Ran into a weird problem, and this seemed a good forum to toss it out into -- if I've gaffed, please let me know.

Just upgraded my RH5.0 box to RH5.2. Went well, worked nearly seamlessly. When running 5.0, though, I'd installed the opie-fied ftpd that comes with the most recent opie package (ftp://ftp.inner.net/pub/opie/opie-2.32.tar.gz) and had it work without a hitch. I'd also changed /bin/login and /bin/su to their opie counterparts.

Once I'd finished the upgrade, login and su still worked exactly as before, but attempting to ftp in failed. User gets prompted for name, receives the correct opie prompt, gives the one-time-password, and gets unceremoniously told "Login incorrect." Interestingly, the next time the user tries, the opie sequence *has* decremented by one -- clearly, the user is satisfying the challenge somewhere. (and it doesn't decrement if the one-time-password is incorrect.)

The error that gets logged is of this form:

# Dec 3 11:36:41 foo ftpd[23527]: connection from localhost at Thu Dec 3 11:36:41 1998
# Dec 3 11:36:42 foo ftpd[23527]: Invalid FTP user name adam attempted from localhost.

Naturally, the username "adam" is a valid one, and I can successfully ftp in using that userid and a static password via the stock wuftpd that RedHat sees fit to ship. Anonymous ftp via the opie-ftpd works just fine.

# Dec 3 11:41:06 foo ftpd[23536]: Anonymous FTP connection made from host localhost.
# Dec 3 11:41:09 foo ftpd[23536]: ANONYMOUS FTP login from localhost with ID foo@bar.org

So my question is this: since the opie ftpd shouldn't (in my limited understanding) be making calls to pam, an upgraded pam shouldn't be causing this, especially given the fact that opie-login and opie-su work just fine... Is there some other obvious breaking-point that I'm missing here?

A

[mod: Readers, please reply to Adam. Adam, please summarize in a week or so. -- REW]

--
Nostalgia is a product of dissatisfaction and rage.
It's a settling of grievances between the present and the past. The more powerful the nostalgia, the closer you come to violence. War is the form nostalgia takes when men are hard-pressed to say something good about their country.
<adam@baz.org> - Don DeLillo, in _White Noise_

From: Truckstop Psychic <adam@baz.org>
Date: Fri, 4 Dec 1998 09:16:19 -0500
To: linux-security@redhat.com
Cc: Guan Sin Ong <guansin@inet-one.com>
Subject: [linux-security] Re: interactions between OPIE-ftpd and RH5.2

Quoting Guan Sin Ong (guansin@inet-one.com):
> Any change to /etc/shells after the upgrade?

As it turns out... Yes.

Discovered this last night, and should have caught it sooner -- it's a pretty distinct error condition.

Now, why a package upgrade would change /etc/shells and *not* leave a distinct .rpmsave file behind it, I'm not certain -- but that's more a problem/misunderstanding with rpm than an honest to pete security issue, I'm guessing.

*sigh* Thanks for the indulgence, everyone. I'll try and find something meatier next time. :)

A

--
Cooking is a sacred activity. It is an act of lovemaking. Our society is spiritually malnourished because we have abandoned the kitchen.
- novelist Laura Esquivel, author of _Like Water for Chocolate_
<adam@baz.org> <adam hirsch>

From: "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
Date: Fri, 04 Dec 1998 19:42:23 -0500
To: linux-security@redhat.com
cc: linux-afs@mit.edu
Subject: Red Hat 5.2's login doesn't do PAM session management correctly

This is a "heads up" for anyone who relies on PAM session management in order to clean up after a login session. Red Hat 5.2's login does not perform PAM session management correctly, potentially resulting in sessions which lose their authentication before the login shell starts.

login.c in Red Hat 5.2's util-linux package was modified so that it no longer forks a separate process for the user's shell; instead, it immediately closes the session and execs the user's shell. This means that a PAM module which expects to be able to do post-session cleanup in its pam_close_session hook will do the cleanup *before* the user's shell is invoked. This breaks the pam_linux_afs module (which invokes AFS's unlog) and KTH Kerberos's pam_krb4 module (which destroys the ticket cache), among others, so the session is effectively unauthenticated (contrary to both PAM documentation and users' and administrators' expectations).

The workaround for pam_linux_afs is to remove the session entry for pam_linux_afs from /etc/pam.d/login and add "no_unlog" to the auth entry. I haven't tried to produce a workaround for KTH pam_krb4 yet because it has several other bugs which make it unusable in our environment and I haven't had the time to sit down and fix it.

I have a temporary patch to util-login which restores the original behavior, and I have submitted a bug report to Red Hat (which was acknowledged today). (If anyone needs the patch, send mail to me at allbery@ece.cmu.edu and I'll send you the patch and spec file.)

--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering KF8NH
Kiss my bits, Billy-boy.
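
The ordering problem described in the message above, modelled as an added example (not code from util-linux, Red Hat or the poster): a file stands in for the credential that a session module destroys in its pam_close_session hook, and /bin/sh stands in for the user's shell. The names open_session, close_session and the ticket path are assumptions of this model; libpam itself is not called.

```c
/* Added example: a model of login's session ordering, not util-linux code. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum flow {
    EXEC_AFTER_CLOSE,   /* behaviour the post attributes to Red Hat 5.2's login */
    FORK_WAIT_CLOSE     /* original behaviour: shell in a child, cleanup after it */
};

/* Stand-in for a module's pam_open_session hook: create the credential. */
static void open_session(const char *ticket)
{
    FILE *f = fopen(ticket, "w");
    if (f) {
        fputs("constructed-token\n", f);
        fclose(f);
    }
}

/* Stand-in for pam_close_session: destroy the credential (unlog, ticket destroy). */
static void close_session(const char *ticket)
{
    unlink(ticket);
}

/* Stand-in for the user's shell: exits 0 only if the credential is still readable. */
static void exec_shell(const char *ticket)
{
    execl("/bin/sh", "sh", "-c", "test -r \"$0\"", ticket, (char *)NULL);
    _exit(127);                         /* exec itself failed */
}

/* Body of the modelled login process; never returns. */
static void login_process(enum flow flow, const char *ticket)
{
    pid_t shell;
    int st = 0;

    open_session(ticket);
    if (flow == EXEC_AFTER_CLOSE) {
        close_session(ticket);          /* cleanup runs before the shell exists */
        exec_shell(ticket);
    }
    shell = fork();
    if (shell == 0)
        exec_shell(ticket);
    if (shell < 0 || waitpid(shell, &st, 0) < 0) {
        close_session(ticket);
        _exit(126);
    }
    close_session(ticket);              /* cleanup only after the shell has exited */
    _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 126);
}

/* Run one modelled login: 1 if the shell saw its credential, 0 if not, -1 on error. */
int shell_had_ticket(enum flow flow, const char *ticket)
{
    pid_t login = fork();
    int st;

    if (login < 0)
        return -1;
    if (login == 0)
        login_process(flow, ticket);
    if (waitpid(login, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    if (WEXITSTATUS(st) == 0)
        return 1;
    return WEXITSTATUS(st) == 1 ? 0 : -1;
}

/* 1 if the credential file is still on disk after the login has ended. */
int ticket_exists(const char *ticket)
{
    return access(ticket, F_OK) == 0;
}

/* Per-process scratch path for the demo credential (constructed name). */
void make_ticket_path(char *buf, size_t len)
{
    snprintf(buf, len, "/tmp/session-model-ticket.%ld", (long)getpid());
}

int main(void)
{
    char ticket[64];
    int broken, fixed;

    make_ticket_path(ticket, sizeof ticket);
    broken = shell_had_ticket(EXEC_AFTER_CLOSE, ticket);
    fixed = shell_had_ticket(FORK_WAIT_CLOSE, ticket);
    printf("close-then-exec: shell had credential = %d\n", broken);
    printf("fork-wait-close: shell had credential = %d, left behind = %d\n",
           fixed, ticket_exists(ticket));
    return 0;
}
```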

From: Tony Nugent <Tony.Nugent@usq.edu.au>
Date: Sat, 05 Dec 1998 12:10:52 +1000
To: linux-security@redhat.com
Subject: [linux-security] Re: interactions between OPIE-ftpd and RH5.2

On Fri Dec 04 1998 at 09:16, Truckstop Psychic wrote:

> > Any change to /etc/shells after the upgrade?
> As it turns out... Yes.
> Discovered this last night, and should have caught it sooner -- it's a
> pretty distinct error condition.
> Now, why a package upgrade would change /etc/shells and *not* leave a
> distinct .rpmsave file behind it, I'm not certain -- but that's more a
> problem/misunderstanding with rpm than an honest to pete security issue,
> I'm guessing.

/etc/shells can be very tricky as so many "unlikely" programs use it - ftpd is a classic example...
we were having all sorts of hassles with it until, of all things, /etc/shells was tweaked to reflect the "non-standard" location of the login shells of users on a box yp'ing and nfs'ing off a server.

If this is happening with the OPIE-ftpd package (I don't know it myself), then it is an rpm package problem and the person who maintains this package should be told about this. There is a way in the %files section of the .spec file to specify files that should be .rpmsave'd -- from (my rusty) memory, I think they should be specified as %config files - I don't have my copy of MaximumRPM with me at the moment.

Cheers
Tony
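
The failure diagnosed in this thread, a valid account whose login shell is no longer listed in /etc/shells, can be checked for before users run into it. The following is an added example (not from the posters or the OPIE package) that reports such accounts from passwd-format and shells-format text; the sample accounts and shell paths are constructed.

```c
/* Added example: list accounts whose login shell is missing from a shells file. */
#include <stdio.h>
#include <string.h>

#define LINE_LEN   512
#define MAX_SHELLS 64

struct finding { char user[64]; char shell[LINE_LEN]; };

/* Constructed sample data: adam's shell is absent from the shells file. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "adam:x:500:500:Adam:/home/adam:/usr/local/bin/zsh\n"
    "ftp:x:14:50:FTP User:/home/ftp:\n"
    "nobody:x:99:99:Nobody:/:/bin/false\n";
static const char SAMPLE_SHELLS[] =
    "# constructed shells file as it might look after an upgrade\n"
    "/bin/sh\n"
    "/bin/bash\n"
    "\n"
    "/bin/csh\n";

/* Read a shells file: one absolute path per line; blanks and '#' comments skipped. */
static int load_shells(FILE *f, char shells[][LINE_LEN], int max)
{
    char line[LINE_LEN];
    int n = 0;

    while (n < max && fgets(line, sizeof line, f)) {
        char *p = line + strspn(line, " \t");
        if (*p != '/')
            continue;
        p[strcspn(p, " \t\r\n#")] = '\0';
        strcpy(shells[n++], p);
    }
    return n;
}

/* Fill out[] with accounts whose shell is not listed; returns how many were found. */
int find_unlisted(FILE *passwd, FILE *shells_file, struct finding *out, int max)
{
    static char shells[MAX_SHELLS][LINE_LEN];
    char line[LINE_LEN];
    int nshells = load_shells(shells_file, shells, MAX_SHELLS);
    int found = 0;

    while (found < max && fgets(line, sizeof line, passwd)) {
        char *shell = NULL, *p;
        const char *effective;
        int colons = 0, i, listed = 0;

        /* Split in place; the login shell is the seventh ':'-separated field. */
        for (p = line; *p && !shell; p++)
            if (*p == ':') {
                *p = '\0';
                if (++colons == 6)
                    shell = p + 1;
            }
        if (!shell || line[0] == '\0')
            continue;                           /* malformed entry */
        shell[strcspn(shell, "\r\n")] = '\0';
        effective = *shell ? shell : "/bin/sh"; /* passwd(5): empty means /bin/sh */
        for (i = 0; i < nshells && !listed; i++)
            listed = strcmp(shells[i], effective) == 0;
        if (!listed) {
            snprintf(out[found].user, sizeof out[found].user, "%s", line);
            snprintf(out[found].shell, sizeof out[found].shell, "%s", effective);
            found++;
        }
    }
    return found;
}

/* Put text into an anonymous temporary file so the parser can read it as a stream. */
static FILE *text_file(const char *text)
{
    FILE *f = tmpfile();
    if (f) {
        fputs(text, f);
        rewind(f);
    }
    return f;
}

/* Run the check over the constructed sample; returns -1 if temp files fail. */
int check_sample(struct finding *out, int max)
{
    FILE *pw = text_file(SAMPLE_PASSWD), *sh = text_file(SAMPLE_SHELLS);
    int n = (pw && sh) ? find_unlisted(pw, sh, out, max) : -1;

    if (pw) fclose(pw);
    if (sh) fclose(sh);
    return n;
}

int main(void)
{
    struct finding f[16];
    int i, n = check_sample(f, 16);

    for (i = 0; i < n; i++)
        printf("%s: shell %s is not in the shells file\n", f[i].user, f[i].shell);
    return n < 0;
}
```

Accounts such as nobody with /bin/false are reported too; whether that is intended depends on whether the account is meant to be kept out of services that consult the shells file.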

From: Andries.Brouwer@cwi.nl
Date: Sat, 5 Dec 1998 11:47:24 +0100 (MET)
To: allbery@kf8nh.apk.net, linux-security@redhat.com
Cc: linux-afs@mit.edu
Subject: [linux-security] Re: Red Hat 5.2's login doesn't do PAM session management correctly

> I have a temporary patch to util-login which restores the original behavior

This was corrected a few weeks ago when the problem was recognized. See util-linux-2.9e.tar.gz from ftp.win.tue.nl:/pub/linux/util .

Andries

From: Sam Quigley <osquigle@cs.uchicago.edu>
Date: 05 Dec 1998 17:50:38 -0600
To: linux-security@redhat.com
cc: BUGTRAQ@netspace.org
Subject: portmap vulnerability?

Are there any known vulnerabilities in portmap (redhat's portmap-4.0-7b)? I've been receiving a lot of attempts to access the portmap port on some linuxppc machines I administer by various machines which clearly have no business with mine, and I wonder if this is an attempt to break in to my machines.

I've searched some archives, but I haven't yet found any known vulnerabilities in portmap that are likely to lead to any compromise of system security. If this is indeed a hack attempt (I believe it is), then this suggests that (a) there's some well-known vulnerability that I have been unable to find out about, or (b) this is a new exploit.

I haven't yet looked at the source to see if there are any obvious problems with portmap (buffer overflows, etc.), but I suspect that there may be.

-sq

From: Suchandra Thapa <soonu@sl-175-44.rh.uchicago.edu>
Date: Sun, 6 Dec 1998 05:57:31 -0600 (EST)
To: Sam Quigley <osquigle@cs.uchicago.edu>
cc: linux-security@redhat.com, BUGTRAQ@netspace.org
Subject: [linux-security] Re: portmap vulnerability?

Some versions of portmap would allow users to read/modify their table or would forward requests as the local system. You might just be getting attempts to try to exploit these holes. I would probably disable the portmap daemon if you don't need it. Reading the readme that comes with the package also gives more info on the vulnerabilities that may be present.

On 5 Dec 1998, Sam Quigley wrote:

>
> Are there any known vulnerabilities in portmap (redhat's
> portmap-4.0-7b)?
> I've been receiving a lot of attempts to access the
> portmap port on some linuxppc machines I administer by various
> machines which clearly have no business with mine, and I wonder if
> this is an attempt to break in to my machines.

From: wietse@porcupine.org (Wietse Venema)
Date: Sun, 6 Dec 1998 07:57:31 -0500 (EST)
To: osquigle@cs.uchicago.edu (Sam Quigley)
Cc: linux-security@redhat.com, BUGTRAQ@netspace.org
Subject: [linux-security] Re: portmap vulnerability?

Sam Quigley:
>
> Are there any known vulnerabilities in portmap (redhat's
> portmap-4.0-7b)? I've been receiving a lot of attempts to access the
> portmap port on some linuxppc machines I administer by various
> machines which clearly have no business with mine, and I wonder if
> this is an attempt to break in to my machines.

Reportedly, there's an automated tool that looks for vulnerable RPC daemons. The portmapper is a dictionary service. RPC daemons register with the portmapper. That's how the attacker finds them.

Wietse

From: Sam Quigley <osquigle@cs.uchicago.edu>
Date: 06 Dec 1998 14:46:32 -0600
To: linux-security@redhat.com
Subject: [linux-security] Re: portmap vulnerability?

Sam Quigley <osquigle@cs.uchicago.edu> writes:

> Are there any known vulnerabilities in portmap (redhat's
> portmap-4.0-7b)? I've been receiving a lot of attempts to access the
> portmap port on some linuxppc machines I administer by various
> machines which clearly have no business with mine, and I wonder if
> this is an attempt to break in to my machines.

...

> I haven't yet looked at the source to see if there are any obvious
> problems with portmap (buffer overflows, etc.), but I suspect that
> there may be.
>
> -sq

I actually now have reason to believe that these probes were part of a search to find machines running mountd, in an attempt to exploit the recently-publicized bugs in that code. portmap itself doesn't seem to have been the target of the attack, although on my machines that was how the attack manifested itself.

So this note becomes, rather, a warning to others that people are actively attempting to exploit the mountd vulnerabilities: be careful.

-sq
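
A detection-side view of the probes discussed in this thread, as an added example that is not from any of the posters: a decoder for the ONC RPC call header that tells which portmap procedure a UDP datagram sent to port 111 invokes and, for GETPORT, whether it asks for mountd. The sample packets are constructed, the verdict names are this example's own, and TCP record marking is not handled.

```c
/* Added example: classify a UDP payload addressed to the portmapper. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PMAP_PROG  100000u   /* the portmapper's own RPC program number */
#define MOUNT_PROG 100005u   /* mountd */

enum verdict {
    NOT_PORTMAP,         /* not a well-formed portmap version 2 call */
    PMAP_OTHER,          /* NULL ping, or GETPORT for some other program */
    PMAP_TABLE_WRITE,    /* SET / UNSET: attempt to modify the table */
    PMAP_DUMP,           /* DUMP: list every registered service */
    PMAP_CALLIT,         /* CALLIT: ask portmap to forward a call locally */
    PMAP_LOOKUP_MOUNTD   /* GETPORT asking where mountd listens */
};

/* Constructed samples, one 32-bit word per XDR field. */
static const uint32_t SAMPLE_GETPORT_MOUNTD[] = {
    0x12345678, 0, 2, PMAP_PROG, 2, 3,   /* xid, CALL, RPC v2, prog, vers, GETPORT */
    0, 0, 0, 0,                          /* AUTH_NONE credential and verifier */
    MOUNT_PROG, 1, 17, 0                 /* args: prog, vers, protocol UDP, port */
};
static const uint32_t SAMPLE_DUMP[] = {
    0x12345679, 0, 2, PMAP_PROG, 2, 4, 0, 0, 0, 0
};

/* Serialise words in network byte order; returns the number of bytes written. */
size_t pack_be(const uint32_t *w, size_t n, unsigned char *out)
{
    size_t i;
    for (i = 0; i < n; i++) {
        out[4 * i]     = (unsigned char)(w[i] >> 24);
        out[4 * i + 1] = (unsigned char)(w[i] >> 16);
        out[4 * i + 2] = (unsigned char)(w[i] >> 8);
        out[4 * i + 3] = (unsigned char)w[i];
    }
    return 4 * n;
}

/* Bounds-checked read of one big-endian 32-bit field. */
static int rd32(const unsigned char *b, size_t len, size_t *off, uint32_t *v)
{
    if (*off > len || len - *off < 4)
        return 0;
    *v = ((uint32_t)b[*off] << 24) | ((uint32_t)b[*off + 1] << 16) |
         ((uint32_t)b[*off + 2] << 8) | (uint32_t)b[*off + 3];
    *off += 4;
    return 1;
}

/* Skip one opaque_auth: flavor, length, body padded to 4 bytes (at most 400). */
static int skip_auth(const unsigned char *b, size_t len, size_t *off)
{
    uint32_t flavor, n;
    if (!rd32(b, len, off, &flavor) || !rd32(b, len, off, &n) || n > 400)
        return 0;
    n = (n + 3u) & ~3u;
    if (len - *off < n)
        return 0;
    *off += n;
    return 1;
}

enum verdict classify(const unsigned char *b, size_t len)
{
    size_t off = 0;
    uint32_t xid, type, rpcvers, prog, vers, proc, target;

    if (!rd32(b, len, &off, &xid) || !rd32(b, len, &off, &type) ||
        !rd32(b, len, &off, &rpcvers) || !rd32(b, len, &off, &prog) ||
        !rd32(b, len, &off, &vers) || !rd32(b, len, &off, &proc))
        return NOT_PORTMAP;
    if (type != 0 || rpcvers != 2 || prog != PMAP_PROG || vers != 2)
        return NOT_PORTMAP;
    if (!skip_auth(b, len, &off) || !skip_auth(b, len, &off))
        return NOT_PORTMAP;
    switch (proc) {
    case 1: case 2: return PMAP_TABLE_WRITE;
    case 4:         return PMAP_DUMP;
    case 5:         return PMAP_CALLIT;
    case 3:         /* GETPORT: first argument is the program being looked up */
        if (!rd32(b, len, &off, &target))
            return NOT_PORTMAP;
        return target == MOUNT_PROG ? PMAP_LOOKUP_MOUNTD : PMAP_OTHER;
    default:        return PMAP_OTHER;
    }
}

int main(void)
{
    unsigned char buf[64];
    size_t n = pack_be(SAMPLE_GETPORT_MOUNTD, 14, buf);
    printf("GETPORT sample verdict: %d\n", (int)classify(buf, n));
    n = pack_be(SAMPLE_DUMP, 10, buf);
    printf("DUMP sample verdict: %d\n", (int)classify(buf, n));
    return 0;
}
```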

Subject: [linux-security] Re: portmap vulnerability?
To: lindsey@ncsa.uiuc.edu (Christopher Lindsey)
Date: Wed, 9 Dec 1998 08:57:29 +0100 (MET)
Cc: soonu@sl-175-44.rh.uchicago.edu, linux-security@redhat.com
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)

Christopher Lindsey wrote:
> > Some versions of portmap would allow users to read/modify
> > their table or would forward requests as the local system. You
> > might just be getting attempts to try to exploit these holes. I
> > would probably disable the portmap daemon if you don't need it. Reading
> > the readme that comes with the package also gives more info on the
> > vulnerabilities that may be present.
>
> And of course if you must run portmap, use TCP wrappers to limit
> it to a certain range of hosts. Assuming that hosts.deny has

Actually, portmapper cannot run "behind" tcp wrappers. It opens its port and waits for connections. However, it seems that modern portmappers are linked with the library from tcpwrappers, so that it takes the same config files as the tcpwrappers do. Nifty!

> ALL:ALL
>
> You can add an entry like
>
> portmap:199.198.24.0/255.255.255.0
>
> (assuming you're at redhat.com and want to limit RPC services to that
> IP block)...
>
> rpc.mountd can also be limited, but I don't know if that support
> is in the default RedHat binaries. You can always grab the source
> from
>
> ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/
>
> Chris
>

Roger.

-- 
My pet light bulb is a year old today.             \_________ R.E.Wolff@BitWizard.nl
That's 5.9*10^12 miles. Your mileage will NOT vary.\__Phone: +31-15-2137555
--(time <-> distance can be converted: lightspeed)-- \____ fax: ..-2138217
We write Linux device drivers for any device you may have! \_______________

Date: Wed, 9 Dec 1998 08:39:22 -0500 (EST)
From: "Paul L. Schmidt" <pschmidt@custom.net>
To: linux-security@redhat.com
Subject: [linux-security] Re: portmap vulnerability?

On 9 Dec 1998 R.E.Wolff@BitWizard.nl wrote:
> Christopher Lindsey wrote:
> > And of course if you must run portmap, use TCP wrappers to limit
> > it to a certain range of hosts. Assuming that hosts.deny has
>
> Actually, portmapper cannot run "behind" tcp wrappers. It opens
> its port and waits for connections. However, it seems that modern
> portmappers are linked with the library from tcpwrappers, so that
> it takes the same config files as the tcpwrappers do. Nifty!
>

<-snip->

> > rpc.mountd can also be limited, but I don't know if that support
> > is in the default RedHat binaries. You can always grab the source
> > from
> >
> > ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/

Another solution is to compile the kernel with IP firewalling and do the filtering at the kernel level. This solution will be port-specific rather than application-specific, but it will work with anything - whether or not it's wrapper-aware.

-ps

Paul Schmidt < >< PSchmidt at Custom dot Net
Bloomfield, IN USA Linux 2.0.36 web: viaduct.custom.net/pschmidt
Truckstop Psychic
1998-Dec-04 06:16 UTC
[linux-security] Re: interactions between OPIE-ftpd and RH5.2
Quoting Guan Sin Ong (guansin@inet-one.com):
> Any change to /etc/shells after the upgrade?

As it turns out... Yes.

Discovered this last night, and should have caught it sooner -- it's a pretty distinct error condition.

Now, why a package upgrade would change /etc/shells and *not* leave a distinct .rpmsave file behind it, I'm not certain -- but that's more a problem/misunderstanding with rpm than an honest to pete security issue, I'm guessing.

*sigh*

Thanks for the indulgence, everyone. I'll try and find something meatier next time. :)

A

-- 
Cooking is a sacred activity. It is an act of lovemaking. Our society is spiritually malnourished because we have abandoned the kitchen.
- novelist Laura Esquivel, author of _Like Water for Chocolate_
<adam@baz.org> <adam hirsch>
Tony Nugent
1998-Dec-04 18:10 UTC
[linux-security] Re: interactions between OPIE-ftpd and RH5.2
On Fri Dec 04 1998 at 09:16, Truckstop Psychic wrote:
> > Any change to /etc/shells after the upgrade?
> As it turns out... Yes.
> Discovered this last night, and should have caught it sooner -- it's a
> pretty distinct error condition.
> Now, why a package upgrade would change /etc/shells and *not* leave a
> distinct .rpmsave file behind it, I'm not certain -- but that's more a
> problem/misunderstanding with rpm than an honest to pete security issue,
> I'm guessing.

/etc/shells can be very tricky as so many "unlikely" programs use it - ftpd is a classic example... we were having all sorts of hassles with it until, of all things, /etc/shells was tweaked to reflect the "non-standard" location of the login shells of users on a box yp'ing and nfs'ing off a server.

If this is happening with the OPIE-ftpd package (I don't know it myself), then it is an rpm package problem and the person who maintains this package should be told about this. There is a way in the %files section of the .spec file to specify files that should be .rpmsave'd -- from (my rusty) memory, I think they should be specified as %config files - I don't have my copy of MaximumRPM with me at the moment.

Cheers
Tony
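
A check for the failure this thread tracked down, as an added example that is not part of the original messages: it compares passwd entries against a pre-upgrade and a post-upgrade copy of /etc/shells and reports which accounts a shell-checking ftpd would start refusing. It assumes the ftpd rejects any account whose login shell is not listed in /etc/shells; the function names and all sample file contents are constructed for illustration.

```python
def listed_shells(shells_text):
    """Return the set of shells named in /etc/shells style text."""
    shells = set()
    for line in shells_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells

def login_shells(passwd_text):
    """Map user name -> login shell from passwd style text."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        # An empty shell field means /bin/sh.
        users[fields[0]] = fields[6] or "/bin/sh"
    return users

def rejected_users(passwd_text, shells_text):
    """Users whose login shell is absent from the shells list."""
    ok = listed_shells(shells_text)
    return sorted(u for u, sh in login_shells(passwd_text).items()
                  if sh not in ok)

def broken_by_change(passwd_text, old_shells, new_shells):
    """Users accepted under the old list but rejected under the new one."""
    before = set(rejected_users(passwd_text, old_shells))
    after = set(rejected_users(passwd_text, new_shells))
    return sorted(after - before)

# Constructed sample data, not taken from the poster's system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
adam:x:500:500::/home/adam:/bin/tcsh
build:x:501:501::/home/build:/usr/local/bin/zsh
svc:x:502:502::/home/svc:
nobody:x:99:99:Nobody:/:/bin/false
"""
OLD_SHELLS = "/bin/sh\n/bin/bash\n/bin/tcsh\n/usr/local/bin/zsh\n"
NEW_SHELLS = "# constructed post-upgrade copy\n/bin/sh\n/bin/bash\n/bin/csh\n"

if __name__ == "__main__":
    print("newly rejected:", broken_by_change(PASSWD, OLD_SHELLS, NEW_SHELLS))
```

Running the same comparison against a saved copy of /etc/shells before and after a package upgrade separates accounts that were never accepted from those the upgrade broke.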