
Re: [cobalt-users] ftp security



Jim Dory wrote:

>
> Goetz Lohmann wrote:
>
>>
>> after watching my files ;-)
>>
>> # rpm -qa|grep sg-
>> sg-cpp-1.1.2-30_SG201_cobalt
>> sg-egcs-1.1.2-30_SG201_cobalt
>>
>> I noticed that I installed the RaQ550 compiler a while ago which
>> works still fine on my RaQ4 ...
>>
>> you might get them from:
>>
>> # rpm -Uvh ftp://ftp.cobalt.sun.com/pub/products/raq550/RPMS/sg-cpp-1.1.2-30_SG201_cobalt.i386.rpm
>> # rpm -Uvh ftp://ftp.cobalt.sun.com/pub/products/raq550/RPMS/sg-egcs-1.1.2-30_SG201_cobalt.i386.rpm
>>
> So this looks easy enough. Just install these two rpms and then when I
> compile proftp it will use these to stack harden the installation? If
> I find some time I will try and read any documentation that may exist
> on the parent directories to those rpms. This way I don't have to deal
> with the Stackguard gcc, I'm assuming. - though at this point I don't
> yet know what a sg-cpp or sg-egcs is.

Stackguard is a technique to prevent buffer overflows.

Every time a subfunction is called, maybe a C function to collect a
string input, the program parameters are kept on the stack to
jump back to that position. A buffer overflow attack cheats this because it
overwrites the part of the stack where the return address is.
So the program does not jump back but instead jumps into other code, which
may give root access to the one who started the attack.
The Stackguard technique now checks whether the return address is valid; if
not, it stops operation instead of running wild.

The sg (Stackguard) enabled compilers from above are the ones from Cobalt
themselves. They do quite the same as the default gcc
except that they insert the checks on return jumps. You could disable this
feature by giving a compiler flag.

If you install these two RPMs, your default gcc is now the sg-gcc. So you
don't have to change any Makefile to give another compiler.
You are still able to compile as before, and from now on it hardens the programs.

>> get proftpd-1.2.8 (better use the 1.2.8 stable than the 1.2.9 RC)
>>
>> # cd /tmp
>> # wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.8.tar.bz2
>> # tar -jxvf proftpd-1.2.8.tar.bz2
>> # cd proftpd-1.2.8
>> # ./configure --with-modules=mod_tls --prefix=/usr --sysconfdir=/etc
>> # make
>
>
> Do this and then make install would be what I usually do.. any benefit
> or reason to not do 'make install' and instead copy the files to those
> directories you listed below? 

Normally, if you are sure what will happen, a make install is quite what you
want. But in fact if you do this, any previous proftpd in
/usr/sbin will be overridden without notice. Maybe if you like to make a
backup copy of the files it is sometimes better to copy
them by hand instead. Notice that there is no trash can like in
Winboxes, and you could easily smash a box with the wrong
make install in some cases (for example, imap is extremely freaky at this).
Proftpd is a quite simple program with a pretty good
makefile. But anyway I liked to show. Maybe if you study the makefile
you will find @ install that the makefile still does nothing
else than copy and chmod the files.

>> maybe then copy the files by your own or do a make install
>> the compiled files are:
>>
>> ftpcount --> /usr/bin/
>> ftpshut  --> /usr/sbin/
>> ftptop   --> /usr/bin/
>> ftpwho   --> /usr/bin/
>> proftpd  --> /usr/sbin/
>>  
>>
>> maybe you could also do a RPM file but you have to change the
>> configure line in proftpd.spec first
>>
> I don't know what that change would be or where it would go so will
> consider just doing what you said above that last line. That all
> sounds good and easy - thanks very much again. 

SPEC files are the building description of an RPM file. You may find a
lot of programs in tarballs to compile by yourself, but only a few
of them come with a predefined spec file. In this spec file, which is
something like a bash script (batch file), are the same
compiling commands as I typed above. But by default the "mod_tls" option
is not enabled, so this has to be turned on to
get SSL support in proftpd. You need not bother about it. It's only if you
wish to distribute the package.

I could do a package for you, but you might run into dependency checks
(maybe you got another openssl version running than I)
so it is far more easy to compile it by yourself.

jepp ... proftpd is kind of a real good girl if it's about the way of compiling
it. I wish some other programs might be as easy, but anyway
be aware that you are hacking on the ground of your cobalt box, which
isn't a playground. A typo could have bad effects in Linux.

... I'm a freaky guy living on the prompt of my korn shell *ggg* ...
always nice to help !

-- 

¸,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°°¤ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°°¤ø,¸

Götz Lohmann  |  D-Mannheim  |  Web-Developer & Sys-Admin
---------------------------------------------------------
He's the fellow that people wonder what he does and why
the company needs him, until he goes on vacation.
¸,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°°¤ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°°¤ø,¸
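
The return-address check described in the message above, modeled as an added example (not part of the original post, and not Cobalt's or StackGuard's code): StackGuard places a guard word ("canary") next to the saved return address and verifies it before the function returns. The frame layout, the guard and address values, and all names below are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame: buffer, guard word, return address. */
struct frame {
    char      buf[16];
    uintptr_t canary;  /* guard word stored by the function prologue */
    uintptr_t ret;     /* saved return address */
};

#define CANARY_VALUE ((uintptr_t)0x000aff0dU) /* constructed sample guard */
#define SAVED_RET    ((uintptr_t)0x08048abcU) /* constructed sample address */

enum outcome { RETURNED_NORMALLY, ABORTED_BY_GUARD, HIJACKED };

/* Simulates a callee that copies len bytes into buf without a bounds check.
 * The copy is clamped to the model frame so the demo itself stays memory
 * safe; input must hold at least min(len, sizeof(struct frame)) bytes. */
static enum outcome call_with_input(const void *input, size_t len, int guarded)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;                 /* prologue: place the guard */
    f.ret    = SAVED_RET;                    /* prologue: save return address */

    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);                  /* unchecked copy, starts at buf */

    if (guarded && f.canary != CANARY_VALUE) /* epilogue: verify the guard */
        return ABORTED_BY_GUARD;             /* stop instead of returning */
    return f.ret == SAVED_RET ? RETURNED_NORMALLY : HIJACKED;
}

int main(void)
{
    static const char *names[] = { "returned normally", "aborted by guard",
                                   "return address overwritten" };
    char big[sizeof(struct frame)];
    memset(big, 'A', sizeof big);            /* constructed oversized input */

    printf("short input, guarded:   %s\n", names[call_with_input("anonymous", 10, 1)]);
    printf("long input,  unguarded: %s\n", names[call_with_input(big, sizeof big, 0)]);
    printf("long input,  guarded:   %s\n", names[call_with_input(big, sizeof big, 1)]);
    return 0;
}
```

Because the guard sits between the buffer and the return address, a linear overflow has to change it before it can reach the address, which is why the check fires even when only one byte past the buffer is written.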