mail-lists.delegate-en - <_A3592@delegate-en.ML_>
[DeleGate-En] DeleGate/9.4.0 (ALPHA) -- implanted configuration parameters in the executable file
Dear DeleGate users,
I inform you of the new release of DeleGate available as follows:
--------------------------------------------------------------------------
DeleGate/9.4.0 -- (ALPHA) -- implanted configuration parameters in the executable file
IMPLANTED CONFIGURATION PARAMETERS
- supported "implanting" parameters into the executable file
- implanted parameters can be encrypted to protect them from peeping by others
- "subin" is obsoleted, just set "set-uid-on-exec" flag of the executable
An executable file can have "implanted" parameters to control authentication
and capabilities; which user or group can use it and which protocols or
functions it can execute.
The executable owned by "root" with "set-uid-on-exec" replaces "subin" to
execute privileged operations including binding privileged ports or PAM
authentication.
The implanted parameters in an executable file are edited with the "-Fimp" option.
See the help information of it with "delegated -Fimp -h" and the page
<URL:http://www.delegate.org/delegate/implant/>
SECURE BINARY DISTRIBUTION
- executable files distributed from DeleGate.ORG are signed with its RSA key
- modification to the executable since the compilation is detected on startup
The executable file of DeleGate (delegated) has become signed and verified.
The file is signed at the build-time, and a modification of it (might be
a malicious interpolation) is detected when it is invoked to stop the
invocation.
ENCRYPTION OF CONFIGURATION PARAMETERS
- introduced a pseudo URL "enc:" to represent a chunk of encrypted data
- arbitrary data can be encrypted to the "enc:" format with "-Fenc".
- encrypted data can be used as parameters of DeleGate with "+=enc:..."
See the help information of it with "delegated -Fenc -h" and the page
<URL:http://www.delegate.org/delegate/encrypt/>
--------------------------------------------------------------------------
SITE: <URL:ftp://ftp.delegate.org/pub/DeleGate/>
FILE: delegate9.4.0.tar.{gz,bz2}
DATE: Dec 4 17:19 JST 2006
TAR-SIZE: 6195200 bytes
TAR-MD5: 04bd47b34a8ac3fd2a4f4e75659c296d
PUBLIC-KEY: http://www.delegate.org/rsa-pubkey.pem
TAR-MD5-SIGN:
0KZLaVhJSerfRwo0Aioo7brd7yxu+xjjZsaIzd0B3jl/WqR51GJX20JXhOnYdIClmGJBaxj0
HAv8TG5EkMFsZXdUXxZAKEGb5qu2iaHJ8e3MMqJa2Upv1VpLQfvt+DF0YdBnPY3R1lLB9kco
5trk095wmwKB7BBQeI/TDXlaDDI=
[NEW]
* general: "-Fimp" option to implant parameters into the executable
* general: restricting users who can invoke the executable file (with passwd)
* general: restricting capable Functions, protocols, params, and systemcalls
* general: auto. invocation of SERVER="sudo" proc. for privileged operations
* general: detection of interpolation of the executable file
+ general: "-Fenc" option to make encrypted parameters (or file)
+ POP: implemented RFC2449 "CAPA" for STLS
+ HTTP: introduced HTTPCONF=kill-iqhead and HTTPCONF=kill-irhead
[MOD]
+ OWNER: OWNER="invoker's-uid" by default when invoked with set-uid-on-exec
+ general: wait in foreground till daemon process launches
+ general: don't start in background without -Pxxx
+ CFI: act as a filter if without -Pxxx and invoked with std-I/O of sockets
+ AF_UNIX: expanded VSAddr from 32B to 128 for AF_UNIX
+ FreeBSD: use setproctitle() if it's available
+ Windows: MAXIMA=winmtu:0 (from 1024) by default (7.9.4)
[FIX]
+ SSLway: fixed session cache with client's certificate (9.2.4)
+ general: fixed SEGV on long CRYPT key
+ general: fixed infinite loop by malformed hostlist
+ SockMux: fixed SockMux on a FIFO pair (8.8.6)
+ TUNNEL: fixed SERVER=tunnel1 for TUNNEL=tty7:xxx.shio (8.0.1)
+ HTTP: fixed FFROMCL="-p,"filter for binary-relay (with HTTP/CONNECT)
+ Telnet: fixed relaying DataMark/OOB ASAP. without seeing TimingMark (9.0.3)
+ FreeBSD: don't care EOF of PIPE as OOB on FreeBSD (9.0.3)
+ MacOSX: coped with "OWNER=nobody" on MacOSX (in which uid(nobody) == -2)
+ CGI/SSI: enabled invocation via CGI/SSI
+ CGI/SSI: restarting as a service from CGI/SSI on Windows
+ SSH: enabled invocation via SSH
+ AF_UNIX: re-enabled AF_UNIX on Solaris (3.0.35)
+ AF_UNIX: repaired AF_UNIX + UDP to work (since 9.0.0 for IPv6)
Cheers,
Yutaka
--
9 9 Yutaka Sato <pfqcabdyi-mxhgu437bchw.ml@delegate.org> http://delegate.org/y.sato/
( ~ ) National Institute of Advanced Industrial Science and Technology
_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
--
9.4.0 061201 fix credhy.c: faster strtoHex/hextoStr without sscanf/sprintf
9.4.0 061130 new {httpx,script,delegated}.c: generic usage of enc: URI "scheme"
9.4.0 061130 mod {dgauth,dgsign}.c: accepts ":passWord" for "pass:passWord"
9.4.0 061130 fix script.c: coped with large +=enc: string
9.4.0 061129 new dgsign.c: erasing implanted param/opts with -zPARAM / -z-X
9.4.0 061129 new dgsign.c: -Fenc / -Fdec to encrypt/decrypt +=enc:ext:...
