On Sun, Feb 16, 2014 at 12:37:08AM +0100, Gilles Chehade wrote:
> On Sat, Feb 15, 2014 at 09:26:35PM +0100, Frank Brodbeck wrote:
> > Hi,
> >
> > On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
> > > I would try using a full path.
> > >
> > > pki example ca "/etc/ssl/myca.pem"
> >
>
On Sun, Feb 16, 2014 at 10:44:39AM +0100, Remco wrote:
> Frank Brodbeck wrote:
>
> > Hi,
> >
> > On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
> >> I would try using a full path.
> >>
> >> pki example ca "/etc/ssl/myca.pem"
> >
> > I already tried it with full path. But I got it
On Thu, Feb 13, 2014 at 02:42:58PM +0100, Gilles Chehade wrote:
> On Thu, Feb 13, 2014 at 02:09:53AM -0500, Ted Unangst wrote:
> > Correct me if I'm wrong, but there's no way to find out what parts of
> > smtpd (mda, mta) are paused? I can always run smtpctl pause mta
> > again to get an error mess
On Sat, Feb 15, 2014 at 09:26:35PM +0100, Frank Brodbeck wrote:
> Hi,
>
> On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
> > I would try using a full path.
> >
> > pki example ca "/etc/ssl/myca.pem"
>
> I already tried it with full path. But I got it working now by
> specifying cer
Just thought of a funny way to promote some OpenBSD merchandise sales.
This is just for followers of the bitcoin roller coaster.
Tell me to get lost if it's too dumb an idea, or something too crass and
commercial, and so unrelated to OpenBSD core values, that I shouldn't ever
clutter up the m
On 16. februar 2014 at 10:11 PM, "Daniel Cegiełka" wrote:
try this:
--- cat id0.c ---
int getuid(){return 0;}
int geteuid(){return 0;}
int getgid(){return 0;}
int getegid(){return 0;}
--- end cut ---
# shell (as normal user):
id -un
cc -shared id0.c -o id0
LD_PRELOAD=./id0 sh
id -un
What does th
Hi all,
I have been battling with this issue for far too long, and I am at wits
end.
I have an OpenBSD 5.4 machine, with httpd serving pages successfully
over both HTTP and HTTPS (with a CaCert-issued certificate). I want to
serve multiple sites on both protocols (the certificate has AltNames fo
2014-02-17 13:15 GMT+01:00 :
> On 16. februar 2014 at 10:11 PM, "Daniel Cegiełka"
> wrote:
>
> try this:
>
> --- cat id0.c ---
> int getuid(){return 0;}
> int geteuid(){return 0;}
> int getgid(){return 0;}
> int getegid(){return 0;}
> --- end cut ---
>
> # shell (as normal user):
> id -un
> cc -s
Good afternoon,
Firstly, thanks for your ongoing development and good work.
I have a question that I would like to pose to you, as I have not found
any satisfactory answer despite long research.
Background:
We use ssh keys to distribute code and run commands. These are
appropriately controlle
On Sun, Feb 16, 2014 at 10:44:39AM +0100, Remco wrote:
> From smtpd.conf(5) on OpenBSD 5.4:
> (You seem to run CURRENT, which I didn't check, so things might be different
> in your case)
Yes I do. Sorry, running -current comes so naturally to me that I didn't
think about mentioning it.
> You s
Em 17-02-2014 10:59, Daniel Cegiełka escreveu:
> 2014-02-17 13:15 GMT+01:00 :
>> On 16. februar 2014 at 10:11 PM, "Daniel Cegiełka"
>> wrote:
>>
>> try this:
>>
>> --- cat id0.c ---
>> int getuid(){return 0;}
>> int geteuid(){return 0;}
>> int getgid(){return 0;}
>> int getegid(){return 0;}
>> --
2014-02-17 15:49 GMT+01:00 Giancarlo Razzolini :
>> Solution: static linking of critical binaries.
>>
>> I hope that my explanation was helpful.
