also sprach Tim Haynes (on Sun, 01 Jul 2001 05:02:26PM +0100):
In the init.d scripts, you'll find it easiest to rip out the
start-stop-daemon stuff and run the command directly,
/usr/sbin/named -t /etc/bind -u named
unless you're a purist in which case, you tell me how instead ;)
also sprach Anders Gj?re (on Fri, 13 Jul 2001 10:52:09AM +0200):
does sudo by default allow the sudo-user to run every program,
or just the program you specify?
the latter, of course.
how will sudo work if you use the time command?
like time vim /etc/passwd
if you allow time with arbitrary
also sprach Dan Hutchinson (on Fri, 13 Jul 2001 03:51:49PM -0400):
Does anyone know of a secure network file system
like Active Directories from Microsoft
^
hahahahaha!
um. do you read bugtraq
or: have you ever administered one of those dreadfully sad
On Thu, Aug 30, 2001 at 11:14:33PM -0300, Alisson Sellaro wrote:
I was checking my firewall logs and have detected lots of TCP/113 dropped
packets. Checking /etc/services I realized it was ident traffic. What do
you think about such service? Should I let it blocked or should I allow it
also sprach Ethan Benson (on Fri, 31 Aug 2001 01:38:45AM -0800):
honest question: whose business is the name of a user who initiated a
connection??? identd is a horrible concept and elicits shrieks among
the security conscious. i do understand that you need it for this and
that, so
also sprach Martin Fluch (on Fri, 31 Aug 2001 01:02:58PM +0300):
Consider the following situation: You admin a computer and some user
tries to attack another computer from this one. Then the admin of
the attacked computer can tell _you_, from which user the attack was
coming, which helps you.
also sprach Christian Kurz (on Fri, 31 Aug 2001 10:12:31AM +0200):
honest question: whose business is the name of a user who initiated a
connection???
It can be some sort of help if you have a system with lots of users and
complaints about one. Some admins may be able to send you the
also sprach Christian Kurz (on Fri, 31 Aug 2001 10:07:05AM +0200):
I have had a lot of problems running non-Debian software when I
disable ident. It seems like the licensing daemons expect to find
What the hell is a licensing daemon? And which package contains this
software in debian?
also sprach Colin Phipps (on Fri, 31 Aug 2001 11:31:53AM +0100):
Not if configured appropriately. Good identds don't allow reverse ident
scanning anymore.
okay, i must admit i didn't know this...
Agreed, leaking UIDs is serious. Which is why modern identds support returning
crypted uids
also sprach Layne (on Sat, 01 Sep 2001 12:30:54AM -0400):
I'M JUST JOKING .RIGHT. I GOT 80 SPAM MESSAGES YESTERDAY AND 80
MORE TODAY I DIDN'T SUBSCRIBE TO. WHAT GIVES. THIS IS NUTS.
which are clearly my fault, you impersonation of freudian depression.
do me a favor and leave the list
also sprach Layne (on Fri, 31 Aug 2001 11:04:30PM -0400):
MARTIN FONDLES YOUNG BOYS.
which one?
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^.*|tr * mailto:; net@madduck
--
and no one sings me lullabies,
and no one makes me close my eyes,
and so i
also sprach Bud Rogers (on Sat, 01 Sep 2001 07:13:06AM -0500):
I put him in a filter. Every mail I receive from him gets forwarded back to
him and to postmaster and abuse at his ISP. I don't think he'll be around
long.
i think all this started because i auto-reply to micro$oft users,
also sprach Bud Rogers (on Sat, 01 Sep 2001 07:58:12AM -0500):
i think all this started because i auto-reply to micro$oft users,
telling them about www.vcnet.com/bms and www.unix-vs-nt.org and he
didn't like that :)
Martin, you may have set him off but I don't think you're responsible.
also sprach Lupe Christoph (on Sat, 01 Sep 2001 12:40:44PM +0200):
also sprach Layne (on Fri, 31 Aug 2001 11:04:30PM -0400):
MARTIN FONDLES YOUNG BOYS.
which one?
