search for: markzero

> Date: Sat, 29 Oct 2005 07:34:28 -0700 > From: Colin Percival <cperciva@freebsd.org> > Subject: Re: Is the server portion of freebsd-update open source? > To: markzero <mark@darklogik.org> > Cc: freebsd-security@freebsd.org > Message-ID: <43638874.2020004@freebsd.org> > Content-Type: text/plain; charset=ISO-8859-1 > > markzero wrote: > > No this isn't insufficient, what is insufficient is that I currently > > can't r...

Hello. I once read somewhere that it's possible to limit SSH pubkeys to 'tunnel-only'. I can't seem to find any information about this in any of the usual places. I'm going to be deploying a few servers in a couple of days and I'd like them to log to a central server over an SSH tunnel (using syslog-ng) however I'd like to prevent actual logins (hence

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm wondering if/where I can get the server side component for freebsd-update. Presumably such a component would build and sign the binary patches and prepare them to be served via HTTP to the freebsd-update client. I need a system for distributing binary updates to a collection of customized FreeBSD machines, jails, and embedded systems.

Just a quick question, My system is quite heavily customised with regard to permissions and MAC labels on system binaries. Is there any way to stop make installworld resetting all my customisation? At the moment I have a set of scripts to set permissions on everything but that's not exactly ideal. Mark -- PGP: http://www.darklogik.org/pub/pgp/pgp.txt B776 43DC 8A5D EAF9 2126 9A67 A7DA 390F

Hello, I've been playing a bit with the "noexec" flag for filesystems. It can represent a substantial obstacle against the exploitation of security holes. However, I think it's not perfect yet. First thing, an attempt to execute a program from a noexec-mounted filesystem should be logged. It is either a very significant security event, or it can drive nuts an

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I really do not agree with adding it to the base system. Just because you guys use sudo does not mean other people do. In fact many people do not have a use for sudo at all. Not every one gives out root accounts. You are only adding another utility In that can possibly be used to escalate privileges. Every time I secure a system I spend some time

or "How do I know my copy of FreeBSD is the same as yours?" I have recently been meditating on the issue of validating X.509 root certificates. An obvious extension to that is validating FreeBSD itself. Under "The Cutting Edge", the handbook lists 3 methods of synchronising your personal copy of FreeBSD with the Project's copy: Anonymous CVS, CTM and CVSup. There are