Cerber -- security module for FreeBSD

Hello Pawel,

Saturday, August 2, 2003, 9:46:20 AM, you wrote:

> I just tagged CVS with RELEASE_1_0_RC3 and RELEASE_1_0.
> CerbNG-1.0RC3 will be presented for a week, I think.
> No functional changes will be done between RC3 and 1.0.
> I want only fix bugs and add some documentation.
> So, please test CerbNG and report any bugs.

There is no new files on sourceforge, and files in cvs are still old.
Did you add option to uninstall cerb?

What purpose does have op-test? They always fails on my computer.

-- 
Best regards,
 Dariusz                            mailto:takeda@...
SCSA, SCNA, LPI, CCNA, MCP certified

Hello,

I could download new version so here is little update.

Saturday, August 2, 2003, 11:53:10 AM, I wrote:
>> I just tagged CVS with RELEASE_1_0_RC3 and RELEASE_1_0.
>> CerbNG-1.0RC3 will be presented for a week, I think.

Did you create new branch (RELEASE_1_0_RC3) on purpose or by accident?
:) 

> Did you add option to uninstall cerb?

I think this should be introduced before 1.0

> What purpose does have op-test? They always fails on my computer.

Here is stuff that IMHO should be fixed before 1.0:

1) compiling warning

#v+
sh make_operations.sh

Cerb has been compiled for UP machine.
bison -d -o clang2.c clang2.y
clang2.y: warning: 58 shift/reduce conflicts and 50 reduce/reduce conflicts
cc -O -pipe -march=pentiumpro -I/usr/home/takeda/cvs/cerb/cerb-ng/ucerb/../kcerb -g -Wall -Wno-unused    -c libcerb.c
#v-

It's just a warning, but maybe it would be good idea to fix it.

2) testing

#v+
Running op tests:

        Running test INVALID... FAIL (exit code: 1)
        Running test INVALID... FAIL (exit code: 1)
        Running test INVALID... FAIL (exit code: 1)
[...] - it's more, but all lines are identical, all op test fail,
other test pass.
#v-

