Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-31 Thread Todd C . Miller
This thread is now closed, please don't try to continue it.

 - todd



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-31 Thread Dan
If I'm explaining security or lack of security, or saying things like "this
is not enough", it's not as part of a speech that's meant to whine. I'll
explain: I could've just asked, in my first message, whether OpenBSD has a
mechanism like Ctrl-Alt-Delete on Windows, and whether it has sandboxing
for desktop apps, without explaining the rationale of having such security
features. Then, someone could've come and told me that these security
features aren't necessary, or that I'm focusing on a minor security aspect.
I wanted an informed discussion, so I was explaining the rationale behind
these to make readers understand why I was asking about them. Furthermore,
in my recent message about the faking of a doas/sudo prompt and User
Account Control (UAC) on Windows, there was a part where I said that the
sandboxing that OpenBSD provides for certain apps "[that alone] is not
enough"; I said that in the context of explaining the security that UAC
provides on Windows compared to what there seems to be with the default
installation of OpenBSD, notice the rest of the message and how that
comment of mine was in parentheses. It may sound like I'm completely
knowledgeable about OpenBSD, but I'm not. I understand certain
generally-applying concepts, but I don't know if, for example, there's a
sysctl(2) or something that can optionally toggle into that. (As an
example, until recently, I didn't know there was an optional sysctl(2) that
can enable extra hardening for malloc.) I hope this clears up why I'm
writing things the way I do.


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-31 Thread Dan
On Sunday, March 31, 2024, Jose Maldonado  wrote:

> On Sun, 31 Mar 2024 01:10:15 +
> Dan wrote:
> > On Wednesday, March 27, 2024, Dan  wrote:
> >
>
> Hi @list!
>
> Lots of discussion and useless talk when the solution is in your hands
> @Dan:
>
> 1.- Are you worried about the fact that apps on X11 may suffer


Emphasis on "may".


> input-spoofing? Great, start writing all the code necessary to prevent
> that from happening and help us improve the security of OpenBSD and any
> other OS that uses X11.


There's already rootless X on OpenBSD, it may prevent that? The thing is, I
don't know. So I asked. And there's already efforts to replace X11 with
Wayland, and already efforts to port Wayland to OpenBSD.


>
> Coming here and saying that we are not attentive to security and that


Where did I say that? False accusation.


> is why we "HAVE" to do something, is utter


Where did I say anybody has to do anything? False accusation.


> idiocy. Start doing
> something yourself, if you want to collaborate beyond a stupid speech.


"Speech"? These are important questions.


>
> 2.- Do you want a mechanism that prevents logins being stolen? Same


Why should I want something to be added when it might already exist and I'm
missing it? Again, I asked.


> story, start writing kid, crying at the list doesn't help.


Where did I "cry" or whine about OpenBSD? False accusation. Quite the
contrary, I praised OpenBSD at various times, and I wouldn't have come here
in the first place if I wouldn't have had appreciation for OpenBSD.


>
> 3.- Do you want more applications to have pledge/unveil to improve


Which "more" applications? I do not know whether this:
https://openports.pl/search?file=unveil
https://openports.pl/search?descr=unveil
Is the exhaustive list of all third-party apps that are sandboxed with
pledge/unveil. I asked whether people knew of other programs or whether
it's possible to list other programs beyond that. It seems that you expect
me to assume that these links list all sandboxed programs exhaustively, but
I do not assume, I ask.


> security? Same story...start writing the code necessary for it and stop
> crying.


Where did I "cry" or whine about OpenBSD? False accusation.


>
> Nobody is here to serve your designs or needs.


Which ones? I didn't know I had any.


> Want something? Write it
> down, it contributes to the project more than


What if it's already written down?


> tantrums and tears.


Which ones?


>
> My last and unique message in this thread: Don't feed the fucking
> troll!


In case you're referring to me feeding trolls rather than being the troll:
Peter N. M. Hansteen said he blocked me after merely my second message in
this thread. Because of his reputation, I lost sense of whether I'm
perceived as a troll here.


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-31 Thread Jose Maldonado
On Sun, 31 Mar 2024 01:10:15 +
Dan wrote:
> On Wednesday, March 27, 2024, Dan  wrote:
> 

Hi @list!

Lots of discussion and useless talk when the solution is in your hands
@Dan:

1.- Are you worried about the fact that apps on X11 may suffer
input-spoofing? Great, start writing all the code necessary to prevent
that from happening and help us improve the security of OpenBSD and any
other OS that uses X11.

Coming here and saying that we are not attentive to security and that
is why we "HAVE" to do something, is utter idiocy. Start doing
something yourself, if you want to collaborate beyond a stupid speech.

2.- Do you want a mechanism that prevents logins being stolen? Same
story, start writing kid, crying at the list doesn't help.

3.- Do you want more applications to have pledge/unveil to improve
security? Same story...start writing the code necessary for it and stop
crying.

Nobody is here to serve your designs or needs. Want something? Write it
down, it contributes to the project more than tantrums and tears.

My last and unique message in this thread: Don't feed the fucking
troll!

This thread to /dev/null 

-- 
*
God in his heaven, all is well on Earth



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-31 Thread Dan
On Wednesday, March 27, 2024, Dan  wrote:

> Hello, I have 3 security-related questions:
> (1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure
> Attention Key, or SAK) to prevent malware (or a website in fullscreen, for
> example) from faking a logout process and/or faking a login prompt? On
> Windows the kernel ensures that the operating system captures this key
> combination and takes over with a real login prompt that malware can't fake
> without first defeating the OS security.
>

(Let me clarify for the rest of this message: malware is any program that
acts maliciously; it doesn't *necessarily* bypass exploit mitigations or
security features of the OS (e.g. it could work around them, or abuse the
lack of them).)

Something recent that I found that's relevant:
https://www.bleepingcomputer.com/news/security/decade-old-linux-wall-bug-helps-make-fake-sudo-prompts-steal-passwords/
(From March 28, 2024. Note that this isn't a vulnerability in how the OS
separates users or enforces security, this is a vulnerability that could be
used to make a convincing "phishing" attack.)
This isn't exactly the issue that SAK prevents, because the SAK is meant to
be used at login time (not when already logged in as one user and trying to
doas/sudo one program/command into another user), but I'll repeat the two
links I sent before:
https://security.stackexchange.com/a/34975
https://learn.microsoft.com/windows/win32/winstation/desktops
The second link being the more relevant one. Notice how Microsoft describes
that User Account Control takes over the screen with a secure desktop mode.
UAC is the equivalent of doas/sudo. There's an additional problem though:
malware and websites in fullscreen could mimic the sound and visual dimming
effect that UAC does on Windows. While UAC doesn't ask the user to press a
privileged key combination like Ctrl-Alt-Delete (so the user has no
guarantee that the UAC prompt is authentic, even with the said perceptual
effects), it does something else: it asks for authorization (and details
what is authorized exactly) without relying on knowledge of the passphrase
as proof for authorization. Malware on OpenBSD that knows the root
passphrase, or the passphrase of a doas-capable/sudoer user, can escalate
its privileges; malware on Windows (including web content that escapes the
browser's sandbox) that knows the passphrase of a user in the
Administrators group cannot escalate its privileges without first
compromising the integrity of Windows, because asking Windows to escalate
privileges would ensure that the user authorizes the escalation regardless
of the passphrase (let's assume that UAC is set to its highest (fourth)
level, rather than the default (third) level that excepts some system
programs from causing a UAC prompt when escalating). (Web content that
escapes the browser's sandbox of Chromium, Firefox, and Tor Browser on
OpenBSD would need to compromise the integrity of OpenBSD, because it
sandboxes them further using pledge(2) and unveil(2) (or find a weakness in
how these two are set up). So that's already a very good thing, but that
alone is not enough.) It's important to emphasize that it doesn't matter
whether UAC asks or doesn't ask for a passphrase to authorize, rather the
important thing here is that it takes over the computer temporarily in a
way that cannot be interfered with by normal programs and asks for explicit
authorization; it could as well ask for a passphrase too as a second
factor. Malware that fakes a UAC prompt and gets "authorized" by the user
would achieve nothing, as it hasn't really asked Windows to escalate,
whereas malware on OpenBSD that convincingly fakes a doas prompt and gets
"authorized" by the user can then impersonate the "authorizing" user going
forward.


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-30 Thread Dan
On Saturday, March 30, 2024, hahahahacker2009 
wrote:

> On Sat, Mar 30, 2024 at 11:19, Dan wrote:
>
> >>
> >>
> >> > I've looked at the
> >> > source code and issue tracker of upstream Firefox in the past and it has
> >> > upstream support for pledge(2) and unveil(2).
> >>
> >> Great, you figured it out: if you want to know if a given piece of
> >> software uses pledge, grep its source code for pledge.
> >
> >
> > Sounds very tiresome and cumbersome to check. You failed to point at any
> > rule according to which I'm not permitted to ask a general question about
> > such software without resorting to tiresome and cumbersome manual methods
> > like what you're suggesting here, and you consistently ignore this by
> > bringing the same manual grep/find suggestion again and again with no
> > sensible reason given what I explained now.
>
> Even "friendly" linux communities would tell you to check yourself.


There's no problem in being told to do that, just as there's no problem in
asking if people know about such programs without me having to tiresomely
check everything. Perhaps there's a website somewhere that lists all
pledged/unveiled apps and I'd be duplicating the effort needlessly?


> You are wasting people's time.


Subjective.


> And before spamming in the list can you make your message
> fit 72 character per line and disable HTML?


First, I'm not spamming. Second, no, I can't. The Gmail web interface for
mobile (which I'm using) doesn't let me disable HTML, and I don't see how I
could limit line length except by manually counting characters and breaking
lines, and I'm obviously not gonna do that. Sorry. I may switch to a
different email client/interface in the future, this Gmail interface seems
to not be paid much attention to by Google.


>
>
> >
> >>
> >> You really need to shut the fuck up now.
> >>
> >> Please note that I am replying to you directly, off-list.
> >> Hint: there is a reason for that.
> >
> >
> > I am deliberately shaming you on a public mailing list because you're a
> > troll. I may also block you in my Gmail settings if I'll find the setting
> > in mobile. I'm giving you a middle finger.
> >
> > ~ | ~ | ~ | ~ | ~ | ~
> >
> > (Note for everyone: This message is intended to shame a troll; if you're
> > here to follow the technical discussion only, feel free to skip reading
> > this message.)
>
> Dan, I see you are a troll too.


False. I asked legitimate questions and I answer honestly and precisely.


> You are sending HTML emails and it doesn't fit 72 char per line.


Ditto.


> It is annoying. Your message includes a bunch of not needed trash.


I answer everything that's brought up as comprehensively as needed, so I
don't see what's "not needed".


>
> You ask the whole list things that you can research yourself, they are


Ditto.


> not highly advanced topics. These topics are repeatedly asked by people
> who will never read man pages or faq. That


That doesn't appear in the man pages or FAQ, and in my very first message
I've already mentioned how Chromium, Firefox, and Tor Browser are
sandboxed, so I obviously did look up things before asking here. So you're
wrong here in two aspects.

> attitude should only exist
> on reddit/lemmy and other linux communities which tries to be "friendly".


Please elaborate, what attitude are you referring to precisely? That's a
vague statement. Also, please explain the reasoning (or point to a rule)
whereby the attitude should not exist here.


> So please:
> > Do your homework before you post.


Ditto.


>
>
> I saw Jan Stary's messages
> (https://marc.info/?a=10863507214=1=2)
> are mostly answering people's question.
> But your messages are asking people to do research for you.


False. I didn't tell anyone to do anything for me. I asked questions.


>
> If you can't do research yourself, why expecting people to do it for you?


Both premises are false. Ditto.


> They might think that you don't have any knowledge and thus ignore you
> (for example, they think you might not understand what they are writing).


I'm not sure what logic follows from asking questions about specific things
(specific as they are in the question) to drawing a conclusion that the
asker lacks knowledge about things not specified/asked about in the
questions. Regarding the things that are specified/asked about in the
question, it's obvious that the asker doesn't know about them, because I
wasn't presenting a riddle, and this is true universally to everyone. I
don't understand how I'm special here from any other people that ask
questions here.


> Or simply, if you cannot respect yourself, why expect others to respect
> you?


Excuse me?


>
> In Viet Nam, you are simply called "animals" (súc vật, very offensive) and
> then ignored.
>

Excuse me? What the fuck did you call me??


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-30 Thread Dan
On Saturday, March 30, 2024, hahahahacker2009 
wrote:

> On Fri, Mar 29, 2024 at 07:40, Dan wrote:
>
> > This only lists third-party packages that have an OpenBSD
> > ports-originated addition of pledge/unveil configuration files; packages
> > that use pledge/unveil without configuration files, or whose pledge/unveil
> > configuration files originate from the upstream distribution, are not
> > listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
> > are sandboxed, which is excellent because Web browsing is one of the most
> > popular desktop activities and browsers are meant to use networking and
> > execute untrusted JavaScript/WebAssembly code, and parse untrusted data
> > like media, CSS, etc. Contrary to servers, that if they're hacked then some
> > business might be ruined, personal computers are used to do banking and
> > shopping online, chat with distant friends/family
> > members/doctors/lawyers/coworkers/etc.,
> > and hold our personal thoughts and memories, so I believe that they
> > shouldn't get compromised just because the user entered the wrong website
> > on a bad day, or opened the wrong video, or the wrong file, etc. OpenBSD
> > already has the excellent system calls pledge(2) and unveil(2), and already
> > uses them extensively in the base system and for the aforementioned
> > browsers, but what about other programs?
>
> You can help on applying pledge and unveil to your other programs
> now, instead of spamming on mailing list like this. Are you the
> Nowarez Market guy again?
>

What spam exactly? I have no idea who is "Nowarez Market guy".


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-30 Thread Dan


James Huddle :

> I live in post-2016 USA and have essentially given up hope of any sort of 
> computer security.

Personal thought and from USA where the core of private data business resides.

Due to different reasons and the env I work in I results attacked very often 
under OpenBSD, in X.
Having the name of the vulnerability makes not such a difference to me, thanks 
for the insight anyway.
However, I think to not say it wrong recalling that most of people are here for 
the simplicity applied to security and portability subjects
in OpenBSD. Minimize the security subject at this point seems having a purpose, 
wrong.



-Dan

Mar 30, 2024 18:23:38 James Huddle :

> I live in post-2016 USA and have essentially given up hope of any sort of 
> computer security.



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-30 Thread James Huddle
When X11 came to my attention, in the 1980's, it was called X11.  "What," I
wondered back then, "could that mean?"
Back then, we would get to know new software long before version 11, so it
seemed an odd name.  Back then.
It's been X11 for millennia.  I discovered Exfiltrator (or Exfiltration,
'ex'+10) about a year ago. LOL.
I actually did not know about the vulnerability.  Thanks, Matthew.
And yes, I was voicing the untested theory of precisely what you
articulated, Luke.
I live in post-2016 USA and have essentially given up hope of any sort of
computer security.
The mantra I developed, as my coworkers insisted on using (for instance)
the React JS package
that had "Exfil" as a dependency, was:

   "When in Rome."


On Fri, Mar 29, 2024 at 4:44 PM  wrote:

> Luke A. Call writes:
> >
> > On 2024-03-29 09:01:07-0400, James Huddle wrote:
> > > Exfiltrator.  There's an 11-letter word that starts with "ex".  X11.
> >
> > After a quick web search, I'm not sure I follow.  Is that a reference to
> > a program that exfiltrates data after a computer is compromised? Can you
> > elaborate a little? I realize this is an ignorant question.
>
> In short, there is a well known shortcoming or feature depending
> on who you ask inherent in the X protocol's design where any
> application which uses the X server (ie. can access the tcp port
> or unix socket and has the correct xauth key, which is to say all
> of them) can request (and get) the ability to read all of the X
> events, which includes every key press and mouse movement in every
> application.
>
> Exfiltrator is 11 letters and we are at X protocol version 11.
>
> There are common mitigations against this problem, such as not
> giving strangers the ability to run unknown programs on your console.
>
> Matthew
>
>


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-29 Thread Dan
Replying now to cho...@jtan.com:
>[…] any
>application which uses the X server (ie. can access the tcp port
>or unix socket and has the correct xauth key […]
The default PF configuration blocks access to the ports, but only on
non-loopback interfaces.
https://github.com/openbsd/src/blob/master/etc/pf.conf
Again, I'm not an X11 expert, but it looks like the X auth file exists
because anyone can connect to these ports on localhost, so the file would
mediate it further. PF can match packets based on UIDs, but if I understand
pf.conf(5) correctly, it matches based on the user owning the listening
socket (which would be the dedicated X11 account) rather than the user that
tries to connect to the X server. The xauth(1) and Xsecurity(7) man pages
seem relevant, I'll have a deeper look at them later.
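
An audit of the two conditions discussed above (who can reach the X server's TCP port, and whether anything other than the xauth cookie grants access), written as an added example that is not part of the original thread. The function names are hypothetical, the sample `netstat` and `xhost` output is constructed, and BSD-style `netstat -an` address formatting (address and port joined by a dot) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). On a live system, feed the functions
# with the output of `netstat -an -p tcp` and `xhost` instead of the samples.

# Read BSD-style `netstat -an` lines on stdin. For every TCP listener in the
# X11 display range 6000-6010 print "<scope> <address> <port>", where scope
# is "loopback" or "exposed".
x11_tcp_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            local_addr = $4
            # BSD netstat joins address and port with a dot: 127.0.0.1.6010
            if (!match(local_addr, /\.[0-9]+$/)) next
            port = substr(local_addr, RSTART + 1)
            addr = substr(local_addr, 1, RSTART - 1)
            if (port + 0 < 6000 || port + 0 > 6010) next
            scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "exposed"
            print scope, addr, port
        }'
}

# Read `xhost` output on stdin and print one finding for each setting that
# lets a client in without presenting the xauth cookie.
xhost_findings() {
    awk '
        /^access control disabled/ {
            print "CRITICAL access control disabled: no cookie needed to connect"
            next
        }
        /^access control enabled/ { next }
        /^SI:localuser:/ {
            print "WARN cookie-less access for local user " substr($0, 14)
            next
        }
        NF { print "WARN host-based access entry " $0 }'
}

# Combine both checks. $1 = netstat output, $2 = xhost output.
audit_x11() {
    printf '%s\n' "$1" | x11_tcp_listeners | while read -r scope addr port; do
        if [ "$scope" = exposed ]; then
            echo "WARN X11 TCP listener on $addr port $port is not loopback-only; remote reach depends on pf"
        else
            echo "INFO loopback X11 listener on port $port (display :$((port - 6000))); any local user can connect, only the cookie gates it"
        fi
    done
    printf '%s\n' "$2" | xhost_findings
}

# Constructed sample input: one wildcard X listener, one loopback listener of
# the kind an ssh X11 forwarding creates, and unrelated sockets.
SAMPLE_NETSTAT='Proto   Recv-Q Send-Q  Local Address          Foreign Address        TCP-State
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  127.0.0.1.6010         *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  192.0.2.10.22          198.51.100.7.51234     ESTABLISHED'

# Constructed sample: cookie checks are on, but one local user is exempt.
SAMPLE_XHOST='access control enabled, only authorized clients can connect
SI:localuser:builder'

audit_x11 "$SAMPLE_NETSTAT" "$SAMPLE_XHOST"
```

A server started with `-nolisten tcp` produces no listener lines at all, leaving the Unix socket and the cookie file's permissions as the remaining access path to review.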


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-29 Thread Dan
(Note for everyone: This message is intended to shame a troll; if you're
here to follow the technical discussion only, feel free to skip reading
this message.)

~ | ~ | ~ | ~ | ~ | ~

On Friday, March 29, 2024, Jan Stary  wrote:

> > > > (The person
> > > > you're replying to should be in the To field, and the mailing list in the
> > > > Cc field.)
> > >
> > > I replied to the list.
> > > If you are not subscribed to the list,
> > > you don't get the list replies.
> >
> > I did not know that.
>
> Please don't send anything else to this mailing list.


Shut up. That's warranted given that this is essentially what you're
telling me here (also more explicitly in the last part of your message, as
quoted at the bottom here).


>
> > > Repeat after me: I can display what looks like a login screen;
> > > I don't to have anything to do with ctrl-alt-del to display that.
> >
> > I do not need to repeat mantras. I did not deny that programs can do that,
> > quite the opposite: I explicitly acknowledged that programs can do that,
> > and asked what mechanism OpenBSD provides to ensure, at the user's request,
> > that the operating system temporarily takes over with a real login prompt
> > that cannot be interfered with or snooped on.
>
> OpenBSD provides no "mechanism" to make it impossible for a user
> to display something that looks like a login screen; just like
> no other OS provides no such mechanism.


Once again, that's the opposite of what I said, and completely missing what
I said.


>
> > I've looked at the
> > source code and issue tracker of upstream Firefox in the past and it has
> > upstream support for pledge(2) and unveil(2).
>
> Great, you figured it out: if you want to know if a given piece of
> software uses pledge, grep its source code for pledge.


Sounds very tiresome and cumbersome to check. You failed to point at any
rule according to which I'm not permitted to ask a general question about
such software without resorting to tiresome and cumbersome manual methods
like what you're suggesting here, and you consistently ignore this by
bringing the same manual grep/find suggestion again and again with no
sensible reason given what I explained now.


>
> > Your "if there is one [program I care about]", "duh", and other things
> > you've said so far to me and I haven't pointed out in this paragraph show
> > that you're very disrespectful towards me.
>
> Nothing gets past you.


False. I strive to exercise critical thinking, analytical thinking, and
logic as much as possible. Nonsense, however, doesn't "get past me", as I
rightfully evaluate it as nonsense and therefore dismiss it. Ditto
regarding true but irrelevant things.


>
> > I saw that I got replied to using marc.info,
>
> No you didn't.


Maybe you'll understand it better if I'll rephrase, because you're
definitely lying here, with no basis:
I saw, using marc.info, that I got replied to.


>
> > and proceeded to log into my
> > email to reply, but then I didn't see that reply in my inbox. So I looked
> > at an old thread I had a few years ago on this mailing list that I knew
> > that worked well, and looked at the To and Cc fields in the exchange of
> > messages, and I assumed this is how it's always meant to be.
>
> You assumed wrong.


Correct; I assumed you made an honest mistake. I had no better way to know
what's true, however, so it's not really my fault, because I acted in a
good way within the limits of my then-current knowledge and range of
possible reactions I could react in the situation.


>
> > this isn't my first time using a mailing list,
> > but I'm pretty sure it's my second time, and I'm fairly new
> > to how mailing lists work. I deserve none of your disrespectful attitude
> > and your wrong assumption of ill intentions from me; furthermore, you
> > completely ignored the substance of the discussion in this thread, and did
> > not contribute anything useful to the discussion. Your entire reply was
> > meant to purposely be rude to me and attack me ad hominem. Take an example
> > from Luke (luke...@onemodel.org), they actually contributed something
> > meaningful to the discussion and didn't act like an asshole to me. I
> > recognize your name, I know you publish lots of material about OpenBSD, for
> > example the links in your signature, and you're also part of the editorial
> > team of undeadly.org, which I frequently visit. It's a shame you're such an
> > asshole, though. Disgusting.
>
> Right, everybody knows PNH is a disgusting asshole contributing nothing.


Peter N. M. Hansteen's disgusting behavior has absolutely nothing to do
with any contribution he may or may not have contributed whatsoever.
Furthermore, I said quite the opposite: I mentioned how he's part of the
OpenBSD news website that I love to visit and that I've seen his name in
many places (for example, I found his networking tutorials in the past, and
saved the links for myself because it's good learning material and
interesting). I 

Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-29 Thread chohag
Luke A. Call writes:
> 
> On 2024-03-29 09:01:07-0400, James Huddle  wrote:
> > Exfiltrator.  There's an 11-letter word that starts with "ex".  X11.
>
> After a quick web search, I'm not sure I follow.  Is that a reference to
> a program that exfiltrates data after a computer is compromised? Can you
> elaborate a little? I realize this is an ignorant question.

In short, there is a well known shortcoming or feature depending
on who you ask inherent in the X protocol's design where any
application which uses the X server (ie. can access the tcp port
or unix socket and has the correct xauth key, which is to say all
of them) can request (and get) the ability to read all of the X
events, which includes every key press and mouse movement in every
application.

Exfiltrator is 11 letters and we are at X protocol version 11.

There are common mitigations against this problem, such as not
giving strangers the ability to run unknown programs on your console.

Matthew



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-29 Thread Luke A. Call


On 2024-03-29 09:01:07-0400, James Huddle  wrote:
> Exfiltrator.  There's an 11-letter word that starts with "ex".  X11.

After a quick web search, I'm not sure I follow.  Is that a reference to
a program that exfiltrates data after a computer is compromised? Can you
elaborate a little? I realize this is an ignorant question.


> On Thu, Mar 28, 2024 at 7:39 PM Luke A. Call  wrote:
> 
> > On 2024-03-28 17:28:56+0100, Jan Stary  wrote:
> > > > (2) I've learned that X11 allows locally running malware to sniff the
> > > > keystrokes input to any other X11-using app running under any user.
> > >
> > > I don't believe that's true.
> > > Where have you "learned" that, and how does that work?
> > > "Dear X11, what is $user typing into his firefox textarea"?
> >
> > I'm no X expert, but I think what you are saying is technically correct
> > across users, but I believe it is possible for one application to
> > sniff the keystrokes input to another app running under the *same* user, at
> > least, and under different users in the same X session depending on how
> > they connect.  Specifically:
> >
> > 1) Under `man xterm' in the "SECURITY" section it says some related
> > things that sound like that is what they are saying.  I can't elaborate
> > on what it says there but that made me want to be cautious.
> >
> > 2) running
> > >    xinput list
> > > ...shows some devices, where on my system the /dev/wskbd has "id=6".
> > > Then taking that number 6 and doing
> > >    xinput test 6
> > ...and typing in a separate xterm window shows the keystrokes from the
> > second window, in the first.   I believe the same would be true for any
> > X application running as the *same* user.
> >
> > 3) I did some experimenting in the past with "ssh -X user@..." and
> > "ssh -Y user@...", and only when using -Y were keystrokes visible across
> > users.  Similar things can be done with less cpu overhead using xauth
> > and magic cookies etc (I played with that, with help from people on this
> > list, scripted it for myself using what they and man pages helped me
> > learn, and haven't
> > thought about it much since then, except to use the scripts--but it is very
> > handy for me to have things running as different users within the same X
> > session, because of these boundaries around keyboard sniffing and also
> > filesystem etc restrictions across users).
> >
> > 4) I am under the impression that the clipboard sharing between X users is
> > not restricted as the above things are.  Ie, one can spy on another
> > freely.
> >
> > Luke Call
> >
> >



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-29 Thread James Huddle
Exfiltrator.  There's an 11-letter word that starts with "ex".  X11.

On Thu, Mar 28, 2024 at 7:39 PM Luke A. Call  wrote:

> On 2024-03-28 17:28:56+0100, Jan Stary  wrote:
> > > (2) I've learned that X11 allows locally running malware to sniff the
> > > keystrokes input to any other X11-using app running under any user.
> >
> > I don't believe that's true.
> > Where have you "learned" that, and how does that work?
> > "Dear X11, what is $user typing into his firefox textarea"?
>
> I'm no X expert, but I think what you are saying is technically correct
> across users, but I believe it is possible for one application to
> sniff the keystrokes input to another app running under the *same* user, at
> least, and under different users in the same X session depending on how
> they connect.  Specifically:
>
> 1) Under `man xterm' in the "SECURITY" section it says some related
> things that sound like that is what they are saying.  I can't elaborate
> on what it says there but that made me want to be cautious.
>
> 2) running
>    xinput list
> ...shows some devices, where on my system the /dev/wskbd has "id=6".
> Then taking that number 6 and doing
>    xinput test 6
> ...and typing in a separate xterm window shows the keystrokes from the
> second window, in the first.   I believe the same would be true for any
> X application running as the *same* user.
>
> 3) I did some experimenting in the past with "ssh -X user@..." and
> "ssh -Y user@...", and only when using -Y were keystrokes visible across
> users.  Similar things can be done with less cpu overhead using xauth
> and magic cookies etc (I played with that, with help from people on this
> list, scripted it for myself using what they and man pages helped me
> learn, and haven't
> thought about it much since then, except to use the scripts--but it is very
> handy for me to have things running as different users within the same X
> session, because of these boundaries around keyboard sniffing and also
> filesystem etc restrictions across users).
>
> 4) I am under the impression that the clipboard sharing between X users is
> not restricted as the above things are.  Ie, one can spy on another
> freely.
>
> Luke Call
>
>


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Dan
Replying now to Luke (luke...@onemodel.org):
Thank you, that's interesting! I appreciate that you're contributing a
meaningful answer to my questions, and I also appreciate that you're nice
to me. :)
Also h.kampm...@web.de seems to be nice to me, unless I misinterpreted what
they said (I'm not sure, sorry).

~ | ~ | ~ | ~ | ~ | ~

On Thursday, March 28, 2024, Jan Stary  wrote:

> On Mar 28 21:16:45, dan.peretz...@gmail.com wrote:
> > You didn't "Reply All", so I didn't get your reply in my inbox.
>
> Apparently, you did.


No, I did not. You're assuming I reply to your message in my inbox; that's
a wrong (and fallacious) assumption. I checked marc.info for replies when
not logged into my email (as this is more convenient than logging in
repeatedly). When I saw your reply in marc.info, I logged into my email to
reply to you but couldn't find your message in my inbox, and didn't know
why. Fortunately, I am smart, so I created a new message with the same
subject line (including the "Re:" part at the start) and CCed the mailing
list so marc.info would detect it as if it's in the same thread, and
apparently I succeeded. I also copied your sentences from marc.info and
pasted them into my reply, along with prepending > signs.


>
> > (The person
> > you're replying to should be in the To field, and the mailing list in the
> > Cc field.)
>
> I replied to the list.
> If you are not subscribed to the list,
> you don't get the list replies.


I did not know that. I really am not subscribed. I don't want to subscribe
to the entire mailing list, I just think it's useful to get replies to my
thread only; perhaps there's a way to accomplish that?


>
> > >Even on windows; this has nothing to do with intercepting ctrl-alt-del.
> > False. Ctrl-Alt-Delete cannot be intercepted on Windows without first
> > compromising the integrity of the operating system. The Windows kernel is
> > hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a
> > separate Secure Desktop mode that takes over the entire screen and no other
> > programs can intercept keystrokes from or send keystrokes to.
> > https://security.stackexchange.com/a/34975
> > https://learn.microsoft.com/windows/win32/winstation/desktops
>
> Repeat after me: I can display what looks like a login screen;
> I don't to have anything to do with ctrl-alt-del to display that.


I do not need to repeat mantras. I did not deny that programs can do that,
quite the opposite: I explicitly acknowledged that programs can do that,
and asked what mechanism OpenBSD provides to ensure, at the user's request,
that the operating system temporarily takes over with a real login prompt
that cannot be interfered with or snooped on. Windows can already do that
with Ctrl-Alt-Delete, but I couldn't find anything on the web to suggest
that OpenBSD can do that.


>
> And it has nothing to do with OpenBSD.


Ditto.


>
> > >I don't believe that's true.
> > >"Dear X11, what is $user typing into his firefox textarea"?
> > I'm not an X11 expert, and I'm not sure if the example provided in the
> > following link is because the program and the desktop it's running under
> > have different UIDs (rather than locking the desktop, logging into a
> > different user with a new desktop session using a SAK like Ctrl-Alt-Delete,
> > and running it there), but I found this old blog post, by whom I believe is
> > the founder of Qubes OS, being cited somewhere:
> > https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
> > It is common knowledge that X11 is insecure by design, not (only) by the
> > ancient code, so even if the blog post isn't relevant anymore, it wouldn't
> > surprise me if such attacks could still be done.
>
> Ah,  so that's what you have "learned": a 13y old blogpost.


Which is supposed to be relevant. Age isn't directly related to relevancy,
especially when talking about much older tech (X11, which is 39 years old
according to Wikipedia) that's still used today (2024, which is 0 years
ago). Furthermore, I was linked to that article from
madaidans-insecurities.github.io (a blog of one of the developers of
Whonix).


> Fine, show me how you read another user's keystrokes under X.


Showing a proof of concept is not a necessity to convey or prove a point in
an online discussion, and I don't follow orders from you. So I have no
obligation whatsoever (including for the sake of argument, which is the
most important here) to do that.


>
> > >>I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> > installed from the OpenBSD package manager/ports) are sandboxed with
> > pledge(2) and unveil(2).
> > >find /usr/po

Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Luke A. Call
On 2024-03-28 17:28:56+0100, Jan Stary  wrote:
> > (2) I've learned that X11 allows locally running malware to sniff the
> > keystrokes input to any other X11-using app running under any user.
> 
> I don't believe that's true.
> Where have you "learned" that, and how does that work?
> "Dear X11, what is $user typing into his firefox textarea"?

I'm no X expert, but I think what you are saying is technically correct
across users, but I believe it is possible for one application to
sniff the keystrokes input to another app running under the *same* user, at
least, and under different users in the same X session depending on how
they connect.  Specifically:

1) Under `man xterm' in the "SECURITY" section it says some related
things that sound like that is what they are saying.  I can't elaborate
on what it says there but that made me want to be cautious.

2) running 
   xinput list
...shows some devices, where on my system the /dev/wskbd has "id=6".
Then taking that number 6 and doing
   xinput test 6
...and typing in a separate xterm window shows the keystrokes from the
second window, in the first.   I believe the same would be true for any
X application running as the *same* user.

3) I did some experimenting in the past with "ssh -X user@..." and
"ssh -Y user@...", and only when using -Y were keystrokes visible across
users.  Similar things can be done with less cpu overhead using xauth
and magic cookies etc (I played with that, with help from people on this
list, scripted it for myself using what they and man pages helped me learn,
and haven't thought about it much since then, except to use the scripts--but
it is very handy for me to have things running as different users within the
same X session, because of these boundaries around keyboard sniffing and also
filesystem etc restrictions across users).

4) I am under the impression that the clipboard sharing between X users is
not restricted as the above things are.  Ie, one can spy on another
freely.

Luke Call
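
Point 3 above depends on whether forwarding is untrusted ("ssh -X") or trusted ("ssh -Y"), and ssh_config's ForwardX11Trusted keyword can turn a plain -X into the trusted kind. The script below is an added example, not part of the thread: it works out which mode a host ends up with. The host names, the sample configuration and the function names are constructed; Match and Include lines are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an ssh_config makes X11
# forwarding to a host untrusted (the "ssh -X" boundary) or trusted ("ssh -Y").

# Constructed sample configuration; host names are placeholders.
SAMPLE_CONFIG='
# per-host overrides come first: ssh uses the first value it obtains
Host build.example.org
    ForwardX11Trusted yes

Host *.lab.example.org !gw.lab.example.org
    ForwardX11 = yes

Host *
    ForwardX11 no
    ForwardX11Trusted no
'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# host_matches HOST PATTERN...: '*' and '?' wildcards; a matching '!pattern'
# vetoes the whole Host line, as in ssh_config(5).
host_matches() {
    _h=$1; shift
    _hit=1
    for _p in "$@"; do
        case $_p in
            '!'*) _n=${_p#?}
                  case $_h in $_n) return 1 ;; esac ;;
            *)    case $_h in $_p) _hit=0 ;; esac ;;
        esac
    done
    return $_hit
}

# x11_mode HOST [FLAG] < ssh_config
# FLAG is "", -X or -Y and stands for the command line, which ssh consults
# before any file. Prints: none | untrusted | trusted
x11_mode() {
    _host=$1
    _fx='' _fxt=''
    case ${2:-} in
        -X) _fx=yes ;;
        -Y) _fx=yes; _fxt=yes ;;
    esac
    _active=0            # lines before the first Host apply to every host
    set -f               # keep Host patterns from globbing against files
    while IFS= read -r _line || [ -n "$_line" ]; do
        # "Key=Value" and "Key Value" are both accepted by ssh
        set -- $(printf '%s\n' "$_line" | tr '=' ' ')
        [ $# -ge 2 ] || continue
        _key=$(lower "$1")
        case $_key in
            '#'*) continue ;;
            host) shift
                  if host_matches "$_host" "$@"; then _active=0; else _active=1; fi ;;
            match) _active=1 ;;   # Match blocks are skipped by this sketch
            forwardx11)
                  if [ "$_active" -eq 0 ] && [ -z "$_fx" ]; then _fx=$(lower "$2"); fi ;;
            forwardx11trusted)
                  if [ "$_active" -eq 0 ] && [ -z "$_fxt" ]; then _fxt=$(lower "$2"); fi ;;
        esac
    done
    set +f
    # Upstream OpenSSH defaults: ForwardX11 no, ForwardX11Trusted no.
    if [ "${_fx:-no}" != yes ]; then echo none
    elif [ "${_fxt:-no}" = yes ]; then echo trusted
    else echo untrusted
    fi
}

# Demo on the constructed configuration: what does a plain "ssh -X" give?
for _demo in build.example.org ws1.lab.example.org; do
    printf '%s with -X: %s\n' "$_demo" \
        "$(printf '%s\n' "$SAMPLE_CONFIG" | x11_mode "$_demo" -X)"
done
```

To audit a real setup, feed the function your own `~/.ssh/config` followed by the system-wide ssh_config on standard input, in that order, since ssh reads them in that order.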



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Peter N. M. Hansteen
On Thu, Mar 28, 2024 at 09:16:45PM +, Dan wrote:
> You didn't "Reply All", so I didn't get your reply in my inbox. (The person
> you're replying to should be in the To field, and the mailing list in the
> Cc field.)

OH PUH-LEEZE. 

No. 

You send to a mailing list, people are supposed to reply to the mailing list. 

A select few may have their mail clients configured so the author of the
message will receive a courtesy copy (aka Cc:).

If I seem unresponsive to any followups to this thread, a likely reason will be
that I will not see messages with your From: without putting in some extra effort.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread h . kampmann
Hello,

when I read posts like @Dan's, I say to myself: Don't feed the troll.
Pointless.

Wish you all a nice weekend,
Heinz 
 
 
 

Sent: Thursday, 28 March 2024 at 23:02
From: "Jan Stary"
To: misc@openbsd.org
Subject: Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
go away

On Mar 28 21:16:45, dan.peretz...@gmail.com wrote:
> You didn't "Reply All", so I didn't get your reply in my inbox. (The person
> you're replying to should be in the To field, and the mailing list in the
> Cc field.)
>
> >Even on windows; this has nothing to do with intercepting ctrl-alt-del.
> False. Ctrl-Alt-Delete cannot be intercepted on Windows without first
> compromising the integrity of the operating system. The Windows kernel is
> hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a
> separate Secure Desktop mode that takes over the entire screen and no other
> programs can intercept keystrokes from or send keystrokes to.
> https://security.stackexchange.com/a/34975
> https://learn.microsoft.com/windows/win32/winstation/desktops
>
> >I don't believe that's true.
> >"Dear X11, what is $user typing into his firefox textarea"?
> I'm not an X11 expert, and I'm not sure if the example provided in the
> following link is because the program and the desktop it's running under
> have different UIDs (rather than locking the desktop, logging into a
> different user with a new desktop session using a SAK like Ctrl-Alt-Delete,
> and running it there), but I found this old blog post, by whom I believe is
> the founder of Qubes OS, being cited somewhere:
> https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
> It is common knowledge that X11 is insecure by design, not (only) by the
> ancient code, so even if the blog post isn't relevant anymore, it wouldn't
> surprise me if such attacks could still be done.
>
> >>I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> installed from the OpenBSD package manager/ports) are sandboxed with
> pledge(2) and unveil(2).
> >find /usr/ports/ -name pledge\*
> Already done:
> https://openports.pl/search?file=unveil
> This only lists third-party packages that have an OpenBSD ports-originated
> addition of pledge/unveil configuration files; packages that use
> pledge/unveil without configuration files, or whose pledge/unveil
> configuration files originate from the upstream distribution, are not
> listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
> are sandboxed, which is excellent because Web browsing is one of the most
> popular desktop activity and browsers are meant to use networking and
> execute untrusted JavaScript/WebAssembly code, and parse untrusted data
> like media, CSS, etc. Contrary to servers, that if they're hacked then some
> business might be ruined, personal computers are used to do banking and
> shopping online, chat with distant friends/family
> members/doctors/lawyers/coworkers/etc., and hold our personal thoughts and
> memories, so I believe that they shouldn't get compromised just because the
> user entered the wrong website on a bad day, or opened the wrong video, or
> the wrong file, etc. OpenBSD already has the excellent system calls
> pledge(2) and unveil(2), and already uses them extensively in the base
> system and for the aforementioned browsers, but what about other programs?
 



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Jan Stary
go away

On Mar 28 21:16:45, dan.peretz...@gmail.com wrote:
> You didn't "Reply All", so I didn't get your reply in my inbox. (The person
> you're replying to should be in the To field, and the mailing list in the
> Cc field.)
> 
> >Even on windows; this has nothing to do with intercepting ctrl-alt-del.
> False. Ctrl-Alt-Delete cannot be intercepted on Windows without first
> compromising the integrity of the operating system. The Windows kernel is
> hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a
> separate Secure Desktop mode that takes over the entire screen and no other
> programs can intercept keystrokes from or send keystrokes to.
> https://security.stackexchange.com/a/34975
> https://learn.microsoft.com/windows/win32/winstation/desktops
> 
> >I don't believe that's true.
> >"Dear X11, what is $user typing into his firefox textarea"?
> I'm not an X11 expert, and I'm not sure if the example provided in the
> following link is because the program and the desktop it's running under
> have different UIDs (rather than locking the desktop, logging into a
> different user with a new desktop session using a SAK like Ctrl-Alt-Delete,
> and running it there), but I found this old blog post, by whom I believe is
> the founder of Qubes OS, being cited somewhere:
> https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
> It is common knowledge that X11 is insecure by design, not (only) by the
> ancient code, so even if the blog post isn't relevant anymore, it wouldn't
> surprise me if such attacks could still be done.
> 
> >>I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> installed from the OpenBSD package manager/ports) are sandboxed with
> pledge(2) and unveil(2).
> >find /usr/ports/ -name pledge\*
> Already done:
> https://openports.pl/search?file=unveil
> This only lists third-party packages that have an OpenBSD ports-originated
> addition of pledge/unveil configuration files; packages that use
> pledge/unveil without configuration files, or whose pledge/unveil
> configuration files originate from the upstream distribution, are not
> listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
> are sandboxed, which is excellent because Web browsing is one of the most
> popular desktop activity and browsers are meant to use networking and
> execute untrusted JavaScript/WebAssembly code, and parse untrusted data
> like media, CSS, etc. Contrary to servers, that if they're hacked then some
> business might be ruined, personal computers are used to do banking and
> shopping online, chat with distant friends/family
> members/doctors/lawyers/coworkers/etc., and hold our personal thoughts and
> memories, so I believe that they shouldn't get compromised just because the
> user entered the wrong website on a bad day, or opened the wrong video, or
> the wrong file, etc. OpenBSD already has the excellent system calls
> pledge(2) and unveil(2), and already uses them extensively in the base
> system and for the aforementioned browsers, but what about other programs?



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread deich...@placebonol.com
not in the mailing list world I've been using for close to 30 years 

if you post to the mailing list I reply to the mailing list 

On March 28, 2024 3:16:45 PM MDT, Dan  wrote:
>You didn't "Reply All", so I didn't get your reply in my inbox. (The person
>you're replying to should be in the To field, and the mailing list in the
>Cc field.)
>



Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Dan
You didn't "Reply All", so I didn't get your reply in my inbox. (The person
you're replying to should be in the To field, and the mailing list in the
Cc field.)

>Even on windows; this has nothing to do with intercepting ctrl-alt-del.
False. Ctrl-Alt-Delete cannot be intercepted on Windows without first
compromising the integrity of the operating system. The Windows kernel is
hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a
separate Secure Desktop mode that takes over the entire screen and no other
programs can intercept keystrokes from or send keystrokes to.
https://security.stackexchange.com/a/34975
https://learn.microsoft.com/windows/win32/winstation/desktops

>I don't believe that's true.
>"Dear X11, what is $user typing into his firefox textarea"?
I'm not an X11 expert, and I'm not sure if the example provided in the
following link is because the program and the desktop it's running under
have different UIDs (rather than locking the desktop, logging into a
different user with a new desktop session using a SAK like Ctrl-Alt-Delete,
and running it there), but I found this old blog post, by whom I believe is
the founder of Qubes OS, being cited somewhere:
https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
It is common knowledge that X11 is insecure by design, not (only) by the
ancient code, so even if the blog post isn't relevant anymore, it wouldn't
surprise me if such attacks could still be done.

>>I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
installed from the OpenBSD package manager/ports) are sandboxed with
pledge(2) and unveil(2).
>find /usr/ports/ -name pledge\*
Already done:
https://openports.pl/search?file=unveil
This only lists third-party packages that have an OpenBSD ports-originated
addition of pledge/unveil configuration files; packages that use
pledge/unveil without configuration files, or whose pledge/unveil
configuration files originate from the upstream distribution, are not
listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
are sandboxed, which is excellent because Web browsing is one of the most
popular desktop activity and browsers are meant to use networking and
execute untrusted JavaScript/WebAssembly code, and parse untrusted data
like media, CSS, etc. Contrary to servers, that if they're hacked then some
business might be ruined, personal computers are used to do banking and
shopping online, chat with distant friends/family
members/doctors/lawyers/coworkers/etc., and hold our personal thoughts and
memories, so I believe that they shouldn't get compromised just because the
user entered the wrong website on a bad day, or opened the wrong video, or
the wrong file, etc. OpenBSD already has the excellent system calls
pledge(2) and unveil(2), and already uses them extensively in the base
system and for the aforementioned browsers, but what about other programs?


Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Jan Stary
> (1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure
> Attention Key, or SAK) to prevent malware (or a website in fullscreen, for
> example) from faking a logout process and/or faking a login prompt? On
> Windows the kernel ensures that the operating system captures this key
> combination and takes over with a real login prompt that malware can't fake
> without first defeating the OS security.

Any X11 program can display a screen that looks like the login screen.
Even on windows; this has nothing to do with intercepting ctrl-alt-del.

> (2) I've learned that X11 allows locally running malware to sniff the
> keystrokes input to any other X11-using app running under any user.

I don't believe that's true.
Where have you "learned" that, and how does that work?
"Dear X11, what is $user typing into his firefox textarea"?

> (3) I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> installed from the OpenBSD package manager/ports) are sandboxed with
> pledge(2) and unveil(2). Are there any other major apps, especially that
> commonly accept untrusted input, that are also sandboxed like that on
> OpenBSD? Especially email clients, media players, word processors, apps to
> send/receive/sync files, etc.

find /usr/ports/ -name pledge\*  



Re: One more thought about security..

2024-03-27 Thread Dan


Awesome, blacklists are still affordable at time word of mouth!

We got up too early today, take a nap like everyone do and care about your dears..

-Dan

Mar 27, 2024 11:51:32 hahahahacker2009 :

> -- Forwarded message -
> From: Mihai Popescu 
> Date: Sat, Feb 24, 2024 at 08:15
> Subject: Re: If you need to gamify...
> To: 
> 
> 
> Captain Warez, Sir,
> 
> This list has already its share of spam and i think it doesn't need
> yours. Some of us are reading messages from web list archivers like
> marc.info. I don't need your offtopic messages there and neither your
> answers to your own messages. Find another list for this purpose.
> 
> Thank you very much.



Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-27 Thread Dan
Hello, I have 3 security-related questions:
(1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure
Attention Key, or SAK) to prevent malware (or a website in fullscreen, for
example) from faking a logout process and/or faking a login prompt? On
Windows the kernel ensures that the operating system captures this key
combination and takes over with a real login prompt that malware can't fake
without first defeating the OS security.
(2) I've learned that X11 allows locally running malware to sniff the
keystrokes input to any other X11-using app running under any user. Does
Xenocara/rootless X on OpenBSD prevent or limit this?
(3) I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
installed from the OpenBSD package manager/ports) are sandboxed with
pledge(2) and unveil(2). Are there any other major apps, especially that
commonly accept untrusted input, that are also sandboxed like that on
OpenBSD? Especially email clients, media players, word processors, apps to
send/receive/sync files, etc.

Thank you.


Re: One more thought about security..

2024-03-27 Thread hahahahacker2009
-- Forwarded message -
From: Mihai Popescu 
Date: Sat, Feb 24, 2024 at 08:15
Subject: Re: If you need to gamify...
To: 


Captain Warez, Sir,

This list has already its share of spam and i think it doesn't need
yours. Some of us are reading messages from web list archivers like
marc.info. I don't need your offtopic messages there and neither your
answers to your own messages. Find another list for this purpose.

Thank you very much.



One more thought about security..

2024-03-26 Thread Dan
Hello,

Just adding a simple evidence: dark mode is difficult to print.

If you are dedicating time to web browser and email client development
in OpenBSD.. I suggest to point antennas on dark mode too..

-Dan



Re: Is this a security issue?

2024-03-13 Thread jslee via misc
Hi,

On Thu, 14 Mar 2024, at 00:25, ofthecentury wrote:
>. And I was under the impression there would be no graphics
> errors week 1 of me using OpenBSD due to the way OpenBSD was
> centered around code auditing and only releasing something very
> stable and tested, especially something so sensitive as graphics.

A nice but naive assumption, I think.

There’s a wild variety of hardware out there and AIUI developers are mostly 
volunteers who probably give their paid jobs, family, etc a higher priority.

John



Re: Is this a security issue?

2024-03-13 Thread ofthecentury
Thanks, Ze. In all fairness, people jump at an opportunity to attack
someone, but it actually takes a certain level of expertise to interpret
highly technical search results. I google. I don't write intel graphics
drivers. And I was under the impression there would be no graphics
errors week 1 of me using OpenBSD due to the way OpenBSD was
centered around code auditing and only releasing something very
stable and tested, especially something so sensitive as graphics.

On Wed, Mar 13, 2024 at 5:42 PM Zé Loff  wrote:
>
> On Wed, Mar 13, 2024 at 05:01:57PM +0500, ofthecentury wrote:
> > Just saw this in my /var/log/messages:
> >
> > '/bsd: drm:pid1338:intel_pipe_update_start *ERROR*
> > [drm] *ERROR* Potential atomic update failure on pipe B'
> >
> > Intel_pipe_update???
> >
>
> No, it isn't a security issue, it's an underrun on the graphics driver.
>
> 
> A quick search would have told you so.  This is a mailing list, with
> people that actually have to take some of their time to reply, not a
> search engine.
> 
>
>
> --
>



Re: Is this a security issue?

2024-03-13 Thread Peter N. M. Hansteen
On Wed, Mar 13, 2024 at 05:01:57PM +0500, ofthecentury wrote:
> Just saw this in my /var/log/messages:
> 
> '/bsd: drm:pid1338:intel_pipe_update_start *ERROR*
> [drm] *ERROR* Potential atomic update failure on pipe B'
> 
> Intel_pipe_update???
> 
A fairly simple web search would have provided potentially useful information
such as

https://marc.info/?l=openbsd-bugs=2=1=Potential+atomic+update+failure=b

Try fw_update (possibly after reading its man page) and see if it makes a
difference.

Also, *complete* dmesg output would have told anyone trying to help diagnose
the issue a lot more.

As somebody (sorry, I forget who) posted earlier, https://idownvotedbecau.se/
is actually worth reading.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Is this a security issue?

2024-03-13 Thread Zé Loff
On Wed, Mar 13, 2024 at 05:01:57PM +0500, ofthecentury wrote:
> Just saw this in my /var/log/messages:
> 
> '/bsd: drm:pid1338:intel_pipe_update_start *ERROR*
> [drm] *ERROR* Potential atomic update failure on pipe B'
> 
> Intel_pipe_update???
> 

No, it isn't a security issue, it's an underrun on the graphics driver.


A quick search would have told you so.  This is a mailing list, with
people that actually have to take some of their time to reply, not a
search engine.



-- 
 



Is this a security issue?

2024-03-13 Thread ofthecentury
Just saw this in my /var/log/messages:

'/bsd: drm:pid1338:intel_pipe_update_start *ERROR*
[drm] *ERROR* Potential atomic update failure on pipe B'

Intel_pipe_update???



Re: ***UNCHECKED*** Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-28 Thread Why 42? The lists account.


On Thu, Dec 21, 2023 at 08:20:37AM -0300, Crystal Kolipe wrote:
> > login.conf used to allow unlimited datasize for the 'daemon' class. That was
> > changed to cap at 4G
> 
> Actually the value is an architecture dependent setting.
> 
> On amd64 it is indeed 4G, but typically 1024 Mb on the smaller archs which
> until recently, (post 7.4), included i386, which has now been increased to
> 1500 Mb.
Shouldn't it vary according to the amount of RAM available on the system?
Or is the backing store (swap) more relevant? Anyway ...

> BTW, we already had this exact same discussion with Robb on the list back in
> February:
> 
> https://marc.info/?l=openbsd-misc=167561903118994
> 
> So when I asked why he didn't just bump the value, it was indeed a question
> and not a suggestion to just do it.
Oh right :-) Seems like I was fat and happy in February with "-s=4194304"
in fstab and "df -h /tmp" returning 1.8G available.

I don't know why or when it stopped working in the meantime. Maybe daily
should report failed mounts? I mean, normally, something like that is
hard to miss, but with /tmp it's not so obvious. Just a thought.

I guess I tend to avoid modifying login.conf to avoid having to fix
issues reported by sysmerge after an upgrade. But in reality those don't
occur that often and I'm just being overly sensitive.

Right now login.conf contains:
> daemon:\
>         :ignorenologin:\
>         :datasize=4096M:\
>         :maxproc=infinity:\
>         :openfiles-max=1024:\
>         :openfiles-cur=128:\
>         :stacksize-cur=8M:\
>         :tc=default:
> ...

I was just able to mfs_mount 2GB on the command line:
> mjoelnir:robb 28.12 17:13:17 # mkdir /tmptmp
> mjoelnir:robb 28.12 17:13:25 # df -h /tmptmp
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/sd1a     1005M    250M    704M    27%    /
> mjoelnir:robb 28.12 17:13:29 # mount_mfs -s 4194304 swap /tmptmp
> mjoelnir:robb 28.12 17:13:43 # df -h /tmptmp
> Filesystem     Size    Used   Avail Capacity  Mounted on
> mfs:23190      1.9G    1.0K    1.8G     1%    /tmptmp

That was as root though, so maybe that's not such a great test. Is it
possible to do something like "doas daemon ..."?

I'll switch fstab back to use this size for /tmp and check after the next
reboot if it gets mounted as expected ...

Cheers,
Robb.



Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-21 Thread Crystal Kolipe
On Thu, Dec 21, 2023 at 10:54:14AM -, Stuart Henderson wrote:
> On 2023-12-20, Why 42? The lists account.  wrote:
> >
> > Just tried the mount of /tmp manually from the command line and got:
> > mount_mfs: mmap: Cannot allocate memory
> >
> > When I halved the size (memory) allocated (-s=2097152) it mounts
> > successfully:
> > mjoelnir:robb 20.12 19:50:02 # df -h /tmp
> > Filesystem     Size    Used   Avail Capacity  Mounted on
> > mfs:75507      1.9G    1.0K    1.8G     1%    /tmp
> >
> > Strange that it used to work. One day (!) I'll re-partition and allocate
> > a partition/slice of "real" storage to /tmp instead of using mfs.
> 
> login.conf used to allow unlimited datasize for the 'daemon' class. That was
> changed to cap at 4G

Actually the value is an architecture dependent setting.

On amd64 it is indeed 4G, but typically 1024 Mb on the smaller archs which
until recently, (post 7.4), included i386, which has now been increased to
1500 Mb.

BTW, we already had this exact same discussion with Robb on the list back in
February:

https://marc.info/?l=openbsd-misc=167561903118994

So when I asked why he didn't just bump the value, it was indeed a question
and not a suggestion to just do it.



Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-21 Thread Stuart Henderson
On 2023-12-20, Why 42? The lists account.  wrote:
>
> Just tried the mount of /tmp manually from the command line and got:
> mount_mfs: mmap: Cannot allocate memory
>
> When I halved the size (memory) allocated (-s=2097152) it mounts
> successfully:
> mjoelnir:robb 20.12 19:50:02 # df -h /tmp
> Filesystem     Size    Used   Avail Capacity  Mounted on
> mfs:75507      1.9G    1.0K    1.8G     1%    /tmp
>
> Strange that it used to work. One day (!) I'll re-partition and allocate
> a partition/slice of "real" storage to /tmp instead of using mfs.

login.conf used to allow unlimited datasize for the 'daemon' class. That was
changed to cap at 4G (IIRC that was a prerequisite before we were allowed to
bump MAXDSIZ but I don't remember all the details now). This affects things
started from rc - the things particularly likely to run into memory limits
here are fsck, mounting mfs filesystems, maybe also running dump or
restore from single user mode - also ports daemons, though in most cases
we now provide a separate /etc/login.conf.d/daemonname file which raises
limits where needed.

If you have plenty of RAM you may want to bump that value.




Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-20 Thread Crystal Kolipe
On Thu, Dec 21, 2023 at 12:16:33AM +0200, Mihai Popescu wrote:
> > Why didn't you just bump the daemon datasize in /etc/login.conf to the 
> > required value?
> 
> this is there for a reason and if you keep "bumping" it, maybe it should be
> removed.

OK, then:

1. Read the docs and source.

2. Make an educated and informed decision whether to bump it or not based on
   your own particular requirements and knowledge level.

3. Don't complain on the official OpenBSD lists if you break your own machine,
   or expect assistance with such a highly customised configuration.



Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-20 Thread Mihai Popescu
> Why didn't you just bump the daemon datasize in /etc/login.conf to the 
> required value?

Because The Creator said once this is there for a reason and if you
keep "bumping" it, maybe it should be removed.



Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-20 Thread Crystal Kolipe
On Wed, Dec 20, 2023 at 07:55:29PM +0100, Why 42? The lists account. wrote:
> When I halved the size (memory) allocated (-s=2097152) it mounts
> successfully

Why didn't you just bump the daemon datasize in /etc/login.conf to the
required value?



Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-20 Thread Why 42? The lists account.


On Wed, Dec 20, 2023 at 10:57:41AM -0500, Nick Holland wrote:
> the ROOTBACKUP process is making an image of a live file system; fsck
> grumblings ARE expected.  It's just one of those things you aren't supposed
> to do (but I do it regularly, because normally, you can get away with it).
> 
> Why the files it is grumbling about are owned by you ... that is a puzzle.
> Is your /tmp on a separate partition?  If so, it shouldn't be being backed
> up by the ROOTBACKUP process.  Same for "home" or any other file system you
> have access write to.

Interesting ... unexpectedly /tmp _is_ part of the root filesystem.

I have an entry in fstab to mount it as a separate mfs filesystem but
that has failed for some reason. Probably then this is the reason that
the fsck errors are now occurring, being reported, and that I noticed
them.

Previously, when /tmp was transient, the root filesystem and the altroot
fsck process were not affected by content in /tmp.

Just tried the mount of /tmp manually from the command line and got:
mount_mfs: mmap: Cannot allocate memory

When I halved the size (memory) allocated (-s=2097152) it mounts
successfully:
mjoelnir:robb 20.12 19:50:02 # df -h /tmp
Filesystem     Size    Used   Avail Capacity  Mounted on
mfs:75507      1.9G    1.0K    1.8G     1%    /tmp

Strange that it used to work. One day (!) I'll re-partition and allocate
a partition/slice of "real" storage to /tmp instead of using mfs.


> I also see this:
> > Backing up root=/dev/rsd1a to /dev/rsd0a:
> is sd1a actually your root, and sd0a actually your altroot?
 
> > Second question: Also after an upgrade, the "daily insecurity output"
> > contains a huge amount of setuid changes e.g.
> > ...
> > What actually changed then?
> 
> The files.

Aha! - I see. I had in my head somehow understood "Setuid changes:" to
mean "changes to the setuid flags/bits of these files ...", not "these
files are suid and their content has changed". Maybe that is a better
description.

> (and yes, I have seen events where a major upgrade caused a lot of noise in
> a "something changed" file...which unfortunately hid something we needed to
> know about ALSO happened, and was dismissed as "part of the upgrade noise".
> This wasn't OpenBSD nor was it a "security event", but it did delay the
> detection and repair of a redundancy failure issue because one line was
> missed in a sea of thousands of lines of "yeah, that's expected" noise.)

It is a fair bit of noise in this case ... even more so with the
following "Block device changes" and the even longer "rpki" related
section.

Thanks!

Cheers,
Robb.



Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-20 Thread Nick Holland

On 12/20/23 06:02, Why 42? The lists account. wrote:

> Hi All,
>
> A couple of questions ...
>
> I have "ROOTBACKUP=1" in /etc/daily.local to replicate my root partition
> as described in the FAQ (https://www.openbsd.org/faq/faq14.html#altroot)
>
> I noticed after an update to a new snapshot via sysupgrade that the next
> daily output email contains many many fsck "UNREF FILE" errors (See the
> output included below). Is this expected, or is there some problem? Most
> or all of the files seem to be owned by me (robb) so I'm thinking that
> these errors may be related to files in /tmp ... Not sure why this occurs
> though?


the ROOTBACKUP process is making an image of a live file system; fsck
grumblings ARE expected.  It's just one of those things you aren't supposed
to do (but I do it regularly, because normally, you can get away with it).

Why the files it is grumbling about are owned by you ... that is a puzzle.
Is your /tmp on a separate partition?  If so, it shouldn't be being backed
up by the ROOTBACKUP process.  Same for "home" or any other file system you
have access write to.

I also see this:

> Backing up root=/dev/rsd1a to /dev/rsd0a:

is sd1a actually your root, and sd0a actually your altroot?


> Second question: Also after an upgrade, the "daily insecurity output"
> contains a huge amount of setuid changes e.g.
> ...
> -r-xr-sr-x 1 root auth      21144  Nov 30 15:36:52 2023 /usr/bin/skeyinit
> -r-xr-sr-x 1 root auth      21144  Dec 19 08:35:26 2023 /usr/bin/skeyinit
> -r-xr-sr-x 1 root _sshagnt 440496  Nov 30 15:36:53 2023 /usr/bin/ssh-agent
> -r-xr-sr-x 1 root _sshagnt 443856  Dec 19 08:35:26 2023 /usr/bin/ssh-agent
> -r-sr-xr-x 1 root bin       19608  Nov 30 15:36:53 2023 /usr/bin/su
> -r-sr-xr-x 1 root bin       19608  Dec 19 08:35:27 2023 /usr/bin/su
> -r-xr-sr-x 1 root tty       17936  Nov 30 15:36:54 2023 /usr/bin/wall
> -r-xr-sr-x 1 root tty       17936  Dec 19 08:35:28 2023 /usr/bin/wall
> -r-xr-sr-x 1 root tty       14184  Nov 30 15:36:55 2023 /usr/bin/write
> -r-xr-sr-x 1 root tty       14184  Dec 19 08:35:28 2023 /usr/bin/write
> -r-xr-sr-x 4 root _token    21248  Nov 30 15:36:44 2023 /usr/libexec/auth/login_activ
> -r-xr-sr-x 4 root _token    21248  Dec 19 08:35:18 2023 /usr/libexec/auth/login_activ
> ...
>
> What actually changed then?


The files.


> Surely many or all of these files had the same permission bits before the
> upgrade?
> Maybe these files now have different inode numbers, after the upgrade?
> Why is each filename reported twice? Are these "old" and "new" values?


This isn't complaining about the EXISTENCE of setuid programs, it is advising
that setuid programs CHANGED from their last recorded version.
After all, if I manage to drop a new setuid program on your system, perhaps
naming it "ping" or "su", that would be bad, you might want to know about it.
Sure, dropping a setuid program that wasn't setuid before could be bad, but
replacing an existing one would be more sneaky.

You upgraded your machine, so you replaced a lot of setuid programs.  And
yes, it shows date stamp and size of the old file and the new file.
Seeing something bump up or down a few bytes and matching the same date and
time stamp of other binaries after an upgrade is expected.  Seeing that "su"
went from 20k to 70k might warrant investigation.

(and yes, I have seen events where a major upgrade caused a lot of noise in
a "something changed" file...which unfortunately hid something we needed to
know about ALSO happened, and was dismissed as "part of the upgrade noise".
This wasn't OpenBSD nor was it a "security event", but it did delay the
detection and repair of a redundancy failure issue because one line was
missed in a sea of thousands of lines of "yeah, that's expected" noise.)

Nick.



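Nick's point above, that an upgrade replaces every setuid binary and the job is to spot the one entry that does not fit, can be turned into a triage filter. This is an added example, not part of the thread or of OpenBSD's security(8); the thresholds, the function names and the sample's constructed `su` and `/usr/local/bin/example` lines are assumptions.

```python
import re
import statistics
from datetime import datetime, timedelta

# One "ls -l"-style entry, in the layout shown in the thread's excerpt.
ENTRY = re.compile(
    r"^(?P<mode>[-bcdlps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<stamp>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<path>/.*)$"
)

# Assumed thresholds, not values from the thread or from security(8).
SIZE_TOLERANCE = 0.25           # relative size change accepted as a rebuild
WINDOW = timedelta(minutes=30)  # distance from the median new mtime accepted

# skeyinit, ssh-agent, wall and login_activ lines are from the thread (the last
# pair keeps the mailer's line wrap). The su pair and /usr/local/bin/example
# are constructed to exercise the checks; the old entry precedes the new one.
SAMPLE = """\
-r-xr-sr-x 1 root auth   21144   Nov 30 15:36:52 2023 /usr/bin/skeyinit
-r-xr-sr-x 1 root auth   21144   Dec 19 08:35:26 2023 /usr/bin/skeyinit
-r-xr-sr-x 1 root _sshagnt   440496  Nov 30 15:36:53 2023 /usr/bin/ssh-agent
-r-xr-sr-x 1 root _sshagnt   443856  Dec 19 08:35:26 2023 /usr/bin/ssh-agent
-r-xr-sr-x 1 root tty 17936   Nov 30 15:36:54 2023 /usr/bin/wall
-r-xr-sr-x 1 root tty 17936   Dec 19 08:35:28 2023 /usr/bin/wall
-r-xr-sr-x 4 root _token 21248   Nov 30 15:36:44 2023
/usr/libexec/auth/login_activ
-r-xr-sr-x 4 root _token 21248   Dec 19 08:35:18 2023
/usr/libexec/auth/login_activ
-r-sr-xr-x 1 root bin 19608   Nov 30 15:36:53 2023 /usr/bin/su
-r-sr-xr-x 1 root bin 71680   Dec 19 21:14:03 2023 /usr/bin/su
-r-sr-xr-x 1 root bin 30000   Dec 19 22:01:40 2023 /usr/local/bin/example
"""


def logical_lines(report):
    """Re-join entries whose path was wrapped onto its own line by the mailer."""
    lines = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("/") and lines and not ENTRY.match(lines[-1]):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse(report):
    """Return {path: [entry, ...]} in report order; other lines are ignored."""
    by_path = {}
    for line in logical_lines(report):
        m = ENTRY.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        stamp = " ".join(entry.pop("stamp").split())
        entry["mtime"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        by_path.setdefault(entry["path"], []).append(entry)
    return by_path


def triage(report):
    """Return {path: [reasons]} for entries that are not plain upgrade churn."""
    by_path = parse(report)
    pairs = {p: e for p, e in by_path.items() if len(e) == 2}
    findings = {p: ["unpaired entry: file appeared or disappeared"]
                for p, e in by_path.items() if len(e) != 2}
    if not pairs:
        return findings
    # Most replaced binaries share the upgrade's timestamp; the median stays
    # put even when a few entries were modified at some other time.
    upgrade_time = statistics.median_low(
        [new["mtime"] for _, new in pairs.values()])
    for path, (old, new) in pairs.items():
        reasons = [f"{k} changed: {old[k]} -> {new[k]}"
                   for k in ("mode", "owner", "group") if old[k] != new[k]]
        if abs(new["size"] - old["size"]) / max(old["size"], 1) > SIZE_TOLERANCE:
            reasons.append(f"size changed: {old['size']} -> {new['size']}")
        if abs(new["mtime"] - upgrade_time) > WINDOW:
            reasons.append(f"mtime {new['mtime']} is outside the upgrade window")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Lines that fail to parse are skipped, so compare the number of parsed paths with the report before trusting an empty result.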

Post (snap) update emails: fsck errors and (in)security output

2023-12-20 Thread Why 42? The lists account.

Hi All,

A couple of questions ...

I have "ROOTBACKUP=1" in /etc/daily.local to replicate my root partition
as described in the FAQ (https://www.openbsd.org/faq/faq14.html#altroot)

I noticed after an update to a new snapshot via sysupgrade that the next
daily output email contains many many fsck "UNREF FILE" errors (See the
output included below). Is this expected, or is there some problem? Most
or all of the files seem to be owned by me (robb) so I'm thinking that
these errors may be related to files in /tmp ... Not sure why this occurs
though?

Second question: Also after an upgrade, the "daily insecurity output"
contains a huge amount of setuid changes e.g.
...
-r-xr-sr-x 1 root auth      21144  Nov 30 15:36:52 2023 /usr/bin/skeyinit
-r-xr-sr-x 1 root auth      21144  Dec 19 08:35:26 2023 /usr/bin/skeyinit
-r-xr-sr-x 1 root _sshagnt 440496  Nov 30 15:36:53 2023 /usr/bin/ssh-agent
-r-xr-sr-x 1 root _sshagnt 443856  Dec 19 08:35:26 2023 /usr/bin/ssh-agent
-r-sr-xr-x 1 root bin       19608  Nov 30 15:36:53 2023 /usr/bin/su
-r-sr-xr-x 1 root bin       19608  Dec 19 08:35:27 2023 /usr/bin/su
-r-xr-sr-x 1 root tty       17936  Nov 30 15:36:54 2023 /usr/bin/wall
-r-xr-sr-x 1 root tty       17936  Dec 19 08:35:28 2023 /usr/bin/wall
-r-xr-sr-x 1 root tty       14184  Nov 30 15:36:55 2023 /usr/bin/write
-r-xr-sr-x 1 root tty       14184  Dec 19 08:35:28 2023 /usr/bin/write
-r-xr-sr-x 4 root _token    21248  Nov 30 15:36:44 2023 /usr/libexec/auth/login_activ
-r-xr-sr-x 4 root _token    21248  Dec 19 08:35:18 2023 /usr/libexec/auth/login_activ
...

What actually changed then?
Surely many or all of these files had the same permission bits before the
upgrade?
Maybe these files now have different inode numbers, after the upgrade?
Why is each filename reported twice? Are these "old" and "new" values?

Thanks in advance for any feedback!

Cheers,
Robb.


Subject: mjoelnir daily output
...
OpenBSD 7.4-current (GENERIC.MP) #1535: Tue Dec 19 00:55:53 MST 2023
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

 1:30AM  up  7:20, 7 users, load averages: 0.62, 0.44, 0.40

Backing up root=/dev/rsd1a to /dev/rsd0a:
131071+0 records in
131071+0 records out
1073733632 bytes transferred in 10.509 secs (102169077 bytes/sec)
** /dev/rsd0a
** Last Mounted on /
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=26656 (64 should be 32)
CORRECT? yes

INCORRECT BLOCK COUNT I=26688 (4128 should be 0)
CORRECT? yes

** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE I=26064  OWNER=robb MODE=100600
SIZE=4 MTIME=Dec 20 01:30 2023
CLEAR? yes

UNREF FILE I=26069  OWNER=robb MODE=10640
SIZE=0 MTIME=Dec 19 19:02 2023
CLEAR? yes

UNREF FILE I=26070  OWNER=robb MODE=10640
SIZE=0 MTIME=Dec 20 01:02 2023
CLEAR? yes

UNREF FILE I=26073  OWNER=robb MODE=100600
SIZE=28672 MTIME=Dec 20 01:30 2023
CLEAR? yes
...
** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? yes

SUMMARY INFORMATION BAD
SALVAGE? yes

BLK(S) MISSING IN BIT MAPS
SALVAGE? yes

6103 files, 101471 used, 412968 free (656 frags, 51539 blocks, 0.1% fragmentation)

MARK FILE SYSTEM CLEAN? yes


* FILE SYSTEM WAS MODIFIED *



Re: Open-source security processor

2023-09-07 Thread Markus Wernig

On 9/8/23 00:24, Richard Thornton wrote:


> Say you had the guts of an x86_64 desktop running Windows on the bench and
> another computer running OpenBSD right next to it, is there some mechanism
> available that could allow you to integrity scan the NVMe drive (and also
> the firmware but that's probably an easier problem solved with something
> like SPI) of the powered-off x86_64 with the OpenBSD box, like a hardware
> device that allows both OpenBSD and the laptop physical hardware level
> access to the same NVMe, or would you have the NVMe in OpenBSD, scan it and
> then somehow "hand over" the NVMe to Windows?
>
> The NVMe drive can't be physically touched, not just swapped from board to
> board, I'm thinking of this from a more "embedded" viewpoint.


If you think about a forensic analysis and/or integrity check of the 
*contents* of the NVMe, you should draw a binary image of the disk and 
analyze that. If you cannot remove the disk, but boot the system from an 
external device (into whatever OS you prefer), you could create such a 
copy from there (dd is your friend). You could also analyze the disk 
directly from there, but there's a high probability that you will modify 
it by doing so (in case you have to mount the filesystems).


If you cannot boot the system from an external device (because it is eg. 
in a hibernated state that you need to preserve), I don't think there is 
much you can do without removing the disk from the computer.


/m



Open-source security processor

2023-09-07 Thread Richard Thornton
Apologies, this might be a little bit OT but I was thinking of this and I
thought about the wonderful folks at OpenBSD.

Say you had the guts of an x86_64 desktop running Windows on the bench and
another computer running OpenBSD right next to it, is there some mechanism
available that could allow you to integrity scan the NVMe drive (and also
the firmware but that's probably an easier problem solved with something
like SPI) of the powered-off x86_64 with the OpenBSD box, like a hardware
device that allows both OpenBSD and the laptop physical hardware level
access to the same NVMe, or would you have the NVMe in OpenBSD, scan it and
then somehow "hand over" the NVMe to Windows?

The NVMe drive can't be physically touched, not just swapped from board to
board, I'm thinking of this from a more "embedded" viewpoint.

Or am I thinking about an external CPU validating an OS install in
completely the wrong way?

Thanks
Richard


Re: RSS or Atom syndication for security advisories?

2023-05-30 Thread Kapetanakis Giannis
I use https://undeadly.org/errata/errata.rss

Seems to work for the last 2 years

G

On 23/05/2023 13:13, Stuart Henderson wrote:
> On 2023/05/23 09:35, Xavier wrote:
>> I did not say that. I did not see that you in particular, or anyone in this
>> mailing list, make this work.
>> As a user, I simply suggest creating an RSS channel for security advisories
>> and *even* I offer myself to help.
>>
>> The intention behind was to improve OpenBSD web. Simply.
> The number of people who work on errata, for obvious reasons, needs
> to be a small set of people that we know+trust. Sometimes (though
> fortunately not all that often) that work is very delicate and needs to
> be done quickly but carefully. High stress situation already.
>
> Adding extra steps to the errata process, to merely provide the same
> information which is _already provided_ but just not in the format you
> prefer (in the case of pages on www.openbsd.org) and not on the website
> you prefer (in the case of the rss feed on undeadly.org), can't be of
> more than minor benefit to you, and no benefit to most people who
> already receive that information via other methods, yet it adds extra
> steps (= work) for every erratum that is produced.
>
>> Perhaps it's me but I perceived some kind of rudeness in some responses.
> After being given a workable answer (the rss feed on undeadly), you didn't
> like it and asked volunteers to do even more work than they already do, to
> mostly benefit you. Which I think some will consider a bit rude itself.
>
>> Oh! Come on! Why don't we concentrate in teach reasons and not in "I don't
>> want to move my position". Do you think this kind of answer would benefit
>> the project?
> There's no need to concentrate on tech reasons because it's not a technical
> problem.
>



Re: RSS or Atom syndication for security advisories?

2023-05-23 Thread Stuart Henderson
On 2023/05/23 09:35, Xavier wrote:
> I did not say that. I did not see that you in particular, or anyone in this
> mailing list, make this work.
> As a user, I simply suggest creating an RSS channel for security advisories
> and *even* I offer myself to help.
> 
> The intention behind was to improve OpenBSD web. Simply.

The number of people who work on errata, for obvious reasons, needs
to be a small set of people that we know+trust. Sometimes (though
fortunately not all that often) that work is very delicate and needs to
be done quickly but carefully. High stress situation already.

Adding extra steps to the errata process, to merely provide the same
information which is _already provided_ but just not in the format you
prefer (in the case of pages on www.openbsd.org) and not on the website
you prefer (in the case of the rss feed on undeadly.org), can't be of
more than minor benefit to you, and no benefit to most people who
already receive that information via other methods, yet it adds extra
steps (= work) for every erratum that is produced.

> Perhaps it's me but I perceived some kind of rudeness in some responses.

After being given a workable answer (the rss feed on undeadly), you didn't
like it and asked volunteers to do even more work than they already do, to
mostly benefit you. Which I think some will consider a bit rude itself.

> Oh! Come on! Why don't we concentrate in teach reasons and not in "I don't
> want to move my position". Do you think this kind of answer would benefit
> the project?

There's no need to concentrate on tech reasons because it's not a technical
problem.



Re: RSS or Atom syndication for security advisories?

2023-05-23 Thread Xavier
I did not say that. I did not see that you in particular, or anyone in 
this mailing list, make this work.
As a user, I simply suggest creating an RSS channel for security 
advisories and *even* I offer myself to help.


The intention behind was to improve OpenBSD web. Simply.

I want to thank Brian and Hiltjo who gave me positives answers with 
resolutive comments.
I missed some guide or collaboration in order to incorporate this change 
or at least talk about technical pros and cons.

Perhaps it's me but I perceived some kind of rudeness in some responses.

Oh! Come on! Why don't we concentrate in teach reasons and not in "I 
don't want to move my position". Do you think this kind of answer would 
benefit the project?

Do you treat people in reality like in the web?

Xavier

On 22.05.2023 15:11, Theo de Raadt wrote:

> I am not going to do any of this work you want.
>
> Good bye.
>
> Xavier wrote:
>
> > "Theo de Raadt" said:
> >
> > > I'd be thrilled to do less work on errata!
> > > How about we do RSS, and stop making errata?
> > > We can do static RSS.
> > > Configure and forget.
> >
> > I don't know if you say it seriously. If you do, I think it's the
> > best. Perhaps you could write some semantic file and convert them to
> > desired format (html, RSS, etc.).
> > I saw the www repo
> > (https://github.com/openbsd/www/blob/38884496ed89e3041dcaaeadaf21e20a918581ee/errata73.html)
> > and it seems you make things manually. Don't you think an static site
> > generator or some kind of tool to make things more automatic (I'm
> > thinking in mandoc conversion because all the web is really a big
> > documentation project)?
> >
> > Regards,
> > Xavier




Re: RSS or Atom syndication for security advisories?

2023-05-23 Thread Xavier

Thanks a lot, Brian. Very appreciated.
So now the only work is to merge to www

On 22.05.2023 15:50, Brian Conway wrote:

> On Mon, May 22, 2023, at 9:59 AM, Xavier wrote:
> > I don't know if you say it seriously. If you do, I think it's the best.
> > Perhaps you could write some semantic file and convert them to desired
> > format (html, RSS, etc.).
> > I saw the www repo
> > (https://github.com/openbsd/www/blob/38884496ed89e3041dcaaeadaf21e20a918581ee/errata73.html)
> > and it seems you make things manually. Don't you think an static site
> > generator or some kind of tool to make things more automatic (I'm
> > thinking in mandoc conversion because all the web is really a big
> > documentation project)?
> >
> > Regards,
> > Xavier
>
> Done.
>
> https://www.mail-archive.com/announce@openbsd.org/maillist.xml
>
> Enjoy. Bye.
>
> -b




Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Brian Conway
On Mon, May 22, 2023, at 9:59 AM, Xavier wrote:
> I don't know if you say it seriously. If you do, I think it's the best. 
> Perhaps you could write some semantic file and convert them to desired 
> format (html, RSS, etc.).
> I saw the www repo 
> (https://github.com/openbsd/www/blob/38884496ed89e3041dcaaeadaf21e20a918581ee/errata73.html)
>  
> and it seems you make things manually. Don't you think an static site 
> generator or some kind of tool to make things more automatic (I'm 
> thinking in mandoc conversion because all the web is really a big 
> documentation project)?
>
> Regards,
> Xavier

Done.

https://www.mail-archive.com/announce@openbsd.org/maillist.xml

Enjoy. Bye.

-b



Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Theo de Raadt
I am not going to do any of this work you want.

Good bye.



Xavier  wrote:

> "Theo de Raadt" said:
> 
> > I'd be thrilled to do less work on errata!
> > How about we do RSS, and stop making errata?
> > We can do static RSS.
> > Configure and forget.
> 
> I don't know if you say it seriously. If you do, I think it's the
> best. Perhaps you could write some semantic file and convert them to
> desired format (html, RSS, etc.).
> I saw the www repo
> (https://github.com/openbsd/www/blob/38884496ed89e3041dcaaeadaf21e20a918581ee/errata73.html)
> and it seems you make things manually. Don't you think an static site
> generator or some kind of tool to make things more automatic (I'm
> thinking in mandoc conversion because all the web is really a big
> documentation project)?
> 
> Regards,
> Xavier



Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Xavier

"Theo de Raadt" said:


> I'd be thrilled to do less work on errata!
>
> How about we do RSS, and stop making errata?
>
> We can do static RSS.
>
> Configure and forget.


I don't know if you say it seriously. If you do, I think it's the best. 
Perhaps you could write some semantic file and convert them to desired 
format (html, RSS, etc.).
I saw the www repo 
(https://github.com/openbsd/www/blob/38884496ed89e3041dcaaeadaf21e20a918581ee/errata73.html) 
and it seems you make things manually. Don't you think an static site 
generator or some kind of tool to make things more automatic (I'm 
thinking in mandoc conversion because all the web is really a big 
documentation project)?


Regards,
Xavier



Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Theo de Raadt
Stuart Henderson  wrote:

> On 2023-05-22, Xavier B.  wrote:
> > Why?
> 
> If you make too much extra work for people who are handling errata,
> they won't want to handle errata any more.

I'd be thrilled to do less work on errata!

How about we do RSS, and stop making errata?

We can do static RSS.

Configure and forget.



Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Stuart Henderson
On 2023-05-22, Xavier B.  wrote:
> Why?

If you make too much extra work for people who are handling errata,
they won't want to handle errata any more.

The simplest way to check for new updates on an OpenBSD system
is to run syspatch -c, or subscribe to the "announce" mailing list.

If you want more than is already offered, you are free to scrape the
errata webpages, parse the "www" repository (via anoncvs or the git
conversion) errata files, etc.




Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Daniel Ouellet
Not only you can subscribe to the list for the announcement for these 
patches, but you already have it on the front page of the OpenBSD 
Journal site as well.


https://undeadly.org/cgi?action=front

Look right column under:

OpenBSD Errata

So all you asked for is already there.

Not sure how quickly the site is updated, but you may get it faster via 
the announcement.


Either way, you have two sources for what you want. It was already 
there, just needed to look for it.


Hope this answers your question. No need to add anything.

Daniel


On 5/21/23 3:27 PM, Hiltjo Posthuma wrote:

> On Sun, May 21, 2023 at 06:26:12PM +, Xavier B. wrote:
> > Thanks, Hiltjo, for your help. I very appreciate that.
> >
> > Perhaps it could be useful to place it in official site.
> > What do you think? What kind of software do you use to generate the web page?
> > Perhaps I could help you to add RSS security advisories.
>
> Hi,
>
> You're welcome, but to be clear: I only posted the link.
>
> http://undeadly.org/cgi?action=about
>
> > Thanks,
> > Xavier
> >
> > On Sun, 21 May 2023 16:03:54 +0200
> > Hiltjo Posthuma wrote:
> >
> > > On Sun, May 21, 2023 at 11:34:57AM +, Xavier B. wrote:
> > > > Hi,
> > > >
> > > > I just want to know if there is an RSS or Atom syndication advisories.
> > > >
> > > > I have several machines with several operating system in them: GNU/Linux
> > > > (alpine and arch), FreeBSD and OpenBSD.
> > > > I have a news reader and I'm subscribed to many operating systems security
> > > > advisories so occasionally I know there are some security bugs and then I need
> > > > to update one of my machine system.
> > > >
> > > > Regarding to OpenBSD I just saw this errata page
> > > > [https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's version
> > > > specific. Is it anywhere else?
> > > >
> > > > If not, please consider to provide it from an user point of view.
> > > >
> > > > Thanks in advance,
> > >
> > > Hi,
> > >
> > > http://undeadly.org/errata/errata.rss
> > >
> > > --
> > > Kind regards,
> > > Hiltjo








Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Stuart Henderson
On 2023-05-21, Xavier B.  wrote:
> What kind of software do you use to generate the web page?

Depends on the developer who is updating it at the time, but I think
probably for most it will be one of vi, vim, emacs or mg.




Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Xavier B.
Why?

I can help you if you want to code it

On Mon, 22 May 2023 04:37:06 -0600
"Theo de Raadt" wrote:

> Not going to happen.
> 
> Xavier B.  wrote:
> 
> > Yeah!, I understand you. But I think it should be included in official 
> > resources. To whom is concerned about.
> > 
> > On Sun, 21 May 2023 21:27:19 +0200
> > Hiltjo Posthuma wrote:
> > 
> > > On Sun, May 21, 2023 at 06:26:12PM +, Xavier B. wrote:
> > > > Thanks, Hiltjo, for your help. I very appreciate that.
> > > > 
> > > > Perhaps it could be useful to place it in official site.
> > > > What do you think? What kind of software do you use to generate the web 
> > > > page? Perhaps I could help you to add RSS security advisories.
> > > > 
> > > 
> > > Hi,
> > > 
> > > You're welcome, but to be clear: I only posted the link.
> > > 
> > > http://undeadly.org/cgi?action=about
> > > 
> > 



Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Theo de Raadt
Not going to happen.

Xavier B.  wrote:

> Yeah!, I understand you. But I think it should be included in official 
> resources. To whom is concerned about.
> 
> On Sun, 21 May 2023 21:27:19 +0200
> Hiltjo Posthuma wrote:
> 
> > On Sun, May 21, 2023 at 06:26:12PM +, Xavier B. wrote:
> > > Thanks, Hiltjo, for your help. I very appreciate that.
> > > 
> > > Perhaps it could be useful to place it in official site.
> > > What do you think? What kind of software do you use to generate the web 
> > > page? Perhaps I could help you to add RSS security advisories.
> > > 
> > 
> > Hi,
> > 
> > You're welcome, but to be clear: I only posted the link.
> > 
> > http://undeadly.org/cgi?action=about
> > 
> 



Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Xavier B.
Yeah!, I understand you. But I think it should be included in official 
resources. To whom is concerned about.

On Sun, 21 May 2023 21:27:19 +0200
Hiltjo Posthuma wrote:

> On Sun, May 21, 2023 at 06:26:12PM +, Xavier B. wrote:
> > Thanks, Hiltjo, for your help. I very appreciate that.
> > 
> > Perhaps it could be useful to place it in official site.
> > What do you think? What kind of software do you use to generate the web 
> > page? Perhaps I could help you to add RSS security advisories.
> > 
> 
> Hi,
> 
> You're welcome, but to be clear: I only posted the link.
> 
> http://undeadly.org/cgi?action=about
> 



Re: RSS or Atom syndication for security advisories?

2023-05-21 Thread Hiltjo Posthuma
On Sun, May 21, 2023 at 06:26:12PM +, Xavier B. wrote:
> Thanks, Hiltjo, for your help. I very appreciate that.
> 
> Perhaps it could be useful to place it in official site.
> What do you think? What kind of software do you use to generate the web page? 
> Perhaps I could help you to add RSS security advisories.
> 

Hi,

You're welcome, but to be clear: I only posted the link.

http://undeadly.org/cgi?action=about

> Thanks,
> Xavier
> 
> On Sun, 21 May 2023 16:03:54 +0200
> Hiltjo Posthuma wrote:
> 
> > On Sun, May 21, 2023 at 11:34:57AM +, Xavier B. wrote:
> > > Hi,
> > > 
> > > I just want to know if there is an RSS or Atom syndication advisories.
> > > 
> > > I have several machines with several operating system in them: GNU/Linux
> > > (alpine and arch), FreeBSD and OpenBSD.
> > > I have a news reader and I'm subscribed to many operating systems
> > > security advisories so occasionally I know there are some security bugs
> > > and then I need to update one of my machine system.
> > > 
> > > 
> > > Regarding to OpenBSD I just saw this errata page 
> > > [https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's 
> > > version specific. Is it anywhere else?
> > > 
> > > If not, please consider to provide it from an user point of view.
> > > 
> > > Thanks in advance,
> > > 
> > 
> > Hi,
> > 
> > http://undeadly.org/errata/errata.rss
> > 
> > -- 
> > Kind regards,
> > Hiltjo
> 

-- 
Kind regards,
Hiltjo



Re: RSS or Atom syndication for security advisories?

2023-05-21 Thread Xavier B.
Thanks, Hiltjo, for your help. I very appreciate that.

Perhaps it could be useful to place it in official site.
What do you think? What kind of software do you use to generate the web page? 
Perhaps I could help you to add RSS security advisories.

Thanks,
Xavier

On Sun, 21 May 2023 16:03:54 +0200
Hiltjo Posthuma wrote:

> On Sun, May 21, 2023 at 11:34:57AM +, Xavier B. wrote:
> > Hi,
> > 
> > I just want to know if there is an RSS or Atom syndication advisories.
> > 
> > I have several machines with several operating system in them: GNU/Linux
> > (alpine and arch), FreeBSD and OpenBSD.
> > I have a news reader and I'm subscribed to many operating systems security
> > advisories so occasionally I know there are some security bugs and then I
> > need to update one of my machine system.
> > 
> > 
> > Regarding to OpenBSD I just saw this errata page 
> > [https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's 
> > version specific. Is it anywhere else?
> > 
> > If not, please consider to provide it from an user point of view.
> > 
> > Thanks in advance,
> > 
> 
> Hi,
> 
> http://undeadly.org/errata/errata.rss
> 
> -- 
> Kind regards,
> Hiltjo



Re: RSS or Atom syndication for security advisories?

2023-05-21 Thread Daniel Ouellet

https://www.openbsd.org/faq/faq10.html#Patches

Subscribe to the list and you will know it.


On 5/21/23 7:34 AM, Xavier B. wrote:

> Hi,
>
> I just want to know if there is an RSS or Atom syndication advisories.
>
> I have several machines with several operating system in them: GNU/Linux
> (alpine and arch), FreeBSD and OpenBSD.
> I have a news reader and I'm subscribed to many operating systems security
> advisories so occasionally I know there are some security bugs and then I need
> to update one of my machine system.
>
> Regarding to OpenBSD I just saw this errata page
> [https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's version
> specific. Is it anywhere else?
>
> If not, please consider to provide it from an user point of view.
>
> Thanks in advance,





Re: RSS or Atom syndication for security advisories?

2023-05-21 Thread Daniele B.
Sorry for the half joke, but while you are searching for your feed
I really hope that anyone comes with the great idea to erase any
log of bugs here and there or better the dark side of the story.




-- Daniele Bonini


May 21, 2023 15:48:02 Xavier B. :

> Hi,
> 
> I just want to know if there is an RSS or Atom syndication advisories.
> 
> I have several machines with several operating system in them: GNU/Linux
> (alpine and arch), FreeBSD and OpenBSD.
> I have a news reader and I'm subscribed to many operating systems security
> advisories so occasionally I know there are some security bugs and then I
> need to update one of my machine system.
> 
> 
> Regarding to OpenBSD I just saw this errata page 
> [https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's 
> version specific. Is it anywhere else?
> 
> If not, please consider to provide it from an user point of view.
> 
> Thanks in advance,



Re: RSS or Atom syndication for security advisories?

2023-05-21 Thread Hiltjo Posthuma
On Sun, May 21, 2023 at 11:34:57AM +, Xavier B. wrote:
> Hi,
> 
> I just want to know if there is an RSS or Atom syndication for advisories.
> 
> I have several machines with several operating systems in them: GNU/Linux
> (alpine and arch), FreeBSD and OpenBSD.
> I have a news reader and I'm subscribed to many operating systems security
> advisories so occasionally I know there are some security bugs and then I
> need to update one of my machine systems.
> 
> 
> Regarding OpenBSD, I just saw this errata page
> [https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's
> version specific. Is it anywhere else?
> 
> If not, please consider providing it, from a user's point of view.
> 
> Thanks in advance,
> 

Hi,

http://undeadly.org/errata/errata.rss

-- 
Kind regards,
Hiltjo



RSS or Atom syndication for security advisories?

2023-05-21 Thread Xavier B.
Hi,

I just want to know if there is an RSS or Atom syndication for advisories.

I have several machines with several operating systems in them: GNU/Linux
(alpine and arch), FreeBSD and OpenBSD.
I have a news reader and I'm subscribed to many operating systems security
advisories so occasionally I know there are some security bugs and then I need
to update one of my machine systems.


Regarding OpenBSD, I just saw this errata page
[https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's version
specific. Is it anywhere else?

If not, please consider providing it, from a user's point of view.

Thanks in advance,



Re: Multiuser security on OpenBSD

2022-08-10 Thread Luke A. Call
On 2022-08-09 12:52:28-0400, Dave Levine  wrote:
> I currently use OpenBSD on my laptop for a number of reasons, mainly
> performance and hardware support. However, I have been considering
> setting up a multiuser POWER9 box for some Discord friends and I to
> work on in a hobbyist setting (these things are expensive and I'm the
> one who currently has the machine we want to work on), but need to
> know if OpenBSD is a good option for that. As it apparently lacks
> mitigations for multiple medium-risk hardware side channel attacks, I
> think it is important to ask: What does OpenBSD do to stop an
> unprivileged user with access to a compiler or shell from copy-pasting
> a proof-of-concept exploit to siphon e.g. SSH private keys, root
> passwords and the like, or are these more difficult to exploit than I
> give them credit for with things like (K)ASLR enabled?

I know at least for Intel and AMD there are mitigations against
Spectre/Meltdown-type exploits by disabling speculative execution by
default, but I don't know about POWER9 (or if that is even an issue
there).  You might have to do some mail list and other searching to see. 

But in general, OpenBSD seems to be the least-likely OS to allow
privilege escalation (see www.openbsd.org under the security link, LH
side near top, only 2 remotely exploitable holes in the default install
since ~1996, etc).

Due to recent reports of a bug allowing key detection based on cpu usage
variations ("turbo boost" etc), I have my system set to keep a steady
cpu frequency.

I'm not an expert; that may or may not help.  Best of luck to you.



Multiuser security on OpenBSD

2022-08-09 Thread Dave Levine
Hello all,

I'm new to the mailing list so feel free to yell at me if I messed
something up here.

I currently use OpenBSD on my laptop for a number of reasons, mainly
performance and hardware support. However, I have been considering
setting up a multiuser POWER9 box for some Discord friends and I to
work on in a hobbyist setting (these things are expensive and I'm the
one who currently has the machine we want to work on), but need to
know if OpenBSD is a good option for that. As it apparently lacks
mitigations for multiple medium-risk hardware side channel attacks, I
think it is important to ask: What does OpenBSD do to stop an
unprivileged user with access to a compiler or shell from copy-pasting
a proof-of-concept exploit to siphon e.g. SSH private keys, root
passwords and the like, or are these more difficult to exploit than I
give them credit for with things like (K)ASLR enabled?

Thanks,
- Dave



Re: rpcbind security

2022-06-18 Thread Philip Guenther
On Fri, Jun 17, 2022 at 8:42 PM Gustavo Rios  wrote:

> Excuse me, but how does rpcbind know that an incoming request, for
> set/unset, comes from the root user?
>

Theo has already told you how the *portmap* program decides that: by
looking at the host and port the request is coming from.

(There is no rpcbind program in OpenBSD and that word doesn't appear in the
manuals.  If you see an rpcbind process then you're not on OpenBSD and
need to check with a different mailing list.)


Philip Guenther


rpcbind security

2022-06-17 Thread Gustavo Rios
Excuse me, but how does rpcbind know that an incoming request, for
set/unset, comes from the root user?

Thanks.

-- 
The lion and the tiger may be more powerful, but the wolves do not perform
in the circus


Re: rpcbind security

2022-06-17 Thread Theo de Raadt
I am certain you can find it yourself.

Gustavo Rios  wrote:

> May someone here point me to where rpcbind is implemented? I would like to
> see the C code of it.
> Thanks.
> 
> On Fri, Jun 17, 2022 at 00:20, Theo de Raadt wrote:
> 
>  Gustavo Rios  wrote:
> 
>  > Hi folks!
>  > 
>  > How does openbsd rpcbind prevent ordinary users to unset a given rpc port
>  > mapping registered by, for instance, the root user ?
> 
>  Poorly.
> 
>  It will only allow local root (who request upon a reserved port) to touch
>  ports which are reserved (< 1024), and 2049 is treated the same way.
> 
>  If root wants safe RPC, it needs to use reserved ports.
> 
>  Please don't bring up the argument that reserved ports are an outdated
>  concept, it is obvious right here they aren't.
> 
>  It is difficult to improve the RPC ecosystem, it kind of is what it is,
>  and no new services use it.
> 
> -- 
> The lion and the tiger may be more powerful, but the wolves do not perform in 
> the
> circus
> 



Re: rpcbind security

2022-06-17 Thread Gustavo Rios
May someone here point me to where rpcbind is implemented? I would like to see
the C code of it.
Thanks.

On Fri, Jun 17, 2022 at 00:20, Theo de Raadt wrote:

> Gustavo Rios  wrote:
>
> > Hi folks!
> >
> > How does openbsd rpcbind prevent ordinary users to unset a given rpc port
> > mapping registered by, for instance, the root user ?
>
> Poorly.
>
> It will only allow local root (who request upon a reserved port) to touch
> ports which are reserved (< 1024), and 2049 is treated the same way.
>
> If root wants safe RPC, it needs to use reserved ports.
>
> Please don't bring up the argument that reserved ports are an outdated
> concept, it is obvious right here they aren't.
>
> It is difficult to improve the RPC ecosystem, it kind of is what it is,
> and no new services use it.
>
>

-- 
The lion and the tiger may be more powerful, but the wolves do not perform
in the circus


Re: rpcbind security

2022-06-16 Thread Theo de Raadt
Gustavo Rios  wrote:

> Hi folks!
> 
> How does openbsd rpcbind prevent ordinary users to unset a given rpc port
> mapping registered by, for instance, the root user ?

Poorly.

It will only allow local root (who request upon a reserved port) to touch
ports which are reserved (< 1024), and 2049 is treated the same way.

If root wants safe RPC, it needs to use reserved ports.

Please don't bring up the argument that reserved ports are an outdated
concept, it is obvious right here they aren't.

It is difficult to improve the RPC ecosystem, it kind of is what it is,
and no new services use it.
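
The policy described in this reply, written out as an added C sketch. It is not the portmap source: the function and constant names are hypothetical, "local" is assumed to mean the loopback address 127.0.0.1, and mappings on non-reserved ports are assumed to be open to any local caller. The request sources in main() are constructed sample values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define RESERVED_LIMIT 1024	/* ports below this can only be bound by root */
#define NFS_PORT_NUM   2049	/* treated like a reserved port, per the reply */

/* Build a constructed request source; fields end up in network byte order. */
static struct sockaddr_in
make_source(const char *ip, unsigned short port)
{
	struct sockaddr_in sin;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	inet_pton(AF_INET, ip, &sin.sin_addr);
	return sin;
}

/*
 * Decide whether a set/unset request for target_port is accepted, looking
 * only at the host and port the request came from.  Returns 1 to accept,
 * 0 to refuse.
 */
int
set_unset_allowed(const struct sockaddr_in *from, unsigned long target_port)
{
	/* Both fields arrive in network byte order: convert before comparing. */
	if (ntohl(from->sin_addr.s_addr) != INADDR_LOOPBACK)
		return 0;	/* not a local request */

	/* Protected mappings: reserved ports, and 2049 handled the same way. */
	if (target_port < RESERVED_LIMIT || target_port == NFS_PORT_NUM) {
		/* The source port must itself be reserved, i.e. bound by root. */
		if (ntohs(from->sin_port) >= RESERVED_LIMIT)
			return 0;
	}

	/* Any other mapping: every local caller passes (assumption). */
	return 1;
}

int
main(void)
{
	struct sockaddr_in root_local = make_source("127.0.0.1", 1000);
	struct sockaddr_in user_local = make_source("127.0.0.1", 40000);
	struct sockaddr_in remote = make_source("192.0.2.10", 1000);

	printf("local, source port 1000, unset 111:    %d\n",
	    set_unset_allowed(&root_local, 111));
	printf("local, source port 40000, unset 111:   %d\n",
	    set_unset_allowed(&user_local, 111));
	printf("local, source port 40000, unset 2049:  %d\n",
	    set_unset_allowed(&user_local, 2049));
	printf("local, source port 40000, unset 32768: %d\n",
	    set_unset_allowed(&user_local, 32768));
	printf("remote, source port 1000, unset 32768: %d\n",
	    set_unset_allowed(&remote, 32768));
	return 0;
}
```

The fourth case is the reason a service run by root has to register on a reserved port if its mapping is to be protected.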



rpcbind security

2022-06-16 Thread Gustavo Rios
Hi folks!

How does openbsd rpcbind prevent ordinary users to unset a given rpc port
mapping registered by, for instance, the root user ?

Thanks.

-- 
The lion and the tiger may be more powerful, but the wolves do not perform
in the circus


Re: mount(8) security and symlink(7)

2021-06-25 Thread Reuben ua Bríġ
errata:

> Date: Sat, 26 Jun 2021 02:03:18 +1000 (+1000)
> From: Reuben ua Bríġ 

> after learning that OpenSMTPD had used system(3) rather than execv(3)
> resulting in a bug reminiscent of the morris-worm

i had guessed it was system(3), but having now seen the advisory:

https://lwn.net/Articles/810882/

apparently it was really exec sh -c;  kinky!

people, people, people, is it so hard to write a shell script to exec?
do you really need that disgusting shell syntax everywhere?

p.s. are there any plans to port antiwank to openbsd?



Re: mount(8) security and symlink(7)

2021-06-25 Thread Reuben ua Bríġ
> And i am going to suggest you show a diff, and go through the process
> Ingo just described

as i said, i am new to this, and wanted to discuss something in words
before providing a C diff that would doubtless be rejected given that i
have only just begun to learn C.

i would have been happy to try to contribute a diff, but i felt it
better to first bring it up on misc seeing as i am new to OpenBSD and C
programming, and (a) my idea might be rejected; (b) my programming
skills might not be up to scratch and my patch therefore worthless.

my own solution was to use another shell program in the unix fashion,
but certainly i will try to diff the source, but it will take a while
given that it is new to me and no ones first priority.

> or alternatively you realize you are lazy

... or a novice.

> not allowed to tell others what to do, and you can then shut up.

... or make suggestions...

> Really making friends.

i am not trying to make friends with someone who will insult me for
making a suggestion and giving my honest opinion.  i am trying to
learn programming and improve the system that runs all my machines.

and i didnt mean that facetiously.  it really was a bug that i would
have had no knowledge of were it not for the patch; it really did
remind me of the morris worm which i had just learnt about; and it
really did make me think i could do something to help with OpenBSD,
seeing as i was disgusted when i first came across system(3), and only
satisfied when i learnt about execv(3), which was the first system call
i used, and only a short while ago.

and even though i persist because i am more interested in BSD than theo,
you still have some paranoia that i have some agenda against you.



Re: mount(8) security and symlink(7)

2021-06-25 Thread Theo de Raadt
Reuben ua Bríġ  wrote:

> hi ingo, thanks for your reply.
> 
> > I can't talk about the internals of the mount(2) syscall,
> > so i pass on that one to people who know better.
> 
> !!! i feel i should emphasize,
> i am *not* presently suggesting any change to the mount(2) *system call*
> i *am* suggesting a change to the mount(8) *command*

And i am going to suggest you show a diff, and go through the process Ingo
just described

or alternatively you realize you are lazy, not allowed to tell others what
to do, and you can then shut up.

> of the morris-worm, i felt maybe it was within my grasp to help improve
> OpenBSD, but obviously theo has other ideas.

Really making friends.



Re: mount(8) security and symlink(7)

2021-06-25 Thread Reuben ua Bríġ
hi ingo, thanks for your reply.

> I can't talk about the internals of the mount(2) syscall,
> so i pass on that one to people who know better.

!!! i feel i should emphasize,
i am *not* presently suggesting any change to the mount(2) *system call*
i *am* suggesting a change to the mount(8) *command*

i would expect C programmers to know what they are doing, but not some
Charlie root who wants to make hotplugd(8) mount(8) an sd(4).

i feel i should also emphasize, i am new to this, and did not expect
anything out of it.  i use OpenBSD, and after learning that OpenSMTPD
had used system(3) rather than execv(3) resulting in a bug reminiscent
of the morris-worm, i felt maybe it was within my grasp to help improve
OpenBSD, but obviously theo has other ideas.

keep up the good work,
reuben.



Re: mount(8) security and symlink(7)

2021-06-25 Thread Ingo Schwarze
Hi,

Reuben ua Brig wrote:

> when OpenBSD is happy to change even man.conf

We change things when all of the following hold:

 1. There is a significant problem to be solved, or a significant
profit to be gained.  Regarding man.conf: the old format was
over-engineered, wordy, hard to use, too closely tied to
implementation details of the old man(1) and apropos(1)
programs, and ill-suited to work with the then-new mandoc.db(5).

 2. Someone does the complete design and the complete implementation.
In the case of man.conf(5), that was me.

 3. There is broad agreement among developers, *after* step 2 is
complete, that downsides are acceptable, that benefits sufficiently
outweigh the downsides, and that the design and implementation
meet our quality standards.
In the case of man.conf(5), most users weren't affected at all.
A few had to replace one big configuration file with a small one
that would be easier to maintain going forward.  A tiny number
of people might no longer have been able to use idiosyncratic
configurations that didn't work all that well even before the
change and certainly weren't advisable in the first place;
but frankly, i don't recall a single report to that effect.

I can't talk about the internals of the mount(2) syscall,
so i pass on that one to people who know better.

That one thing is changed in a significant way does not imply
that something else is easy to improve as well.

Yours,
  Ingo



Re: mount(8) security and symlink(7)

2021-06-25 Thread Reuben ua Bríġ
> If your proposal is to error when the check fails, it will break
> hundreds of user machines.
> 
> If your proposal is to emit a warning, it will emit multiple
> additional lines of output at boot for correct existing
> configurations.
> 
> But you didn't implement a prototype, you didn't test it, yet you
> expect to be taken seriously.

it works fine on my system, where the mounts are default + source +
various external storage.  i think most systems this breaks are
probably insecure and should instead use a symlink as i described
in my original post.  for the few custom setups where some user is
trusted not to overwrite a mount point (or where they should be able
to), it would not be hard to add a line

permit group trusty /usr/trusty

to a mount.conf file.

> You really don't seem to read.

is this because i did not reply to some of your point?
i felt doing so would have strayed beyond usefulness.

> Your comment about man.conf suggests we changed something which you
> hate and you want to wield it against us.

my point is that my impression of OpenBSD and your own policy has been
that it is acceptable to break a configuration to better security, and
that new users are not expected to become unix security gurus overnight.

> Your approach is hostile.

i am not the one insulting your ability with language.



Re: mount(8) security and symlink(7)

2021-06-25 Thread Theo de Raadt
Reuben ua Bríġ  wrote:

> > I wonder why no one implemented such checks like that in the last 30
> > years. Might be because it breaks more than it fixes.
> 
> i cant tell if you are being sarcastic or what it could possibly break
> or why that would matter when OpenBSD is happy to change even man.conf

I am not being sarcastic.

If your proposal is to error when the check fails, it will break
hundreds of user machines.

If your proposal is to emit a warning, it will emit multiple additional
lines of output at boot for correct existing configurations.

But you didn't implement a prototype, you didn't test it, yet you expect
to be taken seriously.

I cannot tell if that is laziness or if you are used to bossing people
around with hand-wavy ideas and expecting them to follow your wishes.

Get used to disappointment.

You really don't seem to read.

Your comment about man.conf suggests we changed something which you hate
and you want to wield it against us.

Your approach is hostile.

I don't have time for you.



Re: mount(8) security and symlink(7)

2021-06-25 Thread Reuben ua Bríġ
> I wonder why no one implemented such checks like that in the last 30
> years. Might be because it breaks more than it fixes.

i cant tell if you are being sarcastic or what it could possibly break
or why that would matter when OpenBSD is happy to change even man.conf



Re: mount(8) security and symlink(7)

2021-06-25 Thread Theo de Raadt
Reuben ua Bríġ  wrote:

> > Probably because testing for the situation would be an unreliable
> > race.  BTW, you explain the ssh behaviour incorrectly.  It does not
> > warn.  It fails, and refuses to continue.  Failure is not permitted
> > for the mount system call in this circumstance, and the entire path
> > upwards cannot be verified atomically.  A racy warning also requires
> > warning to stderr. There are lots of complex considerations to your
> > handwavy proposal.
> 
> i would think the mount(8) command could examine each node of the path
> before the actual mount point and check that they are owned root:wheel
> and o-w.  only root and wheel could run the race then.

I wonder why no one implemented such checks like that in the last 30 years.
Might be because it breaks more than it fixes.






Re: mount(8) security and symlink(7)

2021-06-25 Thread Reuben ua Bríġ
> Probably because testing for the situation would be an unreliable
> race.  BTW, you explain the ssh behaviour incorrectly.  It does not
> warn.  It fails, and refuses to continue.  Failure is not permitted
> for the mount system call in this circumstance, and the entire path
> upwards cannot be verified atomically.  A racy warning also requires
> warning to stderr. There are lots of complex considerations to your
> handwavy proposal.

i would think the mount(8) command could examine each node of the path
before the actual mount point and check that they are owned root:wheel
and o-w.  only root and wheel could run the race then.

as for the mount(2) system call, no one makes a boo boo in C, right?
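
The per-component check proposed in this message, as an added C sketch. It is not mount(8) code and not anything from the project: check_mount_path() and its parameters are hypothetical, uid 0 and gid 0 stand in for root:wheel, and the directory passed as the base is taken as trusted. It checks every component it is given, so pass the parent of the mount point to match the proposal exactly.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Walk relpath below the directory open as basefd, one component at a time.
 * Each component must be a real directory (a symlink fails the open), be
 * owned by `owner`, not be writable by "other", and be group-writable only
 * if its group is `group`.  ".." is refused.  Returns 0 if every component
 * passes, -1 otherwise, with the failing component copied into `bad`.
 *
 * This narrows but does not remove the race raised in the quoted reply:
 * mount(2) takes a path and resolves it again after this check has run.
 */
int
check_mount_path(int basefd, const char *relpath, uid_t owner, gid_t group,
    char *bad, size_t badlen)
{
	char *copy, *comp, *save = NULL;
	struct stat st;
	int curfd, nextfd, ok, rv = 0;

	if ((copy = strdup(relpath)) == NULL)
		return -1;
	if ((curfd = dup(basefd)) == -1) {
		free(copy);
		return -1;
	}
	for (comp = strtok_r(copy, "/", &save); comp != NULL;
	    comp = strtok_r(NULL, "/", &save)) {
		nextfd = -1;
		ok = strcmp(comp, "..") != 0;
		if (ok) {
			/* Open relative to the directory already vetted. */
			nextfd = openat(curfd, comp,
			    O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
			/* fstat the opened object, not the name. */
			ok = nextfd != -1 && fstat(nextfd, &st) == 0 &&
			    st.st_uid == owner &&
			    (st.st_mode & S_IWOTH) == 0 &&
			    ((st.st_mode & S_IWGRP) == 0 || st.st_gid == group);
		}
		if (!ok) {
			if (bad != NULL && badlen > 0)
				snprintf(bad, badlen, "%s", comp);
			if (nextfd != -1)
				close(nextfd);
			rv = -1;
			break;
		}
		close(curfd);
		curfd = nextfd;
	}
	close(curfd);
	free(copy);
	return rv;
}

int
main(int argc, char *argv[])
{
	char bad[256] = "";
	int rootfd;

	if (argc != 2) {
		fprintf(stderr, "usage: %s /absolute/path\n", argv[0]);
		return 2;
	}
	if ((rootfd = open("/", O_RDONLY | O_DIRECTORY)) == -1) {
		perror("open /");
		return 2;
	}
	/* uid 0 and gid 0 stand for root:wheel; "/" itself is not checked. */
	if (check_mount_path(rootfd, argv[1], 0, 0, bad, sizeof(bad)) == -1) {
		printf("refuse: component \"%s\" fails the check\n", bad);
		return 1;
	}
	printf("ok: every component is a real directory controlled by root\n");
	return 0;
}
```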



Re: mount(8) security and symlink(7)

2021-06-25 Thread Theo de Raadt



Reuben ua Bríġ  wrote:

> mount(8) will follow a symlink(7), so obviously it is *very* stupid to
> mount under a directory a user other than root has write permission for,
> as they could, for example
> 
>   rm -rf path
>   ln -s /etc path
> 
> ? so why doesnt the man page for mount(8) mention anything.

Over decades, manual page authors have put in their best effort
documenting the most important details.  As a result, sometimes manual
pages won't document the 1 specific detail you want to complain is
missing.

No manual page can document absolutely everything.  They would turn into
books, and as the total volume of text increases which needs to be
handled by the same number of people, maintenance would become more
difficult and overall quality would suffer.

This symbolic link concern does not just apply to mounting, it is a
fundamental aspect of unix resolution.

There is also risk of over-documenting.  An explanation or warning would
probably take 2 sentences.  Using space to focus on this problem might
detract readers from absorbing other documentation details.

The risk you describe is simply the outcome of a part of unix, and it
applies to everything that uses a path.  So why document it just in one
manual page?

I notice you didn't propose a clean change to the manual page.  Maybe
you recognize the effort involved to add text to the manual page in a
clean way.

> ? why doesnt mount(8) warn when a mount is unsafe,
> like ssh(1) does with ~/.ssh

Probably because testing for the situation would be an unreliable race.
BTW, you explain the ssh behaviour incorrectly.  It does not warn.  It
fails, and refuses to continue.  Failure is not permitted for the mount
system call in this circumstance, and the entire path upwards cannot be
verified atomically.  A racy warning also requires warning to stderr.
There are lots of complex considerations to your handwavy proposal.



mount(8) security and symlink(7)

2021-06-25 Thread Reuben ua Bríġ
mount(8) will follow a symlink(7), so obviously it is *very* stupid to
mount under a directory a user other than root has write permission for,
as they could, for example

rm -rf path
ln -s /etc path

? so why doesnt the man page for mount(8) mention anything.
? why doesnt mount(8) warn when a mount is unsafe,
like ssh(1) does with ~/.ssh

it can be quite tempting to make hotplugd mount thumb drives
under the home directory of whoever is at a workstation...

obviously the safe way to do it is use symlink(7) *for* security,
and make a link to /mnt under the users home directory,
rather than the other way round!

cheers,
reuben.

---
thanks for all the fsck!



Re: web server security

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Gustavo Rios  wrote:
> Hi folks!
>
> I am planning a web server using openbsd as the os and using php. My
> question is: how to keep any given user from implementing a php script that
> will read someone else's file, since everything will run as the web server
> user and group?
>
> thanks a lot.
>

The PHP scripts don't need to run as the same user and group. Use different
application pools in php-fpm.conf listening on different sockets, and have
the web server use the relevant socket for the website. You can even chroot
them separately if you think that will help.

e.g.

---
[global]
error_log = syslog
syslog.facility = daemon
log_level = notice

[user1]
user = user1
group = user1
listen = /var/www/run/php-fpm.user1.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www

[user2]
user = user2
group = user2
listen = /var/www/run/php-fpm.user2.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www
---

Quick warning to head off a possible problem you might run into in the
future though; you will need to make sure that the web server (not the
PHP interpreter) has read access to those files which _it_ needs (e.g.
static content). One way to do that is to add the www user to the
group for each user account (e.g. user1:*:1001:www, user2:*:1002:www,
in /etc/group). That works nicely for small setups but you will run
into a wall after a while because on OpenBSD a user account can only
be a member of up to 16 supplemental groups. (There are other ways
to handle this e.g. running multiple web server processes, but with
a bunch more complication).




Re: web server security

2021-06-10 Thread Michael Hekeler
Am 10.06.21 01:16 schrieb Gustavo Rios:
> Hi folks!
> 
> I am planning a web server using openbsd as the os and using php. My
> question is: how to keep any given user from implementing a php script that
> will read someone else's file, since everything will run as the web server
> user and group?

If your requirements are really to run everything as the same user
then it's not possible to forbid this user from reading files
created by someone else that has same uid.
Same uid means "same person". This means your webserver expects person A
to be the owner of files created by person B.

If you want to separate ownership of files then you have to create
different users and restrict php from reading directories that it shouldn't.

Another piece of advice for 'web server security' is to not give untrusted
users shell access or any write access to your system so you won't have to deal
with someone "implementing a script that will read someone else files"... ;-)



web server security

2021-06-09 Thread Gustavo Rios
Hi folks!

I am planning a web server using openbsd as the os and using php. My
question is: how to keep any given user from implementing a php script that
will read someone else's file, since everything will run as the web server
user and group?

thanks a lot.

-- 
The lion and the tiger may be more powerful, but the wolves do not perform
in the circus


Re: Fwd: rethinking terminal login with security in mind

2021-05-05 Thread Marc Espie
On Wed, May 05, 2021 at 01:44:24AM +0200, Alessandro Pistocchi wrote:
> Sorry, my keyboard went crazy and the message was sent incomplete.
> 
> Continuing: normally the entry of username is immediately followed by the
> password entry.
> However, if the OS is busy for any reason between the two entries,
> character echo is still on.
> If I don't notice that, I may start typing the password before the OS stops
> echoing and so I show it
> to anybody around who cares to look.
> 
> Wouldn't it be better to have a way to turn off echoing of characters as
> soon as I entered my username,
> regardless of whether the OS is busy or not?

Not really. it's your job to pay attention. Specifically, if your OS is busy
or whatever, you just need to wait until the Password: prompt gets
displayed, because echo gets turned off *before* that prompt happens.


and the actual standard interface used won't change.

See readpassphrase(3), which does already protect you against many many
problems.



Fwd: rethinking terminal login with security in mind

2021-05-04 Thread Alessandro Pistocchi
Sorry, my keyboard went crazy and the message was sent incomplete.

Continuing: normally the entry of username is immediately followed by the
password entry.
However, if the OS is busy for any reason between the two entries,
character echo is still on.
If I don't notice that, I may start typing the password before the OS stops
echoing and so I show it
to anybody around who cares to look.

Wouldn't it be better to have a way to turn off echoing of characters as
soon as I entered my username,
regardless of whether the OS is busy or not?

Sorry again for the double message.

Best,
A

-- Forwarded message -
From: Alessandro Pistocchi 
Date: Wed, May 5, 2021 at 1:39 AM
Subject: rethinking terminal login with security in mind
To: OpenBSD misc 


Hi all,

I am a new user. I have been using openbsd for the last few weeks on a
raspberry pi 4. I have used other unix flavours in the past.

I was wondering, what about changing how echoing of characters work when
logging in from the terminal?

Every unix I tried, including openbsd, asks for the username and then for
the password.

There is an opportunity for password sniffing there. What happens is that
if I entern


rethinking terminal login with security in mind

2021-05-04 Thread Alessandro Pistocchi
Hi all,

I am a new user. I have been using openbsd for the last few weeks on a
raspberry pi 4. I have used other unix flavours in the past.

I was wondering, what about changing how echoing of characters work when
logging in from the terminal?

Every unix I tried, including openbsd, asks for the username and then for
the password.

There is an opportunity for password sniffing there. What happens is that
if I entern


Re: Content-Security-Policy makes page render differently

2020-12-18 Thread Allan Streib
Paul Pace  writes:

> When I load a page from OpenBSD served with relayd and httpd with 
> Content-Security-Policy set to default-src self, I can see that a basic 
> HTML page that normally renders with all of the text in the center is 
> now rendered on the left.

When you enable content security policy, it will block inline styles.

You would need to look at the headers to see what the ubuntu/nginx setup
is adding to allow them.

https://content-security-policy.com/examples/allow-inline-style/

Allan



Re: Content-Security-Policy makes page render differently

2020-12-18 Thread Anthony J. Bentley
Paul Pace writes:
> When I load a page from OpenBSD served with relayd and httpd with
> Content-Security-Policy set to default-src self, I can see that a basic
> HTML page that normally renders with all of the text in the center is
> now rendered on the left.
>
> I have this currently configured with http://mostlybsd.com not loading
> the header and https://mostlybsd.com loading the header.
>
> [...]
>
> Is there something I am missing?

You are missing that "style-src 'self'" does not allow 

Content-Security-Policy makes page render differently

2020-12-18 Thread Paul Pace
When I load a page from OpenBSD served with relayd and httpd with 
Content-Security-Policy set to default-src self, I can see that a basic 
HTML page that normally renders with all of the text in the center is 
now rendered on the left.


I have this currently configured with http://mostlybsd.com not loading 
the header and https://mostlybsd.com loading the header.


I have also served the same HTML file in an Ubuntu server with nginx and 
with the header enabled the page still renders in the center.


Is there something I am missing?

I have configured relayd with the following:

log state changes
log connection
prefork 10

list="ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
ipv4="45.32.193.189"

table  { 127.0.0.1 }

http protocol "https" {
    tls ciphers $list
    tls keypair mostlybsd.com
    return error

    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-Port" value "$REMOTE_PORT"

    match response header set "Content-Security-Policy" value \
    "default-src 'self'"
    match response header set "Referrer-Policy" value "no-referrer"
    match response header set "Strict-Transport-Security" value \
    "max-age=15552000; includeSubDomains; preload"
    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "X-Frame-Options" value "SAMEORIGIN"
    match response header set "X-XSS-Protection" value "1; mode=block"

    match method GET tag ok
    match method HEAD tag ok

    block
    pass tagged ok forward to 
}

relay "https" {
    listen on $ipv4 port https tls
    protocol "https"
    forward to  port 8080
}

relay "http" {
    listen on $ipv4 port http
    forward to  port 8080
}

Thank you,

Paul



Re: Security & Compliance - A/V

2020-11-27 Thread Diana Eichert
Gack, what a way to screw up my day off.  :-)

I never thought anyone would refer to DISA STIGs in this mailing list.

On Fri, Nov 27, 2020 at 8:12 AM Ed Ahlsen-Girard  wrote:
>
SNIP
> I can verify that there is no US Defense Information Systems Agency
> (DISA) Security Technical Implementation Guide (STIG) for OpenBSD. There
> is a generic Unix hardening guide.



Re: Security & Compliance - A/V

2020-11-27 Thread Ed Ahlsen-Girard
On Wed, 25 Nov 2020 23:33:34 +0100
Peter Nicolai Mathias Hansteen  wrote:

(snip)
> I am not aware of any publicly available set of documents that
> provide the direct checkoffs for OpenBSD with respect to specific
> compliance regimes, but I’m fairly certain that you will find useful
> answers by reading OpenBSD documentation with your lists of
> requirements in hand, checking off on your list (if any) as you go
> along. 

I can verify that there is no US Defense Information Systems Agency
(DISA) Security Technical Implementation Guide (STIG) for OpenBSD. There
is a generic Unix hardening guide. 

STIGs are developed to implement National Institute of Standards and
Technology standards for IT systems, usually with deep involvement by
the vendor/developer.

It is not always possible to implement all the applicable STIGs for a
given server, at least if you want it to work.

> 
> I would recommend browsing the official OpenBSD docs at
> https://www.openbsd.org/, with special attention to
> https://www.openbsd.org/events.html and searching
> https://man.openbsd.org/ using relevant keywords. FWIW, perhaps even
> my recent presentation («OpenBSD and you, the 6.8 update»), linked
> from https://undeadly.org/cgi?action=article;sid=20201109055713 could
> provide some useful pointers.
> 
> All the best,
> Peter
> 
> 
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673
> seconds.
> 
> 
> 
> 



-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL




Re: Security & Compliance - A/V

2020-11-27 Thread Ed Ahlsen-Girard
On Thu, 26 Nov 2020 11:35:45 -0500
Nick Holland  wrote:

> On 2020-11-25 17:10, Brogan Beard wrote:
>  [...]  
> 
> Something to consider: run the AV against your boxes -- elsewhere!
> 
> I have a similar situation at $DAYJOB.  Not OpenBSD, but an OS that
> similarly has little malware written for it (and an environment with
> lots of softer targets than the OS anyway).  For LOTS of reasons, we
> didn't want to put AV on the "important" systems, but we needed to
> hit that checkbox that says, "AV scans!"
> 
> Our compliance people work with me pretty well, and what we came up with
> was to run the AV against our BACKUPS of those boxes.  We rsync
> the data from the systems to a central backup, and we run the AV on
> that box against the data.  Increased the backup by a few GB/box and
> grabbed the binaries, too, and ta-da, we got a pretty good AV scan
> taking place with /zero/ additional impact on the systems.
> 
> Yes, perhaps not as "real time" as a system which hooks into the OS
> and watches every disk read and write, but I don't think you even
> want that on a Unix-like OS (even if it was possible on many Unix-
> like OSs).
> 
> Nick.
> 

You can, but it's not really easy. I'm not the one who does it at $JOB,
so don't ask me how.


-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL




Re: Security & Compliance - A/V

2020-11-26 Thread Jacqueline Jolicoeur
On Nov 26 11:35, Nick Holland wrote:
> I have a similar situation at $DAYJOB.  Not OpenBSD, but an OS that
> similarly has little malware written for it (and an environment with
> lots of softer targets than the OS anyway).  For LOTS of reasons, we
> didn't want to put AV on the "important" systems, but we needed to
> hit that checkbox that says, "AV scans!"
> 
> Our compliance people work with me pretty well, and what we came up with
> was to run the AV against our BACKUPS of those boxes.  We rsync
> the data from the systems to a central backup, and we run the AV on
> that box against the data.  Increased the backup by a few GB/box and
> grabbed the binaries, too, and ta-da, we got a pretty good AV scan
> taking place with /zero/ additional impact on the systems.

This is a great idea.

For realtime, we can protect critical content with something like mtree(8) 
output verified with signify(1), running in security(8) daily.
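
The mtree(8) baseline verified with signify(1) described in the message above, as an added example that is not code from the thread. The key and spec file names and the `verify_tree` helper are assumptions, and the secret key is assumed to stay on a separate admin host.

```shell
#!/bin/sh
# Added example: authenticate an mtree(8) baseline with signify(1)
# before trusting it for a file-integrity comparison.
#
# One-time setup on a trusted admin host (file names are assumptions):
#   signify -G -p site.pub -s site.sec
#   mtree -c -K sha256digest -p /etc > etc.spec
#   signify -S -s site.sec -m etc.spec -x etc.spec.sig
# Copy site.pub, etc.spec and etc.spec.sig to the monitored machine;
# site.sec never leaves the admin host.

# verify_tree PUBKEY SPEC TREE
# Returns 0 if the spec's signature verifies and TREE matches the spec,
#         2 if the signature does not verify (no comparison is made),
#         1 if the signature is good but TREE differs from the spec.
verify_tree() {
    pubkey=$1 spec=$2 tree=$3

    # An unsigned or tampered spec proves nothing: whoever changed the
    # files could have changed the baseline too, so check it first.
    if ! signify -V -q -p "$pubkey" -m "$spec" -x "$spec.sig"; then
        echo "baseline signature check FAILED for $spec" >&2
        return 2
    fi

    # mtree exits non-zero and lists the differences when the tree no
    # longer matches the recorded attributes and SHA-256 digests.
    if ! diffs=$(mtree -f "$spec" -p "$tree" 2>&1); then
        printf 'changes under %s:\n%s\n' "$tree" "$diffs" >&2
        return 1
    fi
    return 0
}

# Run directly with three arguments, e.g.:
#   sh verify_tree.sh /etc/site.pub /var/db/etc.spec /etc
if [ "$#" -eq 3 ]; then
    verify_tree "$1" "$2" "$3"
fi
```

A call to this script from /etc/daily.local would run it alongside the daily maintenance job; that placement is an assumption, not something the thread specifies.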



Re: Security & Compliance - A/V

2020-11-26 Thread Nick Holland
On 2020-11-25 17:10, Brogan Beard wrote:
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).
> 
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?
> 
> I would like to use OpenBSD in future projects, beyond just personal
> interest. And with that, I am sure these types of questions will arise.
> 
> Thanks in advance for thoughtful comments!

Something to consider: run the AV against your boxes -- elsewhere!

I have a similar situation at $DAYJOB.  Not OpenBSD, but an OS that
similarly has little malware written for it (and an environment with
lots of softer targets than the OS anyway).  For LOTS of reasons, we
didn't want to put AV on the "important" systems, but we needed to
hit that checkbox that says, "AV scans!"

Our compliance people work with me pretty well, and what we came up with
was to run the AV against our BACKUPS of those boxes.  We rsync
the data from the systems to a central backup, and we run the AV on
that box against the data.  Increased the backup by a few GB/box and
grabbed the binaries, too, and ta-da, we got a pretty good AV scan
taking place with /zero/ additional impact on the systems.

Yes, perhaps not as "real time" as a system which hooks into the OS
and watches every disk read and write, but I don't think you even
want that on a Unix-like OS (even if it was possible on many Unix-
like OSs).

Nick.



Re: Security & Compliance - A/V

2020-11-25 Thread Brogan Beard
Thanks, John. I am going to look into ClamAV in detail as some homework for
myself. I appreciate the helpful pointers!

On Wed, Nov 25, 2020 at 5:46 PM John McGuigan  wrote:

> I've seen people install ClamAV on an OpenBSD box and have it do a
> filesystem scan on a cron job just to meet audit requirements...
>
> On Wed, Nov 25, 2020 at 3:23 PM Brogan Beard 
> wrote:
> >
> > In the enterprise context, there are often extensive security compliance
> > rules, which include but are not limited to anti-virus software
> > requirements. There are, of course, exceptions to these rules but generally
> > policies drive the technology in use or allow it to be used. I am not aware
> > of any anti-virus software that supports openbsd or any bsd for that matter
> > (not saying it needs it ;) ).
> >
> > How does OpenBSD handle the compliance aspects of security in regards to
> > A/V? Is there an, "it's already under the hood," response based on modern
> > security standards?
> >
> > I would like to use OpenBSD in future projects, beyond just personal
> > interest. And with that, I am sure these types of questions will arise.
> >
> > Thanks in advance for thoughtful comments!
>


Re: Security & Compliance - A/V

2020-11-25 Thread Brogan Beard
Peter,

Thank you. I was unaware of clamav support and will certainly look into
your linked documentation to better understand its use case and
qualifications. I did know about clamav in name alone but never set out to
learn how to implement it.

I will certainly read through documentation based on the need to check off
boxes for the compliance regimes - I like how you put that. I will also
watch your presentation - thanks so much!!

Unrelated - I have one of your books, The Book of PF, 3rd edition. Thank
you for your contributions to bettering computing. I will admit that I
never finished reading it. I picked it up when I needed some help managing
a pure OpenBSD firewall running PF. Now when I begin my OpenBSD related
personal projects, it is by my side. I am familiar with commercial firewall
software but I like the joy of being in the *pilot's seat*. I think you
understand that.

I appreciate you taking the time to respond to my questions.

Take care,

Brogan

On Wed, Nov 25, 2020 at 5:33 PM Peter Nicolai Mathias Hansteen <
pe...@bsdly.net> wrote:

>
>
> On 25 Nov 2020 at 23:10, Brogan Beard wrote:
>
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).
>
>
> You will find functional antivirus in packages, such as clamav (which I
> use in my spameater appliance), see eg
> https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html (a
> longish piece, but for reasons)
>
>
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?
>
>
> I am not aware of any publicly available set of documents that provide the
> direct checkoffs for OpenBSD with respect to specific compliance regimes,
> but I’m fairly certain that you will find useful answers by reading OpenBSD
> documentation with your lists of requirements in hand, checking off on your
> list (if any) as you go along.
>
> I would recommend browsing the official OpenBSD docs at
> https://www.openbsd.org/, with special attention to
> https://www.openbsd.org/events.html and searching https://man.openbsd.org/
> using relevant keywords. FWIW, perhaps even my recent presentation
> («OpenBSD and you, the 6.8 update»), linked from
> https://undeadly.org/cgi?action=article;sid=20201109055713 could provide
> some useful pointers.
>
> All the best,
> Peter
>
>
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>
>
>
>


Re: Security & Compliance - A/V

2020-11-25 Thread John McGuigan
I've seen people install ClamAV on an OpenBSD box and have it do a
filesystem scan on a cron job just to meet audit requirements...

On Wed, Nov 25, 2020 at 3:23 PM Brogan Beard  wrote:
>
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).
>
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?
>
> I would like to use OpenBSD in future projects, beyond just personal
> interest. And with that, I am sure these types of questions will arise.
>
> Thanks in advance for thoughtful comments!



Re: Security & Compliance - A/V

2020-11-25 Thread Peter Nicolai Mathias Hansteen



> On 25 Nov 2020 at 23:10, Brogan Beard wrote:
> 
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).

You will find functional antivirus in packages, such as clamav (which I use in 
my spameater appliance), see eg 
https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html (a longish 
piece, but for reasons)

> 
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?

I am not aware of any publicly available set of documents that provide the 
direct checkoffs for OpenBSD with respect to specific compliance regimes, but 
I’m fairly certain that you will find useful answers by reading OpenBSD 
documentation with your lists of requirements in hand, checking off on your 
list (if any) as you go along. 

I would recommend browsing the official OpenBSD docs at 
https://www.openbsd.org/, with special attention to 
https://www.openbsd.org/events.html and 
searching https://man.openbsd.org/ using relevant 
keywords. FWIW, perhaps even my recent presentation («OpenBSD and you, the 6.8 
update»), linked from 
https://undeadly.org/cgi?action=article;sid=20201109055713 could provide some 
useful pointers.

All the best,
Peter


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.