Which Martin or which boy? *-O
boys is plural. so syntactically speaking the one can only refer to
martin. but hey, i agree
also sprach Alvin Oga (on Mon, 10 Sep 2001 09:08:51AM -0700):
for the firewall ...
- it should be running a secure linux/bsd distro
and only ipchains
( some might wanna run dns on it too...but...
for the entire thread, not just alvinn
ipchains/iptables is really just
also sprach Tim Haynes (on Mon, 17 Sep 2001 05:05:27PM +0100):
Unless I'm well mistaken, of course... But I'd never trust a key whose
fingerprint had turned up in public before.
that's a little ridiculous, isn't it, given that i can use my gpg to
view the fingerprint of your public key, which
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2001.10.04 09:48:08+0600]:
What can I do if my program is working in a chrooted environment
and using the /proc filesystem? I use chroot and mount the whole /proc filesystem in
the chroot environment.
Can I mount part of /proc?
with 2.4.x kernels:
mount --bind
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2001.10.18 15:02:19-0400]:
Please let me know also,
because I have been getting empty messages from root too
snort in stable and in testing seems to do this out of the box.
however, the UID *is* weird...
--
martin; (greetings from the heart
* Tom Breza [EMAIL PROTECTED] [2001.10.18 21:26:17+0100]:
but I don't have snort, and I got this message a second time; the first time
I was too busy and just ignored it, but it seems to repeat...
what time? if 6am'ish, then try all your cron.daily scripts by hand and
see which one emails you
is stock (non Debian) 2.4.12 now secure or not? i am getting confused.
if it isn't, where can i find patches for it to make it secure?
sorry to be asking so blatantly, but i don't have much time to worry
about my private systems these days. please help.
--
martin; (greetings from
* eim [EMAIL PROTECTED] [2001.10.22 12:44:03+0200]:
Is this a good choice ? or should I put another machine in my
Network, between the Gateway and the Servers, which acts as Firewall ?
what's a firewall for you? a packet filter? you can surely install a
packet filter on every box. iptables of
* Bryan Andersen [EMAIL PROTECTED] [2001.11.06 05:23:05-0600]:
Another possibility would be to have them replace the hubs with
switches, this assumes you are using twisted pair, not thin net
or thick net.
which is not secure due to arp flooding.
i'll happily give you a POP3 account over
* Bryan Andersen [EMAIL PROTECTED] [2001.11.15 12:51:01-0600]:
B... Wrong.
If you don't trust root, you're hosed. Root can change the app so he
has your keys... Root can also change the tty drivers so they are
all silently logged. There is no way to secure it fully unless you
* Mathias Gygax [EMAIL PROTECTED] [2001.11.16 15:06:54+0100]:
well, i thought this is the definition of root.
no. with LIDS you can protect files and syscalls even from root. in my
setup, root cannot even write to his own home directory.
... which root can change at convenience. this
* Mathias Gygax [EMAIL PROTECTED] [2001.11.16 14:36:30+0100]:
Root is God. Anything you do on the system is potentially visible to
root.
this is, with the right patches applied, not true.
^^
can very fine tune the setup. for a real
* Wade Richards [EMAIL PROTECTED] [2001.11.15 22:17:39-0800]:
This is the sort of absolutist nonsense that gives security experts a
bad name. After all, anyone armed with a chainsaw can cut through a
solid oak door in a matter of hours, so why bother installing a deadbolt
on your door?
get
* Mathias Gygax [EMAIL PROTECTED] [2001.11.18 17:58:46+0100]:
excellent. you know what i did: i just remove the root:0:... line from
/etc/passwd and /etc/shadow. now i can't be root. that must be perfect
security. yeah!
before you shout, think twice. this is READ-only on my system. you
* op [EMAIL PROTECTED] [2001.11.27 10:23:57+0100]:
I specify the users in /etc/ssh/sshd_config who are allowed to connect via
ssh. But I'd like some more control. I'd like to control which subnets user x
can connect from. Some should be allowed to connect from anywhere but some
should
* Wichert Akkerman [EMAIL PROTECTED] [2001.11.27 12:23:04+0100]:
The @HOST bit may be new in OpenSSH 3 though.
yes. and it can't take a network, so you'd have to enter one entry per
user/machine permutation...
