[cobalt-users] Re: cobalt-users digest, Vol 1 #3703 - 18 msgs



At 07:46 PM 13/11/2001 -0800, you wrote:
Send cobalt-users mailing list submissions to
        cobalt-users@xxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        http://list.cobalt.com/mailman/listinfo/cobalt-users
or, via email, send a message with subject or body 'help' to
        cobalt-users-request@xxxxxxxxxxxxxxx

You can reach the person managing the list at
        cobalt-users-admin@xxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-users digest..."


Today's Topics:

   1. Backup MX Server (John M)
   2. suid perl - 2 month old hazard (Barbara -)
   3. Re: RaQ2 emergency help (Gerald Waugh)
   4. Re: NAMED UPDATE !!! (Rusty Wilson)
   5. RE: RaQ2 emergency help (Dan Kriwitsky)
   6. Re: NAMED UPDATE !!! (flash22@xxxxxxx)
   7. RE: NAMED UPDATE !!! (Dan Kriwitsky)
   8. Re: suid perl - 2 month old hazard (flash22@xxxxxxx)
   9. Japanese characters and Apache on the RAQ (Brad Hubbard)
  10. RE: NAMED UPDATE !!! (Todd Kirk)
  11. RE: NAMED UPDATE !!! (JC Jones)
  12. Re: NAMED UPDATE !!! (Sqlcoders.com Programming Dept)
  13. Strange log entry... (Bradley Caricofe)
  14. Re: RaQ2 emergency help (Robbert Hamburg (HaVa Web- & Processdesign))
  15. Re: phpBB on a raq4i (Jay Summers)
  16. Is a firewall necessary with a RaQ? (Rusty Wilson)
  17. Re: suid perl - 2 month old hazard (Rusty Wilson)
  18. Re: Strange log entry... (Sqlcoders.com Programming Dept)

--__--__--

Message: 1
From: "John M" <discuss@xxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Date: Tue, 13 Nov 2001 16:29:52 -0600
Subject: [cobalt-users] Backup MX Server
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

Where can I find info for setting up a Backup MX server with my Cobalt Raq
as my primary server?

IE in Domain.com

10 mail.domain.com
20 backupmail.domain.com

what software can I use to capture the mail and attempt to redeliver for a
period of time?


--__--__--

Message: 2
Date: Tue, 13 Nov 2001 15:05:49 -0800 (PST)
From: Barbara - <thebizworkers@xxxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] suid perl - 2 month old hazard
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

>For this exploit to work, you need
>to have /usr/bin/suidperl setuid.
>We do not ship suidperl setuid.  We do
>ship the binary, but purposely removed
>the suid bit on the program because it
>was not needed.  This exploit will not
>work unless you have changed permissions
>on the suidperl binary.

Okay now, correct me if I'm wrong, but on my RaQ's,
SUID **IS** set on this file by default:

-rws--x--x  2 root  root 517916  Apr  6  1999 suidperl

It was my understanding that any file with the 's' in
the permission mode of the binary (-rws--x--x) is
built with the SUID bit set to *ON* -and- usually
removing the SUID bit on a binary will almost
certainly always break something.

This poster noted that they found this exploit on a
hacked RaQ3 and stated "it works on all the raq3's we
had". So I got nosey and checked my boxes and found
that *YES* indeed SUID bit *IS* set on this file by
default.

I have not installed ANY software on ANY of these
machines short of all Cobalt patches and the Neomail
pkg and a firewall - not even so much as PHP and/or
mySQL -all clean machines right out of the shipping
box.

So...

1) Are these boxes indeed vulnerable to this exploit
or not?

2) Doesn't one need command line to run this exploit?

Barb

__________________________________________________
Do You Yahoo!?
Find the one for you at Yahoo! Personals
http://personals.yahoo.com


--__--__--

Message: 3
From: "Gerald Waugh" <gerald@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-users] RaQ2 emergency help
Date: Tue, 13 Nov 2001 16:42:24 -0500
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

> > And then I tried http://www.test.com, I got admin
> > default site with user name and password windows.
> >
> > I tried http://www.jelly.com, the same thing.
>
> This may help
> Edit the /etc/hosts file and put
> ip www.test.com
> ip www.jelly.com
> ( use the entries already there as an example)
> Gerald
>
I mean \windows\hosts file (assuming you're using Windows).

Gerald



--__--__--

Message: 4
Date: Tue, 13 Nov 2001 12:17:08 -0800 (PST)
From: Rusty Wilson <rustyw007@xxxxxxxxx>
Subject: Re: [cobalt-users] NAMED UPDATE !!!
To: cobalt-users@xxxxxxxxxxxxxxx
Reply-To: cobalt-users@xxxxxxxxxxxxxxx


--- "Robbert Hamburg (HaVa Web- & Processdesign)" <user@xxxxxxx> wrote:
> Security: Running Bind as Named Update 1.0.1
>
> HTTP RaQ4-All-Security-1.0.1-10749.pkg Posted: November 13, 2001
> FTP Point your FTP client to ftp://ftp.cobalt.com Size: 3,305,443
> bytes
>

Thanks for posting this! Does Sun/Cobalt provide a "notification list"
for these updates? Currently I rely on this list, and frequent checks
to the download site to see if there are updates. I sure would like to
get an email every time an update is made available.

--
Rusty




--__--__--

Message: 5
From: "Dan Kriwitsky" <webhosting@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-users] RaQ2 emergency help
Date: Tue, 13 Nov 2001 15:31:20 -0500
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

> I did read the site you attached, and I deleted all
> virtual sites. Now only one main site with an ip
> address. Also I did upload files into it.
>
> When I checked to know which directory they have been
> uploaded, it is in /home/sites/www.test.com/web
>
> Then my dns record points to this ip. When I tried
> www.test.com, I got default admin site. It asks you
> user name and password when you click the link. When I
> tried www.test.com/web, file not found.
>
> Which way is right to test.
>

Create a virtual site in the GUI.
Click on that site in the Siteadmin screen and add a user as site
administrator.
Upload index.html file to the /web directory. Not /web/users/username/web.
You may need to set your FTP program to /web for the remote directory.
--
Dan Kriwitsky






--__--__--

Message: 6
From: flash22@xxxxxxx
Date: Tue, 13 Nov 2001 17:34:22 -0500 (EST)
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] NAMED UPDATE !!!
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

On 13 Nov 2001, Jeff Lovell wrote:

> On Tue, 2001-11-13 at 13:43, Nico Meijer wrote:
> >
> > P.P.S. To the Sun/Cobalt people on this list: I would very much like to
> > know why this reboot is in order. If you would be so kind as to disclose
> > this information, this particular RaQ3 owner would be a happier camper. :-)
>
> That is a very good question....  (email forwarded to the proper
> person)...

Well, the flip side to this, the first pass at the Raq2 update for named
had the same problem, and I expect it's because the pre/post install
scripts can't handle replacing the start script around named ...eg it had
already installed the stop/start script, but the new script can't kill the
old named because it works differently....(no NDC)
Requiring a reboot was likely...expedient ;)

Still, it's kinda ugly ;)

gsh


--__--__--

Message: 7
From: "Dan Kriwitsky" <webhosting@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-users] NAMED UPDATE !!!
Date: Tue, 13 Nov 2001 18:48:32 -0500
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

> Thanks for posting this! Does Sun/Cobalt provide a "notification list"
> for these updates? Currently I rely on this list, and frequent checks
> to the download site to see if there are updates. I sure would like to
> get an email every time an update is made available.
>
http://www.cobalt.com/support/resources/usergroups.html
--
Dan Kriwitsky





--__--__--

Message: 8
From: flash22@xxxxxxx
Date: Tue, 13 Nov 2001 17:51:57 -0500 (EST)
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] suid perl - 2 month old hazard
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

On Tue, 13 Nov 2001, Barbara - wrote:

> >For this exploit to work, you need
> >to have /usr/bin/suidperl setuid.
> >We do not ship suidperl setuid.  We do
> >ship the binary, but purposely removed
> >the suid bit on the program because it
> >was not needed.  This exploit will not
> >work unless you have changed permissions
> >on the suidperl binary.
>
> Okay now, correct me if I'm wrong, but on my RaQ's,
> SUID **IS** set on this file by default:
>
> -rws--x--x  2 root  root 517916  Apr  6  1999 suidperl
>
> It was my understanding that any file with the 's' in
> the permission mode of the binary (-rws--x--x) is
> built with the SUID bit set to *ON* -and- usually

Yup

And I hate to add this, but the Raq2 with factory software has suid bits
set also :(

-rws--x--x   2 root     root       868404 Oct 20  1998 /usr/bin/suidperl

This is perl, version 5.004_04 built for mips-linux

md5sum /usr/bin/suidperl
525d33b9690cd958ddc39075f5d997ca

Note that up to and including 5.00403 are vulnerable...:(

I don't *think* there ever was an update for this...

gsh
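
Added example (not part of any poster's message): the `ls -l` check that Barbara and gsh ran by hand, as shell helpers that read the owner-execute slot of the mode string, list root-owned setuid files under a directory, and clear the bit to match the configuration the vendor statement quoted above describes. The function names and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the setuid bit discussed in this thread.

# Return 0 if an ls-style mode string (e.g. -rws--x--x) carries the setuid bit.
# Character 4 is the owner-execute slot: 's' = setuid + execute,
# 'S' = setuid without execute. 'x' or '-' means the bit is not set.
mode_has_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read `ls -l` lines on stdin and print the name of every root-owned
# entry whose mode string shows the setuid bit.
flag_setuid_root() {
    while read -r mode links owner group size mon day year name; do
        [ -n "$name" ] || continue          # skip short or blank lines
        if mode_has_setuid "$mode" && [ "$owner" = "root" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# List root-owned setuid regular files below a directory on the live system.
list_setuid_root() {
    find "$1" -xdev -type f -user root -perm -4000 -print
}

# Clear the setuid bit on one file; succeeds without change if it is not set.
drop_setuid() {
    [ -u "$1" ] || return 0
    chmod u-s "$1"
}

# Sample input: the first two lines are the listings quoted in the thread,
# the third is a constructed non-setuid entry for contrast.
sample_listing() {
    cat <<'EOF'
-rws--x--x  2 root  root 517916  Apr  6  1999 suidperl
-rws--x--x   2 root     root       868404 Oct 20  1998 /usr/bin/suidperl
-rwx--x--x  2 root  root 517916  Apr  6  1999 perl-example
EOF
}

# Stand-alone run: prints the two setuid entries from the sample.
sample_listing | flag_setuid_root
```

On a live host, `list_setuid_root /usr/bin` gives the same answer directly from the filesystem, and the result can be compared against what the vendor says it ships.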


--__--__--

Message: 9
From: Brad Hubbard <brad@xxxxxxxxxxxxxxxx>
Organization: Congo Systems
To: cobalt-users@xxxxxxxxxxxxxxx
Date: Wed, 14 Nov 2001 11:08:54 +1100
Subject: [cobalt-users] Japanese characters and Apache on the RAQ
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

I'm using Apache on my RAQ to serve up some pages with Japanese chars. The
files contain the following META instruction;

<meta http-equiv="Content-Type" content="text/html; charset=Shift_JIS">

The files display appropriately in IE 5+ but are gibberish in most other
browsers. Can someone give me a quick rundown of what's required or,
alternatively, point me to some sites?

Cheers,
Brad


--__--__--

Message: 10
From: "Todd Kirk" <tkirk@xxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-users] NAMED UPDATE !!!
Date: Wed, 14 Nov 2001 11:08:07 +1100
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

> Thanks for posting this! Does Sun/Cobalt provide a "notification list"
> for these updates? Currently I rely on this list, and frequent checks
> to the download site to see if there are updates. I sure would like to
> get an email every time an update is made available.
>
> --
> Rusty

Yep...go to the below link and sign up for the announce list.
http://www.cobalt.com/support/resources/usergroups.html


regards,

Todd Kirk


--__--__--

Message: 11
From: "JC Jones" <jcjones@xxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-users] NAMED UPDATE !!!
Date: Tue, 13 Nov 2001 16:51:55 -0700
Organization: Golden Computer Service
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

They are supposed to come out on the cobalt-announce list, but this one
has not shown up there yet.

JC Jones

-> -----Original Message-----
-> From: cobalt-users-admin@xxxxxxxxxxxxxxx
-> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Rusty Wilson
-> Sent: Tuesday, November 13, 2001 1:17 PM
-> To: cobalt-users@xxxxxxxxxxxxxxx
-> Subject: Re: [cobalt-users] NAMED UPDATE !!!
->
->
->
-> --- "Robbert Hamburg (HaVa Web- & Processdesign)"
-> <user@xxxxxxx> wrote:
-> > Security: Running Bind as Named Update 1.0.1
-> >
-> > HTTP RaQ4-All-Security-1.0.1-10749.pkg Posted: November
-> 13, 2001 FTP
-> > Point your FTP client to ftp://ftp.cobalt.com Size: 3,305,443 bytes
-> >
->
-> Thanks for posting this! Does Sun/Cobalt provide a
-> "notification list"
-> for these updates? Currently I rely on this list, and frequent checks
-> to the download site to see if there are updates. I sure
-> would like to
-> get an email every time an update is made available.
->
-> --
-> Rusty


--__--__--

Message: 12
From: "Sqlcoders.com Programming Dept" <coders@xxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-users] NAMED UPDATE !!!
Date: Wed, 14 Nov 2001 02:00:08 -0800
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

----- Original Message -----
From: "Rusty Wilson" <rustyw007@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, November 13, 2001 12:17 PM
Subject: Re: [cobalt-users] NAMED UPDATE !!!


>
> --- "Robbert Hamburg (HaVa Web- & Processdesign)" <user@xxxxxxx> wrote:
> > Security: Running Bind as Named Update 1.0.1
> >
> > HTTP RaQ4-All-Security-1.0.1-10749.pkg Posted: November 13, 2001
> > FTP Point your FTP client to ftp://ftp.cobalt.com Size: 3,305,443
> > bytes
> >
>
> Thanks for posting this! Does Sun/Cobalt provide a "notification list"
> for these updates? Currently I rely on this list, and frequent checks
> to the download site to see if there are updates. I sure would like to
> get an email every time an update is made available.

I get an email every time, I thought everyone did?
Just go to patchmonitor.com and give them your email address, and you get an
email like this every time....

<mail>
----- Original Message -----
From: "patchmonitor" <patchmonitor@xxxxxxxxxxxxxxxx>
To: <webmaster@xxxxxxxxxxxxx>
Sent: Tuesday, November 13, 2001 1:13 PM
Subject: New Cobalt Patch Released!

Dear William dw,
On November 13 Cobalt released a new patch for the RaQ3 and a new patch for
the RaQ4.
This is a security related patch and should be installed.
[snip unsubscribe info]
 </mail>



>
> --
> Rusty


--__--__--

Message: 13
Date: Tue, 13 Nov 2001 17:13:27 -0800 (PST)
From: Bradley Caricofe <bcaricofe@xxxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] Strange log entry...
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

Hello,

As some of you may know, I had to rebuild our production webserver from
scratch in the last week after our thoughtful provider, CobaltRacks.com,
kindly reloaded our operating system.  I am now seeing this in my LogCheck
emails:

Nov 13 19:59:50 www kernel: lockd_up: makesock failed, error=-111

I did search the Cobalt archives as well as a few other Linux mailing
groups and have not been able to find much information on its cause.  The
past posts I have found all seem to point to possible security concerns
over this entry, so I thought I'd run it past you folks to see if anyone
had any ideas.  Thanks!

-Bradley Caricofe



--__--__--

Message: 14
From: "Robbert Hamburg \(HaVa Web- & Processdesign\)" <user@xxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-users] RaQ2 emergency help
Date: Tue, 13 Nov 2001 18:32:12 +0100
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

>
> How to set up each site, and how to configure each
> site, I mean some sites' default is index.html,
> index.htm, default.asp, whatever, how to configure it?
>
> Please help, and thank you so much in advance.

Starting:

Did you set up a DNS server?
Did you create a set of DNS records for each virtual site?

--- Robbert


--__--__--

Message: 15
Date: Tue, 13 Nov 2001 11:36:47 -0600
Subject: Re: [cobalt-users] phpBB on a raq4i
From: Jay Summers <jay@xxxxxxxxxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

> Hi Sean, I am very new at this, I installed mysql and php from the cobalt
> site, now I need to link them together, not sure how to do that, also where do
> you install phpBB, so that you can get to it to run the install program?

I believe you just need to untar it and move it into a web accessible
directory, edit the config.php and bring up the installer in your web
browser.

Here's the installer instructions from the site:

http://www.phpbb.com/guide.php

hth,
j

--
http://www.bizmanuals.com


--__--__--

Message: 16
Date: Tue, 13 Nov 2001 17:50:50 -0800 (PST)
From: Rusty Wilson <rustyw007@xxxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] Is a firewall necessary with a RaQ?
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

I can't imagine how many virtual groans my subject line caused, but I'm
not an expert in this area, and I am curious...

I know what the basic purpose of a firewall is, and I understand the
different types (application/proxy, packet filtering, hybrid). What I
am wondering is...

How much *additional* security does a firewall afford over a cobalt RaQ
with only "official" (i.e. from Sun support) packages installed?

Even with a firewall, good practice dictates that you shut down all
unnecessary services on your servers (whatever they may be). My
understanding of the internet "appliance" idea is that only the
necessary services are there in the first place - so I'm not sure what
I gain by adding a firewall.

Thanks!
Rusty




--__--__--

Message: 17
Date: Tue, 13 Nov 2001 17:52:50 -0800 (PST)
From: Rusty Wilson <rustyw007@xxxxxxxxx>
Subject: Re: [cobalt-users] suid perl - 2 month old hazard
To: cobalt-users@xxxxxxxxxxxxxxx
Reply-To: cobalt-users@xxxxxxxxxxxxxxx


--- Barbara - <thebizworkers@xxxxxxxxx> wrote:
>
> I have not installed ANY software on ANY of these
> machines short of all Cobalt patches and the Neomail
> pkg and a firewall - not even so much as PHP and/or
> mySQL -all clean machines right out of the shipping
> box.
>
Barb,

What firewall do you have installed? Is it on a RaQ "in front" of your
network, or on each RaQ server?

I'm looking to improve the security of my RaQs.

--
Rusty




--__--__--

Message: 18
From: "Sqlcoders.com Programming Dept" <coders@xxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-users] Strange log entry...
Date: Wed, 14 Nov 2001 04:10:30 -0800
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

----- Original Message -----
From: "Bradley Caricofe" <bcaricofe@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, November 13, 2001 5:13 PM
Subject: [cobalt-users] Strange log entry...


> Hello,
>
> As some of you may know, I had to rebuild our production webserver from
> scratch in the last week after our thoughtful provider, CobaltRacks.com,
> kindly reloaded our operating system.  I am now seeing this in my LogCheck
> emails:
>
> Nov 13 19:59:50 www kernel: lockd_up: makesock failed, error=-111
>

It looks like it failed to create a socket for that daemon.
Here's the description of the lockd daemon....
< http://www.tac.eu.org/cgi-bin/man-cgi?rpc.lockd+8 >
     The rpc.lockd daemon provides monitored and unmonitored file and record
     locking services in an NFS environment.  To monitor the status of hosts
     requesting locks, the locking daemon typically operates in conjunction
     with rpc.statd(8).
</ http://www.tac.eu.org/cgi-bin/man-cgi?rpc.lockd+8 >

So it's the network file system locking daemon that's having problems.
I doubt it's anything to worry about unless you use NFS, in which case some
other component will go tits up and email you or such.
If you don't know what NFS is or whether you have it, then you don't have it
and it's nothing to worry about (no offense or anything, you understand, but
it's something you'd need to set up as far as I know, so unless you purposefully
did such it's not something you'll be using in a hurry).

I think I heard some warnings about RPCs, which is part of NFS, but that
was for Windows if memory serves.

hope that helps,
dw


> I did search the Cobalt archives as well as a few other Linux mailing
> groups and have not been able to find much information on its cause.  The
> past posts I have found all seem to point to possible security concerns
> over this entry, so I thought I'd run it past you folks to see if anyone
> had any ideas.  Thanks!
>
> -Bradley Caricofe



--__--__--



End of cobalt-users Digest