similar to: Possible security issue with jails

Although RAW sockets can be used when specifying the source address of packets (defeating one of the aspects of the jail) some people may find it usefull to use utilities like ping(8) or traceroute(8) from inside jails. Enclosed is a patch I have written which gives you the option of allowing prison-root to create raw sockets inside the prison, so

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:09.htt Security Advisory The FreeBSD Project Topic: information disclosure when using HTT Category: core Module: sys Announced:

Hello, Possibly some of you will have read the news about "Hijacking a Macbook in 60 Seconds or Less"[1]. At this time I was searching a wireless card for my server and I wonder how this can affect to the combination FreeBSD+ath(4). The ath_hal page states that FreeBSD use a binary driver and I think it is located in this file[2]. Unlike OpenBSD which affirms that they have

We have a number of Soekris devices that we will be deploying remotely in semi- hostile physical environments. The remote links are dialup so I dont have a lot of bandwidth available. I want to do integrity checks of the images so that I can detect any tampering of the flash image. If I upload a static sha256 binary to /tmp on the remote box (which is a RAM disk) and then do something

On a FreeBSD 5.0 the behaviour of screen when connecting to other users sessions have changed. Previously: 1. login as userA start a screen as userA and disconnect 2. login as root su - userA "screen -r" 3. result failure as userA cant access the ttyX with such a message Current: 1. login as userA start a screen as userA and disconnect 2. login as root su - userA "screen -r" 3.

shell# /sbin/devfs rule -s 2 delset shell# /sbin/devfs rule -s 2 add hide shell# /sbin/devfs rule -s 2 add path random unhide shell# /sbin/devfs rule -s 2 add path urandom unhide shell# /sbin/devfs rule -s 2 add path zero unhide shell# /sbin/devfs rule -s 2 add path pty\* unhide shell# /sbin/devfs rule -s 2 add path pty\* unhide shell# /sbin/devfs rule -s 2 add path tty\* unhide shell#

In message <20050731135919.GA43753@afields.ca>, Allan Fields writes: >Yes, this is all very nice, but when is someone actually going to >commit it? ;) I'm (as always) short of time, and GBDE is not the top priority for me for the time being. So I am more than happy to see people band together and improve gbde. The main work necessary is to polish the userland program and that

I have a grown list of IPs that I am "deny ip from ###.### to any". Infected machines, hackers, etc.. Is there a way to have this list outside of rc.firewall and just read it in?

Hi, I'm pondering building my own SSL accelerator out of a multi-CPU FreeBSD system and a crypto accelerator. What's the recommended hardware crypto accelerator card these days? Thanks, ==ml -- Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org Today's chance of throwing it all away to start a goat farm: 49.1% http://www.BlackHelicopters.org/~mwlucas/

Hello, I think there was already a thread on this. I just want to raise the question again if anyone has successfully booted an gdbe-encrypted filesystem (everything encrypted except the bootloader). The passphrase is entered at the bootloader prompt or embedded in the bootloader. I appreciate any tips. Thanks, - ronnel

I read this (http://www.petur.eu/blog/?p=459) blog post today. It's about that a remote user with root privilegs to a FreeBSD jail & user privileges to the jails host machine can obtain root privileges on the host machine. Can someone confirm if this bugg/exploit works?

Hi. I've been playing a bit with "use sound card as an entropy source" idea. This simple program does what I wanted: http://people.freebsd.org/~pjd/misc/sndrand.tbz The program is very simple, it should be run with two arguments: % sndtest /dev/dspW 1048576 > rand.data This command will generate 1MB of random data. With my sound card: pcm0: <Intel ICH3 (82801CA)>

Hi all! I found this today on FD: http://seclists.org/fulldisclosure/2012/Aug/4

I've included all posts till now. Can I ask anyone with older proliant multi-cpu hardware using the smart2 controllers to get in touch with me? I am curious to know if this works for anyone... -D Quoting Danny Carroll <fbsd@dannysplace.net>: > Still more info... > It does not work on 5_0-RELEASE either. > > -D > ----- Original Message ----- > From: "Danny

Hi all. This might seem really naive, but can mtree be used effectively as a native-to-core-OS tripwire equivalent? Would it be as efficient in terms of time-to-run and resource requirements? What sort of pitfalls should I be aware of? Has anyone here done this? If so, would you care to share your scripts/techniques? Thanks, Dave -- ______________________

I had originally mentioned this only to 2 people, which was Jordan K. Hubbard and Paul Henning-Kemp, but since I have received a lot of queries on this, I thought I might as well post it on the FreeBSD announce groups. Included below is a posting done on the Linux-atm mailing group, by Pragnesh Sampat. I have just adapted for FreeBSD. RV -------------------------- Announcement

Hello, I'm wondering about closing some information leaks in FreeBSD jails from the "outside world". Not that critical (depends on the application), but a simple user, with restricted devfs in the jail (devfsrules_jail for example from /etc/defaults/devfs.rules) can figure out the following: - network interfaces related data, via ifconfig, which contains everything, but the

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I really do not agree with adding it to the base system. Just because you guys use sudo does not mean other people do. In fact many people do not have a use for sudo at all. Not every one gives out root accounts. You are only adding another utility In that can possibly be used to escalate privileges. Every time I secure a system I spend some time

Is it possible to find a repository that hold a newer version of tar. The current version is 1.26 I have some students trying to build Yocto project on my Centos 7 host, but OpenEmbedded reports incompatibility problems with the current version of tar. I thank you on beforehand for any help. |< -- Med venlig hilsen Klaus Kolle Teknikumingeni?r, B.Sc.EE., e-mail : klaus at kolle.dk

I'm going to apply the ssh patch. Applying it to the "real" server seems straightforward enough, but I'm wondering what the right procedure is to apply this patch to my jailed servers.