--
martin; (greetings from the heart of the sun.)
\ echo mailto:
* Giacomo Mulas [EMAIL PROTECTED] [2001.11.28 18:11:40+0100]:
I've installed a linux bridge with 2.4.14 kernel and the
bridge-utils packages
I am VERY interested, since I administer a transparent firewall
myself. My firewall uses proxy arp (I implemented it in the old
2.2.x kernel +
* Simon Murcott [EMAIL PROTECTED] [2001.11.29 16:31:12+1300]:
One point you are missing is that it is possible using this kind of
configuration to create a firewall where you cannot address any of its
external interfaces. So how can you do an intrusion attack on a firewall
that you cannot
* Attila Nagy [EMAIL PROTECTED] [2001.11.29 14:30:56+0100]:
a firewall needs to have IP routing capabilities to be able to enforce
rules (same for a packet filter),
?
A proxy firewall doesn't need to have IP routing capabilities (eg.
forwarding packet between interfaces). And a proxy
* William R. Ward [EMAIL PROTECTED] [2001.11.29 18:00:40-0800]:
Question: Is it generally considered secure enough to sudo a bash
script like your sucpaliases? Or should a C equivalent be written
instead?
no. especially not the quick'n'dirty version that alvin posted. i am
not criticizing,
* Wichert Akkerman [EMAIL PROTECTED] [2001.12.02 12:59:38+0100]:
Wrong :). Someone (forgot his name unfortunately) already implemented
this. If you ask on the netfilter list they should be able to point
you to the right patch.
oh my, everyone is misunderstanding my non-important, trivial
* Wichert Akkerman [EMAIL PROTECTED] [2001.12.02 22:30:02+0100]:
Why is a filtering bridge no longer a bridge? It does not route, it
does not change packets, it just selectively does not pass some on.
A broken bridge maybe from a strict standpoint, but still a bridge.
because it's filtering
* William R Ward [EMAIL PROTECTED] [2001.12.04 10:48:19-0800]:
Right; but assuming one takes care of this kind of issue, is there
anything inherently unsafe about running shell scripts through sudo?
I understand that there are risks of race conditions with setuid shell
scripts, and so they
* Wichert Akkerman [EMAIL PROTECTED] [2001.12.03 00:57:48+0100]:
It filters based on packet content that just happens to be IP
information. Just like the u32 filter, except the syntax is easier.
It still bridges.
i guess you are right. my only problem is that a bridge does MAC/SNAP
and is
* Rens Houben [EMAIL PROTECTED] [2001.12.03 13:02:50+0100]:
Anyways, I've been following this thread and wondering: Is there any
reason why snort would or would not work with a bridge?
snort is a tool that primarily assesses ip, tcp, and application level
protocols. if you run it on a bridge,
also sprach Matthias Juchem [EMAIL PROTECTED] [2002.01.06.1914 +0100]:
Does Debian (potato or woody) have tools to account IP traffic per user?
iptables, as others have suggested.
AFAIK, the recommended method of doing this is to create a chain for
every user or group of users that you intend
(i have started a thread on this on debian-isp btw.)
also sprach Matthias Juchem [EMAIL PROTECTED] [2002.01.07.0244 +0100]:
There is one problem with this: the module that matches user IDs
can only be used in the OUTPUT chain (as said in the netfilter how-to).
oh man, this sucks!
The big
also sprach Matthias Juchem [EMAIL PROTECTED] [2002.01.07.0244 +0100]:
The big problem is the ssh shell accounts. The user can start almost any
program that listens on a socket. You wouldn't have log files from this
program and you can only account the outgoing traffic with iptables.
well
alright, my users don't know how to do shell, and they can't change
passwords. now, i just upgraded to squirrelmail (upgraded because i had
IMP before, barf!), which has a plugin to change the password. it's TLS
encrypted, so not too much of a problem, but in testing out poppassd,
the underlying
also sprach Balazs Javor [EMAIL PROTECTED] [2002.01.09.2130 +0100]:
Recently I've installed some IP logging packages like ippl.
