April 2000 - openSUSE Security - openSUSE Mailing Lists

OT: Bugfix for Samba with NIS netgroups -- how to submit?
by Robert Casties 11 Apr '00

11 Apr '00

Hello! Sorry for being off-topic. I wandered around SuSEs website but I couldn't find any place to submit bugfixes for their packages. Can anyone from SuSE tell me how this is supposed to be done? The problem: SuSE 6.4's samba 2.0.6-62 doesn't accept NIS netgroups (I don't know if any version before did that). More specifically the NIS test part of configure fails because it isn't linked with -lnsl. The fix: configure has to be called as "LIBS=-lnsl ./configure". Fixing the spec file is easy. (A fix to the configure script would be nicer but more work) I found the fix in a mail from Johannes Martin on linux.debian.bugs.dist (October 99) Cheers Robert -- Robert Casties --------------------- http://philoscience.unibe.ch/~casties History & Philosophy of Science Tel: +41/31/631-8505 Room: 216 Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)

3 2

Re: [suse-security] Cracking passwd file on suse systems
by Markus Gaugusch 11 Apr '00

11 Apr '00

> I may be wrong, but it does not seem very safe to me to > change a password by a telnet connection, probably better > make that a ssh connection. in theory you are right, but since this are pop-accounts the connections are never encrypted anyway ... so i think this is the best solution ... greetings Markus Gaugusch -- ________________________________________ Markus Gaugusch markus(a)gaugusch.dhs.org ICQ-ID: 11374583 [www.mirabilis.com]

1 0

Re: [SLE] For those who had SusE 6.3 and licq running....
by Francisco M. Marzoa Alonso 11 Apr '00

11 Apr '00

I wonder that is the "configure" script that's telling you about that error, so can you please post exactly the output of that script? Better all than last lines... Calyth wrote: > I'm encountering a problem installing licq (v0.81 src Tarbal1 from > licq.org) . > The problem is that it claims that gcc cannot compile executables, while > I didn't believe it and compiled executables (like one on Linux Journal) > Does anyone have any idea? > > Calyth > > -- > To unsubscribe send e-mail to suse-linux-e-unsubscribe(a)suse.com > For additional commands send e-mail to suse-linux-e-help(a)suse.com > Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/ -- Francisco M. Marzoa Alonso Nuevo Mundo - Dpto. Informático ICQ#: 62850923 Henri Dunant, 19 - 28036 Madrid tfno: +34 91 343 18 40 ext. 207 España / Spain fax: +34 91 350 28 45

1 0

/etc/sshd_config wize to change
by Joop Boonen 11 Apr '00

11 Apr '00

Dear all, I think there is a unsafe setting in the /etc/sshd_config file. The following setting is be done: PermitRootLogin yes. It think it would be best to change the yes to no. This is to make it more difficult for a hacker. Regards, Joop Boonen. Can this please also be changed in the rpm package?

3 4

cgi-bin/printenv
by alex medvedev 10 Apr '00

10 Apr '00

hallo, just wondering why the PATH variable changes after reloading the printenv script? Example: i requested http://localhost/cgi-bin/printenv i got lots of stuff back including: PATH = /bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/local/bin reload the browser: PATH = /sbin:/bin:/usr/sbin:/usr/bin reload again: PATH = /bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/local/bin moreover the PATH does not change consistently after each reload. it is on suse 6.1: SERVER_SOFTWARE = Apache/1.3.6 (Unix) (SuSE/Linux) PHP/3.0.7 mod_perl/1.19 mod_ssl/2.2.8 SSLeay/0.9.0b is that a security feature :) -alexm the bandwidthwaister

