open has remote security
> implications. Don't worry abo
also sprach Antropov Anton <[EMAIL PROTECTED]> [2002.01.21.1231 +0100]:
> > Also, which mailserver would you recommend? (I have to learn one
> > anyway.)
> I'd recommend QMail. Why? - Read some mailing lists... And this is commonly
> the question of religion.
and i'd recommend postfix.
tryin
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.1444 +0100]:
> Martin, it's a server in my spare room :-) The only person installing a
> backdoor on the server would be an unlawful intruder. Or a cat who can
> type ;-) Your points are well taken and I would follow the same security
> pract
assuming i have SecurID tokens with licenses, can i make linux
authenticate based on these *without* the use of external or commercial
software (like ACE/Server)? any experience anyone?
also sprach Phillip Hofmeister <[EMAIL PROTECTED]> [2002.01.21.1511 +0100]:
> Please, everyone flame me if this is a blatant security hole
consider yourself flamed.
> Make your [setuid] shell script secure, non-interruptible
good luck. there is *a lot* of insecurity in a shell script. yo
this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or
may not have been, be, or will be applicable to Debian Linux or Linux in
general. you have been warned. properly.
http://www.aerasec.de/security/index.html?id=ae-200201-053&lang=en
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2304 +0100]:
> > as sad as it sounds, unlawful intruders happen. this being a true
> > story, i have 11 machines in my spare room, and my house was broken
> > in once. the *only* thing the intruder did was reboot one of the
> > machines (that
also sprach Dave Kline <[EMAIL PROTECTED]> [2002.01.21.2340 +0100]:
> Woah, that does sound a little far-fetched. I am assuming there is a
> little more to this story? I would think most *physical* intruders
> would try to nab DVD players, valuables, and money, not wander into a
> spare room and
also sprach Adam Warner <[EMAIL PROTECTED]> [2002.01.21.2307 +0100]:
> Federico, are you saying that if you su - to a user account (from root)
> and then start X that you are running X as root? If so that is a major
> problem.
no, he actually says that with exec, you should theoretically be more