[techtalk] installing mailman

1999-12-02 Thread Neil ''Fred'' Picciotto

so i'm installing mailman, and everything was going fine up until i got to
the part where i first try to access the admin web page for my test list.

i get 404s for anything within http://some.domain/mailman/ .  now, i know,
this is the very first question in the faq.  but i've done what the faq
says and it still doesn't work.  

here's what i added to my /etc/httpd/conf/httpd.conf:

# stuff for mailman
ScriptAlias /mailman/ /home/mailman/cgi-bin/
Alias /mailmanlogo/ /home/mailman/logo/
Alias /pipermail/ /home/mailman/archives/public/

Options FollowSymLinks


any idea why apache might not obey the ScriptAlias directive?
incidentally, the two Aliases there don't seem to work either.

and yes, i have restarted httpd, by running "/etc/rc.d/init.d/httpd stop"
and then "... start".

oh, by the way, this is on redhat 5.2...  and in case there's any reason
it might affect anything, i have apache doing virtual hosting...

thanks for any help here!  i'm really stuck!

...derF\lieN

Neil "Fred" Picciotto -=- [EMAIL PROTECTED]
new and improved! -=- http://www.derf.net/ -=- now with actual content!




[EMAIL PROTECTED]   http://www.linuxchix.org



RE: [techtalk] KFM weirdness.

1999-12-02 Thread Ian Phillips

> BTW, does the "K" stand for Kallisti?

Slightly disappointingly, it actually stands for "Kool".

Hail Eris!

Ian.

#ifndef  __COMMON_SENSE__ | Ian Phillips
#include  | TIBCO Software Inc.
#endif| www.TIBCO.com





[techtalk] [core.lists.bugtraq@CORE-SDI.COM: Security Advisory: Buffer overflow in RSAREF2] (fwd)

1999-12-02 Thread Natalie C. Heinen


I got this from my LUG and thought that this would be of interest for some
of you.

Natalie

-- Forwarded message --

This is a concern for anyone who has compiled SSH or one of the SSL
libraries against RSAREF.  For the SSH users, I suggest OpenSSH.

- Forwarded message from Gerardo Richarte <[EMAIL PROTECTED]> -

 CORE SDI S.A.
Buenos Aires, Argentina
   


CORE SDI Security Advisory
December 1st., 1999

Buffer overflow in RSAREF2


While researching the exploitability of a buffer overflow in
SSH up to version 1.2.27, we discovered a second buffer overflow
in the implementation of the RSA algorithm in RSAREF2 from
RSA Data Security.
This advisory addresses the details of the bug discovered;
the details are somewhat focused on the ability to exploit the bug
in SSH compiled with RSAREF2, but it's extensible to any software product
that uses RSAREF2.


Problem description


RSAREF2 API exports 4 functions in rsa.c:

int RSAPublicEncrypt()
int RSAPrivateEncrypt()
int RSAPublicDecrypt()
int RSAPrivateDecrypt()

The 4 functions define a local variable pkcsBlock of fixed length
MAX_RSA_MODULUS_LEN (128 bytes).

In order to perform the RSA operations, the functions call the internal
functions RSAPrivateBlock() and RSAPublicBlock().

RSAPrivateDecrypt() and RSAPublicDecrypt() pass a pointer to the local
variable pkcsBlock to be used as the output buffer for RSAPublicBlock()
and RSAPrivateBlock() respectively.  The two functions then perform the RSA
operations and copy the results to the output buffer using the NN_Encode()
and NN_Decode() functions.

Lack of strict bounds checking and proper validation of input parameters in
all these functions allows an attacker to overflow the pkcsBlock variable and
overwrite the stack, making it possible to execute arbitrary commands on the
vulnerable system.


Technical details

As an example we will describe the vulnerability focusing on the decrypt
operations performed in RSAREF2 based on the private key. Such operations are
done with the function RSAPrivateDecrypt() defined as follows in rsa.c:

/* RSA private-key decryption, according to PKCS #1.
 */
int RSAPrivateDecrypt (output, outputLen, input, inputLen, privateKey)
unsigned char *output;                          /* output block */
unsigned int *outputLen;              /* length of output block */
unsigned char *input;                            /* input block */
unsigned int inputLen;                 /* length of input block */
R_RSA_PRIVATE_KEY *privateKey;               /* RSA private key */
{
  int status;
  unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
  unsigned int i, modulusLen, pkcsBlockLen;

  modulusLen = (privateKey->bits + 7) / 8;
  if (inputLen > modulusLen)
    return (RE_LEN);

  if (status = RSAPrivateBlock
      (pkcsBlock, &pkcsBlockLen, input, inputLen, privateKey))
    return (status);

  ...

  return (0);
}

Note that inputLen is checked against a transformation of privateKey's bits
field; to satisfy this constraint an attacker must alter this field in
privateKey, but this, almost by miracle, doesn't affect the final result.

As we can see, RSAPrivateDecrypt() calls RSAPrivateBlock() passing pkcsBlock as
the output buffer; no length checking is performed to ensure that pkcsBlock
will not be overrun. RSAPrivateBlock() performs the RSA private key operations
and is defined as follows:

/* Raw RSA private-key operation. Output has same length as modulus.

   Assumes inputLen < length of modulus.
   Requires input < modulus.
 */
static int RSAPrivateBlock (output, outputLen, input, inputLen, privateKey)
unsigned char *output;                          /* output block */
unsigned int *outputLen;              /* length of output block */
unsigned char *input;                            /* input block */
unsigned int inputLen;                 /* length of input block */
R_RSA_PRIVATE_KEY *privateKey;               /* RSA private key */
{
  NN_DIGIT c[MAX_NN_DIGITS], cP[MAX_NN_DIGITS], cQ[MAX_NN_DIGITS],
    dP[MAX_NN_DIGITS], dQ[MAX_NN_DIGITS], mP[MAX_NN_DIGITS],
    mQ[MAX_NN_DIGITS], n[MAX_NN_DIGITS], p[MAX_NN_DIGITS], q[MAX_NN_DIGITS],
    qInv[MAX_NN_DIGITS], t[MAX_NN_DIGITS];
  unsigned int cDigits, nDigits, pDigits;

  NN_Decode (c, MAX_NN_DIGITS, input, inputLen);
...
  cDigits = NN_Digits (c, MAX_NN_DIGITS);
  nDigits = NN_Digits (n, MAX_NN_DIGITS);
  pDigits = NN_Digits (p, MAX_NN_DIGITS);

  /* Compute mP = cP^dP mod p  and  mQ = cQ^dQ mod q. (Assumes q has
 length at most pDigits, i.e., p > q.)
   */

...
  /* Chinese Remainder Theorem:
   m = mP - mQ) mod p) * qIn
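
An added example, not part of the forwarded advisory or of RSAREF2: the length logic the advisory describes, next to a wrapper that validates the key size against the fixed 128-byte buffer before deriving any length from it. Only MAX_RSA_MODULUS_LEN (128 bytes) comes from the advisory; `demo_key`, `demo_raw_block`, `checked_decrypt`, `MAX_RSA_MODULUS_BITS` and the status codes are assumptions, and the raw operation is a stand-in that does no RSA math.

```c
#include <stddef.h>
#include <string.h>

#define MAX_RSA_MODULUS_LEN  128u                        /* pkcsBlock size given in the advisory */
#define MAX_RSA_MODULUS_BITS (MAX_RSA_MODULUS_LEN * 8u)  /* derived here for the check (assumption) */

enum { DEMO_OK = 0, DEMO_ERR_LEN = 1, DEMO_ERR_KEY = 2 };  /* hypothetical status codes */

typedef struct { unsigned int bits; } demo_key;  /* stand-in for R_RSA_PRIVATE_KEY */

/* Length logic as shown in the advisory: inputLen is compared only with a
   value derived from the caller-supplied key. Returns the number of bytes
   the raw block operation would write into the 128-byte pkcsBlock, or 0
   when the call is rejected. Nothing is written here. */
unsigned int unchecked_write_len(const demo_key *key, unsigned int input_len)
{
    unsigned int modulus_len = (key->bits + 7) / 8;
    if (input_len > modulus_len)
        return 0;
    return modulus_len;  /* can exceed MAX_RSA_MODULUS_LEN */
}

/* Stand-in for the raw block operation (no RSA math): the output has the
   same length as the modulus, input right-aligned and zero-padded. */
static void demo_raw_block(unsigned char *out, unsigned int modulus_len,
                           const unsigned char *in, unsigned int input_len)
{
    memset(out, 0, modulus_len);
    memcpy(out + (modulus_len - input_len), in, input_len);
}

/* Hardened wrapper: validate the key size against the fixed buffer before
   any length is derived from it, then check input and caller capacity. */
int checked_decrypt(unsigned char *output, size_t output_cap,
                    unsigned int *output_len, const unsigned char *input,
                    unsigned int input_len, const demo_key *key)
{
    unsigned char pkcs_block[MAX_RSA_MODULUS_LEN];
    unsigned int modulus_len;

    if (key->bits == 0 || key->bits > MAX_RSA_MODULUS_BITS)
        return DEMO_ERR_KEY;            /* also rules out wrap-around in bits + 7 */
    modulus_len = (key->bits + 7) / 8;  /* now 1..MAX_RSA_MODULUS_LEN */
    if (input_len > modulus_len || modulus_len > output_cap)
        return DEMO_ERR_LEN;

    demo_raw_block(pkcs_block, modulus_len, input, input_len);
    memcpy(output, pkcs_block, modulus_len);
    *output_len = modulus_len;
    return DEMO_OK;
}
```

Checking `bits` itself, rather than the derived byte length, matters because `bits + 7` wraps around for values near the top of the unsigned range and would yield a small, plausible-looking length.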

[techtalk] ADSM/AIX 4.*

1999-12-02 Thread Jennifer M. Woodard

I was wondering if anyone knew if you can use the ADSM Version 2 client
with the ADSM Version 3 server. 

@--,-`----,-`--@
Jennifer M. Woodard Systems Engineer 
e.spire Communications   CyberGate, Inc.
954.429.8072 [EMAIL PROTECTED]
   -
"True Intelligence lies not in the quickness of 
wit but rather in persistence, if you don't hang 
in there you'll never know"
   -
@--,-`----,-`--@






[techtalk] Home pages for regular users

1999-12-02 Thread Subba Rao


I have the Apache web server running on my system. Right now, I have
only global CGI and HTML files. They are in /var/lib/apache/

How can my other users on this system, have their own web pages?
I want them to have their own directories and HTML documents (in their
$HOME directories). I may allow simple CGI programs.

How can this be achieved? Any pointers appreciated.

Thank you in advance.

Subba Rao
[EMAIL PROTECTED]
http://pws.prserv.net/truemax/





Re: [techtalk] Home pages for regular users

1999-12-02 Thread Kathleen Weaver

>How can my other users on this system, have their own web pages?
>I want them to have their own directories and HTML documents (in their
>$HOME directories). I may allow simple CGI programs.

Have them create a directory called public_html

Their "home page" should be in a file called index.html or index.htm

Any files should be set with 755 permission -- (use chmod 755 file.name)

Their webpages will be at server/~userid

I think they just put in a cgi_bin directory -- you may need to do something in the 
apache configuration  but I haven't gotten this far.

My webmastering students have pages setup this way.









[techtalk] Bugzilla and Perl modules for MySql Help!!!

1999-12-02 Thread Jennifer Tippens

Hi!  Love the show.  Long time lurker, first time poster.

I'm checking out two packages for my company for bug tracking, namely Bugzilla
and Keystone.  I think I like Bugzilla better because it seems more intuitive
to me (I think it is prettier, also).  Sooo, I went to install Bugzilla from
source on my computer.  First it needs MySQL.  OK. Done.  Next it needs Perl
modules for MySQL. OK. Done.

But wait!  Lo, what's this??  Eegads.  I read a little further.  I answered a
question in the MakeMakefile wrong and now I can't get it to ask me the
question again.  I re-un-tarred the module and ran perl Makefile.PL again, but
it just said writing makefile, done.  No chance to change my mind

Any pointers??  Bugzilla will not work with backward compatibility disabled.
Grrr.

-Jennifer






Re: [techtalk] Home pages for regular users

1999-12-02 Thread Kelly Lynn Martin

On Thu, 2 Dec 1999 11:07:10 -0500, Subba Rao <[EMAIL PROTECTED]> said:

>How can my other users on this system, have their own web pages?  I
>want them to have their own directories and HTML documents (in their
>$HOME directories). I may allow simple CGI programs.

To srm.conf (or really any of the other Apache configuration files,
it's just that it's usually put in srm.conf), add "UserDir
public_html" if it's not already there.  This tells Apache to map a
HTTP request for "/~user" to the local file "~user/public_html".  

For CGI, you will want to add "AddHandler cgi-script .cgi" or
something similar.  (Don't do this unless you trust your users.)

The Apache website has quite a bit of good documentation on how to
configure Apache, although it can be a bit confusing at times.  They do 
have a decent set of FAQs, though.  See http://www.apache.org.

Kelly





Re: [techtalk] Bugzilla and Perl modules for MySql Help!!!

1999-12-02 Thread coder

look for any type of config.cache / Configure.cache / *.cache / etc. in
the directory.  Usually this file(s) stores the configuration
information from previous configures.

Jennifer Tippens wrote:
> I answered a
> question in the MakeMakefile wrong and now I can't get it to ask me the
> question again.  I re-un-tarred the module and ran perl Makefile.PL again, but
> it just said writing makefile, done.  No chance to change my mind

-- 
.oO()Oo.oO()Oo.oO()Oo.oO()Oo.oO()Oo.oO()Oo.oO()Oo.oO()Oo.oO()Oo.oO()Oo.
 [EMAIL PROTECTED] | http://CubicMeterCrystal.com/
 "You are the product of a mutational union 
  of ~640Mbytes of genetic information."





[techtalk] Using Linux to backup Windows 98

1999-12-02 Thread faber

Hi,

  I have a dual-PII server with a Sony SDT-9000 DAT drive.  I have been
happily backing up about 40 Windows 98 machines (yuck) with smbtar.
However, I am not totally pleased with this setup.
  First, I am not happy about the way the smbtar script handles passwords.
Second, I am not running a firewall, so I am a little nervous about the
security implications of sharing complete hard drives, and backing them up
over an insecure network.
  Finally, and most importantly, I have several problems with the backup
procedure itself.  Although backing up the hard drives is very quick (less
than 1/2 hour on the average), restoring these files takes FOREVER.  It
took over six hours to restore 800 MB of files.  Additionally, I was not
able to restore the system to the original state.  I instead had to
restore all of the files to an alternate directory, reinstall all of my
applications, and restore the settings.  This was after reinstalling
Windows 98 from scratch.
   There has to be a better way!  I have been toying with creating a Linux
boot floppy with network drivers, etc., and using 'dd' to store the hard
drive image on the tape drive.  I am wondering if there is any way to
pipe the dd output through gzip before storing it to the tape?
   While experimenting, I have been able to do the following:
   
 Use dd to write a floppy image directly to tape, and successfully
restore the image back to the floppy.

 I have not, however, been able to gzip the image in any way and
store it to the tape drive.  What am I doing wrong?
 A few hard drives are over 12 GB in size and will not fit on one
tape.  I am also on a limited budget, so I would like to be able to fit as
many images on one tape as possible.

Allison






Re: [techtalk] Bugzilla and Perl modules for MySql Help!!!

1999-12-02 Thread Sean McAfee

Jennifer Tippens <[EMAIL PROTECTED]> wrote:
>Sooo, I went to install Bugzilla from
>source on my computer.  First it needs MySQL.  OK. Done.  Next it needs Perl
>modules for MySQL. OK. Done.

>But wait!  Lo, what's this??  Eegads.  I read a little further.  I answered a
>question in the MakeMakefile wrong and now I can't get it to ask me the
>question again.  I re-un-tarred the module and ran perl Makefile.PL again, but
>it just said writing makefile, done.  No chance to change my mind

>Any pointers??  Bugzilla will not work with backward compatibility
>disabled.

I just tried this myself, and it seems the culprit is the file
lib/DBD/mysql/Install/Config.pm.  Remove it and rerun "perl Makefile.PL",
and you should get asked the important questions again.

If anyone is interested, the way I found this out was:

cd Msql-Mysql-modules-1.2210
perl Makefile.PL
find . -mmin -1
#  look for files with likely-looking names

Usually, if I get impatient looking for the right file to delete, I'll just
rm -rf the source distribution and then re-untar it.  That always does the
trick.

-- 
Sean McAfee | GCS d->-- s+++: a27 C++ US+++ P+++$ L++ E- W+ N++ |
| K w--- O? M- V-- PS+ PE Y+ PGP?>++ t+() 5++ X R+  | mcafee@
| tv+ b++ DI++ D+ G e++ h r---* y+>++   | umich.edu





Re: [techtalk] HTML (and CDROM question)

1999-12-02 Thread Steve Kudlak



Conrad Golightly wrote:

> > things are hard to trace in old old mailers. NO one has yet told me where ae is?
> > and is there a map of countries saying which abbreviation is which. I know
> > Australia is formally au but Aussies informally will often use "oz" though this
> > is not official. Same as NYC is not official but so recognized that no one
> > worries about it and demands New York, New York or NY,NY. If there were a
> > pointer to these country abbreviations used on the net I'd really love to see it.
>
> See RFC 1394 (www.faqs.org)
> .ae is the united arab emirates, IIRC, and is in the middle east on the
> north border of kuwait, again, IIRC.
>

Thanks! That tells me a bunch of things. Is there a map or listing somewhere?
Sometimes I guess by time zone but it only works for longitude.

Have Fun,
Sends Steve






Re: [techtalk] HTML (and CDROM question)

1999-12-02 Thread Steve Kudlak



Conrad Golightly wrote:

> > things are hard to trace in old old mailers. NO one has yet told me where ae is?
> > and is there a map of countries saying which abbreviation is which. I know
> > Australia is formally au but Aussies informally will often use "oz" though this
> > is not official. Same as NYC is not official but so recognized that no one
> > worries about it and demands New York, New York or NY,NY. If there were a
> > pointer to these country abbreviations used on the net I'd really love to see it.
>
> See RFC 1394 (www.faqs.org)
> .ae is the united arab emirates, IIRC, and is in the middle east on the
> north border of kuwait, again, IIRC.
>

Thanks! Now I can sit in Gimp and draw a map and have refs. Really have to start
reading the RFCs again. Yet another thing to do. :)

Have Fun,
Sends Steve






Re: [techtalk] KFM weirdness.

1999-12-02 Thread Steve Kudlak



Ian Phillips wrote:

> > BTW, does the "K" stand for Kallisti?
>
> Slightly disappointingly, it actually stands for "Kool".
>
> Hail Eris!
>
> Ian.
>
> #ifndef  __COMMON_SENSE__ | Ian Phillips
> #include  | TIBCO Software Inc.
> #endif| www.TIBCO.com
>

Well vaguely ... Also variant of strange Hindu Goddess, who would
appear under weird guises if you were nasty, she was nasty. Wilson and
Shea bent things a bit. Only techtalk context is some operating systems
behave like Kallisti (Kali) and others are best programmed under
Kallisti Gold. :)

Have Fun,
Sends Steve








Re: [techtalk] Home pages for regular users

1999-12-02 Thread Adriana Gonzalez

Kathleen Weaver wrote:

> >How can my other users on this system, have their own web pages?
> >I want them to have their own directories and HTML documents (in their
> >$HOME directories). I may allow simple CGI programs.
>
> Have them create a directory called public_html
>
> Their "home page" should be in a file called index.html or index.htm
>
> Any files should be set with 755 permission -- (use chmod 755 file.name)
>
> Their webpages will be at server/~userid
>
> I think they just put in a cgi_bin directory -- you may need to do something in the 
>apache configuration  but I haven't gotten this far.
>

You need to have something like this in your httpd.conf

# This will tell apache which are the user's web dirs
UserDir public_html

# These are the "permissions" for the directories.
AllowOverride None
Options Indexes FollowSymLinks
Order deny,allow
   Allow from All



AllowOverride None
Options ExecCGI
Order deny,allow
Allow from all



The way that is set, it will allow everybody to see the public_html dirs, but only the
things in the cgi_bin will be executable.

The apache's documentation is pretty good.  Mine is installed in:
/usr/local/apache/htdocs/manual.
You should check yours for details.

-adriana

--
   Adriana Gonzalez
   Programmer/Analyst
   Mycity.com




