Rob

De laatste jaren is JAVA zeer populair geworden onder FreeBSD gebruikers als server-side taal.

Enkele FreeBSD community leden hebben het initatief genomen om een stap verderte gaan‚ ze zijn ermee begonnen dit leidde tot de
bouw van de Java Development Kit (JDK) voor FreeBSD. In [url=http://www.onjava.com/pub/a/onjava/2002/07/10/javabsd.html]dit artikel[/url] van Onlamp’s Justin Stepka wordt dit pad van deze community leden nader bekeken evenals de verschillende instalatie opties en hoe te compileren en instaleren van native versie 1.3 van JDK.

Theo de Raadt poste op de openbsd-misc mailing list dat httpd voortaan standaard gechroot in /var/www.
Dit heeft als gevolg dat alle soorten ongewilde eigenschappen niet meer werken.

[quote]**********************************
To: misc@cvs.openbsd.org
Subject: httpd changes
From: Theo de Raadt
Date: Tue‚ 09 Jul 2002 15:19:07 -0600
——————————————————————————–

httpd by default now chroot’s into /var/www.

This causes all sorts of fancy features to break. Fancy features which
we believe to be quite unsafe.

If you don’t like this behaviour‚ use the -u flag for httpd_flags in
/etc/rc.conf to get back to the way it used to be. We bet that when
the next bug in apache comes‚ you’ll regret it though.

This is the best approach we can currently take against such a
monolothic piece of software with such bad behaviours. It is just too
big to audit‚ so for simple usage‚ we are constraining it to within
that jail.

When you turn the -u flag on and off‚ no other configuration changes
are needed.

All this is documented.

Good luck.
[/quote]

Voor meer informatie hierover lees de volgende [url=http://www.sigmasoft.com/~openbsd/archive/openbsd-misc/200207/threads.html#00639]Thread[/url]

Bron: [url=http://www.freebsd.org/releng/index.html]Freebsd.org[/url]
Bij de volgende release van FreeBSD (17 juli 2002 versie 4.6.1.) wordt SSH en BIND upgedate‚ dit omdat huidige SSH en BIND niet meer veilig zijn.
Hiernaast is er een belangrijke update in de ATA driver en er zijn andere kleine veranderingen.

Ook voor de nieuwe FreeBSD 5.0 wordt een developer preview uitgebracht op 25 Juli. Hiervan zal een volledig package-set aanwezig zijn en een ISO image.

Ik kreeg een aankonding in mijn mailbox dat OpenSSH 3.4 nu in het base system zit (hij zat natuurlijk al in de ports)
[quote]
I finished the upgrade a little over an hour ago‚ and my post-commit
buildworld just completed. It should now be safe to upgrade.

Privilege separation is turned off by default‚ because it breaks
Kerberos ticket passing. If you don’t use ticket passing‚ or don’t
know what Kerberos is‚ it should be safe to turn privilege separation
on in /etc/ssh/sshd_config (after make world and mergemaster‚ of
course.)

Please stay alert for any signs of ssh (particularly sshd) trouble‚ or
unexpected changes in OpenSSH’s behaviour‚ including unexpected
changes in configuration defaults.

DES
[/quote]

Gister kwam op de FreeBSD security mailinglist een melding van een gevaarlijke worm
die op apache 1.3.24 en FreeBSD actief is. Binnen 3 uur was de binary gedeassembleerd en kon
het effect bekeken worden. Later dook ook de source code nog eens op.
Het doel van de trojan was om een DoS aanval uit te voeren op dit adres: 12.127.17.71.
[url=http://dammit.lt/apache-worm/]Meer info[/url]

De worm is als volgt te herkennen:
[quote]
This was spotted on our real-time honeypot systems
(running Apache 1.3.24‚ of course)

bash-2.05a$ ls -la /tmp
total 128
drwxrwxrwt 3 root wheel 512 Jun 28 14:02 .
-rwxr-xr-x 1 nobody wheel 51626 Jun 28 08:25 .a
-rw-r–r– 1 nobody wheel 70563 Jun 28 08:25 .uua
[/quote]

Dus zorg er zeker voor dat je je apache updated

Kerneltrap heeft een interview met Jordan Hubbard gepubliceerd. Deze mede oprichter van het FreeBSD project en momenteel werkzaam bij Apple. Niet zo lang geleden is hij gestopt met het werken aan het FreeBSD project.

