Automatic report from sources (radiusd) between 15.07.2007 - 16.07.2007 GMT
CVS log entries from 15.07.2007 (Sun) 08:00:00 - 16.07.2007 (Mon) 08:00:01 GMT ===================================================== Summary by authors ===================================================== Author: aland File: radiusd/configure.in; Revisions: 1.245, 1.198.2.15.2.17 File: radiusd/configure; Revisions: 1.132, 1.95.2.12.2.14 File: radiusd/src/modules/rlm_otp/otp_pw_valid.c; Revisions: 1.1.2.14 Author: nbk File: radiusd/debian/rules; Revisions: 1.54.2.16.2.7 File: radiusd/src/modules/rlm_krb5/configure; Revisions: 1.13, 1.8.4.2.2.3 File: radiusd/debian/changelog; Revisions: 1.60.2.18.2.9 File: radiusd/src/modules/rlm_krb5/configure.in; Revisions: 1.10, 1.7.6.1 Author: pnixon File: radiusd/raddb/postgresqlippool.conf; Revisions: 1.1, 1.1.2.1 File: radiusd/raddb/sqlippool.conf; Revisions: 1.1.2.6 ===================================================== Combined list of identical log entries ===================================================== Description: Regenerate from configure.in Modified files: File: radiusd/src/modules/rlm_krb5/configure; Revision: 1.13; Date: 2007/07/15 12:22:45; Author: nbk; Lines: (+2118 -1662) File: radiusd/src/modules/rlm_krb5/configure; Revision: 1.8.4.2.2.3; Date: 2007/07/15 12:23:15; Author: nbk; Lines: (+2099 -1663) ------------------------------- Description: Added --with-snmp-include-dir Modified files: File: radiusd/configure; Revision: 1.132; Date: 2007/07/15 19:27:28; Author: aland; Lines: (+779 -2477) File: radiusd/configure.in; Revision: 1.245; Date: 2007/07/15 19:27:28; Author: aland; Lines: (+12 -1) ------------------------------- Description: Fix test for -lk5crypto. Thanks to Stephen Gran <sgran@debian.org> Modified files: File: radiusd/src/modules/rlm_krb5/configure.in; Revision: 1.10; Date: 2007/07/15 12:13:45; Author: nbk; Lines: (+11 -9) File: radiusd/src/modules/rlm_krb5/configure.in; Revision: 1.7.6.1; Date: 2007/07/15 12:14:18; Author: nbk; Lines: (+13 -11) ------------------------------- Description: Added --with-snmp-include-dir, already used in SNMP checks Modified files: File: radiusd/configure; Revision: 1.95.2.12.2.14; Date: 2007/07/15 19:26:04; Author: aland; Lines: (+36 -24) File: radiusd/configure.in; Revision: 1.198.2.15.2.17; Date: 2007/07/15 19:26:03; Author: aland; Lines: (+12 -1) ------------------------------- Description: rename sqlippool.conf to postgresqlippool.conf and add MySQL version as sqlippool.conf to keep with 1.1.x naming patterns Modified files: File: radiusd/raddb/postgresqlippool.conf; Revision: 1.1.2.1; Date: 2007/07/16 06:35:22; Author: pnixon; Lines: (+122 -0) File: radiusd/raddb/sqlippool.conf; Revision: 1.1.2.6; Date: 2007/07/16 06:35:23; Author: pnixon; Lines: (+45 -49) ===================================================== Log entries ===================================================== Description: Use the expected date format. Modified files: File: radiusd/debian/changelog; Revision: 1.60.2.18.2.9; Date: 2007/07/15 11:48:57; Author: nbk; Lines: (+1 -1) ------------------------------- Description: Autoconf 2.61 breaks the support for chained configure scripts in combination with config.cache :-( Modified files: File: radiusd/debian/rules; Revision: 1.54.2.16.2.7; Date: 2007/07/15 21:22:06; Author: nbk; Lines: (+0 -1) ------------------------------- Description: file postgresqlippool.conf was initially added on branch branch_1_1. Modified files: File: radiusd/raddb/postgresqlippool.conf; Revision: 1.1; Date: 2007/07/16 06:35:22; Author: pnixon; ------------------------------- Description: Corrected typo Modified files: File: radiusd/src/modules/rlm_otp/otp_pw_valid.c; Revision: 1.1.2.14; Date: 2007/07/15 19:21:04; Author: aland; Lines: (+3 -3) ===================================================== Summary of modified files ===================================================== File: radiusd/configure Revisions: 1.132, 1.95.2.12.2.14 Authors: aland (+779 -2477), aland (+36 -24) ------------------------------- File: radiusd/configure.in Revisions: 1.245, 1.198.2.15.2.17 Authors: aland (+12 -1), aland (+12 -1) ------------------------------- File: radiusd/debian/changelog Revisions: 1.60.2.18.2.9 Authors: nbk (+1 -1) ------------------------------- File: radiusd/debian/rules Revisions: 1.54.2.16.2.7 Authors: nbk (+0 -1) ------------------------------- File: radiusd/raddb/postgresqlippool.conf Revisions: 1.1, 1.1.2.1 Authors: pnixon, pnixon (+122 -0) ------------------------------- File: radiusd/raddb/sqlippool.conf Revisions: 1.1.2.6 Authors: pnixon (+45 -49) ------------------------------- File: radiusd/src/modules/rlm_krb5/configure Revisions: 1.13, 1.8.4.2.2.3 Authors: nbk (+2118 -1662), nbk (+2099 -1663) ------------------------------- File: radiusd/src/modules/rlm_krb5/configure.in Revisions: 1.10, 1.7.6.1 Authors: nbk (+11 -9), nbk (+13 -11) ------------------------------- File: radiusd/src/modules/rlm_otp/otp_pw_valid.c Revisions: 1.1.2.14 Authors: aland (+3 -3) -- Automatic cron job from /web/pages/us.freeradius.org/bin/new_makelog.pl
Hi All, First, i have to say, that I'm a newbie in freeradius-developing. The -X option of radiusd can be used to spoof passwords if the attacker is able to start the radius-deamon in -X mode. Is there a possibility to compile Freeradius without the ability to start in debugging mode? Thanks for your help Markus
Rascher, Markus wrote:
The -X option of radiusd can be used to spoof passwords if the attacker is able to start the radius-deamon in -X mode.