On console I see:
#v+
CerbNG:ERROR:fcb_cerb: Operation not permitted.
CerbNG:ERROR:fcb_cerb: Operation not permitted.
CerbNG:ERROR:fcb_cerb: Operation not permitted.
CerbNG:ERROR:fcb_cerb: Bad address of ca_tab: 0xdeadc0de.
CerbNG:ERROR:fcb_cerb: Bad address of ca_tab: 0.
CerbNG:ERROR:fcb_cerb: Bad address of ca_scalls: 0xdeadc0de.
CerbNG:ERROR:fcb_cerb: Cannot copy syscalls from userland.
CerbNG:ERROR:fcb_cerb: Too many rules: 16384 (should be less than or equal to 8192).
CerbNG:ERROR:fcb_cerb: Too many rules: 8193 (should be less than or equal to 8192).
CerbNG:ERROR:fcb_cerb: Too many rules: 4294967295 (should be less than or equal to 8192).
CerbNG:ERROR:fcb_cerb: There are no rules.
CerbNG:ERROR:fcb_cerb: Too big table number: 6 (should be less than 3).
CerbNG:ERROR:fcb_cerb: Too big table number: 3 (should be less than 3).
CerbNG:ERROR:fcb_cerb: Too big table number: 4294967295 (should be less than 3).
CerbNG:ERROR:fcb_cerb: Too many syscalls to catch: 788 (should be less than 394).
CerbNG:ERROR:fcb_cerb: Too many syscalls to catch: 394 (should be less than 394).
CerbNG:ERROR:fcb_cerb: Too many syscalls to catch: 4294967295 (should be less than 394).
CerbNG:ERROR:fcb_cerb: ca_nrules (10) is different than real number of urules (5).
CerbNG:ERROR:fcb_cerb: ca_nrules (6) is different than real number of urules (5).
CerbNG:ERROR:fcb_cerb: ca_nrules (2) is different than real number of urules (3 or more).
CerbNG:ERROR:fcb_cerb: ca_nrules (4) is different than real number of urules (5 or more).
CerbNG:ERROR:fcb_urule_fill: Cannot copy table with arguments from userland.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Too many elements in table: 69 (should be less than or equal to 64).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Too many elements in table: 65 (should be less than or equal to 64).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: ur_args field is 0xdeadc0de and should be NULL, because ur_nargs is 0.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Bad numbers of elements in table: 32 (should be 0)
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,true'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,true'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,true'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,false'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,false'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,false'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,next'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,next'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,next'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Function number too big: 136 (should be less than 136).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Function number too big: 272 (should be less than 136).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect v_type of value number 0 (id=1, type=11, op=1)
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect v_type of value number 0 (id=1, type=22, op=1)
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect v_type of value number 0 (id=1, type=4294967295, op=1)
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect type of value 0.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect type of value 0.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect type of value 0.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Error while coping argument [valno: 0].
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Bad string address [valno: 0].
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String too long: 4096 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String too long: 8192 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String too long: 4294967295 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String 1 too long: 4096 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String 1 too long: 8192 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Error while coping argument [valno: 0].
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Table too big: 32 (should be less than 32).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Table too big: 64 (should be less than 32).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Table too big: 4294967295 (should be less than 32).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Bad strings table address [valno: 0].
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Strings table too big: 4096 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Strings table too big: 8192 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Strings table too big: 4294967295 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_cerb: Operation not permitted.
CerbNG:ERROR:fcb_cerb: Operation not permitted.
CerbNG:ERROR:fcb_cerb: Operation not permitted.
CerbNG:ERROR:fcb_cerb: Bad address of ca_tab: 0xdeadc0de.
CerbNG:ERROR:fcb_cerb: Bad address of ca_tab: 0.
CerbNG:ERROR:fcb_cerb: Bad address of ca_scalls: 0xdeadc0de.
CerbNG:ERROR:fcb_cerb: Cannot copy syscalls from userland.
CerbNG:ERROR:fcb_cerb: Too many rules: 16384 (should be less than or equal to 8192).
CerbNG:ERROR:fcb_cerb: Too many rules: 8193 (should be less than or equal to 8192).
CerbNG:ERROR:fcb_cerb: Too many rules: 4294967295 (should be less than or equal to 8192).
CerbNG:ERROR:fcb_cerb: There are no rules.
CerbNG:ERROR:fcb_cerb: Too big table number: 6 (should be less than 3).
CerbNG:ERROR:fcb_cerb: Too big table number: 3 (should be less than 3).
CerbNG:ERROR:fcb_cerb: Too big table number: 4294967295 (should be less than 3).
CerbNG:ERROR:fcb_cerb: Too many syscalls to catch: 788 (should be less than 394).
CerbNG:ERROR:fcb_cerb: Too many syscalls to catch: 394 (should be less than 394).
CerbNG:ERROR:fcb_cerb: Too many syscalls to catch: 4294967295 (should be less than 394).
CerbNG:ERROR:fcb_cerb: ca_nrules (10) is different than real number of urules (5).
CerbNG:ERROR:fcb_cerb: ca_nrules (6) is different than real number of urules (5).
CerbNG:ERROR:fcb_cerb: ca_nrules (2) is different than real number of urules (3 or more).
CerbNG:ERROR:fcb_cerb: ca_nrules (4) is different than real number of urules (5 or more).
CerbNG:ERROR:fcb_urule_fill: Cannot copy table with arguments from userland.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Too many elements in table: 69 (should be less than or equal to 64).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Too many elements in table: 65 (should be less than or equal to 64).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: ur_args field is 0xdeadc0de and should be NULL, because ur_nargs is 0.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Bad numbers of elements in table: 32 (should be 0)
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,true'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,true'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,true'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,false'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,false'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,false'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,next'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,next'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect ,,next'' argument.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Function number too big: 136 (should be less than 136).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Function number too big: 272 (should be less than 136).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect v_type of value number 0 (id=1, type=11, op=1)
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect v_type of value number 0 (id=1, type=22, op=1)
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect v_type of value number 0 (id=1, type=4294967295, op=1)
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect type of value 0.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect type of value 0.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Incorrect type of value 0.
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Error while coping argument [valno: 0].
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Bad string address [valno: 0].
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String too long: 4096 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String too long: 8192 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String too long: 4294967295 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String 1 too long: 4096 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: String 1 too long: 8192 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Error while coping argument [valno: 0].
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Table too big: 32 (should be less than 32).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Table too big: 64 (should be less than 32).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Table too big: 4294967295 (should be less than 32).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Bad strings table address [valno: 0].
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Strings table too big: 4096 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Strings table too big: 8192 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
CerbNG:ERROR:fcb_urule_fill: Strings table too big: 4294967295 (should be less than 4096).
CerbNG:ERROR:fcb_cerb: Error when filling rule 0.
#v-

