Ran into a weird problem, and this seemed a good forum to toss it out into
-- if I've gaffed, please let me know.
Just upgraded my RH5.0 box to RH5.2. Went well, worked nearly seamlessly.
When running 5.0, though, I'd installed the opie-fied ftpd that comes with
the most recent opie package (ftp://ftp.inner.net/pub/opie/opie-2.32.tar.gz)
and had it work without a hitch. I'd also changed /bin/login and /bin/su
to their opie counterparts.
Once I'd finished the upgrade, login and su still worked exactly as before,
but attempting to ftp in failed. User gets prompted for name, receives the
correct opie prompt, gives the one-time-password, and gets unceremoniously
told "Login incorrect."
Interestingly, the next time the user tries, the opie sequence *has*
decremented by one -- clearly, the user is satisfying the challenge
somewhere. (and it doesn't decrement if the one-time-password is
incorrect.)
The error that gets logged is of this form:
# Dec 3 11:36:41 foo ftpd[23527]: connection from localhost at Thu Dec 3 11:36:41 1998
# Dec 3 11:36:42 foo ftpd[23527]: Invalid FTP user name adam attempted from localhost.
Naturally, the username "adam" is a valid one, and I can successfully ftp
in using that userid and a static password via the stock wuftpd that RedHat
sees fit to ship.
Anonymous ftp via the opie-ftpd works just fine.
# Dec 3 11:41:06 foo ftpd[23536]: Anonymous FTP connection made from host localhost.
# Dec 3 11:41:09 foo ftpd[23536]: ANONYMOUS FTP login from localhost with ID foo@bar.org
So my question is this: since the opie ftpd shouldn't (in my limited
understanding) be making calls to pam, an upgraded pam shouldn't be causing
this, especially given the fact that opie-login and opie-su work just
fine... Is there some other obvious breaking-point that I'm missing here?
A
[mod: Readers, please reply to Adam. Adam, please summarize in a week
or so. -- REW]
--
Nostalgia is a product of dissatisfaction and rage. It's a settling of
grievances between the present and the past. The more powerful the
nostalgia, the closer you come to violence. War is the form nostalgia takes
when men are hard-pressed to say something good about their country.
<adam@baz.org> - Don DeLillo, in _White Noise_
From mail@mail.redhat.com Fri Dec 4 18:12:56 1998
Message-ID: <19981204091619.A26417@baz.org>
Date: Fri, 4 Dec 1998 09:16:19 -0500
From: Truckstop Psychic <adam@baz.org>
To: linux-security@redhat.com
Cc: Guan Sin Ong <guansin@inet-one.com>
Subject: [linux-security] Re: interactions between OPIE-ftpd and RH5.2
References: <19981203115031.B23491@baz.org>
<3667B167.519FD6AA@inet-one.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <3667B167.519FD6AA@inet-one.com>; from Guan Sin Ong
<guansin@inet-one.com> on Dec 04, 1998 at 09:54:47AM
X-moderate: yes
Quoting Guan Sin Ong (guansin@inet-one.com):
> Any change to /etc/shells after the upgrade?
As it turns out... Yes.
Discovered this last night, and should have caught it sooner -- it's a
pretty distinct error condition.
Now, why a package upgrade would change /etc/shells and *not* leave a
distinct .rpmsave file behind it, I'm not certain -- but that's more a
problem/misunderstanding with rpm than an honest to pete security issue,
I'm guessing.
*sigh* Thanks for the indulgence, everyone. I'll try and find something
meatier next time. :)
A
--
Cooking is a sacred activity. It is an act of lovemaking. Our society
is spiritually malnourished because we have abandoned the kitchen.
- novelist Laura Esquivel, author of _Like Water for Chocolate_
<adam@baz.org> <adam hirsch>
From mail@mail.redhat.com Sat Dec 5 03:20:41 1998
Message-Id: <199812050042.TAA19863@hilfy.ece.cmu.edu>
X-Mailer: exmh version 2.0.2 2/24/98
To: linux-security@redhat.com
cc: linux-afs@mit.edu
Subject: Red Hat 5.2's login doesn't do PAM session management correctly
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 04 Dec 1998 19:42:23 -0500
From: "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
X-moderate: yes
This is a "heads up" for anyone who relies on PAM session management in
order to clean up after a login session. Red Hat 5.2's login does not
perform PAM session management correctly, potentially resulting in sessions
which lose their authentication before the login shell starts.
login.c in Red Hat 5.2's util-linux package was modified so that it no
longer forks a separate process for the user's shell; instead, it
immediately closes the session and execs the user's shell. This means that
a PAM module which expects to be able to do post-session cleanup in its
pam_close_session hook will do the cleanup *before* the user's shell is
invoked. This breaks the pam_linux_afs module (which invokes AFS's unlog)
and KTH Kerberos's pam_krb4 module (which destroys the ticket cache), among
others, so the session is effectively unauthenticated (contrary to both PAM
documentation and users' and administrators' expectations).
The workaround for pam_linux_afs is to remove the session entry for
pam_linux_afs from /etc/pam.d/login and add "no_unlog" to the auth entry. I
haven't tried to produce a workaround for KTH pam_krb4 yet because it has
several other bugs which make it unusable in our environment and I haven't
had the time to sit down and fix it.
I have a temporary patch to util-login which restores the original behavior,
and I have submitted a bug report to Red Hat (which was acknowledged today).
(If anyone needs the patch, send mail to me at allbery@ece.cmu.edu and I'll
send you the patch and spec file.)
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering KF8NH
Kiss my bits, Billy-boy.
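The ordering problem described in the message above, as an added example that is not part of the original post and is not Red Hat's, util-linux's or any PAM module's code. A temporary file stands in for the credential a session module manages; the hook names, run_login and the three order labels are hypothetical, and the third order models the post's workaround as the close hook never running, which is an assumption about its effect.

```c
/* Added example: models the session-hook ordering; no libpam is involved.
 * A temporary file stands in for the credential (AFS token, Kerberos
 * ticket cache). Hook and function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum order { CLOSE_BEFORE_SHELL, FORK_WAIT_CLOSE, NO_CLOSE_HOOK };
#define SHELL_HAD_CRED   1   /* credential existed when the shell started */
#define CRED_LEFT_BEHIND 2   /* credential still existed after logout */

static char ticket[64];

/* Stand-in for a module's open-session hook: create the credential. */
static int open_session_hook(void)
{
    int fd;

    strcpy(ticket, "/tmp/tkt_demo_XXXXXX");
    fd = mkstemp(ticket);
    return fd < 0 ? -1 : close(fd);
}

/* Stand-in for the close-session hook: destroy the credential. */
static void close_session_hook(void)
{
    unlink(ticket);
}

/* Stand-in for the user's shell, run as a child process. Returns 1 if the
 * credential was readable when the shell started, 0 if not, -1 on error. */
static int shell_sees_credential(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(access(ticket, R_OK) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Run one login in the given order; returns a bitmask of the two flags
 * above, or -1 on error. */
int run_login(enum order order)
{
    int seen, result = 0;

    if (open_session_hook() < 0)
        return -1;
    if (order == CLOSE_BEFORE_SHELL)
        close_session_hook();        /* cleanup runs before the shell exists */
    seen = shell_sees_credential();  /* parent waits here until "logout" */
    if (seen < 0) {
        unlink(ticket);
        return -1;
    }
    if (order == FORK_WAIT_CLOSE)
        close_session_hook();        /* cleanup runs after the shell exits */
    if (seen)
        result |= SHELL_HAD_CRED;
    if (access(ticket, F_OK) == 0) {
        result |= CRED_LEFT_BEHIND;
        unlink(ticket);              /* tidy up the demo file */
    }
    return result;
}

int main(void)
{
    static const char *label[] = {
        "close before shell (order described for RH 5.2 login)",
        "fork, wait, then close (original order)",
        "close hook never runs (model of the workaround)"
    };
    int o;

    for (o = CLOSE_BEFORE_SHELL; o <= NO_CLOSE_HOOK; o++) {
        int r = run_login((enum order)o);
        printf("%-55s shell had credential: %s, left after logout: %s\n",
               label[o], (r & SHELL_HAD_CRED) ? "yes" : "no",
               (r & CRED_LEFT_BEHIND) ? "yes" : "no");
    }
    return 0;
}
```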
From mail@mail.redhat.com Sat Dec 5 03:21:39 1998
Message-Id: <199812050210.MAA21570@tashi.sci.usq.edu.au>
To: linux-security@redhat.com
X-URL: http://www.sci.usq.edu.au/staff/nugent
Organization: Faculty of Science, University of Southern Queensland
X-Mailer: nmh-0.27 exmh-2.0.2
X-Linux-Version: 2.0.36
Subject: [linux-security] Re: interactions between OPIE-ftpd and RH5.2
In-Reply-To: message-id <19981204091619.A26417@baz.org>
of Fri, Dec 04 09:16:19 1998
Date: Sat, 05 Dec 1998 12:10:52 +1000
From: Tony Nugent <Tony.Nugent@usq.edu.au>
X-moderate: yes
On Fri Dec 04 1998 at 09:16, Truckstop Psychic wrote:
> > Any change to /etc/shells after the upgrade?
> As it turns out... Yes.
> Discovered this last night, and should have caught it sooner -- it's a
> pretty distinct error condition.
> Now, why a package upgrade would change /etc/shells and *not* leave a
> distinct .rpmsave file behind it, I'm not certain -- but that's more a
> problem/misunderstanding with rpm than an honest to pete security issue,
> I'm guessing.
/etc/shells can be very tricky as so many "unlikely" programs use it - ftpd
is a classic example... we were having all sorts of hassles with it until,
of all things, /etc/shells was tweaked to reflect the "non-standard"
location of the login shells of users on a box yp'ing and nfs'ing off a
server.
If this is happening with the OPIE-ftpd package (I don't know it myself),
then it is an rpm package problem and the person who maintains this package
should be told about this.
There is a way in the %files section of the .spec file to specify files
that should be .rpmsave'd -- from (my rusty) memory, I think they should
be specified as %config files - I don't have my copy of MaximumRPM with me
at the moment.
Cheers
Tony
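The /etc/shells dependency discussed in this thread, as an added example that is not part of any poster's message or of the OPIE or wu-ftpd sources: ftpd daemons traditionally accept a user only if the login shell from the passwd entry is listed in /etc/shells (an empty shell field counts as /bin/sh), and this audit lists the accounts that check would refuse. The function names and the sample passwd and shells data are constructed for illustration.

```c
/* Added example: list the accounts an ftpd-style /etc/shells check would
 * refuse. Files are passed in, so the audit can run on copies of the real
 * files; the sample data below is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char SAMPLE_SHELLS[] =
    "# constructed /etc/shells as left by an upgrade\n"
    "/bin/sh\n/bin/bash   # default\n\n/bin/csh\n";
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "adam:x:500:500:Adam:/home/adam:/usr/local/bin/zsh\n"
    "bob:x:501:501::/home/bob:\n"
    "carol:x:502:502::/home/carol:/bin/tcsh\n";

/* 1 if `shell` appears in the shells file, 0 if not. Text after '#' and
 * surrounding blanks are ignored, so comment and empty lines never match. */
int shell_is_listed(FILE *shells, const char *shell)
{
    char line[512];
    int found = 0;

    rewind(shells);
    while (!found && fgets(line, sizeof line, shells) != NULL) {
        char *p = line, *end;

        line[strcspn(line, "#\r\n")] = '\0';
        while (*p == ' ' || *p == '\t')
            p++;
        end = p + strlen(p);
        while (end > p && (end[-1] == ' ' || end[-1] == '\t'))
            *--end = '\0';
        found = (*p != '\0' && strcmp(p, shell) == 0);
    }
    return found;
}

/* Walk a passwd-format file and collect, space-separated in `out`, the
 * users whose shell (field 7; empty means /bin/sh) is not listed.
 * Returns the number of such users. */
int rejected_users(FILE *passwd, FILE *shells, char *out, size_t out_len)
{
    char line[1024];
    int count = 0;

    if (out_len == 0)
        return -1;
    out[0] = '\0';
    rewind(passwd);
    while (fgets(line, sizeof line, passwd) != NULL) {
        char *shell = line;
        int field;

        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '#')
            continue;                       /* comment line */
        for (field = 0; field < 6 && shell != NULL; field++) {
            shell = strchr(shell, ':');     /* skip to the next field */
            if (shell != NULL)
                shell++;
        }
        if (shell == NULL)
            continue;                       /* fewer than seven fields */
        if (!shell_is_listed(shells, *shell ? shell : "/bin/sh")) {
            size_t used = strlen(out), name_len = strcspn(line, ":");

            if (used + name_len + 2 <= out_len) {
                if (used > 0)
                    out[used++] = ' ';
                memcpy(out + used, line, name_len);
                out[used + name_len] = '\0';
            }
            count++;
        }
    }
    return count;
}

/* Put constructed text into an anonymous temporary file. */
static FILE *sample_file(const char *text)
{
    FILE *fp = tmpfile();

    if (fp != NULL)
        fputs(text, fp);
    return fp;
}

/* Run the audit over the constructed samples; returns the refused names. */
const char *demo_refused(void)
{
    static char names[256];
    FILE *pw = sample_file(SAMPLE_PASSWD), *sh = sample_file(SAMPLE_SHELLS);

    if (pw == NULL || sh == NULL || rejected_users(pw, sh, names, sizeof names) < 0)
        strcpy(names, "error");
    if (pw != NULL) fclose(pw);
    if (sh != NULL) fclose(sh);
    return names;
}

int main(void)
{
    printf("ftpd-style check would refuse: %s\n", demo_refused());
    return 0;
}
```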
From mail@mail.redhat.com Sat Dec 5 07:56:33 1998
Date: Sat, 5 Dec 1998 11:47:24 +0100 (MET)
From: Andries.Brouwer@cwi.nl
Message-Id: <UTC199812051047.LAA103995.aeb@texel.cwi.nl>
To: allbery@kf8nh.apk.net, linux-security@redhat.com
Subject: [linux-security] Re: Red Hat 5.2's login doesn't do PAM session
management correctly
Cc: linux-afs@mit.edu
X-moderate: yes
> I have a temporary patch to util-login which restores the original behavior
This was corrected a few weeks ago when the problem was recognized.
See util-linux-2.9e.tar.gz from ftp.win.tue.nl:/pub/linux/util .
Andries
From mail@mail.redhat.com Sun Dec 6 05:09:40 1998
To: linux-security@redhat.com
cc: BUGTRAQ@netspace.org
Subject: portmap vulnerability?
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
From: Sam Quigley <osquigle@cs.uchicago.edu>
Date: 05 Dec 1998 17:50:38 -0600
Message-ID: <o9u7lw6ywq9.fsf@yeenoghu.cs.uchicago.edu>
Lines: 19
X-Mailer: Gnus v5.6.9/XEmacs 20.4 - "Emerald"
X-moderate: yes
Are there any known vulnerabilities in portmap (redhat's
portmap-4.0-7b)? I've been receiving a lot of attempts to access the
portmap port on some linuxppc machines I administer by various
machines which clearly have no business with mine, and I wonder if
this is an attempt to break in to my machines.
I've searched some archives, but I haven't yet found any known
vulnerabilities in portmap that are likely to lead to any compromise
of system security. If this is indeed a hack attempt (I believe it
is), then this suggests that (a) there's some well-known vulnerability
that I have been unable to find out about, or (b) this is a new
exploit.
I haven't yet looked at the source to see if there are any obvious
problems with portmap (buffer overflows, etc.), but I suspect that
there may be.
-sq
From mail@mail.redhat.com Sun Dec 6 07:43:38 1998
Date: Sun, 6 Dec 1998 05:57:31 -0600 (EST)
From: Suchandra Thapa <soonu@sl-175-44.rh.uchicago.edu>
To: Sam Quigley <osquigle@cs.uchicago.edu>
cc: linux-security@redhat.com, BUGTRAQ@netspace.org
Subject: [linux-security] Re: portmap vulnerability?
In-Reply-To: <o9u7lw6ywq9.fsf@yeenoghu.cs.uchicago.edu>
Message-ID:
<Pine.LNX.4.04.9812060550340.2075-100000@sl-175-44.rh.uchicago.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Some versions of portmap would allow users to read/modify
their table or would forward requests as the local system. You
might just be getting attempts to try to exploit these holes. I
would probably disable the portmap daemon if you don't need it. Reading
the readme that comes with the package also gives more info on the
vulnerabilities that may be present.
On 5 Dec 1998, Sam Quigley wrote:
>
> Are there any known vulnerabilities in portmap (redhat's
> portmap-4.0-7b)? I've been receiving a lot of attempts to access the
> portmap port on some linuxppc machines I administer by various
> machines which clearly have no business with mine, and I wonder if
> this is an attempt to break in to my machines.
From mail@mail.redhat.com Sun Dec 6 08:29:04 1998
Subject: [linux-security] Re: portmap vulnerability?
To: osquigle@cs.uchicago.edu (Sam Quigley)
Date: Sun, 6 Dec 1998 07:57:31 -0500 (EST)
Cc: linux-security@redhat.com, BUGTRAQ@netspace.org
In-Reply-To: <o9u7lw6ywq9.fsf@yeenoghu.cs.uchicago.edu> from Sam Quigley
at "Dec 5, 98 05:50:38 pm"
X-Time-Zone: USA EST, 6 hours behind central European time
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <19981206125731.9EF66458A5@spike.porcupine.org>
From: wietse@porcupine.org (Wietse Venema)
X-moderate: yes
Sam Quigley:
> Are there any known vulnerabilities in portmap (redhat's
> portmap-4.0-7b)? I've been receiving a lot of attempts to access the
> portmap port on some linuxppc machines I administer by various
> machines which clearly have no business with mine, and I wonder if
> this is an attempt to break in to my machines.
Reportedly, there's an automated tool that looks for vulnerable
RPC daemons.
The portmapper is a dictionary service. RPC daemons register with
the portmapper. That's how the attacker finds them.
Wietse
From mail@mail.redhat.com Sun Dec 6 19:20:17 1998
To: linux-security@redhat.com
Subject: [linux-security] Re: portmap vulnerability?
References: <o9u7lw6ywq9.fsf@yeenoghu.cs.uchicago.edu>
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
From: Sam Quigley <osquigle@cs.uchicago.edu>
Date: 06 Dec 1998 14:46:32 -0600
In-Reply-To: Sam Quigley's message of "05 Dec 1998 17:50:38 -0600"
Message-ID: <o9ud85xdmmv.fsf@yeenoghu.cs.uchicago.edu>
Lines: 27
X-Mailer: Gnus v5.6.9/XEmacs 20.4 - "Emerald"
X-moderate: yes
Sam Quigley <osquigle@cs.uchicago.edu> writes:
> Are there any known vulnerabilities in portmap (redhat's
> portmap-4.0-7b)? I've been receiving a lot of attempts to access the
> portmap port on some linuxppc machines I administer by various
> machines which clearly have no business with mine, and I wonder if
> this is an attempt to break in to my machines.
> ...
> I haven't yet looked at the source to see if there are any obvious
> problems with portmap (buffer overflows, etc.), but I suspect that
> there may be.
>
> -sq
I actually now have reason to believe that these probes were part of
a search to find machines running mountd, in an attempt to exploit the
recently-publicized bugs in that code.
portmap itself doesn't seem to have been the target of the attack,
although on my machines that was how the attack manifested itself.
So this note becomes, rather, a warning to others that people are
actively attempting to exploit the mountd vulnerabilities: be careful.
-sq
From mail@mail.redhat.com Wed Dec 9 06:42:17 1998
Message-Id: <199812090757.IAA00430@cave.bitwizard.nl>
Subject: [linux-security] Re: portmap vulnerability?
In-Reply-To: <199812081857.MAA23959@ferret.ncsa.uiuc.edu> from Christopher
Lindsey at "Dec 8, 98 12:57:00 pm"
To: lindsey@ncsa.uiuc.edu (Christopher Lindsey)
Date: Wed, 9 Dec 1998 08:57:29 +0100 (MET)
Cc: soonu@sl-175-44.rh.uchicago.edu, linux-security@redhat.com
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
X-Mailer: ELM [version 2.4ME+ PL37 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-moderate: yes
Christopher Lindsey wrote:
> > Some versions of portmap would allow users to read/modify
> > their table or would forward requests as the local system. You
> > might just be getting attempts to try to exploit these holes. I
> > would probably disable the portmap daemon if you don't need it.
> > Reading the readme that comes with the package also gives more
> > info on the vulnerabilities that may be present.
>
> And of course if you must run portmap, use TCP wrappers to limit
> it to a certain range of hosts. Assuming that hosts.deny has
Actually, portmapper cannot run "behind" tcp wrappers. It opens
its port and waits for connections. However, it seems that modern
portmappers are linked with the library from tcpwrappers, so that
it takes the same config files as the tcpwrappers do. Nifty!
> ALL:ALL
>
> You can add an entry like
>
> portmap:199.198.24.0/255.255.255.0
>
> (assuming you're at redhat.com and want to limit RPC services to that
> IP block)...
>
> rpc.mountd can also be limited, but I don't know if that support
> is in the default RedHat binaries. You can always grab the source
> from
>
> ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/
>
> Chris
>
Roger.
--
My pet light bulb is a year old today. \_________ R.E.Wolff@BitWizard.nl
That's 5.9*10^12 miles. Your mileage will NOT vary.\__Phone: +31-15-2137555
--(time <-> distance can be converted: lightspeed)-- \____ fax: ..-2138217
We write Linux device drivers for any device you may have! \_______________
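
Added example, not part of the original thread: a small evaluator for the hosts.allow / hosts.deny pair quoted above, useful for checking which client addresses a wrapper-linked portmap would serve. The function names and the sample addresses are made up for illustration, and only address patterns (ALL, exact address, trailing-dot prefix, net/mask) are handled.

```python
import ipaddress

# Constructed sample files mirroring the two rules quoted in the thread.
HOSTS_ALLOW = "portmap: 199.198.24.0/255.255.255.0\n"
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts_access-style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        fields = line.split(":")          # a third field (options) is ignored
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                     # net/mask with a dotted mask
        net, mask = pattern.split("/", 1)
        try:
            masked = int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))
            return masked == int(ipaddress.IPv4Address(net))
        except ValueError:                 # malformed pattern never matches
            return False
    if pattern.endswith("."):              # e.g. "199.198.24."
        return addr.startswith(pattern)
    return pattern == addr

def matches(rules, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr) for p in clients)
               for daemons, clients in rules)

def is_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if matches(parse_rules(allow_text), daemon, addr):
        return True
    if matches(parse_rules(deny_text), daemon, addr):
        return False
    return True

if __name__ == "__main__":
    for addr in ("199.198.24.17", "199.198.25.17", "10.0.0.5"):
        print(addr, "allowed" if is_allowed("portmap", addr) else "denied")
```

With an empty hosts.deny the same evaluator allows every address, which is why the quoted advice depends on the ALL:ALL entry being present.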
From mail@mail.redhat.com Wed Dec 9 10:24:39 1998
Date: Wed, 9 Dec 1998 08:39:22 -0500 (EST)
From: "Paul L. Schmidt" <pschmidt@custom.net>
X-Sender: pschmidt@k9ps.ampr.org
To: linux-security@redhat.com
Subject: [linux-security] Re: portmap vulnerability?
In-Reply-To: <tcppop3.2146931@Viaduct.CUSTOM.NET>
Message-ID: <Pine.LNX.3.91.981209081742.26510B-100000@k9ps.ampr.org>
Errors-To: pschmidt@custom.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
On 9 Dec 1998 R.E.Wolff@BitWizard.nl wrote:
> Christopher Lindsey wrote:
> > And of course if you must run portmap, use TCP wrappers to limit
> > it to a certain range of hosts. Assuming that hosts.deny has
>
> Actually, portmapper cannot run "behind" tcp wrappers. It opens
> its port and waits for connections. However, it seems that modern
> portmappers are linked with the library from tcpwrappers, so that
> it takes the same config files as the tcpwrappers do. Nifty!
>
<-snip->
> > rpc.mountd can also be limited, but I don't know if that support
> > is in the default RedHat binaries. You can always grab the source
> > from
> >
> > ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/
Another solution is to compile the kernel with IP firewalling and
do the filtering at the kernel level. This solution will be port-
specific rather than application-specific, but it will work with
anything - whether or not it's wrapper-aware.
-ps
Paul Schmidt < >< PSchmidt at Custom dot Net
Bloomfield, IN USA Linux 2.0.36 web: viaduct.custom.net/pschmidt
Truckstop Psychic
1998-Dec-04 06:16 UTC
[linux-security] Re: interactions between OPIE-ftpd and RH5.2
Quoting Guan Sin Ong (guansin@inet-one.com):
> Any change to /etc/shells after the upgrade?
As it turns out... Yes.
Discovered this last night, and should have caught it sooner -- it's a
pretty distinct error condition.
Now, why a package upgrade would change /etc/shells and *not* leave a
distinct .rpmsave file behind it, I'm not certain -- but that's more a
problem/misunderstanding with rpm than an honest to pete security issue,
I'm guessing.
*sigh* Thanks for the indulgence, everyone. I'll try and find something
meatier next time. :)
A
--
Cooking is a sacred activity. It is an act of lovemaking. Our society is
spiritually malnourished because we have abandoned the kitchen.
- novelist Laura Esquivel, author of _Like Water for Chocolate_
<adam@baz.org> <adam hirsch>
Tony Nugent
1998-Dec-04 18:10 UTC
[linux-security] Re: interactions between OPIE-ftpd and RH5.2
On Fri Dec 04 1998 at 09:16, Truckstop Psychic wrote:
> > Any change to /etc/shells after the upgrade?
> As it turns out... Yes.
> Discovered this last night, and should have caught it sooner -- it's a
> pretty distinct error condition.
> Now, why a package upgrade would change /etc/shells and *not* leave a
> distinct .rpmsave file behind it, I'm not certain -- but that's more a
> problem/misunderstanding with rpm than an honest to pete security issue,
> I'm guessing.
/etc/shells can be very tricky as so many "unlikely" programs use it -
ftpd is a classic example... we were having all sorts of hassles with it
until, of all things, /etc/shells was tweaked to reflect the
"non-standard" location of the login shells of users on a box yp'ing and
nfs'ing off a server.
If this is happening with the OPIE-ftpd package (I don't know it myself),
then it is an rpm package problem and the person who maintains this
package should be told about this. There is a way in the %files section
of the .spec file to specify files that should be .rpmsave'd -- from (my
rusty) memory, I think they should be specified as %config files - I
don't have my copy of MaximumRPM with me at the moment.
Cheers
Tony
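
Added example, not part of the original thread: a post-upgrade check that lists accounts whose login shell is no longer in /etc/shells, the condition the thread identifies as the cause of the ftp failures. The file contents and function names are constructed for illustration; it assumes an ftpd that refuses any user whose shell is not listed in /etc/shells and treats an empty shell field as /bin/sh.

```python
# Constructed sample data; not taken from the poster's machine.
SHELLS_BEFORE = "/bin/sh\n/bin/bash\n/bin/csh\n/usr/local/bin/tcsh\n"
SHELLS_AFTER = "# replaced by the upgrade\n/bin/sh\n/bin/bash\n/bin/csh\n"
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "adam:x:500:500:Adam:/home/adam:/usr/local/bin/tcsh\n"
    "ftp:x:14:50:FTP User:/home/ftp:\n"
    "nobody:x:99:99:Nobody:/:/bin/false\n"
)

def valid_shells(shells_text):
    """Parse /etc/shells content: one absolute path per line, '#' comments."""
    shells = set()
    for line in shells_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("/"):
            shells.add(line)
    return shells

def rejected_accounts(passwd_text, shells_text):
    """Return [(user, shell)] for accounts whose shell is not listed."""
    shells = valid_shells(shells_text)
    rejected = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # skip malformed entries
        shell = fields[6] or "/bin/sh"    # empty field: default shell
        if shell not in shells:
            rejected.append((fields[0], shell))
    return rejected

def newly_rejected(passwd_text, shells_before, shells_after):
    """Accounts that passed the shell check before the upgrade but fail now."""
    before = set(rejected_accounts(passwd_text, shells_before))
    return [acct for acct in rejected_accounts(passwd_text, shells_after)
            if acct not in before]

if __name__ == "__main__":
    for user, shell in newly_rejected(PASSWD, SHELLS_BEFORE, SHELLS_AFTER):
        print(f"{user}: shell {shell} dropped from /etc/shells")
```

Keeping a copy of /etc/shells from before an upgrade gives the comparison something to work from when the package manager leaves no .rpmsave file.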