search for: piechota

I wrote a small app that monitors a Back-UPS ES500 UPS via the uhid0 interface. I want to run the daemon with as little privs as possible. gastest# ls -l /dev/uhid0 crw-rw---- 1 root operator 122, 0 Nov 12 05:26 /dev/uhid0 gastest# Is it safe to chmod o+r /dev/uhid0 ? Or is there a better way to drop privs of the daemon yet still be able to read from the device ? All I am doing is

Hello; I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected. It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the

I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and noticed that chfn, date, and chsh showed as being infected. I remember reading post from the past that right now chkrootkit is giving alot of false positives, so I suspected that these 3 binaries are not bad. However, to be on the safe side, I deleted the 3 binaries, removed /usr/src and did a 'make world' to 4.10-STABLE. But, chfn,

We're supposed to provide redundant firewall service. I'm wondering if anyone has ever tried to do this and if it's realistic. Basically 2 firewall machines hooked up so if one fails the other will transparently step in. I've googled it to death without much luck. The security issue here lies in that the 2 firewalls can't talk to each other. So if I'm keeping state on

Hey Guys, today I upgraded to 4.8-RELEASE-p15. As usual I set IPFIREWALL to default accept in my kernel config file. Config & make weren't complaining so, installed the kernel, reboot and there it was: >IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled Another rebuild didn't work out so... I reviewed

Hello, I am having a small problem with the ssh daemon on my freebsd box. I am using the standard ssh daemon asked at the installation. I am able to acces my box using ssh from the internal lan network but not from any external machine. The error code is connection refused. I am using release 6.1 and my modem firewall permits the inbound traffic on port 22. I also use port forwarding for sending

I have a FreeBSD box acting as a firewall and NAT gateway I would like to set it up to transparently pass IPSec packets -- I have an IPSec VPN client running on another machine, connecting to a remote network. Is there a way to do this? I can't find any hints in the man pages.

Hi list Several people have physical access to my FreeBSD box and I have the feeling that somebody try to get access with boot -s options . Can I log activity after boot -s option (change user password, install software and etc.). I use boot -s and change user password, but after reboot i can't find this atcivity in log files. The BSD box is shutdown and run again many time at day. Best

Hi, I am trying to setup an IPSEC transport between a Windows 2000 box and a FreeBSD server for a customer... Both systems are on live public IP's and packets are not filtered by any intermediate systems or firewalls/routers in between. I have the following setup: Windows 2000 box: 1.1.1.2 FreeBSD Server: 2.2.2.3 (The actual IP's have been changed to above to protect the innocent..)

Every attempt to connect to anything from a new FreeBSD system results in a "host key verification failed." ssh 127.0.0.1 even fails this way. I started with a new FreeBSD4.7 installation and un-tarred the contents of another 4.7 system to essentially clone this one. My tar ball purposefully did not have the /etc/ssh directory in it so as to not overwrite any of the files in the

...tem. Really there is no difference in what you are asking. Just another program that is not going to get used by everyone. - -----Original Message----- From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Xin LI Sent: Thursday, July 21, 2005 8:53 AM To: piechota@argolis.org Cc: freebsd-security@freebsd.org; Dima Dorfman Subject: Re: Adding OpenBSD sudo to the FreeBSD base system? * PGP Signed by an unknown key: 07/21/05 at 08:52:41 On Thu, Jul 21, 2005 at 10:23:33AM -0500, piechota@argolis.org wrote: > > FWIW, I don't see any reason to include s...

hello, i have a FreeBSD 4.8-PRERELEASE #0 that i use as a gateway / nat box for my home. It also acts as a dns / mail server to the outside world. I'm using ipf and basically filter for bogus networks on the way in and out. I allow everything out keeping state, and allow this in: pass in proto icmp from any to any icmp-type squench group 200 pass in proto icmp from any to any icmp-type timex

Howdy, I may be approaching this problem entirely wrong, or not. Was hoping for a little guidance one way or the other. I've got this AS/400 with gobs of unused file storage on it that I want to share across as a file server to a FreeBSD box. The AS/400 side of things supports NFS and kinda pretends to be a Unix like machine in this role. Users will be booting from diskless clients

Hi. This is mostly hypothetical, just because I want to see how knowledgeable people would go about achieving it: I want to sandbox Mozilla Firefox. For the sake of example, I'm running it under my own user account. The idea is that it should be allowed to connect to the X server, it should be allowed to write to ~/.mozilla and /tmp. I expect some configurations would want access to audio

Hi everyone, Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ . should some kind of advisory be sent to advise people not to rely solely on MD5 checksums? Maybe an update to the man page is due ? : " MD5 has not yet (2001-09-03) been broken, but sufficient attacks have been made that its security is in some doubt. The attacks on MD5 are in the

Hello, i want to encrypt my HDD's with GELI (not the root-fs, though). I want to do the encryption without password, just with a key. The key should be stored in a floppy disk, and the read should be read automatically on boot, from the floppy. There is a problem here, because GELI initializes _before_ mounting the disks from /etc/fstab (for obvious reasons, of course). So GELI is not able

I made a mistake setting my shell and have set the root users shell to /bin/bash instead of /bin/sh. I am curiuos if anyone knows how to fix this. The machines is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su.

Aloha! (I've Googled around a bit, but failed to find much previous posts about this though I'm sure it has been discussed...) Have anybody (in core etc) considered adding a sudo implementation to thr FreeBSD base system. At least for me, sudo is an important part of implementing good security policy in FreeBSD. Yes, it is available as a port, but in a similar fashion of for example,

I've read about securelevel in the mailing list archive, and found some pitfalls (and seems to me to be discarded soon). But According to me, the following configuration should offer a good security: - mount root fs read only at boot; - set securelevel to 3; - do not permit to unmount/remount roots fs read-write (now it is possible by means of "mount -uw /"); - the only way to make

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:21.openssl Security Advisory The FreeBSD Project Topic: Potential SSL 2.0 rollback Category: contrib Module: openssl Announced: 2005-10-11