On Thu, 15 Apr 2004 02:01, Jeff Coppock <[EMAIL PROTECTED]> wrote:
> I'm having trouble with getting entries here to work. I have the
> following /var/log/auth.log messages that I want to filter out of
> logcheck (version 1.2.16, sarge):
>
> CRON[15302]: (pam_unix) session opened for user root by
On Tue, 20 Apr 2004 07:50, Jan Minar <[EMAIL PROTECTED]> wrote:
> It seems like they should be 660, not 600, as I suggested (wall(1) and
> talkd(1) would break otherwise, probably).
What prevents wall from sending those escape sequences?
--
http://www.coker.com.au/selinux/ My NSA Security Enha
On Sat, 5 Jun 2004 08:52, Michael Stone <[EMAIL PROTECTED]> wrote:
> >So, adding handling for SPF RRs in one's MTA yields significant
> >advantages today, despite the technology being new, because _all_ of the
> >forgemail claiming to be from aol.com, msn.com, hotmail.com, pobox.com,
> >etc. can be
On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor <[EMAIL PROTECTED]> wrote:
> We are allowing all emails from whitelist.
Who is "we" in this context? Individual users or mailing list administrators?
> For unknown sender, automated confirmation request is sent. If
For mailing lists this can be achieved
On Fri, 11 Jun 2004 06:03, Alain Tesio <[EMAIL PROTECTED]> wrote:
> On Thu, 10 Jun 2004 18:58:33 +1000
>
> Russell Coker <[EMAIL PROTECTED]> wrote:
> > For mailing lists this can be achieved by making the list
> > subscriber-only. For individual accounts such beh
On Fri, 11 Jun 2004 19:29, Dale Amon <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote:
> > It is anti-social for every idiot on the net to think that they are
> > important enough to require a subscription from everyone who wants t
On Fri, 11 Jun 2004 21:38, Dale Amon <[EMAIL PROTECTED]> wrote:
> That said, those who can afford it will hire human
> operators to act as email gatekeepers; those who can't
> will use whatever a salesman can convince them is
> affordable and works. Whether we like it or not will
> not figure into
On Fri, 11 Jun 2004 22:34, Patrick Maheral <[EMAIL PROTECTED]> wrote:
> It seems that most people here don't like CR systems, and I'd have to
> agree with that consensus.
>
> I'm just wondering what is the general feeling about using hashcash and
> other header signatures systems.
Currently you ca
On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote:
> In other news for Fri, Jun 11, 2004 at 11:24:05PM +1100, Russell Coker has been seen typing:
> > Besides, with an army of Windows Zombies you could generate those
> > signatures anyway...
>
> Why both
On Sat, 12 Jun 2004 04:22, "s. keeling" <[EMAIL PROTECTED]> wrote:
> Incoming from Rick Moen:
> > Quoting Russell Coker ([EMAIL PROTECTED]):
> > > Some of the anti-spam people are very enthusiastic about their work. I
> > > wouldn't be surprised
On Mon, 14 Jun 2004 16:39, Adrian 'Dagurashibanipal' von Bidder
<[EMAIL PROTECTED]> wrote:
> Also you may want to look at the rfc-ignorant.org ones, but reading
> nanae I got the impression that they are more trouble than they're
> worth.
This thread inspired me to fiddle with my anti-spam settin
On Tue, 15 Jun 2004 04:56, andrew lattis <[EMAIL PROTECTED]> wrote:
> currently i've got an ever growing password list in a plain text file
> stored on an encrypted loopback fs, this is getting cumbersome...
>
> figaro's password manager (package fpm) looks nice and uses blowfish to
> encrypt data
On Tue, 15 Jun 2004 17:24, Rudy Gevaert <[EMAIL PROTECTED]> wrote:
> Would it be possible to run that program through e.g. perl/php/... ?
>
> A user could ftp the executable and write a php script that executes it.
Does PHP allow executing arbitrary binaries?
If the user can install CGI-BIN scripts t
On Tue, 15 Jun 2004 18:46, Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> wrote:
> Some of the applications I run use kwallet, that seems similar to what
> Russell Cooker described for OS X.
No. kwallet can be ptraced, this allows a hostile program to get access to
all its data with ease.
Of cou
On Wednesday 06 July 2005 05:05, Ian Eure <[EMAIL PROTECTED]> wrote:
> It's used by syslogd. Not 100% sure on this, but I believe it's how
> user-space apps send messages to syslog (e.g. with syslog(3)). If that's
> the case, it would need to be mode 666 for syslog(3) to work.