3) bugs in rules
- apache.cb still doesn't work with apache 2.0, it didn't display any
  error, but it don't start. I couldn't find the problem, strace
  didn't work while cerber was loaded (in some previous version, I'll
  try it again)
- crontab - didn't work for users which aren't member of wheel group,
  it also didn't work while I switched user using su (it was
  depending on login variable), I sent modiffied version, but I guess
  it was rejected o overlooked. This doesn't allow to change root's
  crontab when you cannot login as root directly (but you need to use
  su to become root)
- openssh - I'm not 100% sure if this is bug in cerber, I noticed that
  "w" and "who" commands doesn't realy show who is realy logged in,
  also last does show that somebody logged in, but it shows that user
  is still logged in even when that person loggs out. This happend to
  regular users, I'm actually shown correctly (but I'm member of wheel
  group). I think there could be bug in openssh rules.
- screen - doesn't have rights to check if password is correct (while
  is locked by ^A-x) but that could be on purpose - screen then asks
  to specify custom password

4) And very tiny bug (date is old :):
Aug  2 22:33:59 freebsd /kernel: CerbNG v1.0-RC3-2003070401 loaded.

5) this could be rather feature request, I noticed just now that cerb
   cannot compile statement like this one:

   if (a == b) {
     something(a)
   } else if (a == c) {
     something_else(b)
   }

   After 'else' it's expecting '{' It doesn't allow 'if'

-- 
Best regards,
 Dariusz                            mailto:takeda@...
SCSA, SCNA, LPI, CCNA, MCP certified

Hello, Dariusz Kulinski!

On Sat, Aug 02, 2003 at 11:53:10AM -0700, you wrote:

> > I just tagged CVS with RELEASE_1_0_RC3 and RELEASE_1_0.
[...]
> What purpose does have op-test? They always fails on my computer.

I think this option will be avaliable in port for cerb.

-- 
NEVE-RIPE, will build world for food
Ukrainian FreeBSD User Group
http://uafug.org.ua/

On Sun, Aug 03, 2003 at 12:24:04AM -0700, Dariusz Kulinski wrote:
+> Saturday, August 2, 2003, 11:53:10 AM, I wrote:
+> >> I just tagged CVS with RELEASE_1_0_RC3 and RELEASE_1_0.
+> >> CerbNG-1.0RC3 will be presented for a week, I think.
+>=20
+> Did you create new branch (RELEASE_1_0_RC3) on purpose or by accident?
+> :)=20

On purpose of course. There will be CerbNG-v1.0RC3, so there is branch to
(There are also branches RELEASE_1_0_RC1 and RELEASE_1_0_RC2).

+> > Did you add option to uninstall cerb?
+>=20
+> I think this should be introduced before 1.0

And it will be. It is almost done.

+> Here is stuff that IMHO should be fixed before 1.0:
+>=20
+> 1) compiling warning
+>=20
+> #v+
+> sh make_operations.sh
+>=20
+> Cerb has been compiled for UP machine.
+> bison -d -o clang2.c clang2.y
+> clang2.y: warning: 58 shift/reduce conflicts and 50 reduce/reduce confli=
cts
+> cc -O -pipe -march=3Dpentiumpro -I/usr/home/takeda/cvs/cerb/cerb-ng/ucer=
b/../kcerb -g -Wall -Wno-unused    -c libcerb.c
+> #v-
+>=20
+> It's just a warning, but maybe it would be good idea to fix it.

