November 2005 - openSUSE Security - openSUSE Mailing Lists

Wie richtet man einen Encrypted Swap unter 9.3 ein?
by Christoph Merk 17 Nov '05

17 Nov '05

Hallo Liste, kann mir bitte jemand sagen, wie man unter SuSE 9.3 Prof. die Swap Partition verschluesselt? Beim Mac ist das eine Standard Option, solte also unter 9.3 auch ohne weiteres moeglich sein. Vielen Dank fuer Eure (Mit-)Hilfe. thnx Chris

2 1

libwrap supported services
by Petteri Hakkarainen 17 Nov '05

17 Nov '05

Is there a list (or a way to find out in a running system) somewhere for libwrap supported services? Petteri

2 1

safety with scp
by piet 14 Nov '05

14 Nov '05

Good morning group, I want to access my server(home based SuSE-box) through the Internet so I can upload images with winscp from my XP-laptop. Is it safe to just open port 22 for the external world, or do I need extra safety measures? regards, piet

10 16

/etc/shadow unchanged but password not valid anymore
by David Huecking 14 Nov '05

14 Nov '05

Hi! I'm facing something like a miracle: On a SuSE 9.3 PC from time to time for some users the login is denied but the accounts are not set up with expiration nor are they disabled and the /etc/shadow is unchanged (compared with diff and md5sum with a copy of the file). In the log you get: Nov 12 22:12:34 tombombadil sshd[8677]: error: PAM: Authentication failure for bla from dslb-... Two other accounts still work every time. Hashing-algorithm for files in /etc/default/passwd is blowfish (CRYPT=des but CRYPT_FILES=blowfish). When running a passwd bla as root and defining the same password as before everything ist fine again. I ran chkrootkit (from a clean enviroment) on the machine without finding anything suspicious. Can anyone give me a hint? -- Eat, sleep and go running, David Hücking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216

2 1

AppArmor
by Thorsten Scherf 13 Nov '05

13 Nov '05

Hi, I just tried to install AppArmor on a SuSE Linux 10.0 System, but without success. YAST2 does not offer me any packages when searching for AppArmor and/or Subdomain. So, the question is, is AppArmor only available in SLES or in the Novell Desktop System? Happy Day. Thorsten

4 6

Web Server Security
by Markus Gaugusch 12 Nov '05

12 Nov '05

Hi, Does anyone think, that it makes sense to let have /bin/bash the following permissions? -rwx---r-x 1 root www 490716 Sep 9 18:12 /bin/bash With that setting, anyone exploiting the webserver could not execute /bin/bash (if course the same permissions could also be applied to /bin). Has anyone ever tried this? Does it break things? Did I find something cool? ;-) Markus -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus(at)gaugusch.at X Against HTML Mail / \

8 9

logrotate ALERT
by Bruno Cochofel 11 Nov '05

11 Nov '05

I'm getting this alert under /var/log/messages: ... linux logrotate: ALERT exited abnormally with [1] and ... STATS dropped 0 Can someone tell me if this is a problem? If so, how can I fix it? Thanks, Bruno

2 1

Re: [suse-security] safety with scp
by m3047＠inwa.net 10 Nov '05

10 Nov '05

A low-tech alternative: why be complicated when you don't need to? You are not running ssh at the moment. Do you send and receive e-mail while on the road? Can you/do you run a mailserver? Set up a special account and allow it to receive e-mail from anywhere, but use procmail to filter so that everything which is not sent by you and/or doesn't fit some profile of the messages containing images is discarded. There are mail-based authentication techniques as well, if you feel a need to go that far rather than simply sifting through the accumulated messags when you return home. -- Fred Morris http://www.inwa.net/~m3047/contact.html

2 1

SuSE 9.1 + quota = deadlock - SOLVED!!!
by Christopher Lenzberger 10 Nov '05

10 Nov '05

thanks a lot to jan kara for solving the problem - but will the be an upgraded package via yast-online-update sooner or later? i don't like rebooting the machine all the time... here the fix: ---snip When i_acl_default is set to some error we do not hold the lock (hence we are not allowed to drop it and reacquire later). --- linux-2.6.5/fs/reiserfs/inode.c 2005-11-05 08:57:09.000000000 +0100 +++ linux-2.6.5/fs/reiserfs/inode.c 2005-11-07 07:57:50.000000000 +0100 @@ -1884,7 +1884,7 @@ * iput doesn't deadlock in reiserfs_delete_xattrs. The locking * code really needs to be reworked, but this will take care of it * for now. -jeffm */ - if (REISERFS_I(dir)->i_acl_default) { + if (REISERFS_I(dir)->i_acl_default && !IS_ERR(REISERFS_I(dir)->i_acl_default)) { reiserfs_write_unlock_xattrs(dir->i_sb); iput(inode); reiserfs_write_lock_xattrs(dir->i_sb); ---snap

2 2

Fwd: Unzulässiger Anhang - Positivliste <KBS>
by miguel gmail 10 Nov '05

10 Nov '05

Sorry, list, my first two mails to the list (been listening for a long while), and always get this mail back. My knowledge of German is as closer to null as you wish. What is about? SPAM? Thanks! ---------- Forwarded message ---------- From: mailcheck(a)kbs.de <mailcheck(a)kbs.de> Date: Nov 10, 2005 12:07 PM Subject: Unzulässiger Anhang - Positivliste <KBS> To: miguel.listas(a)gmail.com GROUP Watchdog Server: bknns_02 ----------------------------------------------------------------------- Die von Ihnen mit einem oder mehreren Dateianhängen versandte E-Mail konnte nicht bzw. nur unvollständig zugestellt werden. Um eine sichere Zustellung Ihrer E-Mail zu gewährleisten, werden Sie gebeten, sich vor dem erneuten Versenden mit der knappschaftlichen Mail-Prüfinstanz ( mailto:mailcheck@kbs.de) in Verbindung zu setzten. Mitarbeiter der Bundesknappschaft erhalten weitere Informationen im Laufwerk I:\E-Mail\Weiterleitung.doc oder über eine der folgenden Telefonnummern: 61090 - 83110 - 61180 ----------------------------------------------------------------------- Mail-Info From: miguel gmail <miguel.listas(a)gmail.com> CC: SuSE-Security <suse-security(a)suse.com> Rec.: holger.winkler(a)bundesknappschaft.de Date: 10.11.2005 12:09:40 Subject: Re: [suse-security] safety with scp [KBS checked] ----------------------------------------------------------------------- Datei ist nicht erlaubt tkmime01 -- Saludos, miguel

2 1