In dit interview vertelt hij over zijn huidige werk en over zijn vroegere werk als FreeBSD developer.

[url=http://kerneltrap.org/node.php?id=278]Het interview[/url]
[url=http://daily.daemonnews.org/view_story.php3?story_id=2837]Zijn reden om te stoppen met FreeBSD[/url]

De nieuwe FreeBSD release is dan echt een feit‚ er zijn wat onechte berichten geweest o.a. op /. maar nu trof ik toch echt een pgp signed message in mijn mailbox aan dat 4.6 gereleased is.

Voor de release notes: [url=http://www.FreeBSD.org/releases/4.6R/relnotes.html]klik hier[/url]

Dus cvsup je sources en maak die wereld opnieuw.

Een quote van de announce mail:
[quote]
I am happy to announce the availability of FreeBSD 4.6-RELEASE‚ the
very latest release on the FreeBSD -STABLE development branch. Since
FreeBSD 4.5-RELEASE in January 2002‚ we have made hundreds of fixes‚
updated many system components‚ and addressed a wide variety of
security issues.

One of the most significant changes in FreeBSD 4.6 is the adoption of
XFree86 4.2.0 as the default version of the X Windows System. We
encourage users (particularly those upgrading from older installations
of XFree86) to consult the relevant section of the FreeBSD Handbook
for information on installing and configuring XFree86 4.2.0. This
information can be found on-line at:

[url]http://www.FreeBSD.org/handbook/x11.html[/url]

On systems with the doc distribution installed‚ it can also be found
at:

/usr/share/doc/en_US.ISO8859-1/books/handbook/x11.html

A number of enhancements to network device drivers have been made‚ as
well as updates to the ATA storage subsystem.

Some contributed programs have been updated‚ such as sendmail
(updated to 8.12.3) and the ISC DHCP client (updated to 3.0.1RC8).

For more information about the most significant changes with this
release of FreeBSD‚ please see the release notes:

[url]http://www.FreeBSD.org/releases/4.6R/relnotes.html[/url]

It is also useful to peruse the errata file‚ as it contains
late-breaking news about the release:

[url]http://www.FreeBSD.org/releases/4.6R/errata.html[/url]

For more information about FreeBSD release engineering activities
(including a schedule of upcoming releases)‚ please see:

[url]http://www.FreeBSD.org/releng/[/url]

Availability
————

FreeBSD 4.6-RELEASE supports the i386 and alpha architectures and can
be installed directly over the net using the boot floppies or copied
to a local NFS/FTP server. Distributions for the i386 are available
now. Final builds for the alpha architecture are in progress and will
be made available shortly.

We can’t promise that all the mirror sites will carry the larger ISO
images‚ but they will at least be available from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/
ftp://ftp2.FreeBSD.org/pub/FreeBSD/
ftp://ftp.au.FreeBSD.org/pub/FreeBSD/
ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/
ftp://ftp.lt.FreeBSD.org/pub/FreeBSD/
ftp://ftp.nctu.edu.tw/FreeBSD/

If you can’t afford FreeBSD on media‚ are impatient‚ or just want to
use it for evangelism purposes‚ then by all means download the ISO
images‚ otherwise please continue to support the FreeBSD Project by
purchasing media from one of our supporting vendors. The following
companies have contributed substantially to the development of
FreeBSD:

FreeBSD Mall‚ Inc. http://www.freebsdmall.com/
FreeBSD Services Ltd. http://www.freebsd-services.com/
Daemon News http://www.bsdmall.com/freebsd1.html

Each CD or DVD set contains the FreeBSD installation and application
package bits for the i386 (“PC”) architecture. For a set of distfiles
used to build ports in the ports collection‚ please see the FreeBSD
Toolkit‚ a 6 CD set containing extra bits which no longer fit on the 4
CD set‚ or the DVD distribution from FreeBSD Services Ltd.
[/quote]

Bron: [url=http://www.bsdforums.org/forums/showthread.php?threadid=1126]BSDForums[/url]

Luigi Rizzo heeft de ipfw code( userland + kernel ) uitgebreid herscheven hiermee te pogen de code sneller en flexibeler te maken.