I think this can't be fixed. There are some problems with bison that just
can't be solved. For example we can't add as many warnings checks as we
want because produced code (with bison) doesn't compile with those
warnings.

+> 2) testing
+>=20
+> #v+
+> Running op tests:
+>=20
+>         Running test INVALID... FAIL (exit code: 1)
+>         Running test INVALID... FAIL (exit code: 1)
+>         Running test INVALID... FAIL (exit code: 1)
+> [...] - it's more, but all lines are identical, all op test fail,
+> other test pass.
+> #v-

Are you sure that you have loaded <cerb-directory>/test/optests/optests.cb
rules before you've run those tests?

File INSTALL was out of date. Look at docs/HOWTO.html.

+> On console I see:
+> #v+
[...]
+> #v-

This is because one of test suite if checking illegal behaviour.
It is giving wrong addresses to cerb, it is trying to loaded rules
as an unprivileged user, etc. And informations of those illegal tries
are send to console. Is this is really annoying? Maybe it should goes
only to logs...

+> 3) bugs in rules
+> - apache.cb still doesn't work with apache 2.0, it didn't display any
+>   error, but it don't start. I couldn't find the problem, strace
+>   didn't work while cerber was loaded (in some previous version, I'll
+>   try it again)

I can't check this. So only thing that I could do here is to give a note,
that this policy works with apache 1.3.x only.

+> - crontab - didn't work for users which aren't member of wheel group,

I'll look at this.

+>   it also didn't work while I switched user using su (it was
+>   depending on login variable), I sent modiffied version, but I guess
+>   it was rejected o overlooked. This doesn't allow to change root's
+>   crontab when you cannot login as root directly (but you need to use
+>   su to become root)

Could you send it again?
But I susspect that this will be hard to fix. su(1) doesn't call
setlogin(2) and I'm not sure why. And we really need login, because
cron's data goes to /var/cron/tabs/<login>. I see 2 possibilities:
1. Leave as it is with note about that.
2. One should create two tables using global registers and put there
   uids and logins:
	greg[0] =3D [ 0, 1000, 1001, 1002, 1003 ];
	greg[1] =3D [ "root", "jules", "takeda", "foo", "bar" ];
   Then policy could use those tables to find real login name.

+> - openssh - I'm not 100% sure if this is bug in cerber, I noticed that
+>   "w" and "who" commands doesn't realy show who is realy logged in,
+>   also last does show that somebody logged in, but it shows that user
+>   is still logged in even when that person loggs out. This happend to
+>   regular users, I'm actually shown correctly (but I'm member of wheel
+>   group). I think there could be bug in openssh rules.

I'll look at this as well.

+> - screen - doesn't have rights to check if password is correct (while
+>   is locked by ^A-x) but that could be on purpose - screen then asks
+>   to specify custom password

This isn't on purpose. I susspect screen(1) is only trying to read
/etc/spwd.db and this should be permited. I'll fix this.

+> 4) And very tiny bug (date is old :):
+> Aug  2 22:33:59 freebsd /kernel: CerbNG v1.0-RC3-2003070401 loaded.

This isn't current date:)
This is date when last important change (from policies point of view)
was made - new operation was added, some operations was removed, some
fixed, etc. It is something like sysctl kern.osreldate in FreeBSD.

+> 5) this could be rather feature request, I noticed just now that cerb
+>    cannot compile statement like this one:
+>=20
+>    if (a =3D=3D b) {
+>      something(a)
+>    } else if (a =3D=3D c) {
+>      something_else(b)
+>    }
+>=20
+>    After 'else' it's expecting '{' It doesn't allow 'if'

Yes, there is no 'else if' in cerb for now. Slawek Zak is working on it,
but I'm not sure if it will be done before 1.0. It isn't easy hack.

Many thanks for your reports/suggestions. I'll try to solve them today.

