> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>
> Upstream OpenSSH-portable removed libwrap support in version 6.7,
> released in October 2014. We've maintained a patch in our tree to
> restore it, but it causes friction on each OpenSSH update and may
> introduce security vulnerabilities not
> On 24 Jul 2019, at 18:57, Robert Simmons wrote:
>
> I wonder if FreeBSD should drop support for 32bit? Clean out and remove all
> of it. It should make the code base easier to maintain, cleaner, and safer.
Keeping 32 and 64 bit code has an interesting side effect. It kinda forces to
keep
> On 15 May 2019, at 16:33, mike tancsa wrote:
>
>> on /etc/rc.conf with the devcpu-data port installed and as far as I know it
>> updated the microcode.
>>
>> The script in /usr/local/etc/rc.d used cpucontrol(8) to load it.
>>
>> Or am I holding it wrong?
>
> Supposedly 2 ways to do it.
> On 15 May 2019, at 15:32, mike tancsa wrote:
>
> Actually, just tried this on RELENG_11 (r347613) and I get
>
> don't know how to load module '/boot/firmware/intel-ucode.bin'
>
> In boot/loader.conf I have
>
> cpu_microcode_load="YES"
> cpu_microcode_name="/boot/firmware/intel-ucode.bin”
> On 24 Oct 2017, at 17:25, Ian Lepore wrote:
>
> No, lockf -t 0 means to exit without waiting, with status EX_TEMPFAIL,
> if the lock cannot be acquired immediately. In light of that, the rest
> of your report/request doesn't make sense. Jobs won't stack up,
> they'll fail
> On 24 Oct 2017, at 16:41, Alan Somers <asom...@freebsd.org> wrote:
>
> On Tue, Oct 24, 2017 at 3:07 AM, Borja Marcos <bor...@sarenet.es> wrote:
> Are you talking about the lockf in /usr/sbin/periodic? It already has
> a timeout of 0, which should preven
Hi,
I’ve come across a problem with the “daily” security job. On an overloaded
system with lots of ZFS datasets, lots of files, heavy system load and, to add
insult to injury, a ZFS scrub going on the find’s issued by the periodic checks
can take forever. They can take so long, I have found
On Aug 27, 2015, at 3:08 PM, Mike Tancsa wrote:
On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
For the latter two, I am trying to understand in the context of a shared
hosting system. Could one user with sftp access to their own directory
use these bugs to gain access to another user's
On Feb 11, 2014, at 6:27 PM, Andreas Jonsson wrote:
Hi list,
I think that being able to set the MAC process label from rc.conf would
be a better and more flexible way of moving forward, so that modifying
rc-scripts everywhere would be unnecessary.
For a default label, I think the right
On Dec 3, 2009, at 12:27 PM, Ivan Voras wrote:
Borja Marcos wrote:
On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:
A short time ago a local root exploit was posted to the full-disclosure
mailing list; as the name suggests, this allows a local user to execute
arbitrary code
On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:
A short time ago a local root exploit was posted to the full-disclosure
mailing list; as the name suggests, this allows a local user to execute
arbitrary code as root.
Dr. Strangelove, or How I learned to love the MAC subsystem.
On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:
On Mon, 9 Feb 2009, Borja Marcos wrote:
On Feb 7, 2009, at 11:21 PM, Robert Watson wrote:
I'm trying to upgrade the configuration of some web services,
already using the MAC subsystem, to use ZFS instead of UFS, but I
see that ZFS
On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:
This is the expected behavior for a single-label file system -- that
is to say, a file system that doesn't support storing multiple
labels. If EA support in ZFS is mature, it should be fairly
straight forward to implement multi-label
On Feb 7, 2009, at 11:21 PM, Robert Watson wrote:
I'm trying to upgrade the configuration of some web services,
already using the MAC subsystem, to use ZFS instead of UFS, but I
see that ZFS doesn't support MAC labels, even for a whole
filesystem, which would be fine for me, I don't need
Hello,
I'm trying to upgrade the configuration of some web services, already
using the MAC subsystem, to use ZFS instead of UFS, but I see that ZFS
doesn't support MAC labels, even for a whole filesystem, which would
be fine for me, I don't need multilabel support.
Any ideas? Have I
Hello,
I'm trying to set up a DNS server under FreeBSD using the mac_biba
policy. I use to run bind in low-integrity mode, so that neither it nor
any of its descendants can modify configuration files, etc.
With previous FreeBSD versions there was a handy sysctl setting,
Hello,
Are there many people actually using the MAC subsystem in the real
world? I have been working to set up a shared hosting webserver and
I've stumbled against some limitations with the BIBA policy.
In short, it's an excellent model, and can be used successfully if
applications are
Unfortunately the MAC framework just doesn't seem to get
as much attention as I'd like. I think the problem was
that the TrustedBSD project seemed very 'closed' in that the
site was quite rarely updated and it was difficult to get news
on developments. It seemed, for a long time, that nobody was
(crossposted to freebsd-security just in case someone has to slap me) :)
Hello,
I'm doing some work with the MAC subsystem in FreeBSD, and I have
spotted some errors in the MAC documentation in the handbook.
1- Section 15.14.4. Error in the example dropping users nagios and
www into the
Regarding the multi-level idea, it would be a second phase. I would
like to be able to contain effectively a possible root escalation
from a poorly written CGI or PHP script. I know, it would be anyway
extremely hard. But if we could launch the web server process with
an additional lower
Hello,
I've been playing a bit with the noexec flag for filesystems. It
can represent a substantial obstacle against the exploitation of
security holes.
However, I think it's not perfect yet.
First thing, an attempt to execute a program from a noexec-mounted
filesystem should be
As long as you can disable/limit the logging. One very nasty attack would be
to loop trying to run a binary. Blow your logging partition. Somebody could
then use that to do other things that would normally be logged, safe in the
knowledge that their activities wouldn't be logged.
I've