It doesn't have to b
On Friday 02 March 2007 21:30, Bjørn Mork <[EMAIL PROTECTED]> wrote:
> Nor did I. Does anyone have a pointer to a discussion of this? I
> assume it must have been discussed a few times already.
A few times in other places, not sure about this list.
> I think I'll stop using su now ;-)
"setsid
On Sunday 22 April 2007 01:58, Jim Popovitch <[EMAIL PROTECTED]> wrote:
> On Fri, 2007-04-20 at 20:30 -0500, George P Boutwell wrote:
> > I don't remember the exact details, but the problem I think revolved
> > around not being able to properly boot-up since the /tmp and/or the
> > /var/tmp where n
On Sunday 27 May 2007 10:49, Németh Tamás <[EMAIL PROTECTED]> wrote:
> Does Debian Etch have some extra chroot
> restrictions, /dev/mem, /dev/kmem, /dev/port, /proc//stat,
> /proc/maps, Linux privileged I/O related or other security
> enhancements beyond the security of the vanilla Linux kernel?
On Monday 02 July 2007 11:35, Anders Breindahl <[EMAIL PROTECTED]> wrote:
> In servers, you might want to trust physical security, since
> whole-system encryption incurs a performance degradation. (However, on a
> reasonably recent system, you still will be bottlenecked by Fast
> Ethernet at 100Mb/
On Monday 09 July 2007 22:23, Anders Breindahl <[EMAIL PROTECTED]> wrote:
> > Where "reasonably fast" means faster than a 3GHz P4. A 3GHz P4 system I
> > was working on recently appeared to be limited to 4MB/s, if it wasn't for
> > the fact that the machine is about to be decommissioned then I wou
On Sun, 1 Feb 2015 11:18:43 PM Paul Wise wrote:
> chromium was already being backported to wheezy for security updates,
> the latest versions need newer compilers so we can't backport any
> more.
Why can't we backport the compilers too?
On Mon, 4 May 2015, Paul Wise wrote:
> On Mon, May 4, 2015 at 12:20 AM, Bart-Jan Vrielink wrote:
> > Where can I find a suitable policy? The package selinux-policy-default is
> > no longer available, and I cannot find a suitable replacement in
> > Jessie/main.
>
> The package was removed before j
My plan is to have the KDE and GNOME desktop environments working with SE Linux
enforcing mode on Stretch along with the most important apps such as Google
Chrome/Chromium.
I hope to have something ready to test in Unstable in a few weeks.
On 23 September 2016 11:21:55 pm AEST, "m.la...@t-onlin
On Sunday, 29 January 2017 8:07:09 PM AEDT Santiago Vila wrote:
> IMO, if we want reproducible builds and we don't want this to happen,
> we should probably change the way we do binNMUs (where "change" could
> well be not doing binNMUs at all and always include full and exact
> source with every up
On Fri, 31 Mar 2017 09:44:01 PM R Calleja wrote:
> can anybody help me. I have security issues and I have to reinstall
> the system every year.
> Set up a firewall with iptables as the attachment and now block
> connections as you can see in the dmesg attachment.
Debian-user is probably a better l
On Monday, 30 October 2017 8:57:00 AM AEDT Hans-Christoph Steiner wrote:
> > The one from 2016 is harder to exploit: I asked on #-apt back then and
> > the sample exploit had a 1/4 success chance with a 1.3 GB InRelease file
> > on a memory starved i386 system).
>
> That hit rate is enough to buil
On Saturday, 4 November 2017 7:36:02 PM AEDT Rebecca N. Palmer wrote:
> Background: my sponsor suggested that I apply for DM over a year ago,
> and the reason I haven't done so is that I'm not sure my security is up
> to it, given that anyone who hacks a DM can upload a Trojan. I only own
> one co
I just discovered the spectre-meltdown-checker package (thanks Sylvestre for
packaging this).
model name : Intel(R) Core(TM)2 Quad CPUQ9505 @ 2.83GHz
On a system with the above CPU running Debian/Testing I get the following
results from the spectre-meltdown-checker script. Is this a
On Tuesday, 11 June 2019 12:19:14 PM AEST Henrique de Moraes Holschuh wrote:
> On Mon, 10 Jun 2019, Russell Coker wrote:
> > model name : Intel(R) Core(TM)2 Quad CPUQ9505 @ 2.83GHz
> >
> > On a system with the above CPU running Debian/Testing I get the following
On Monday, 10 June 2019 9:16:02 PM AEST Michael Stone wrote:
> Your CPU is not supported by Intel, so you either accept the risk or buy
> a new one. (Note that the latest version of the microcode is from
> 2015--long before any of these speculative execution vulnerabilities
> were mitigated.) Yours
I think it would be good to have a package for improving system security. It
could depend on packages like spectre-meltdown-checker and also contain
scripts that look for ways of improving system security. For example
recommend SE Linux or Apparmor (if you don't have one installed), recommend
On Saturday, 7 March 2020 11:39:05 PM AEDT vi...@vheuser.com wrote:
> Isn't this what Tiger does?