--=20
Pawel Jakub Dawidek                       pawel@...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

On Sat, Aug 02, 2003 at 06:46:20PM +0200, Pawel Jakub Dawidek wrote:
=3D> Hello.
=3D>=20
=3D> I just tagged CVS with RELEASE_1_0_RC3 and RELEASE_1_0.
=3D>=20
=3D> CerbNG-1.0RC3 will be presented for a week, I think.
=3D> No functional changes will be done between RC3 and 1.0.
=3D> I want only fix bugs and add some documentation.
=3D>=20
=3D> So, please test CerbNG and report any bugs.

Will Cerb be avaliable for CURRENT before 1.0 release?

--=20
k.

On Sun, Aug 03, 2003 at 01:30:48PM +0200, Jakub Klausa wrote:
+> =3D> I just tagged CVS with RELEASE_1_0_RC3 and RELEASE_1_0.
+> =3D>=20
+> =3D> CerbNG-1.0RC3 will be presented for a week, I think.
+> =3D> No functional changes will be done between RC3 and 1.0.
+> =3D> I want only fix bugs and add some documentation.
+> =3D>=20
+> =3D> So, please test CerbNG and report any bugs.
+>=20
+> Will Cerb be avaliable for CURRENT before 1.0 release?

I hope so. That's why I've create RELEASE_1_0 tag now, because code
need to be reorganized to be ready for 4.x and 5.x and this is hard
task. When CerbNG v1.0 will be avaliable I want to present
CerbNG v2.0-DP1 or something, that will work on 4.x and 5.x.

--=20
Pawel Jakub Dawidek                       pawel@...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

On Sun, Aug 03, 2003 at 01:49:35PM +0200, Pawel Jakub Dawidek wrote:

=3D> I hope so. That's why I've create RELEASE_1_0 tag now, because code
=3D> need to be reorganized to be ready for 4.x and 5.x and this is hard
=3D> task. When CerbNG v1.0 will be avaliable I want to present
=3D> CerbNG v2.0-DP1 or something, that will work on 4.x and 5.x.

I'm holding my breath then ;>

--=20
k.

On Sun, Aug 03, 2003 at 12:18:53PM +0200, Pawel Jakub Dawidek wrote:
+> +> > Did you add option to uninstall cerb?
+> +>=20
+> +> I think this should be introduced before 1.0
+>=20
+> And it will be. It is almost done.

Done.

+> +> - crontab - didn't work for users which aren't member of wheel group,
+>=20
+> I'll look at this.

Done.

+> +>   [...] This doesn't allow to change root's
+> +>   crontab when you cannot login as root directly (but you need to use
+> +>   su to become root)

No. Those checks are made only when real uid > 0, so not for root.

--=20
Pawel Jakub Dawidek                       pawel@...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

Hello Pawel,

Sunday, August 3, 2003, 3:18:53 AM, you wrote:

After upgrading to RC3 and logged out, I couldn't log in back.
After some investigation I noticed that openssh tried to seteuid back
to root while I was trying to log in.
I saw that there was no difference in seteuid code, so  concentrated
on setegid, and noticed that there was call instead of a sucall.
I attached a patch (I doubt it's needed, but it'll probably save you
some time to search for that line :P)

> Are you sure that you have loaded <cerb-directory>/test/optests/optests.cb
> rules before you've run those tests?
> File INSTALL was out of date. Look at docs/HOWTO.html.

Yes, I followed the old INSTALL (I actually readed it only once while
I was installing cerb first time)
But shouldn't test be more automatic? I mean they could load just
compiled cerb mod, and rules for testing?

> This is because one of test suite if checking illegal behaviour.
> It is giving wrong addresses to cerb, it is trying to loaded rules
> as an unprivileged user, etc. And informations of those illegal tries
> are send to console. Is this is really annoying? Maybe it should goes
> only to logs...

For me realy anoying is that some rules give too much informations.
Especially openssh.cb, I moddified some rules to make my logs more
cleaner.

+>> - crontab - didn't work for users which aren't member of wheel group,
> I'll look at this.