2 1

Re: [suse-security] checking rpm integrity
by Volker Kuhlmann 09 Apr '00

09 Apr '00

> This is different to Volker's result: Well, lets not go into details and concentrate on the main issue instead: SuSE's MD5 sum scheme does not work too well. > If I knew how to work md5sum right I would be happy. With I can see 2 problems with using md5sum, one more serious than the other: 1) There is no guarantee that SuSE will ever be able to ensure correct md5 sums are published. This is in the nature of things. Doesn't the number of incorrectly published md5 sums so far make a farce of the system? 2) It is not all that user-friendly IMHO. > pgp I think we have compatibility, licence and US export > issues (**is it legal in France to use pgp for signature > checking??) This should be irrelevant. If the act of veryfying signatures by the user is illegal, does that make it illegal for SuSE to provide signed rpms? No. RH has provided pgp-signed rpms at least since version 4.0. > The SuSE CDs have pgp version 2.6.2 (as do > RedHat CDs I think), RH has nothing. Unless they have something on a US-only version, if they have one. The problem with RH is that it's an American distribution. Forget about any encryption software (at least until extremely recently). Likewise with the USA version of SuSE. Note that the USA and international versions of SuSE are not(!!) the same. The international one has a bulk of encryption software included. The USA one doesn't - reasons are well known. > but it seems that many suse-security > list members use version 5 source release or version 6 This should also be irrelevant. As SuSE ships pgp 2.6.2 on all but the USA versions of the distribution, everyone has a working version of pgp to check the signatures. If someone wanted to install other versions of pgp and/or gpg as well, where is the problem? > binary release. 5 and 6 are not be compatible with my > version of rpm, I think. Then you have mis-configured your rpm, or rpm does not support pgp 5 and 6 (unlikely though I never checked). It supports pgp 2.6.2 and gpg; unless there is a command-arg difference between pgp 2 and 5/6 rpm itself sees no difference. rpm simply calls pgp as an external program (the details of which you can configure). > GPG is very young for me to totally trust it, yet. Does it > work with rpm? Yes. Red Hat signs their stuff with gpg since RH 6.0. I.e. for a while now. SuSE does not sign at all. It kind of makes me wince... Volker

1 0

SuSEfirewall 2.2beta: SAMBA and masquerade forwarding support!
by marc＠suse.de 08 Apr '00

08 Apr '00

Hi folks! many people bothered me with the request to a) support SAMBA (as client and server) on the firewall b) put in config options to let the internet access hosts on the internal, masqueraded network I did that in 2.2beta, which is available from www.suse.de/~marc Please try it out if you need this functionality - but note: both things are not good for your security! *sigh* In 2.3 or 2.4 I'll add a more fine grained internet access for the internal network, so that it is not all-or-nothing, but you can say www and ftp for everyone, but mail only from the mailserver etc. Here's the CHANGES file for 2.2beta: v2.2 06.04.00 * Added the long awaited FW_SERVICE_SAMBA support! * Added FW_FORWARD_MASQ_{TCP,UDP} so people can make their webservers on the internal, masqueraded nets available to the internet. * Now masquerading timeouts are set * NOTE: changed the preconfigured value of FW_ALLOW_INCOMING_HIGHPORTS_{TCP,UDP} to "yes" * Renamed the file HOLES to PROBLEMS * Fixed some few typos Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc(a)suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C

1 0

Cracking passwd file on suse systems
by Carsten Schmitz 08 Apr '00

08 Apr '00

Hello... I want to check the passwd-file for insecure passwords. Is there a way to do this easily? User just have pop-access to their accounts, no telnet, so forcing the user to change the password from time to time is not possible. Greetins, Carsten Schmitz

3 2

checking rpm integrity
by Volker Kuhlmann 08 Apr '00

08 Apr '00

Stupid question: when I download an updated rpm for SuSE, how do I check whether it's realy come from SuSE??? There is md5sum - but arrrrrrrrgggggggggg it's tedious!!! Copy the relevant lines out of the SuSE advisory into a new file, edit out the "ftp://..." part at the front, save, run md5sum -c. That can't be it, can it? It does not seem to be a very reliable way to go. I find that > md5sum -c ~/t/m update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm: FAILED from 09cbe9a08cf2b0d5d5d0b1963c3edbcd ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm > md5sum update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm ec64fd1187373f48c02922eb71ae2f7a update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm I know SuSE has published bogus md5 sums before. Has it happen again? Seems like it. See: ec64fd1187373f48c02922eb71ae2f7a ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/gpm-1.18.1-45.i386.rpm out of the gpm advisory. <HERESY> When I was still using Red Hat, the whole job for any number of downloaded rpms was done with "rpm -Kv *.rpm". </HERESY> Question: why does SuSE not pgp/gpg sign their rpms? It would be much more user-friendly as well as less error-prone. Or does it take that much more effort to organise on SuSE's part? (This is what I was meaning to gripe about for a while :-( ) Volker

2 1

Change group/owner of dir or files
by wil van der wee 06 Apr '00

06 Apr '00

Hi all, Thanks for all the help I have received from this group. I have tried to change group owneras root, but in all cases it says "operation not permitted" To be be more specific I have a DOS partition where I have installed dos OS and a Dos programm, automaticly this partition is mounted at start up of Linux in /home/dos, but as mentioned before I can not change the group or owner. Only when I login as root on a win95/98 machine it is allowed to execute this dos programm installed on the Linux server. Does anyone know what I'am doing wrong here. Thanks for any suggestions, solutions. rgd Wil

4 3