>
> apt-cache search tiger
>
> tiger - Report system security vulnerabilities
> tiger-otheros - Scripts to run Tiger in other operating systems
Tiger is something that the tool I'm proposing could s
On Fri, 17 Oct 2003 07:08, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > A read-only /usr is not a security measure.
>
> Depends on your definition of it-security. It reduces downtime, prevents
> some admin and software failures and therefore is a security measure.
So is a
On Sat, 18 Oct 2003 07:07, Adam ENDRODI wrote:
> To stay on topic, I'm for keeping /usr and /usr/local read-only,
> because really nothing should update them except for a few
> programs under controlled circumstances (that's what makes
> the enforcement of this policy cheap). In addition, it might
On Sat, 18 Oct 2003 23:36, Goswin von Brederlow wrote:
> Michael Stone <[EMAIL PROTECTED]> writes:
> > A quiescent filesystem isn't going to be corrupted in a system crash.
> > You need to have metadata inconsistencies caused by filesystem activity
> > before you can get corruption.
>
> Which you g
On Sun, 19 Oct 2003 03:44, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > Anyway perhaps we should get a new mailing list debian-security-de for
> > the German meaning of security. Then the rest of us can discuss crypto,
> > MAC, and other things that match the English mean
On Wed, 22 Oct 2003 18:50, Tobias Reckhard wrote:
> > also su user -c command won't work, you'll need to use sudo or suid bit,
> > and that's a bit messy.
>
> This is true, when I need to su to this user's account (for
> troubleshooting, usually), I need to 'chsh -s /bin/bash mirror' first
> (and c
On Wed, 22 Oct 2003 19:27, Dariush Pietrzak wrote:
> > 'su -s /bin/bash -c "cmd" user '
> >
> > sounds like a very bs argument
>
> Do you understand the term 'breakage' ?
Do you understand the term "testing"?
> How about the idea that changing something in the system may force you
> to rewrit
On Wed, 22 Oct 2003 20:00, Dariush Pietrzak wrote:
> > > Do you understand the term 'breakage' ?
> >
> > Do you understand the term "testing"?
>
> Why should I?
Because some of us have already performed extensive tests on this when it was
raised previously.
The idea of giving non-login account
On Wed, 22 Oct 2003 21:37, I.R.van Dongen wrote:
> > > If the shells are changed, there are some really big consequences,
> > > but
> >
> > Such as? Please share your knowledge. :-)
>
> - manually compiled postgresql (user:postgres) expects the user it runs
> as to have a valid shell (I'm not sure
On Wed, 22 Oct 2003 20:39, Joe Moore wrote:
> Russell Coker said:
> > The idea of giving non-login accounts a shell of /bin/false is hardly
> > new.
>
> Out of curiosity, what security benefit does a shell of /bin/false grant,
> that say, an encrypted password of &q
On Thu, 23 Oct 2003 04:02, Joe Moore wrote:
> > There was a case of a buggy pam some time ago which let people login to
> > accounts such as "man" and "bin". Changing the shell would have
> > prevented that problem (or limited the number of accounts that were
> > vulnerable)
>
> So there was a b
On Fri, 24 Oct 2003 10:50, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > I discovered I could 'su -' to root in the excluded ttys. Do you think
> > this is normal behaviour or does my system need re-configuration ?
>
> This is the intended normal behaviour. Idea behind it
On Sat, 25 Oct 2003 02:40, Joe Moore wrote:
> >> So there was a bug in the PAM code so that it ignored an invalid
> >> /etc/passwd field. Why would the next bug not ignore some other
> >> /etc/passwd field (like the user's chosen shell)?
