I currently spend a lot of time hardening boxes. Is this discussion based on
the released doc I can get off the Debian web site, or a new draft?
Steven
-----Original Message-----
From: Peter Cordes [mailto:[EMAIL PROTECTED]
Sent: Friday, 14 March 2003 7:41
To: [EMAIL PROTECTED]
Subject: Re: Revi
On Thu, Mar 13, 2003 at 10:22:19PM +1100, Frederic Schutz wrote:
> Does it answer your questions or did I miss a real loophole in the
> strategy that I described ?
If an attacker gets root and loads a kernel module, that module could
restore the immutable capability. You'd have to disable loadab
On Thu, Mar 13, 2003 at 05:52:48PM -0600, Jeff Hahn wrote:
> "Never underestimate the bandwidth of a station wagon full of tapes."
Or a single IBM magtape on a 707 ;-)
--
--
IN MY NAME:Dale Amon, CEO/MD
No Mushroom clouds o
On Fri, Mar 14, 2003 at 01:11:10AM +0100, Christopher Taylor wrote:
> On Thu, 2003-03-13 at 18:31, Dale Amon wrote:
> > PKGLIST2="another.deb another2.deb"
> > for $pkg in $PKGLIST1; do
> ^ <- I think the problem is right there ;)
> > dpkg --install $pkg
On Thu, 2003-03-13 at 18:31, Dale Amon wrote:
> PKGLIST2="another.deb another2.deb"
> for $pkg in $PKGLIST1; do
^ <- I think the problem is right there ;)
> dpkg --install $pkg < yes
> done
--Chris
> -----Original Message-----
> From: Rich Puhek [mailto:[EMAIL PROTECTED]
>
> Reminds me of a rumor I heard that someone was working on an NFS over
> SMTP gateway. Would have pretty crappy latency, but the point was to
> prove that a firewall is not a guarantee of security.
>
> Also worth consid
> The question is... is there any way to protect against this? I mean, how
> would you differentiate on for example, a squid, the traffic of one of these
> tunnels from the real traffic you want to allow?
There is a way to protect any particular form of tunnelling (i.e., if you
know that a particul
On Thu, 13 Mar 2003 12:21:44 +0100 Alexander Reelsen wrote:
>> "Capabilities" is the next section that I plan to write/rewrite :-) The
>> interesting point about capabilities is that once one of them has been
>> removed, it can not be added back -- so lcap can only remove capabilities,
>> and not
Vassilii Khachaturov wrote:
The question is... is there any way to protect against this? I mean, how
would you differentiate on for example, a squid, the traffic of one of these
tunnels from the real traffic you want to allow?
There is a way to protect any particular form of tunnelling (i.e., if y
On Mar 03 2003, Martynas Domarkas wrote:
> Try this: http://www.htthost.com/ , but use it at your own risk. It is a
> real security hole. It is better to ask the system administrator to open some
> rules on firewall for you.
These kinds of programs, if I read well we have at least corkscrew and
httptunnel th
On Thu, Mar 13, 2003 at 12:09:17PM -0500, Burton Windle wrote:
> dpkg?
>
> dpkg -i filename.deb
Not even close. For instance:
PKGLIST="modutils- another+ another2+"
apt-get -y install $PKGLIST
will fail. If you do it at the lower level:
PKGLIST1="modutils"
f
I'm trying to do an automated build from a spec sheet
and am near my wits end. apt-get and dpkg are simply
too uppity. They decide what I should do. They are
disobedient programs. Bad program! Bad!
Is anyone aware of an utterly stupid and *obedient*
installer? One that simply takes a package name
Sorry, this thread was not intended for debsec!
--
--
IN MY NAME:Dale Amon, CEO/MD
No Mushroom clouds over Islandone Society
London and New York. www.islandone.org
---
mourne:/# umount /proc
umount: /proc: device is busy
mourne:/# umount /proc
mourne:/# exit
exit
umount: /proc: device is busy
umount: /var/cache/pbuilder/build/13579/proc: not mounted
Could not unmount /proc, there might be some program
still using files in /proc (klogd?).
Please check
Hi
On Thu, Mar 13, 2003 at 10:22:19PM +1100, Frederic Schutz wrote:
> On Thu, 13 Mar 2003, Alexander Reelsen wrote:
> > Are you sure on this one?
> >
> > # sysctl -A | grep cap-bound
> > kernel.cap-bound = -257
> >
> > Being it a sysctl parameter makes me wonder whether you can set things
> > runt
On Thu, 13 Mar 2003, Alexander Reelsen wrote:
> > attribute on your system anymore, even by the superuser ! A complete
> > strategy could be as follows:
> >
> >
> >Set the attributes 'a' and 'i' on any file you want;
> >Add the command lcap CAP_LINUX_IMMUTABLE to one of
> > the s
Hi
On Thu, Mar 13, 2003 at 09:02:47PM +1100, Frederic Schutz wrote:
> A better solution is to use the capabilities, as described in <ref id="proactive">. The capability of interest is called
> CAP_LINUX_IMMUTABLE: if you remove it from the capabilities
> bounding set (using for example the command lc
Title: unsubscribe
unsubscribe
[EMAIL PROTECTED]
Mit freundlichen Grüssen
SEEBURGER AG
EDV-Abteilung/Rechenzentrum
Jochen Schötterl
--
SEEBURGER AG, Edisonstrasse 1, D-75015 Bretten, Germany
Fax:+49(0)7252 96- Fon:+49(0)7252 96-
[please cc: me on replies]
Hi everyone,
I'm currently rewriting the section of the Securing Debian manual
concerned with the extended attributes of ext2/ext3. Before sending the
patch to Javier Fernández-Sanguino Peña I thought it may be worth asking
for comments here. It's far from being perfect
On Thu, Mar 13, 2003 at 06:48:58AM +, Aurelio Turco wrote:
> I have looked around for a screen lock
> for the text mode virtual terminal
> that activates automatically after
> a certain amount of idle time
> but could not find even one.
>
> Does anyone know of any?
vlock does the locking part
I have looked around for a screen lock
for the text mode virtual terminal
that activates automatically after
a certain amount of idle time
but could not find even one.
Does anyone know of any?