It's a matter to set euid to 0 while doing realpath. And also allow
chdir.

> Could you send it again?
> But I susspect that this will be hard to fix. su(1) doesn't call
> setlogin(2) and I'm not sure why. And we really need login, because
> cron's data goes to /var/cron/tabs/<login>. I see 2 possibilities:
> 1. Leave as it is with note about that.
> 2. One should create two tables using global registers and put there
>    uids and logins:
>         greg[0] = [ 0, 1000, 1001, 1002, 1003 ];
>         greg[1] = [ "root", "jules", "takeda", "foo", "bar" ];
>    Then policy could use those tables to find real login name.

I used:
3) allow cron to modiffy /var/cron/tabs/*. This is less secure, so I
   understand that this could be reason for rejecting the patch.

+>> - screen - doesn't have rights to check if password is correct (while
+>>   is locked by ^A-x) but that could be on purpose - screen then asks
+>>   to specify custom password
> This isn't on purpose. I susspect screen(1) is only trying to read
> /etc/spwd.db and this should be permited. I'll fix this.

+>> 4) And very tiny bug (date is old :):
+>> Aug  2 22:33:59 freebsd /kernel: CerbNG v1.0-RC3-2003070401 loaded.

> This isn't current date:)
> This is date when last important change (from policies point of view)
> was made - new operation was added, some operations was removed, some
> fixed, etc. It is something like sysctl kern.osreldate in FreeBSD.

Ok, I got it now, but don't you think - last change date would be
better? Especialy for people who use cerb from cvs. But it could be
too much work.

+>> 5) this could be rather feature request, I noticed just now that cerb
+>>    cannot compile statement like this one:
+>> 
+>>    if (a == b) {
+>>      something(a)
+>>    } else if (a == c) {
+>>      something_else(b)
+>>    }
+>> 
+>>    After 'else' it's expecting '{' It doesn't allow 'if'

> Yes, there is no 'else if' in cerb for now. Slawek Zak is working on it,
> but I'm not sure if it will be done before 1.0. It isn't easy hack.

Maybe we should wait with this after 1.0, this is not that important,
and would just make 1.0 appear even later.

> Many thanks for your reports/suggestions. I'll try to solve them today.

Thanks for cerb :)

-- 
Best regards,
 Dariusz                            mailto:takeda@...
SCSA, SCNA, LPI, CCNA, MCP certified

Hello,

Sunday, August 3, 2003, 1:23:41 PM, I wrote:

> After upgrading to RC3 and logged out, I couldn't log in back.
> After some investigation I noticed that openssh tried to seteuid back
> to root while I was trying to log in.
> I saw that there was no difference in seteuid code, so  concentrated
> on setegid, and noticed that there was call instead of a sucall.
> I attached a patch (I doubt it's needed, but it'll probably save you
> some time to search for that line :P)

UPS! There still is a bug, after I logged in I'm member of sshd group
not wheel! So I guess patch will be little bit more complicated.

-- 
Best regards,
 Dariusz                            mailto:takeda@...
SCSA, SCNA, LPI, CCNA, MCP certified

Hello,

Sunday, August 3, 2003, 1:41:26 PM, I wrote:

> UPS! There still is a bug, after I logged in I'm member of sshd group
> not wheel! So I guess patch will be little bit more complicated.

Here is updated patch, this time appears to be correct. I hope there
is no more bugs.

Anyway, I guess sucall isn't really working, so maybe instead of
applying this patch, would be better idea to fix it?

As I understand sucall is exactly as call but is running with root
privileges. Is that correct?

-- 
Best regards,
 Dariusz                            mailto:takeda@...
SCSA, SCNA, LPI, CCNA, MCP certified

On Sun, Aug 03, 2003 at 01:23:41PM -0700, Dariusz Kulinski wrote:
+> I saw that there was no difference in seteuid code, so  concentrated
+> on setegid, and noticed that there was call instead of a sucall.
+> I attached a patch (I doubt it's needed, but it'll probably save you
+> some time to search for that line :P)

Yes, thanks. I've found it also while I was tracking bug with 'w'/'who'
that you've reported.