>>
>> best regards,
>> Daniel
>>
> Static linking does solve the issue with this particular rootkit, but
> won't help with kmod rootkits. The truth is t
I am not sure what point it is you are trying to make but:
$ LD_PRELOAD=./id0 sh
\u@\h:\w\n$ id -un
root
\u@\h:\w\n$ less /etc/master.passwd
/etc/master.passwd: Permission denied
\u@\h:\w\n$ ls -l /etc/master.passwd
-rw--- 1 root wheel 3984 Feb 5 22:44 /etc/master.passwd
\u@\h:\w\n$
2014-02-16 23:36 GMT+01:00 Frank Brodbeck :
> I am not sure what point it is you are trying to make but:
>
> $ LD_PRELOAD=./id0 sh
> \u@\h:\w\n$ id -un
> root
> \u@\h:\w\n$ less /etc/master.passwd
> /etc/master.passwd: Permission denied
> \u@\h:\w\n$ ls -l /etc/master.passwd
> -rw--- 1 root w
On Mon, Feb 17, 2014 at 02:21:45PM +, Richard Heasman wrote:
> Good afternoon,
>
> Firstly, thanks for your ongoing development and good work.
>
> I have a question that I would like to pose to you, as I have not found
> any satisfactory answer despite long research.
>
> Background:
> We u
On 2014-02-16, Zoran Kolic wrote:
> Does not regard openbsd at all, but this channel sounds
> like the proper place to take an advice from, since I
> consider people on it enough safety aware.
> I plan to get android phone and go through some channel,
> with home vpn server not an option.
You say
Hi,
Does anyone have any ideas on this? How can we configure isakmpd to
only listen on certain IP addresses to avoid this limitation when it
tries to listen on *every* IP address?
I see listen-on in isakmpd.conf, but we are using ipsec.conf and I
understand these are mutually-exclusive..
C
Face-palm!!!
When I tried it before I only created /etc/isakmpd.conf
not;
/etc/isakmpd/isakmpd.conf
chmod 600 /etc/isakmpd/isakmpd.conf
isakmpd.conf
[general]
listen-on=,,
Dohh, Have to miss the obvious in a man page every now and then I guess..
Hopefully my fail-over stability tweaks help so
Because it was not supposed to compile anything at that time.
When you installed OpenBSD, did you install the comp54 set? Why not?
On Mon, Feb 17, 2014 at 10:36:29AM -0700, nvw6lxh2yt...@pyramidheadgroup.ca
wrote:
> Because it was not supposed to compile anything at that time.
> [...]
But you did install it before your first post to misc@, right? If not,
you might want to boot bsd.rd and do an upgrade from there, this time
w
On 2014-02-17 12:36, nvw6lxh2yt...@pyramidheadgroup.ca wrote:
Because it was not supposed to compile anything at that time.
When you installed OpenBSD, did you install the comp54 set? Why not?
See FAQ 4.11 for instructions to follow to add the comp54.tgz fileset to
your existing system.
Th
I installed compiler packages via pkg_add, see pkg_info output in the
original message.
See FAQ 4.11 for instructions to follow to add the comp54.tgz fileset
to your existing system.
That should enable you to compile stuff.
Ok, will do. Thank you.
On 2014-02-17 12:54, nvw6lxh2yt...@pyramidheadgroup.ca wrote:
I installed compiler packages via pkg_add, see pkg_info output in the
original message.
These require the comp*.tgz fileset. As I previously posted, FAQ 4.11
is your guide. It shows two different ways to install your missing
file
On Mon, Feb 17, 2014 at 10:36:29AM -0700, nvw6lxh2yt...@pyramidheadgroup.ca
wrote:
> Because it was not supposed to compile anything at that time.
>
> >When you installed OpenBSD, did you install the comp54 set? Why not?
And you expect the magic fairies to just like that, find the compiler when
I'm looking for recommendations on what works well for people, since
this doesn't appear to be covered by the FAQ or AOBSD2E. I know several
ways to accomplish what I'm after, but none of them seem to have any
clear advantage over the other.
1. I have about a dozen OpenBSD systems running (5.
Mailertable would be a good approach, no?
Vijay Sankar
ForeTell Technologies Limited
vsan...@foretell.ca
Sent from my iPhone
> On Feb 17, 2014, at 12:13, Adam Thompson wrote:
>
> I'm looking for recommendations on what works well for people, since this
> doesn't appear to be covered by the F
On Mon, Feb 17, 2014 at 12:13, Adam Thompson wrote:
> 1. I have about a dozen OpenBSD systems running (5.4-RELEASE), all of
> which share a common list of users, all of which generate email
> automatically.
> 2. Only one of those systems is the designated mail server. I would
> like all the ot
On Mon 17 Feb 2014 12:54:23 PM CST, mx1.foretell.ca wrote:
Mailertable would be a good approach, no?
Hm. Not quite what I was looking for, unless you can use wildcards in
the mailertable. I literally want all local mail "proxied", if you
will, to the mailhost.