> >
> > You are correct, the next time a problem is discover
On Sat, 25 Oct 2003 02:46, Joe Moore wrote:
> > To create a file in /bin you need root access. Therefore to create
> > /bin/.rhosts you need more access than such a file will grant. There
> > is no point in such an attack. Why would someone create /bin/.rhosts
> > when they can create /root/.r
On Tue, 28 Oct 2003 18:12, Tom Goulet (UID0) wrote:
> I'm curious what a malicious user could do with access to the
> framebuffer device via the device file. Could a malicious
> user see anything other than what's on his or her virtual console or X
> session?
A malicious user who logs in via ssh
On Tue, 25 Nov 2003 19:51, Chema <[EMAIL PROTECTED]> wrote:
> Making /usr read-only is not for that kind of security. It will keep your
> data safe from corruption (soft one, anyway: a disk crash will take
> anything with it ;-). Besides, you can get a better performance formatting
> it with ext2,
On Wed, 26 Nov 2003 07:45, Chema <[EMAIL PROTECTED]> wrote:
> RC> Why would you get better performance? If you mount noatime then
> RC> there's no writes to a file system that is accessed in a read-only
> RC> fashion and there should not be any performance issue.
>
> Hum, ¿are you talking only abo
On Thu, 27 Nov 2003 04:51, Matt Zimmerman <[EMAIL PROTECTED]> wrote:
> Big money does not imply big security. Large corporations with lots of
> money to spend on security are compromised all the time. Obviously, they
> aren't as forthcoming about it as Debian due to monetary concerns, but even
>
On Wed, 26 Nov 2003 14:24, Bernd Eckenfels
<[EMAIL PROTECTED]> wrote:
> > I am talking about any file system. When only reading from a file system
> > there should not be any performance difference when comparing a RO mount
> > vs a NOATIME mount. If there is a difference then it's a bug in the
hat can
be found on http://www.coker.com.au/uml/ .
Feel free to ask me if you have any queries about how to do this properly.
Russell Coker
[EMAIL PROTECTED]
On Sat, 29 Nov 2003 05:10, "Martin G.H. Minkler" <[EMAIL PROTECTED]> wrote:
> A little OT, but http://www.adamantix.org 's distro provides everything
> and more SELinux has to offer while IMHO being a little easier to handle.
Adamantix is not Debian. The people subscribed to this list are here fo
On Sat, 29 Nov 2003 11:46, Forrest L Norvell <[EMAIL PROTECTED]> wrote:
> > > un libselinux-dev(no description
> > > available) ii libselinux1 1.2-1.1 SELinux
> > > shared libraries un libselinux1-dev (no
> > > description ava
On Sat, 29 Nov 2003 20:05, Martin Pitt <[EMAIL PROTECTED]> wrote:
> > Conflicts with almost every other kernel patch, including the patches in
> > the default kernel source. No-one has the skill and interest necessary
> > to make it work with a default Debian kernel.
>
> It may be the hardest thin
On Sun, 30 Nov 2003 14:53, Colin Walters <[EMAIL PROTECTED]> wrote:
> On Sat, 2003-11-29 at 22:47, David Spreen wrote:
> > of their programs. the system could use a db of installed-package
> > resources. Therefore we would need to create a common language that
> > could be translated to any acl-for
On Sun, 30 Nov 2003 15:32, Colin Walters <[EMAIL PROTECTED]> wrote:
> However, this is not such a bad idea, if you don't try to be too formal
> about it. If maintainers shipped English descriptions (say,
> README.Security) of what the security implications of their programs
> were, it could be ver
On Sun, 30 Nov 2003 22:33, Martin Pitt <[EMAIL PROTECTED]> wrote:
> On 2003-11-29 21:08 +1100, Russell Coker wrote:
> > It's not a question of how difficult it is to get the grsec patch to
> > apply and work correctly on a Debian kernel. It's a question of whether
On Mon, 1 Dec 2003 04:27, Andreas Barth <[EMAIL PROTECTED]> wrote:
> Is it possible for me as a package maintainer to specify the needed
> rights for "my" programs in a way that as many systems as possible
> can use these without the need for a sysadmin to change anything? Or
> would each LSM-bas
On Mon, 1 Dec 2003 05:10, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> > It's a pity that the developers of other security systems didn't get
> > involved, it would be good to have a choice
On Mon, 1 Dec 2003 07:43, Andreas Barth <[EMAIL PROTECTED]> wrote:
> > There will be support in RPM for packages that contain SE Linux policy.