+> > Are you sure that you have loaded <cerb-directory>/test/optests/optest=
s.cb
+> > rules before you've run those tests?
+> > File INSTALL was out of date. Look at docs/HOWTO.html.
+>=20
+> Yes, I followed the old INSTALL (I actually readed it only once while
+> I was installing cerb first time)
+> But shouldn't test be more automatic? I mean they could load just
+> compiled cerb mod, and rules for testing?

No, because some rules could be loaded already. I want to be sure, that
user know exactly what he is doing.

+> > This is because one of test suite if checking illegal behaviour.
+> > It is giving wrong addresses to cerb, it is trying to loaded rules
+> > as an unprivileged user, etc. And informations of those illegal tries
+> > are send to console. Is this is really annoying? Maybe it should goes
+> > only to logs...
+>=20
+> For me realy anoying is that some rules give too much informations.
+> Especially openssh.cb, I moddified some rules to make my logs more
+> cleaner.

I think I'll add some sysctl: cerb.user.verbose and modify CB_LOG() macro
to output logs only when it is set to 1.

+> +>> - crontab - didn't work for users which aren't member of wheel group,
+> > I'll look at this.
+>=20
+> It's a matter to set euid to 0 while doing realpath. And also allow
+> chdir.

There was problem with chdir() and stat(), but adding wheel group
instead of euid 0 is enough.

There was problems with realpath() as well, but I've change it to
'cdir' + argument.

+> I used:
+> 3) allow cron to modiffy /var/cron/tabs/*. This is less secure, so I
+>    understand that this could be reason for rejecting the patch.

Yes. Here we got one of the most importnat topics related with cerb or
other syscall wrappers.

Cerb exists, because I decide that this is stupid to give some applications
euid 0 just because it want to open raw socket or open /etc/spwd.db for
reading. But sometimes we need to give more privileges.
For example, there is su.cb policy, but it doesn't protect su(1)
application, because if process is permited to change its uid to 0
there is nothing that we can do. If some process want to open /etc/spwd.db
for writing there is noting that we can do. su.cb policy exists only
because of degrade-unknown-sugids.cb policy.

In crontab.cb case we are able to limit crontab(1) operations to only
"safe" operations. We could control everythings there.
And now if you allow crontab(1) to write just to /var/cron/tabs/ we're
loosing all security. If process is permited to write only to its own
file in /var/cron/tabs/ it is secure.

--=20
Pawel Jakub Dawidek                       pawel@...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

Hello Pawel,

Sunday, August 3, 2003, 2:08:55 PM, you wrote:

> On Sun, Aug 03, 2003 at 01:23:41PM -0700, Dariusz Kulinski wrote:
+>> I saw that there was no difference in seteuid code, so  concentrated
+>> on setegid, and noticed that there was call instead of a sucall.
+>> I attached a patch (I doubt it's needed, but it'll probably save you
+>> some time to search for that line :P)

> Yes, thanks. I've found it also while I was tracking bug with 'w'/'who'
> that you've reported.

When  you'll update CVS?
I think to update cerb.

BTW: Does latest security advisory (about realpath) have effect on
cerb? Shold I recompile it?

-- 
Best regards,
 Dariusz                            mailto:takeda@...
SCSA, SCNA, LPI, CCNA, MCP certified

On Mon, Aug 04, 2003 at 11:20:31AM -0700, Dariusz Kulinski wrote:
+> +>> I saw that there was no difference in seteuid code, so  concentrated
+> +>> on setegid, and noticed that there was call instead of a sucall.
+> +>> I attached a patch (I doubt it's needed, but it'll probably save you
+> +>> some time to search for that line :P)
+>=20
+> > Yes, thanks. I've found it also while I was tracking bug with 'w'/'who'
+> > that you've reported.
+>=20
+> When  you'll update CVS?
+> I think to update cerb.

It will be updated, but first I need to solve some problems with it.
For now openssh.cb for non-wheel-group members works only when
privilegeseparation is off.