So far, it looks like an smt
>2014-02-16 23:36 GMT+01:00 Frank Brodbeck :
>> I am not sure what point it is you are trying to make but:
>>
>> $ LD_PRELOAD=./id0 sh
>> \u@\h:\w\n$ id -un
>> root
>> \u@\h:\w\n$ less /etc/master.passwd
>> /etc/master.passwd: Permission denied
>> \u@\h:\w\n$ ls -l /etc/master.passwd
>> -rw---
> Attacks with LD_PRELOAD are very old and can
> be performed on any OS where you have dynamic linking (Linux, *BSD
> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
You forgot to mention that the value of LD_PRELOAD is ignored for set*id
executables, in orde
And it never was a threat?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
http://www.cvedetails.com/cve/CVE-2006-6164/
Daniel
>And it never was a threat?
>
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
>http://www.cvedetails.com/cve/CVE-2006-6164/
Please state your case very carefully and clearly. Right now, you
are not talking facts.
2014-02-17 20:48 GMT+01:00 Miod Vallat :
>> Attacks with LD_PRELOAD are very old and can
>> be performed on any OS where you have dynamic linking (Linux, *BSD
>> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>
> You forgot to mention that the value of LD_PRE
>2014-02-17 20:48 GMT+01:00 Miod Vallat :
>>> Attacks with LD_PRELOAD are very old and can
>>> be performed on any OS where you have dynamic linking (Linux, *BSD
>>> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>>
>> You forgot to mention that the value of
> It actually should reduce the risk for set*id(), but this in the past
> related to CVE-2006-6164 (_dl_unsetenv())?
Yes, and this has been fixed since.
2014-02-17 21:25 GMT+01:00 Theo de Raadt :
>>2014-02-17 20:48 GMT+01:00 Miod Vallat :
Attacks with LD_PRELOAD are very old and can
be performed on any OS where you have dynamic linking (Linux, *BSD
etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
On Mon, Feb 17, 2014 at 07:48:44PM +, Miod Vallat wrote:
> > Attacks with LD_PRELOAD are very old and can
> > be performed on any OS where you have dynamic linking (Linux, *BSD
> > etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>
> You forgot to mention
2014-02-17 21:49 GMT+01:00 Marc Espie :
> On Mon, Feb 17, 2014 at 07:48:44PM +, Miod Vallat wrote:
>> > Attacks with LD_PRELOAD are very old and can
>> > be performed on any OS where you have dynamic linking (Linux, *BSD
>> > etc.), so yes, OpenBSD is "vulnerable" to th
> and of course PAM:
>
> http://blackhatlibrary.net/Hooking_PAM
Well, there's a reason why OpenBSD does not embed PAM. It has to do with
software giving people enough rope to hang themselves.
On Mon, Feb 17, 2014 at 10:02:18PM +0100, Daniel Cegiełka wrote:
[...]
> At least on linux this type of abuse seem to be still (very) effective:
>
> http://blackhatlibrary.net/LD_PRELOAD
> http://blackhatlibrary.net/Azazel
>
> and of course PAM:
>
> http://blackhatlibrary.net/Hooking_PAM
Here's
On Mon, Feb 17, 2014 at 09:12:53PM +, Miod Vallat wrote:
| > and of course PAM:
| >
| > http://blackhatlibrary.net/Hooking_PAM
|
| Well, there's a reason why OpenBSD does not embed PAM. It has to do with
| software giving people enough rope to hang themselves.
Giving people enough rope to ha
Hm, funny. I wasn't able to reproduce it on my side either:
# touch /etc/ssl/foo{pem,key}
# chmod 0600 /etc/ssl/foo{pem,key}
# grep foo /etc/mail/smtpd.conf
pki foo certificate "/etc/ssl/foo.pem"
pki foo key "/etc/ssl/foo.key"
pki foo ca "/etc/ssl/sbde-ca.pem"
# smtpd -nf /etc/mail/smtpd.conf
fat
On Mon, Feb 17, 2014 at 11:43:50PM +0100, Frank Brodbeck wrote:
> Hm, funny. I wasn't able to reproduce it on my side either:
>
> # touch /etc/ssl/foo{pem,key}
> # chmod 0600 /etc/ssl/foo{pem,key}
> # grep foo /etc/mail/smtpd.conf
> pki foo certificate "/etc/ssl/foo.pem"
> pki foo key "/etc/ssl/f