A few days ago a lot of ICMP - destination unreachable - bad port
messages started showing up coming from my DSL router.
are you behind a firewall?
what's the exact
also sprach Alan Aldrich [EMAIL PROTECTED] [2002.01.11.0502 +0100]:
Not sure what all it did, but really played havoc with SSH and some other
networking components and is keeping my aventail authentication server from
honoring socks requests.
Can someone help undo whatever it did or point me
also sprach Angus D Madden [EMAIL PROTECTED] [2002.01.11.0649 +0100]:
agreed. full disk format and reinstall from backup is the only secure
option. unless you are running something like tripwire there is no way
to tell what the intruder did, and even then ...
... if, only if, you have the
also sprach Preben Randhol [EMAIL PROTECTED] [2002.01.11.1543 +0100]:
This is not safe at all if you mean reinstall programs too. You should
reinstall programs from the net/CD distro and update all programs that
have security fixes.
yeah sorry, i meant that actually. reinstall debian from
also sprach Ricardo B [EMAIL PROTECTED] [2002.01.11.1804 +0100]:
There is no need for a rootkit to reboot the machine in order to hide himself.
He can be loaded as a kernel module and then hide all traces of its presence in
the system, by overriding the proper system calls and /proc info.
also sprach Noah L. Meyerhans [EMAIL PROTECTED] [2002.01.11.2240 +0100]:
Oh, it certainly can! knark is a perfect example of a kernel module to
do just this. (knark is Swedish for drugged.) It allows files,
processes, network connections, and network interface promiscuity to be
also sprach Игорь Балусов [EMAIL PROTECTED] [2002.01.11.2316 +0100]:
I have run chkrootkit and get
Checking `bindshell'... INFECTED (PORTS: 31337)
What I need to do?
reinstall. no, really! unless this is a non-productive system, in which
case you are free to try to remove it. but once you
also sprach Javier Fernández-Sanguino Peña [EMAIL PROTECTED] [2002.01.15.1316 +0100]:
Debian being what it is, are there any reasons why the debian bind
package should not be chroot as the default installation?
RTFM. That is:
also sprach Javier Fernández-Sanguino Peña [EMAIL PROTECTED] [2002.01.16.1905 +0100]:
On Wed, Jan 16, 2002 at 04:19:31PM +0100, martin f krafft wrote:
got ya. i'll think about it. deadlines?
None really. However, less than a month would be nice :)
:(
i don't think i can make
i need to provide a way for my users to change their password on my
machines. however, most of them are too stupid for the console. so i
played with poppassd, and it might end up being my option, but today i
had another idea. so without having given it much thought, i'll ask you:
what would speak
also sprach Steve Mickeler [EMAIL PROTECTED] [2002.01.18.0010 +0100]:
If they are using mindterm, then they are already in a browser, which
means you might as well just have them use a form via ssl to change their
password via poppassd.
yes, but did you see my recent posts on poppassd and its
libpam-cracklib is nice, but how do i get PAM to enforce at least one
upper case letter, and at least one of {symbol,digit}?
also, are there any PAM programmer cracks here? i have a program here
[1] that registers with PAM as the passwd service, but since it runs as
root, it ignore
also sprach Phillip Hofmeister [EMAIL PROTECTED] [2002.01.18.1951 +0100]:
I am not quite sure why you would want root's attempts to fail. root
(I assume you) should know a good password from a bad one when you set
it. The system will generally warn you that the passwd that you are
setting
also sprach Christian Jaeger [EMAIL PROTECTED] [2002.01.19.0130 +0100]:
You could just use the cracklib yourself before accepting the
password and feeding it to the passwd command. I'm doing it this way.
but that wouldn't solve my problem. it wouldn't enforce digits and/or
symbols. cracklib
also sprach Adam Warner [EMAIL PROTECTED] [2002.01.19.2304 +0100]:
Firstly the servers are physically secure and there is no relevant issue
about having a local root console open for administration purposes.