> > For Debian such support will come later (if at all) as the plan is to
> > centrally manage all policy for free software, and it's not difficult to
> >
On Mon, 1 Dec 2003 07:46, Andreas Barth <[EMAIL PROTECTED]> wrote:
> * Russell Coker ([EMAIL PROTECTED]) [031130 21:40]:
> > On Mon, 1 Dec 2003 05:10, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> > > On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell C
On Tue, 2 Dec 2003 08:48, Andreas Barth <[EMAIL PROTECTED]> wrote:
> * Russell Coker ([EMAIL PROTECTED]) [031201 05:10]:
> > On Mon, 1 Dec 2003 07:43, Andreas Barth <[EMAIL PROTECTED]> wrote:
> > > What about the gettys? I'm asking this because I wrote the init
On Tue, 2 Dec 2003 18:32, Peter Palfrader <[EMAIL PROTECTED]> wrote:
> > There is currently no uucp policy (it seems that no SE Linux users are
> > using it).
>
> I have one, but it does only allow what I need for uucp, which is
> certainly just a small subset of possible uucp uses.
I've attached
On Wed, 3 Dec 2003 00:56, Peter Palfrader <[EMAIL PROTECTED]> wrote:
> > I've attached a modified version, please check it out. I've changed some
> > of the things to do it in the recommended manner (eg the
> > system_crond_entry() macro), and removed some things.
> >
> > The part for running ssh
On Mon, 8 Dec 2003 19:16, "Domonkos Czinke" <[EMAIL PROTECTED]>
wrote:
> I recommend using the chattr program. You should set them immutable
> chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow. Man chattr.
In a stock Linux kernel the permissions required to "chattr -i" a file are
exactly
On Fri, 19 Dec 2003 08:02, martin f krafft <[EMAIL PROTECTED]> wrote:
> I would be very interested, Russel, to hear your opinion about the
> claim that the LSM hooks are dangerous in terms of root kit
> exploits. Do you agree? If not, then please tell us what LSM
> precautions take care to prevent
On Fri, 19 Dec 2003 20:18, Henrique de Moraes Holschuh <[EMAIL PROTECTED]>
wrote:
> On Fri, 19 Dec 2003, Russell Coker wrote:
> > In terms of LSM protection against this, if you use SE Linux then all
> > aspects of file access and module loading are controlled by the polic
On Mon, 22 Dec 2003 19:45, Marcel Weber <[EMAIL PROTECTED]> wrote:
> s. keeling wrote:
> > gpg: Signature made Sun Dec 21 17:14:28 2003 MST using DSA key ID
> > 946886AE gpg: Good signature from "Trey Sizemore <[EMAIL PROTECTED]>"
> > gpg: WARNING: This key is not certified with a trusted signature
On Mon, 22 Dec 2003 20:02, Marcel Weber <[EMAIL PROTECTED]> wrote:
> Russell Coker wrote:
> > Signing a key you don't know is not a good idea, it's easy to
> > accidentally upload a key...
> >
> > There is a gpg option "lsign" which can be us
This discussion has some minor relevance to debian-isp, but nothing to do with
debian-security. Let's move the discussion to debian-isp.
On Wed, 24 Dec 2003 00:25, Dale Amon <[EMAIL PROTECTED]> wrote:
> I've been noticing loads of mails like this lately:
>
> emery atrocious larval drippy elate
On Sun, 4 Jan 2004 07:53, martin f krafft <[EMAIL PROTECTED]> wrote:
> also sprach Russell Coker <[EMAIL PROTECTED]> [2003.12.19.0229 +0100]:
> > In terms of LSM protection against this, if you use SE Linux then
> > all aspects of file access and module loading are contr
On Wed, 21 Jan 2004 11:28, Markus Schabel <[EMAIL PROTECTED]> wrote:
> hello folks!
>
> can you tell me what the following means in an apache error.log and
> where it comes from? I've searched through all other apache log files
> but didn't find something that could generate this.
> (sure, the serv
On Sun, 25 Jan 2004 20:49, "Raffaele D'Elia" <[EMAIL PROTECTED]>
wrote:
> checks for new mail in a mailbox via pop3;
If you use IMAP it should be possible for you to ask the server to notify you
when new mail is received. This should give you a faster response if the
server correctly implements
On Sun, 15 Feb 2004 05:31, Wade Richards <[EMAIL PROTECTED]> wrote:
> Every once in a while I get a bunch of errors because some process tried
> to access my CDROM, triggering automount when there's no disk in the
> drive.
SE Linux can audit all interesting actions, exec, read, write, create,
sig
On Wed, 18 Feb 2004 23:30, Kristopher Matthews <[EMAIL PROTECTED]> wrote:
> > This is a security nightmare. I would *not* recommend doing any such
> > thing in a user filesystem.