+> BTW: Does latest security advisory (about realpath) have effect on
+> cerb? Shold I recompile it?

No.

--=20
Pawel Jakub Dawidek                       pawel@...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

* Dariusz Kulinski:

[2. application/octet-stream; openssh2.diff]...

could you please make simple text diffs a text/plain atachment,
mr. "SCSA, SCNA, LPI, CCNA, MCP certified"?

  clemens

Hello Clemens,

Tuesday, August 5, 2003, 11:24:24 AM, you wrote:

> [2. application/octet-stream; openssh2.diff]...

> could you please make simple text diffs a text/plain atachment,
> mr. "SCSA, SCNA, LPI, CCNA, MCP certified"?

I think diff is a binary file, prove that I'm wrong.
(For my mailer diff is a unknown type so it's treating it as a binary
by default - it's not my concern that it isn't viewed incorrectly on your
gnus - hey! I'm even happy because of that)

Instead of concentrating on sensless talk, you could try do something
useful mr. "I know everything, and nothing"

I'm think I'll put you on my ignore list.
Since I'm on this group, you never said anything related to cerber. I
don't understand why you even subscribed here and why nobody kicked
you off? 

-- 
Best regards,
 Dariusz                            mailto:takeda@...
SCSA, SCNA, LPI, CCNA, MCP certified

* Dariusz Kulinski:

> I think diff is a binary file, prove that I'm wrong.

you did a diff to see the differences of two text files?  the result
is a text file.  so you send it in mails as text/plain.  didn't you
learn that wherever you bought your certificates?  anything about MIME
at all?

  clemens

On Wed, Aug 06, 2003 at 08:56:23PM +0200, Clemens Fischer wrote:
[...]

I said: NOT HERE.

And this is the last warning.

--=20
Pawel Jakub Dawidek                       pawel@...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

* Pawel Jakub Dawidek:

> I said: NOT HERE.

you're right, i could have answered in private email.  this list is
not the place for this, i'm sorry.

  clemens

On Sun, Aug 03, 2003 at 12:24:04AM -0700, Dariusz Kulinski wrote:
+> 3) bugs in rules
[...]
+> - openssh - I'm not 100% sure if this is bug in cerber, I noticed that
+>   "w" and "who" commands doesn't realy show who is realy logged in,
+>   also last does show that somebody logged in, but it shows that user
+>   is still logged in even when that person loggs out. This happend to
+>   regular users, I'm actually shown correctly (but I'm member of wheel
+>   group). I think there could be bug in openssh rules.

I've corrected openssh.cb a bit, but I'm not sure if it fix this problem.

+> - screen - doesn't have rights to check if password is correct (while
+>   is locked by ^A-x) but that could be on purpose - screen then asks
+>   to specify custom password

Fixed.

--=20
Pawel Jakub Dawidek                       pawel@...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

On Wed, Aug 13, 2003 at 03:11:06PM +0200, Michal Belczyk wrote:
+> @@ -281,10 +284,13 @@
+>                 }
+>         }
+>         if (syscall =3D=3D SYS_setgroups) {
+> -               reg[0] =3D sucall();
+> +               reg[0] =3D euid;
+> +               setpeuid(0);
+> +               reg[1] =3D call();
+>                 CB_LOG(LOG_INFO, "Setting groups to %U [ret=3D%d].",
+> -                   tabrange(arg[1], arg[0]), reg[0]);
+> -               return reg[0];
+> +                   tabrange(arg[1], arg[0]), reg[1]);
+> +               setpeuid(reg[0]);
+> +               return reg[1];
+>         }
+>         if (syscall =3D=3D SYS_setlogin) {
+>                 reg[0] =3D sucall();
+> -
+>=20
+> Why wasn't that commited ? And why using sucall() makes that all users
+> logged in become members of sshd group ? And it doesn't matter if there
+> is privsep turned on or off - it still doesn't work as it should.

You're right. sucall() cache cred structure and restore it after call to
original syscall. So for setgroups(2) it can't be used.

Commited, thanks!

--=20
Pawel Jakub Dawidek                       pawel@...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net