mh. no comment. sure, if physical access would be available, no box is
secure. but
also sprach Adam Warner [EMAIL PROTECTED] [2002.01.19.2304 +0100]:
The question I have is if I su - username and then browse the web,
etc. is it impossible for a remote user who managed to gain access to
that user session to become root by exiting out of the user account?
an addition: your
also sprach Nathan E Norman [EMAIL PROTECTED] [2002.01.20.2105 +0100]:
What I'm wondering is if PAM or some other mechanism can be used to
prevent a user from logging in via a network connection. It looks
like people here don't know; that's fine, I'll continue researching.
i don't know why
also sprach Adam Warner [EMAIL PROTECTED] [2002.01.20.0245 +0100]:
If the use of switch user has remote security implications I want to
be able to understand them. The same as I want to be able to
understand if leaving a root console open has remote security
implications. Don't worry about
also sprach Antropov Anton [EMAIL PROTECTED] [2002.01.21.1231 +0100]:
Also, which mailserver would you recommend? (I have to learn one
anyway.)
I'd recommend QMail. Why? - Read some mailing lists... And this is commonly
the question of religion.
and i'd recommend postfix.
trying hard
also sprach Adam Warner [EMAIL PROTECTED] [2002.01.21.1444 +0100]:
Martin, it's a server in my spare room :-) The only person installing a
backdoor on the server would be an unlawful intruder. Or a cat who can
type ;-) Your points are well taken and I would follow the same security
practices
assuming i have SecurID tokens with licenses, can i make linux
authenticate based on these *without* the use of external or commercial
software (like ACE/Server)? any experience anyone?
--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^.*|tr * mailto:;
also sprach Phillip Hofmeister [EMAIL PROTECTED] [2002.01.21.1511 +0100]:
Please, everyone flame me if this is a blatant security hole
consider yourself flamed.
Make your [setuid] shell script secure, non-interruptible
good luck. there is *a lot* of insecurity in a shell script. you
this is a proof-of-concept post. it's a FreeBSD exploit, thus it may or
may not have been, be, or will be applicable to Debian Linux or Linux in
general. you have been warned. properly.
http://www.aerasec.de/security/index.html?id=ae-200201-053lang=en
--
martin; (greetings from
also sprach Adam Warner [EMAIL PROTECTED] [2002.01.21.2304 +0100]:
as sad as it sounds, unlawful intruders happen. this being a true
story, i have 11 machines in my spare room, and my house was broken
in once. the *only* thing the intruder did was reboot one of the
machines (that was his
also sprach Dave Kline [EMAIL PROTECTED] [2002.01.21.2340 +0100]:
Woah, that does sound a little far-fetched. I am assuming there is a
little more to this story? I would think most *physical* intruders
would try to nab DVD players, valuables, and money, not wander into a
spare room and whip
also sprach Adam Warner [EMAIL PROTECTED] [2002.01.21.2307 +0100]:
Federico, are you saying that if you su - to a user account (from root)
and then start X that you are running X as root? If so that is a major
problem.
no, he actually says that with exec, you should theoretically be more
also sprach Christian Jaeger [EMAIL PROTECTED] [2002.01.22.0111 +0100]:
Now you may say don't build packages as root, use fakeroot instead.
Well I have always used it, and somehow thought I'm safe, but I'm
not: the permissions modes (like 4755) make it through to the real
filesystem, only
also sprach Wichert Akkerman [EMAIL PROTECTED] [2002.01.22.0122 +0100]:
There is some support in PAM and in OpenSSH. I have a cryptocard
RB-1 token now which I intend to get working with OpenSSH at least
once I have some free time to spend on it.
yeah, but that's OpenSSH only (which *is* 99%
also sprach Christian Jaeger [EMAIL PROTECTED] [2002.01.22.0129 +0100]:
They were accessible, because I didn't realize that there was a risk,
and because it's convenient when other users on the system can grab
the finished .deb's from the build dir (to install them on their
machine)
also sprach Adam Warner [EMAIL PROTECTED] [2002.01.22.0511 +0100]:
I realise now that I have witnessed this kind of issue before (In some
circumstances, it's possible for a non-privileged process to have `root'
as the login name returned by getlogin.)
