Displaying 20 results from an estimated 4000 matches similar to: "Firewalling outbound connections..."
2006 Apr 05
23
DTrace as a security tool / http://systrace.org
I'd like to see if we can use DTrace as the kernel implementation of
the BSD systrace security policy system (http://www.systrace.org). I
don't really want to port systrace to Solaris because I think with
DTrace we already have all the necessary in-kernel hooks to do this.
With systrace you express things like: "httpd can bind to port 80 but
not any other port, it
2011 Jun 23
1
sandbox for OS X
Hi,
The systrace and rlimit sandboxes have been committed and will be in
snapshots dated 20110623 and later. This diff adds support for
pre-auth privsep sandboxing using the OS X sandbox_init(3) service.
It's a bit disappointing that the OS X developers chose such a
namespace-polluting header and function names "sandbox.h",
"sandbox_init()", etc. It already forced me to
2007 Aug 09
9
Is DTrace Vulnerable?
There is a Slashdot discussion today titled "Cambridge Researcher Breaks
OpenBSD Systrace". Slashdot anonymous member has a comment "Even Sun's
Dtrace might be vulnerable." I don't think it is. Comments?
Exploiting Concurrency Vulnerabilities in System Call Wrappers
http://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf
Abstract
2011 Aug 14
10
Call for testing: OpenSSH-5.9
Hi,
OpenSSH 5.9 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains a
couple of new features and changes and bug fixes. Testing of the new
sandboxed privilege separation mode (see below) would be particularly
appreciated.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The
2003 Jul 25
3
systrace for FreeBSD 5.1
I'm porting the most recent version of Neil Provos' systrace to FreeBSD 5.1.
I'm sending him the diffs to integrate into his distribution. I'd also like
to submit them to someone with FreeBSD for consideration, and hopefully
inclusion as a port or whatever you prefer.
Who could I send them to, or what would you prefer me to do with regard to
FreeBSD?
Thanks,
Rich Murphey
2006 Jun 03
1
man pages for each providers ?
Hey,
Do you guys think that is a good idea to have a manual page for each provider with a complete description of what probes are offered ? Found some already under 7D category:
dtrace dtrace (7d) - DTrace dynamic tracing facility
fasttrap fasttrap (7d) - DTrace user instruction tracing provider
fbt fbt (7d) - DTrace function boundary tracing provider
2005 Oct 11
7
dtrace: failed to initialize dtrace: DTrace device not available on system
I have a number of systems running Solaris 10 and I see the package and binary for dtrace installed; however, whenever we try to run anything we get this error
dtrace: failed to initialize dtrace: DTrace device not available on system
the only system in which I don't have this error is the development server that has the full Solaris 10 install while others are minimized, do I need additional
2004 Jul 29
2
Samba 3.0.x and high processor utilization caused by /etc/passwd access
Hello together,
since upgrading on samba 3.0.x (issue happens with all 3.0. release) the
cpu-load on my samba PDC is constantly near 100%. The cpu power is
consumed by all running smb-processes. Systrace shows me that the smb
processes tried to access to /etc/passwd on a permanent basis. My question
is: Why tries samba to access etc/passwd so often and produces this high
cpu-load?
Regards,
2011 Sep 06
2
Announce: OpenSSH 5.9 released
OpenSSH 5.9 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches,
2005 Oct 10
1
Dovecot versus libsafe 2.0.15
Hi,
I encountered a problem using Dovecot (today's CVS, 11/10/2005) with
libsafe, systemwide install. Dovecot silently dies.
Here is the end of the systrace output I got:
bind(6, {sin_family=AF_INET, sin_port=htons(143),
sin_addr=inet_addr("0.0.0.0")}}, 16) = 0
getsockname(6, {sin_family=AF_INET, sin_port=htons(143),
sin_addr=inet_addr("0.0.0.0")}}, [16]) = 0
listen(6, 8)
2011 Jun 22
3
sandbox pre-auth privsep child
Hi,
This patch (relative to -HEAD) defines an API to allow sandboxing of the
pre-auth privsep child and a couple of sandbox implementations.
The idea here is to heavily restrict what the network-face pre-auth
process can do. This was the original intent behind dropping to a
dedicated uid and chrooting to an empty directory, but even this still
allows a compromised slave process to make new
2005 Aug 23
0
Duplication in dtrace's forceload entries in /etc/system
Hi,
If you have a custom kernel (and therefore have duplicates of
everything in /kernel in your custom kernel) and have noticed that when
you try to use anonymous tracing, dtrace adds multiple copies of the
forceload directives to /etc/system, e.g.:
* vvvv Added by DTrace
*
* The following forceload directives were added by dtrace(1M) to allow for
* tracing during boot. If these
2014 Feb 28
5
Call for testing: OpenSSH 6.6
Hi,
OpenSSH 6.6 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a small release
mostly to fix some minor but annoying bugs in openssh-6.5.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable
2003 Jan 14
1
Firewalling multiple FreeSwan connections
Hi all!
I have got a vpn connection set up using FreeSwan and shorewall.
Everything works fine but I want to add another subnet to the whole. This
means that 1 box will get two net-to-net connections.
I want to limit the services on one subnet however. Currently I have
defined a vpn zone for the current connection and allow all vpn<->loc
traffic.
How would I go about in tightening the
2012 Dec 20
4
Deprecated calls to bzero() and index() found in OpenSSH 6.1p1
Hello All,
In reviewing source code for OpenSSH-6.1p1, I found instances
of deprecated library calls still within various source code files.
Examples of deprecated calls are: bzero() (replaced with memset()
which is ANSI compliant), index() (replaced with strchr() which
is also ANSI compliant).
In file 'auth2-jpake.c', I've replaced all the bzero() calls with
the equivalent
2009 Mar 26
1
IAX problem through intermediate asterisk box
I'm having a problem with IAX running through an intermediate asterisk
box. Perhaps a small diagram will explain the situation better:
*A ------- [cloud (public internet)] ------- *B --------[cloud (private network)]----------- *C
Asterisk servers A, B, and C are all connected together with IAX
All asterisk servers are 1.6.0.6
Server A and B are geographically close, but connected over
2011 Aug 17
1
openssh-unix-dev Digest, Vol 100, Issue 3
Works on my netbsd tinkerbox.
NetBSD 5.0.2 NetBSD 5.0.2 (GENERIC)
It uses rlimit.
Privsep sandbox style: rlimit
I also get warnings during make.
fmt_scaled.c: In function 'scan_scaled':
fmt_scaled.c:84: warning: array subscript has type 'char'
fmt_scaled.c:111: warning: array subscript has type 'char'
fmt_scaled.c:155: warning: array subscript has type 'char'
2012 Dec 21
0
File Attachments for previous bug report
I have renamed all of the patch files to .txt, which should be acceptable
for the mailer daemon at mindrot, per Angel's suggestion.
I am attaching the patch files to the email, with the extra space removed
and a minor correction made.
Bill Parker (wp02855 at gmail dot com)
-------------- next part --------------
--- port-linux.c.orig 2012-12-19 17:40:53.231529475 -0800
+++ port-linux.c
2015 Jun 29
3
[Bug 2419] New: SECCOMP filter does not accept getpgid syscall
https://bugzilla.mindrot.org/show_bug.cgi?id=2419
Bug ID: 2419
Summary: SECCOMP filter does not accept getpgid syscall
Product: Portable OpenSSH
Version: 6.8p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at