Only if you break the default install. If the attacker is able to *start* the server in -X mode, then it means that the site administrator has given "a+r" permission to the server configuration files. The simple answer is: "Don't do that". The server will refuse to start if its configuration files are globally readable. So it's secure.
Is there a possibility to compile Freeradius without the ability to start in debugging mode?
Edit the source code. Good luck trying to figure out why your policies don't work if you don't have -X. As you may have noticed from the README, FAQ, INSTALL, and daily messages on the -users list, using -X is *highly* recommended. Alan DeKok.
thx -----Ursprüngliche Nachricht----- Von: freeradius-devel-bounces+markus.mr.rascher=siemens.com@lists.freeradius.org [mailto:freeradius-devel-bounces+markus.mr.rascher=siemens.com@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Montag, 16. Juli 2007 11:27 An: FreeRadius developers mailing list Betreff: Re: Freeradius -X option Rascher, Markus wrote:
The -X option of radiusd can be used to spoof passwords if the attacker is able to start the radius-deamon in -X mode.
Only if you break the default install. If the attacker is able to *start* the server in -X mode, then it means that the site administrator has given "a+r" permission to the server configuration files. The simple answer is: "Don't do that". The server will refuse to start if its configuration files are globally readable. So it's secure.
Is there a possibility to compile Freeradius without the ability to start in debugging mode?
Edit the source code. Good luck trying to figure out why your policies don't work if you don't have -X. As you may have noticed from the README, FAQ, INSTALL, and daily messages on the -users list, using -X is *highly* recommended. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Rascher, Markus wrote:
Hi All,
First, i have to say, that I'm a newbie in freeradius-developing.
The -X option of radiusd can be used to spoof passwords if the attacker is able to start the radius-deamon in -X mode. Is there a possibility to compile Freeradius without the ability to start in debugging mode?
Do you mean "spoof" or "steal"?
Sorry, I wanted to say "can see" I used the wrong word -----Ursprüngliche Nachricht----- Von: freeradius-devel-bounces+markus.mr.rascher=siemens.com@lists.freeradius.org [mailto:freeradius-devel-bounces+markus.mr.rascher=siemens.com@lists.freeradius.org] Im Auftrag von Joe Maimon Gesendet: Montag, 16. Juli 2007 16:28 An: FreeRadius developers mailing list Betreff: Re: Freeradius -X option Rascher, Markus wrote:
Hi All,
First, i have to say, that I'm a newbie in freeradius-developing.
The -X option of radiusd can be used to spoof passwords if the attacker is able to start the radius-deamon in -X mode. Is there a possibility to compile Freeradius without the ability to start in debugging mode?
Do you mean "spoof" or "steal"? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Rascher, Markus wrote:
Hi All,
First, i have to say, that I'm a newbie in freeradius-developing.
The -X option of radiusd can be used to spoof passwords if the attacker is able to start the radius-deamon in -X mode. Is there a possibility to compile Freeradius without the ability to start in debugging mode?
If someone has the ability to start the radius daemon, then they have the ability to capture the clear text passwords by means other than using debug. It is far better to secure your machine so that attackers can not get access in order to "start the radius-deamon in -X mode". It may well be necessary for the administrator to use the debug mode, if they run into problems and need assistance from this community, so disabling it could be a bad idea. That being said, all you have to do to disable it, is to remove the option from the list of acceptable switches in your code. I can not see any reason to build a compile time switch to disable the debug feature since there is likely very few people who would prefer to disable debug mode over securing their server. -- Guy Fraser Network Administrator The Internet Centre 1-888-450-6787 (780)450-6787
participants (5)
-
Alan DeKok -
Automatic cvs log generator -
Guy Fraser -
Joe Maimon -
Rascher, Markus