okay, and that does it for me. can you
also sprach Ralf Dreibrodt [EMAIL PROTECTED] [2002.01.24.1905 +0100]:
and then no user, who has a valid shell has to enter the old password
from user x, when he wants to change the password of user x.
perhaps even if x=root ;-)
/bin/passwd does not allow the specification of a username,
also sprach Jerry Lynde [EMAIL PROTECTED] [2002.02.25.2218 +0100]:
I just wouldn't suggest anyone use BIND in the same sense that I wouldn't
suggest they ride a Harley naked on snow-packed icy roads... something bad's
bound to happen...
you are asking for it... i would consider my BIND
also sprach Javier Fernández-Sanguino Peña [EMAIL PROTECTED] [2002.03.07.1054 +0100]:
Debian could provide, with only some effort from package
maintainers versions of daemons chrooted to given environments. This
however, might break Policy (IMHO).
how would it break policy?
also sprach Noah Meyerhans [EMAIL PROTECTED] [2002.03.29.2149 +0100]:
No, it is in fact not fixed. We are still vulnerable. I have confirmed
this myself with the proftpd packages from security.debian.org.
If you don't believe me, try it...
i did. and it wasn't vulnerable. i will try again
so proftpd_1.2.0pre10-2.0potato1_i386.deb is buggy. and that's known
for over a year, supposedly. i can't NMU yet, so someone please
rebuild the package, add the following to the Global context of
/etc/proftpd.conf
DenyFilter \*.*/
and then NMU it, or Johnie's listening and will do it
dear bugtraq'ers,
i must confess that the information i provided wrt the acclaimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*
despite having been fixed, according to the changelog:
proftpd
also sprach Noah Meyerhans [EMAIL PROTECTED] [2002.03.29.2332 +0100]:
Such a package has existed at http://people.debian.org/~ivo/ for over a
year.
okay, but no one knows about it. why isn't it on security.debian.org
yet???
--
martin; (greetings from the heart of the sun.)
also sprach Wichert Akkerman [EMAIL PROTECTED] [2002.03.31.1602 +0200]:
i don't get it. will someone please push this package ivo made as an
NMU into security.debian.org ASAP? i'd do it myself, but i am still
waiting for DAM approval...
I'd like someone to answer my question first: how
also sprach Wichert Akkerman [EMAIL PROTECTED] [2002.03.31.2009 +0200]:
Because it might impact other packages as well.
sure, but the upload won't.
I'd rather make sure we don't have a bug in multiple packages than
a reasonably harmless semi-bug in a single package.
that's a purist
also sprach Wichert Akkerman [EMAIL PROTECTED] [2002.04.02.1250 +0200]:
It does, and in fact it's a very good approach: make sure you study
what the real problem is instead of trying to fix things with bandaid.
wrong. fix things with bandaid to give you more time to find the real
problem. i am
dear list,
look, i am really not here to start a flame war and heck no, i don't
want one. please excuse if my behaviour has been leading you onto this
belief (or maybe not). i am simply failing to grasp the arguments laid
out by wichert. that is, i don't disagree with him per se, but i have
the
also sprach Andrew Pimlott [EMAIL PROTECTED] [2002.04.03.1754 +0200]:
There are several good reasons:
- If a band-aid fix is allowed, there is less incentive to find
the correct fix.
true. doesn't mean that we have to fall into that hole.
