Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd

2020-02-16 Thread Borja Marcos
> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>
> Upstream OpenSSH-portable removed libwrap support in version 6.7, released in October 2014. We've maintained a patch in our tree to restore it, but it causes friction on each OpenSSH update and may introduce security vulnerabilities not

Re: Old Stuff

2019-08-05 Thread Borja Marcos
> On 24 Jul 2019, at 18:57, Robert Simmons wrote:
>
> I wonder if FreeBSD should drop support for 32bit? Clean out and remove all of it. It should make the code base easier to maintain, cleaner, and safer.

Keeping 32 and 64 bit code has an interesting side effect. It kinda forces to keep

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

2019-05-15 Thread Borja Marcos via freebsd-security
> On 15 May 2019, at 16:33, mike tancsa wrote:
>
>> on /etc/rc.conf with the devcpu-data port installed and as far as I know it updated the microcode.
>>
>> The script in /usr/local/etc/rc.d used cpucontrol(8) to load it.
>>
>> Or am I holding it wrong?
>
> Supposedly 2 ways to do it.

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

2019-05-15 Thread Borja Marcos via freebsd-security
> On 15 May 2019, at 15:32, mike tancsa wrote:
>
> Actually, just tried this on RELENG_11 (r347613) and I get
>
> don't know how to load module '/boot/firmware/intel-ucode.bin'
>
> In boot/loader.conf I have
>
> cpu_microcode_load="YES"
> cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Re: Periodic jobs lockf timeout

2017-10-24 Thread Borja Marcos
> On 24 Oct 2017, at 17:25, Ian Lepore wrote:
>
> No, lockf -t 0 means to exit without waiting, with status EX_TEMPFAIL, if the lock cannot be acquired immediately. In light of that, the rest of your report/request doesn't make sense. Jobs won't stack up, they'll fail

Re: Periodic jobs lockf timeout

2017-10-24 Thread Borja Marcos
> On 24 Oct 2017, at 16:41, Alan Somers <asom...@freebsd.org> wrote:
>
> On Tue, Oct 24, 2017 at 3:07 AM, Borja Marcos <bor...@sarenet.es> wrote:
> Are you talking about the lockf in /usr/sbin/periodic? It already has a timeout of 0, which should preven

Periodic jobs lockf timeout

2017-10-24 Thread Borja Marcos
Hi, I’ve come across a problem with the “daily” security job. On an overloaded system with lots of ZFS datasets, lots of files, heavy system load and, to add insult to injury, a ZFS scrub going on, the finds issued by the periodic checks can take forever. They can take so long, I have found

Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh

2015-08-27 Thread Borja Marcos
On Aug 27, 2015, at 3:08 PM, Mike Tancsa wrote:

On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:

For the latter two, I am trying to understand in the context of a shared hosting system. Could one user with sftp access to their own directory use these bugs to gain access to another user's

Re: Proposal: tunable default/init label for MAC policies

2014-02-12 Thread Borja Marcos
On Feb 11, 2014, at 6:27 PM, Andreas Jonsson wrote:

Hi list, I think that being able to set the MAC process label from rc.conf would be a better and more flexible way of moving forward, so that modifying rc-scripts everywhere would be unnecessary. For a default label, I think the right

Re: Upcoming FreeBSD Security Advisory

2009-12-03 Thread Borja Marcos
On Dec 3, 2009, at 12:27 PM, Ivan Voras wrote:

Borja Marcos wrote:

On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:

A short time ago a local root exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code

Re: Upcoming FreeBSD Security Advisory

2009-12-01 Thread Borja Marcos
On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:

A short time ago a local root exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root.

Dr. Strangelove, or How I learned to love the MAC subsystem. #

Re: MAC subsystem and ZFS?

2009-02-12 Thread Borja Marcos
On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

On Mon, 9 Feb 2009, Borja Marcos wrote:

On Feb 7, 2009, at 11:21 PM, Robert Watson wrote:

I'm trying to upgrade the configuration of some web services, already using the MAC subsystem, to use ZFS instead of UFS, but I see that ZFS

Re: MAC subsystem and ZFS?

2009-02-12 Thread Borja Marcos
On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

This is the expected behavior for a single-label file system -- that is to say, a file system that doesn't support storing multiple labels. If EA support in ZFS is mature, it should be fairly straight forward to implement multi-label

Re: MAC subsystem and ZFS?

2009-02-09 Thread Borja Marcos
On Feb 7, 2009, at 11:21 PM, Robert Watson wrote:

I'm trying to upgrade the configuration of some web services, already using the MAC subsystem, to use ZFS instead of UFS, but I see that ZFS doesn't support MAC labels, even for a whole filesystem, which would be fine for me, I don't need

MAC subsystem and ZFS?

2009-02-05 Thread Borja Marcos
Hello, I'm trying to upgrade the configuration of some web services, already using the MAC subsystem, to use ZFS instead of UFS, but I see that ZFS doesn't support MAC labels, even for a whole filesystem, which would be fine for me, I don't need multilabel support. Any ideas? Have I

MAC subsystem problem (FreeBSD 7)

2008-02-15 Thread Borja Marcos
Hello, I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I used to run bind in low-integrity mode, so that neither it nor any of its descendants can modify configuration files, etc. With previous FreeBSD versions there was a handy sysctl setting,

Proposal: MAC_BIBA and real-world usage

2006-10-10 Thread Borja Marcos
Hello, Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy. In short, it's an excellent model, and can be used successfully if applications are

Re: MAC policies and shared hosting

2006-05-11 Thread Borja Marcos
Unfortunately the MAC framework just doesn't seem to get as much attention as I'd like. I think the problem was that the TrustedBSD project seemed very 'closed' in that the site was quite rarely updated and it was difficult to get news on developments. It seemed, for a long time, that nobody was

Errors in the FreeBSD handbook (MAC framework)

2006-05-09 Thread Borja Marcos
(crossposted to freebsd-security just in case someone has to slap me) :) Hello, I'm doing some work with the MAC subsystem in FreeBSD, and I have spotted some errors in the MAC documentation in the handbook. 1- Section 15.14.4. Error in the example dropping users nagios and www into the

Re: MAC policies and shared hosting

2006-05-05 Thread Borja Marcos
Regarding the multi-level idea, it would be a second phase. I would like to be able to contain effectively a possible root escalation from a poorly written CGI or PHP script. I know, it would be anyway extremely hard. But if we could launch the web server process with an additional lower

Mounting filesystems with noexec

2005-09-22 Thread Borja Marcos
Hello, I've been playing a bit with the noexec flag for filesystems. It can represent a substantial obstacle against the exploitation of security holes. However, I think it's not perfect yet. First thing, an attempt to execute a program from a noexec-mounted filesystem should be

Re: Mounting filesystems with noexec

2005-09-22 Thread Borja Marcos
As long as you can disable/limit the logging. One very nasty attack would be to loop trying to run a binary. Blow your logging partition. Somebody could then use that to do other things that would normally be logged, safe in the knowledge that their activities wouldn't be logged. I've