>
> You're making the assumption that he LIKES his users. :)
It's not a matter of whether the admin likes his users, it
On Wed, 18 Feb 2004 23:59, Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
wrote:
> On Wed, Feb 18, 2004 at 11:05:30AM +0100, Richard Atterer wrote:
> > Waah, SCARY!
> >
> > Users can create hard links to arbitrary files in that directory, e.g.
> > links to other users' private files or to
On Thu, 19 Feb 2004 00:23, Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
wrote:
> On Wed, Feb 18, 2004 at 11:50:27PM +1100, Russell Coker wrote:
> > If you are going to change such things then you need to use the -uid or
> > -gid options to find (depending on whether you
On Thu, 19 Feb 2004 09:12, Michael Stone <[EMAIL PROTECTED]> wrote:
> On Wed, Feb 18, 2004 at 11:50:27PM +1100, Russell Coker wrote:
> >The other way of doing it properly is to write a program that opens each
> >file, calls fstat() to check the UID/GID, then uses fchow
On Wed, 10 Mar 2004 08:58, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> [ Sorry, I'm not sure if this list is right place to ask this, but
> I can't remember better one ]
The NSA mailing list is another option, but this one is OK.
> I'm trying to backport SELinux tools and libraries from unst
On Wed, 10 Mar 2004 21:26, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> > There have been some changes to the way libxattr works. From memory I
> > think that you needed an extra -l option on the link command line when
> > compiling with old libc6. I can't remember whether it was linking the
>
On Thu, 11 Mar 2004 08:22, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 10, 2004 at 01:29:16PM +0100, Milan P. Stanic wrote:
> > That is. I just rebuilt policycoreutils and pam with libselinux1
> > which is linked with libattr and it was smooth.
> > Now I have to backport coreutils an
On Thu, 11 Mar 2004 20:40, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 11, 2004 at 09:02:50AM +1100, Russell Coker wrote:
> > > If someone needs them I can put it on the net or post somewhere, or
> > > maybe help if the help is needed.
On Thu, 11 Mar 2004 22:14, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 11, 2004 at 09:42:52PM +1100, Russell Coker wrote:
> > If you copy all files related to a package intact then you don't have to
> > make such changes.
> >
> > I
On Fri, 12 Mar 2004 06:25, Norbert Tretkowski <[EMAIL PROTECTED]> wrote:
> * Milan P. Stanic wrote:
> > Can I put in version something like libselinux1_1.6-0.1-bp.mps_i386.deb
> > instead of libselinux1_1.6-0.1_i386.deb?
>
> Well, if 1.6-0.1 will be in our next stable release, your backport
> will
On Sat, 20 Mar 2004 05:14, Phillip Hofmeister <[EMAIL PROTECTED]> wrote:
> On another note, The GRSecurity/SELinux patches mitigate a lot of kernel
> vulnerabilities and userland vulnerabilities. If you are running your
> own kernel you may wish to look at them.
Nothing protects you against kerne
On Tue, 23 Mar 2004 08:19, Florian Weimer <[EMAIL PROTECTED]> wrote:
> No, it's another example for a package which heavily deviates from
> upstream (AFAIK, upstream is defunct) and is now developed by the
> GNU/Linux distributions (and each variant has a slightly different
> features). Despite th
On Wed, 24 Mar 2004 22:22, Michael Stone <[EMAIL PROTECTED]> wrote:
> The best you could do would be to attach different certificates to
> different ports, but that would be extremely cumbersome and probably
> would lead to confusion.
What if you had http://www.company1.com/ redirect to
https://w
On Thu, 1 Apr 2004 17:59, [EMAIL PROTECTED] (Michael Becker) wrote:
> If you just want a kernel, with almost everything in there belonging
> to security, have a look at WOLK (Working OverLoaded Kernel)
> at http://sourceforge.net/projects/wolk
It appears that WOLK is not in Debian. I would guess
On Sat, 10 Apr 2004 04:22, [EMAIL PROTECTED] wrote:
> Is there anything ordinary that can cause passwords to be changed? I tried
> to log in last night and sshd wouldn't accept either my user's password or
> my root password. When I got physical access this morning, I couldn't log
> into the consol
On Mon, 12 Apr 2004 10:00, Joe Bouchard <[EMAIL PROTECTED]> wrote:
> In a meeting at work (I'm part of the IT group at a large corporation)
> someone mentioned a particular kind of network hardware which would stop
> working correctly after a while.
Here are some ways that network issues can slow