- If the problem isn't understood, there
also sprach Nathan E Norman [EMAIL PROTECTED] [2002.04.03.0732 +0200]:
well, i am calm, but i disagree. sure, it boils down to the question
who debian's audience are, but for all i am concerned, debian's
reputation _used_ to include security, and the reason why i'd (as in
would and had)
also sprach Andrew Pimlott [EMAIL PROTECTED] [2002.04.04.0135 +0200]:
this problem is understood by the developers of proftpd
Wichert said that nobody has explained why the current fix on s.d.o
doesn't work. If the problem is understood, why hasn't someone
explained this? That's all that
also sprach Alun Jones [EMAIL PROTECTED] [2002.04.04.0445 +0200]:
DenyFilter \*.*/
Just as a quick question, why not deny the string /../ (you may have to
deny the regex /\.\./, depending how the filter in question works)?
quick answer: because i merely copied the fix from the security
also sprach Halil Demirezen [EMAIL PROTECTED] [2002.04.16.1911 +0200]:
I am planning to write code that will load the users terminal screens to
my screen. And root will surely manage that. Is there anyone to tell me
any link which contains information about this subject.
also sprach Nik Engel [EMAIL PROTECTED] [2002.04.22.1204 +0200]:
Meaning to say, htaccess is only working from outside. But when i want
to reach the apache server from the inside network i don't need to
authenticate ?
Order Allow,Deny
Allow from 10.0.0.0/8
AuthName "realm name"
AuthType Basic
also sprach Nik Engel [EMAIL PROTECTED] [2002.04.22.1236 +0200]:
That is clear, but i want to have an .htpasswd auth from outside and
from inside noauth for the same host:
meaning :
.htpasswd for any/0 ! 192.168.0.0/8
is this suitable ?
did you try my suggestion? it does what you
also sprach eim [EMAIL PROTECTED] [2002.04.26.1757 +0200]:
With https data will be encrypted and it's impossible to
find out login and password because they're not sent over
the net in a clear way.
never say impossible.
--
martin; (greetings from the heart of the sun.)
\
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.26.1955 +0200]:
Second more, if your users are allowed to have pages on the same
address as the login system, the browser can, without much effort,
be tricked into giving away your systems username and password to
a personal user page...
how?
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.27.2120 +0200]:
you know their algorithm against MAC table overflow?
No I don't.. I would be very interested in reading about it, if you know of
a link.. I'm sure that it would be possible to enforce some level of
security..
it's quite
also sprach Peter Cordes [EMAIL PROTECTED] [2002.05.10.2333 +0200]:
Err, I guess you would need get-selections|grep 'install$'|cut -f1
why not
dpkg --get-selections|grep -v 'deinstall$'|cut -f1
you want to save status, and since 'install$' matches lines ending in
'deinstall' as well ;^
--
also sprach Peter Cordes [EMAIL PROTECTED] [2002.05.11.0155 +0200]:
nope, purge is a possible status too.
since when?
fishbowl:~ dpkg --get-selections | grep purge
fishbowl:~
--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^.*|tr * mailto:; net@madduck
also sprach David Stanaway [EMAIL PROTECTED] [2002.05.11.0904 +0200]:
Since the last time you hit _ in dselect maybe.
dstanawa@ciderbox:~$ dpkg --get-selections |grep purge
aptitude purge
dstanawa@ciderbox:~$ sudo dpkg --purge aptitude
(Reading database
also sprach Michelle Konzack [EMAIL PROTECTED] [2002.09.14.1334 +0200]:
It may be a very big security problem...
at least i can't reproduce that on a grsecurity 1.9.6 enabled kernel.
--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^.*|tr * mailto:;
also sprach Mark Janssen [EMAIL PROTECTED] [2002.09.24.0914 +0200]:
I suggest you first read:
http://home.rica.net/alphae/419coal/
Which clearly describes the working of this scam... Just ignore it, or
send it on to the relevant government agency...
I don't think that Brad was very
[joey, CCing you to make sure you see this immediately. you probably
read debian-security too, i'd assume...]
Check out
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2002.765.1
DSA 169 is htcheck, not tomcat, right? At least that's the case on
www.debian.org.
What's
also sprach martin f krafft [EMAIL PROTECTED] [2002.10.04.1810 +0200]:
Check out
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2002.765.1
DSA 169 is htcheck, not tomcat, right? At least that's the case on
www.debian.org.
Sorry, this has already been addressed
1 - 100 of 413 matches