[quote]Date: Sat‚ 8 Jun 2002 20:19:09 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: New ipfw code available
Message-ID: <20020608201909.A41807@iguana.icir.org>

[Bcc to -current because it is relevant there as well — sorry for the
crosspost]

Hi‚
over the past 2-3 weeks I have done an extensive rewrite of the
ipfw code (userland + kernel) in an attempt to make it faster and
more flexible.

The idea (which I discussed a few times on the mailing lists) was
to replace the current ipfw rules (macroinstructions) with a set
of microinstructions‚ each of them performing a single operation
such as matching an address‚ or a port range‚ or a protocol flag‚
etc. — much in the spirit of BPF and derivatives — and to let
the userland front-end compile ipfw(8) commands into an appropriate
set of microinstructions.

There are several advantages in using this technique: first of all‚
instructions are typically shorter and faster‚ because the former
code had to check for the presence of all the possible options in
a rule‚ whereas the new one can simply do just the things that are
required — e.g. an instruction like

allow ip from 1.2.3.0/24 to any

translates to a couple of microinstructions (whose complete
implementation is below the instructions themselves):

O_IP_DST
if (((ipfw_insn_ip *)cmd)->addr.s_addr ==
(dst_ip.s_addr & ((ipfw_insn_ip *)cmd)->mask.s_addr))
goto cmd_match;
goto cmd_fail;

O_ACCEPT:
retval = 0; /* accept */
goto accept;

But there is a lot more — the instruction set is easily extensible‚
and without backward compatibility problems. Furthermore‚ you can
build (and I have already implemented them) more complex rules by
assembling microinstructions with OR and NOT operands. I.e. you can write
something like:

pipe 10 tcp from 1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28 21-25‚1024-4095
to any in recv ed0 or recv fxp1 or recv dc0 uid 35 or uid 50

You get the idea…

I have a fairly complete version of the above code at the moment‚
which is only missing a small set of functionalities
(ip/tcp flags matching‚ “log” and fixing hooks to the stateful
code). However the glue to implement all the missing pieces is
already there‚ it is just a matter of adding a few lines of code
and testing things.
Other than that‚ the code is meant to be fully compatible with the
old syntax so you will not have to rewrite your existing rulesets.

I have put a preliminary snapshot of this code (for CURRENT) at

http://info.iet.unipi.it/~luigi/ipfw5.20020609.tgz

It replaces the following files from a recent (2002/05/14) version of -current.

sys/netinet/ip_dummynet.c
sys/netinet/ip_fw.c
sys/netinet/ip_fw.h
sbin/ipfw/ipfw.c

I would be very grateful if someone could have a look at the
code‚ maybe give it a try‚ and see e.g. how it compiles your
typical ruleset and whether the new extensions can make your
ipfw rulesets simpler.

Feedback welcome‚ both on the architecture and on the implementation.

NOTE: if people wonder why I did not use BPF and reinvented the wheel:
the keyword is “backward compatiblity” — i thought it was a bit too
complex to compile the existent ipfw syntax into BPF‚ especially because
BPF at least as far as i know does not handle UIDs‚ and GIDs and
interface matches and different “actions” than match or not match‚
so i would have had to extend the code anyways‚ at which point i
thought I could as well write my own microinstruction set…

cheers
luigi
———————————–+————————————-
Luigi RIZZO‚ luigi@iet.unipi.it . Dip. di Ing. dell’Informazione
http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2‚ 56126 PISA (Italy)
Mobile +39-347-0373137
———————————–+————————————-
to

thanks
luigi
[/quote]