similar to: bind() on 127.0.0.1 in jail: bound to the outside address?

Dear folks, I'm recently investigating large scale deployment and upgrading FreeBSD RELEASE. It's our tradition to bump "RELEASE-pN" after a security patch is applied, however, it seems that there is less method to determine whether the userland is patched, which is somewhat important for large site managements. So is "uname -sr" the only way to differencate the

Hi folks, While investigating OpenBSD's cron implementation, I found that they set the systemwide crontab (a.k.a. /etc/crontab) to be readable by the superuser only. The attached patch will bring this to FreeBSD by moving crontab out from BIN1 group and install it along with master.passwd. This change should not affect the current cron(1) behavior. Cheers, -- Xin LI <delphij frontfree

Greetings, I'm a little curious about the way FORBIDDEN knob is used in ports system. Traditionally, we use it to mark a port which have known security issue, with the new vuxml mechanism, are we still doing the same thing when necessary? Or, only the "critical" ones, for example, remote exploitable buffer overruns, etc? If the second assumption (only critical ones are marked

Hi, Just want to ask about the status of this:- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0002 >From list archives I gather the fix is still under refinement (but committed (and removed?) in HEAD and RELENG_5_2). One paranoid little shop is running a public web server on RELENG_4_9, and contemplating this patch:-

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I have put together a preliminary patchset for dovecot 1.1 at: http://people.freebsd.org/~delphij/misc/dovecot-1.1-rc4.diff My intention is to repocopy the current dovecot port to dovecot11 and make changes on the latter. In this version of patchset, I have intentionally removed the following chunk of change which by default allows gid=0

Hello! Port security/portaudit reports the following problem: Affected package: FreeBSD-491000 Type of problem: multiple vulnerabilities in the cvs server code. Reference: <http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.htm l> Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf I have 2 related questions: 1)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, A feature of Cyrus-IMAPd I really missed after migrated to Dovecot is their optional "duplicate suppression", which eliminates duplicate message at deliver time, if their envelope sender, recipient and message-id matches. For example, if one subscribes to a mailing list, and someone hit "Reply All" to reply to him, there

On 16 May 2015, at 09:39, Xin Li <delphij at delphij.net> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi, > > On 5/15/15 10:58, Xin Li wrote: >> Hi, >> >> I have seen the following assertion fails on my own mail server >> (indexer-worker): >> >> Panic: file charset-iconv.c: line 132 (charset_to_utf8):

Although RAW sockets can be used when specifying the source address of packets (defeating one of the aspects of the jail) some people may find it usefull to use utilities like ping(8) or traceroute(8) from inside jails. Enclosed is a patch I have written which gives you the option of allowing prison-root to create raw sockets inside the prison, so

On 05/22/15 13:18, Cassidy Larson wrote: > We're using FreeBSD 10.1 I see. Yes that's the same problem I have seen. There is a behavioral difference (I think it's a FreeBSD bug) between FreeBSD's iconv(3) and GNU implementation, and there is arguably a bug with Dovecot that iconv(3) state should be reset for each multipart part. The two together would trigger the problem

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, I have seen the following assertion fails on my own mail server (indexer-worker): Panic: file charset-iconv.c: line 132 (charset_to_utf8): assertion failed: (*src_size - pos <= CHARSET_MAX_PENDING_BUF_SIZE) However, when charset_to_utf8_try returns FALSE (e.g. iconv() got EINVAL or EILSEQ), the for loop in charset_to_utf8 may end earlier,

I think, there is a neat exploit in the phpbb2.0.8 because I found my home page defaced one dark morning. The patch for phpBB is here. http://www.phpbb.com/downloads.php The excerpt of the log is attached. I believe the link to the described exploit is here. http://secunia.com/advisories/13239 The defacement braggen page is here filter to show the exploited FreeBSD machines that aneurysm.inc

Hello, on 9.1-R, I highly appreciate the new jail(8) and jail.conf capabilities. Thanks for that extension! But I have one problem: If I want to stop a jail with 'jaill -r jailname', I get "umount: unmount of /.jail.jailname failed: Device busy" It seems to me that the order of fstab.jailname entries are not reverted by jail(8) when shutting down/umounting. My C skills

Hi *, I recently triggered an error when setting up a jail-host: I configured the jail(s) like evry jail I set up in the past: On the jail-hosts /etc/rc.conf: # ---- Jail-Globals ---- jail_enable="YES" # Set to NO to disable starting of any jails jail_list="ftp mx1 relay" # Space separated list of names of jails

I'm thinking of using jails to improve security on a server I am setting up. Specifically, I would like to put Apache/PHP in a jail, but I might like to set up 2-3 different jails for different purposes. I've found several examples showing how to set the jails up. My questions involve system requirements. Assuming plenty of disk space, 1GB ram and a dual processor PIII 1.13Ghz

Hello, I would like to run other services like messaging services on my firewall machine too. Does it make sense to run shorewall, openvpn and the pppoe package in a chroot jail? And is it possible to run these programs as an other user? Ciao Hugo

Operating system virtualization is the most effective way to utilize your system resources, jails let you setup isolated mini-systems. Jails are explains well in handbook however, from practical standpoint of view, the presented material is incomplete. The post below setup few scrips that follow handbook's 'Application of Jails' article and enhance with few missing features

HI everyone, I have resently installed a jail environment on my freebsd box, and had some problems getting postgresql running under it. After looking a bit on various mailinglists i figured out that I needed to set jail.sysvipc_allowed to be 1 using sysctl in order to make postgresql run. However man jail gives me: jail.sysvipc_allowed This MIB entry determines whether or not

Since last upgrade, I see much more CPU time "eated" by interrupts (at least 10% cpu in top) (see http://dgeo.perso.ec-marseille.fr/cpu-week.png) The server behave correctly (Or seems to?), and high interrupt number seems to come from bce cards (source: systat -vmstat) I just upgraded from "RELENG_7 Mon Sep 8 12:33:06 CEST 2008" to "RELENG_7_1 Sat Nov 29 16:20:35 CET

I am currently setting up a firewall that translates my internal network over to 5 public IP addresses. The addresses are dynamically assigned, so I use ddclient to update my www.dyndns.org account. I've set up several aliases on the external interface of the firewall, and succeeded in having the internal computers use those extra public IPs. What I want to do is have 5 copies of ddclient