-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2005-11-19 at 06:36 -0200, Ariel Sabiguero Yawelak wrote:
> > You might consider erasing the swap partition when powering off, using
> > for the purpose "/etc/init.d/halt.local". The performance while in use
> > will be better, but halting will be much slower.
> >
> Again you are not 100% sure.
> It has been discussed several times about the possibility of un-erasing erased
> data, but we can consider that unerasing and trying to recover data from swap
> might be not very useful.
Erasing the swap, as it is not a file, and because we are talking
security here, means overwriting the swap data with something else. Even
in that case, data is recoverable, if you have the means; but I suppose
the ordinary thief picking a portable does not have those means, and if he
has those means then he is not ordinary thief and even encryption will not
deter him much.
> But on the other hand, you are leaving your information thief-readable
> whenever halt.local is not executed. If the system does not shut down clearly,
> or the thief knows that he has to unplug the cable (remove the battery) instead
> of initing-6 he is done.
If the thief can get to my PC while running, I have bigger worries. He
might be armed!
> Ok, you can say that whenever *you* shut down the system, then it is "safe",
> and I agree :-)
> It is only a matter of how much you want to be secure and all-data-encryption
> is the way to be MORE confident on the solution.
Yes. But I'm not that "paranoid".
As I use "suspend to disk", what worries me is that the password to the
encrypted partitions is saved in clear in the swap partition - this is a
pending problem. And encrypting the swap partition would not solve it,
because then I could not suspend to disk, and also I fear that swapping
would be much slower.
- --
Regards
Carlos Robinson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76
iD8DBQFDgLihtTMYHG2NR9URAsrPAKCSIoiwc9CjbYVSWSH8XP+4I0mEwQCffj6p
LAsJqAEOquTUtkfeIVQf/lk=
=lgEw
-----END PGP SIGNATURE-----
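The halt.local approach Carlos describes above, as an added example that is not part of the thread: a small POSIX shell routine that takes every active swap partition offline, overwrites it end to end with random data, and rewrites the swap signature so the area is usable again on the next boot. It assumes dd, swapoff and mkswap from util-linux, /proc/swaps in the usual Linux format, and root privileges when run for real; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: a halt.local-style routine that wipes the
# swap area at shutdown. Assumptions: POSIX sh, dd, swapoff/mkswap from
# util-linux, /proc/swaps in the Linux format, root when run against real devices.

# Size of a block device (blockdev) or, as a fallback, of a regular file, in bytes.
device_size() {
    blockdev --getsize64 "$1" 2>/dev/null || wc -c < "$1"
}

# Overwrite one swap area end to end with random data, then recreate the swap
# signature so the area can be enabled again on the next boot.
wipe_swap_device() {
    dev="$1"
    bs=4096
    swapoff "$dev" 2>/dev/null || true    # not active (or not root): keep going
    count=$(( $(device_size "$dev") / $bs ))
    [ "$count" -gt 0 ] || { echo "wipe_swap_device: $dev is empty" >&2; return 1; }
    # conv=notrunc keeps a regular file at its size; on a block device dd simply
    # writes count blocks. Zeros would be faster, random data leaves no pattern.
    dd if=/dev/urandom of="$dev" bs="$bs" count="$count" conv=notrunc 2>/dev/null || return 1
    # A fresh signature; mkswap may be absent or warn on a plain file, which is harmless.
    if command -v mkswap >/dev/null 2>&1; then
        mkswap "$dev" >/dev/null 2>&1 || true
    fi
    return 0
}

# All currently active swap partitions (swap files are listed as "file").
active_swap_partitions() {
    awk 'NR > 1 && $2 == "partition" { print $1 }' /proc/swaps 2>/dev/null
}

wipe_all_swap() {
    for dev in $(active_swap_partitions); do
        echo "wiping swap on $dev" >&2
        wipe_swap_device "$dev"
    done
}

# Run the full wipe only when invoked explicitly, e.g. from /etc/init.d/halt.local:
#   /path/to/wipe-swap.sh --run
if [ "${1:-}" = "--run" ]; then
    wipe_all_swap
fi
```

Two properties of the thread's own discussion show up directly in this script: the wipe only happens when the shutdown path actually runs it (a pulled plug skips it), and the suspend-to-disk image Carlos relies on lives in the same swap area, so wiping at halt is incompatible with resuming from a hibernation that was written to it.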
Hello All,
Can anyone tell me how to encrypt swap under SuSE
9.3? This is standard on Macs and should be as well possible in
9.3.
Regards and thnx for your help
Chris
PS: Sorry for writing in German on the first posting. Should not happen again ;-)
On Mon, Nov 21, 2005 at 11:50:37AM +0100, Jan Kara wrote:
> Hello,
>
> > any idea when a bugfixed kernel will be available via YOU? this
> > weekend we had to reboot our systems more than once :-(
> I'm sorry but have you created a bugzilla entry as I asked you? I
> could not find it in our bugzilla. Otherwise I've already sent the patch
> to Marcus. Marcus do you have any idea when there will be a release of
> a new updated kernel? Should I do anything for that?
The problem is that users can create only bugzillas for 10.0 or later...
We will not release a 9.1 kernel from the SLES9_SP2 branch again,
the next will be from the SLES9_SP3 branch.
I take it the issue is not there in the SP3 branch, so it should
be safe.
(9.1 is using the SLES 9 kernels.)
An update should be released in mid-December. If you need
it earlier, check the SP3 kernel from:
ftp://ftp.suse.com/pub/projects/kernel/kotd/sles9-beta-i386/SLES9_SP3_BRANC…
(careful please.)
Ciao, Marcus
Good try guys, BUT...:-)
I tried both the rpm and the ldd way and got plenty of services listed. After a quick look I could not find either portmap or telnet (both installed on the system), yet I know they are libwrap supported software.
Petteri
-----Original Message-----
From: Christian Boltz <suse-security(a)cboltz.de>
To: suse-security(a)suse.com
Date: Thu, 17 Nov 2005 21:52:33 +0100
Subject: Re: [suse-security] libwrap supported services
Hello,
On Thursday, 17 November 2005 12:31, Armin Schoech wrote:
[...]
> > Do you think this is a complete list of services (with the files in
> > /etc/xinetd.d, of course)?
>
> --> I don't really know. But if you really want to be sure, you could
> use a command like
> "ldd /usr/sbin/* /sbin/* ..."
>
> to list all libraries used by the different programs. Then you have
> to look for "libwrap" to find the tcp-wrapper. This will list only
> programs using the shared version of libwrap, though.
For a fast overview, you can also try
rpm -q --whatrequires libwrap.so.0 ;-)
> Programs compiled linking libwrap statically are probably much harder
> to nail down.
I guess rpm also doesn't know about them.
Regards,
Christian Boltz
--
One of the main reasons for the downfall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination of
their C programs.
(Sorry Armin for emailing directly to you.)
Thx dudes. I consider this case closed.
A few words, though.
>> The executable "telnet" is the client. Only "telnetd"
>> is the daemon that is linked against libwrap.
That's very true. I spoke about telnet, meant telnetd:-)
>> But you seem to have a strange system. The suggested
>> syntax works on my SuSE 9.1 and SuSE 9.3 systems.
To tell you the truth, I just had a RHEL 4 in hand to play with the suggestions, so maybe the system was a little strange.
I'll do some checking on SLES9 in days to come. Anyway, I wonder that there's no list available about all the services to allow/deny with libwrap.
Petteri
Hi all!
Management is forcing me to use LPRng with kerberos authentication in order to
print my documents. Right now I'm using CUPS, with some lpr configuration.
However, it seems as if the lprng rpm package (SUSE 9.3) is not compiled with
kerberos support. Can someone verify this?
Is it possible to solve this situation without compiling my own lprng with
kerberos support? I googled, but I couldn't find any lprng-rpm for SUSE 9.3
with kerberos. Is it the same for SUSE 10? One option is of course to upgrade
if it solves this problem.
Hopefully some of you can help me, otherwise I'll just have to compile my own
version.
Kind regards,
--
Mats Folke
Avd. System och interaktion Div. of Systems and Interaction
Inst. för Systemteknik Dept. of Computer Science
and Electrical Engineering
Luleå tekniska universitet Luleå University of Technology
Sweden
tel: 0920 49 3065 telephone: +46 920 493065
Thx Armin,
Last time I had a look at a SLES9 box, there was no such list in the allow or deny file. It seems that the implementation is a little different with workstation versions (including inetd/xinetd).
Do you think this is a complete list of services (with the files in /etc/xinetd.d, of course)?
Petteri
-----Original Message-----
From: Armin Schoech <armin.schoech(a)web.de>
To: suse-security(a)suse.com
Date: Thu, 17 Nov 2005 09:08:20 +0000 (UTC)
Subject: Re: [suse-security] libwrap supported services
Hi Petteri,
> Is there a list (or a way to find out in a running system) somewhere
> for libwrap supported services?
>
--> in SuSE 9.3 at least, there is a list of services and some other
information in /etc/hosts.allow
On my system it looks like:
# /etc/hosts.allow
# See `man tcpd' and `man 5 hosts_access' for a detailed description
# of /etc/hosts.allow and /etc/hosts.deny.
#
# short overview about daemons and servers that are built with
# tcp_wrappers support:
#
# package name | daemon path | token
#
# ----------------------------------------------------------------------------
# ssh, openssh | /usr/sbin/sshd | sshd, sshd-fwd-x11, sshd-fwd-<port>
# quota | /usr/sbin/rpc.rquotad | rquotad
# tftpd | /usr/sbin/in.tftpd | in.tftpd
# portmap | /sbin/portmap | portmap
# The portmapper does not verify against hostnames
# to prevent hangs. It only checks non-local addresses.
#
# (kernel nfs server)
# nfs-utils | /usr/sbin/rpc.mountd | mountd
# nfs-utils | /sbin/rpc.statd | statd
#
# (unfsd, userspace nfs server)
# nfs-server | /usr/sbin/rpc.mountd | rpc.mountd
# nfs-server | /usr/sbin/rpc.ugidd | rpc.ugidd
#
# (printing services)
# lprng | /usr/sbin/lpd | lpd
# cups | /usr/sbin/cupsd | cupsd
# The cupsd server daemon reports to the cups
# error logs, not to the syslog(3) facility.
#
# All of the other network servers such as samba, apache or X, have their own
# access control scheme that should be used instead.
#
# In addition to the services above, the services that are started on request
# by inetd or xinetd use tcpd to "wrap" the network connection. tcpd uses
# the last component of the server pathname as a token to match a service in
# /etc/hosts.{allow,deny}. See the file /etc/inetd.conf for the token names.
#
HTH,
Armin
--
Am Hasenberg 26 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan Schloss-Straße 6
Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY
Email: schoech(a)iap-kborn.de Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
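The two ways of finding wrapped services discussed in this thread (Armin's ldd loop and Christian's rpm --whatrequires query) and the token rule from the hosts.allow header above, put together as an added example that is not part of the thread. It scans directories for executables whose ldd output names libwrap.so, prints the hosts.allow/hosts.deny token (the last path component) for each, and adds a rough heuristic for the statically linked case that neither ldd nor rpm can see. The library check is written generically, so the same function also answers Mats's question about whether a given lpd binary was linked against Kerberos. It assumes POSIX sh, ldd, and rpm where packages are queried; all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find daemons using tcp_wrappers and print
# the token that /etc/hosts.{allow,deny} matches them on. Assumptions: POSIX sh,
# ldd, rpm on rpm-based systems; function names are this example's own.

# True when ldd output (read from stdin) names a shared library matching the
# pattern. Generic on purpose: works for libwrap as well as, say, libkrb5.
ldd_output_links() {
    grep -q "$1"
}

# True when the binary is dynamically linked against a library matching pattern.
binary_links() {
    ldd "$1" 2>/dev/null | ldd_output_links "$2"
}

# The token tcpd and libwrap match: the last component of the daemon path
# (e.g. /usr/sbin/sshd -> sshd), as the hosts.allow header on the page says.
hosts_access_token() {
    basename "$1"
}

# Rough heuristic for a statically linked libwrap, which ldd cannot show:
# libwrap carries the literal path of its table, so a binary that mentions
# /etc/hosts.allow but has no libwrap.so dependency is worth a closer look
# (a wrapper shell script mentioning the path will also match).
mentions_hosts_allow() {
    tr -c '[:print:]' '\n' < "$1" | grep -q '/etc/hosts\.allow'
}

# Walk the given directories and print "path token kind" for each executable
# that appears to use tcp_wrappers; kind is "shared" or "static?".
list_wrapped_daemons() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            if binary_links "$f" 'libwrap\.so'; then
                printf '%s %s shared\n' "$f" "$(hosts_access_token "$f")"
            elif mentions_hosts_allow "$f"; then
                printf '%s %s static?\n' "$f" "$(hosts_access_token "$f")"
            fi
        done
    done
}

# Packages that declare a dependency on the shared libwrap (rpm systems only).
list_wrapped_packages() {
    rpm -q --whatrequires libwrap.so.0 2>/dev/null
}

if [ "${1:-}" = "--scan" ]; then
    list_wrapped_daemons /sbin /usr/sbin
    echo "--- packages depending on libwrap.so.0 ---"
    list_wrapped_packages
    echo "--- lpd Kerberos linkage ---"
    binary_links /usr/sbin/lpd 'libkrb5\|libgssapi' && echo "lpd links Kerberos" || echo "lpd: no Kerberos library"
fi
```

The token column is what goes before the colon in /etc/hosts.allow; inetd/xinetd-started services use the same rule via tcpd. One caveat for the scan: ldd works by asking the dynamic loader to trace the program, and on some systems that can execute code from the binary, so run it only over system directories whose contents you trust.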