9.4.0 061129 new dgsign.c: loading encrypted parameters as +=enc:ext::xxxx:
9.4.0 061129 new dgsign.c: saving encrypted parameters with -Fimp -se or -sk
9.4.0 061128 new dgsign.c: supported -Fimp -U on Win
9.4.0 061128 new windows.c: implemented getting the owner name on Win
9.4.0 061128 new windows.c: implemented st_ino on Win (but only in short int)
9.4.0 061128 fix dgsign.c: supported -Fimp -k on Win
9.4.0 061126 new {dgauth,dgsign}.c: generic PASSWD=Dom:User:pass:xxxx storage
9.4.0 061125 new dgsign.c: introduced -Fimp -k to encrypt implanted config.
9.4.0 061125 fix {delegated,pelcgb}.c: fixed SEGV on long CRYPT key
9.4.0 061125 mod dgsign.c: allow -Fimp only to the owner and the group of exe.
9.4.0 061124 mod credhy.c: stopped too slow "dazzling" in CreyEncrypts(9.0.6)
9.4.0 061124 fix hostlist.c: infinite loop by malformed hostlist as "{a,b}c"
9.4.0 061123 new credhy.c: added simple safe string encoding instead of Hex
9.4.0 061123 fix {dgsign,credhy}.c: coped with a large config. file
9.4.0 061122 new param.c: supported -C -PARAM to disable the PARAM
9.4.0 061122 new dgsign.c: save/load commented configuration of -Fimp as is
9.4.0 061121 new dgsign.c: introduced -Fimp -e option (edit with vi or EDITOR)
9.4.0 061120 new dgsign.c: enabled arbitrary parameter NAME=value with -Fimp
9.4.0 061120 mod embed.c: enlarged the default size of IMP area to 4KB
9.4.0 061119 mod delegated.c: act as a filter if without -Pxxx and via socket
9.4.0 061117 fix dgsign.c: fixed broken password MD5 for repetitive -Fimp
9.4.0 061117 mod delegated.c: execute -Fkill as a usual -Ffunction
9.4.0 061117 new {delegate,param*.c: added ".lock.NAME=value" or ".lock.NAME"
9.4.0 061117 new embed.c: setting size of -Fimp area as "make IMPSIZE=1234"
9.4.0 061116 new dgsign.c: -Fimp coped with rewriting self on ETXTBSY
9.4.0 061115 fix sox.c: SockMux on a FIFO pair with Credhy preamble (8.8.6)
9.3.1 061111 fix sslway.c: sess. cache with client's certificate(9.2.4)
9.4.0 061113 mod sslway.c: introduced TLSOCNF="context:xxx"
9.4.0 061113 new http.c: introduced HTTPCONF=kill-iqhead and kill-irhead
9.4.0 061110 mod sslway.c: showing library loading errors on the start (-vl)
9.4.0 061108 fix telnet.c: relay DM/OOB A.S.A.P. without seeing TM(9.0.3-pre18)
9.4.0 061109 fix nbio.c: FFROMC=-p,filter for binary-relay (HTTP/CONNECT)
9.4.0 061108 fix _-select.c: don't care EOF of PIPE as OOB on FreeBSD (9.0.3)
9.4.0 061108 fix delegated.c: fixed SEGV on start (9.4.0-pre1)
9.4.0 061107 mod delegated.c: wait in foreground till daemon proc. launch
9.4.0 061107 mod dgsign.c: -Fimp -m not to change the group-ownership
9.4.0 061107 mod embed.c: SUDOAUTH=":root,.u,/.g,/wheel,/staff" by default
9.4.0 061107 new svport.c: showing help for -Fimp -m on bind(-Pxx) error
9.4.0 061107 mod sudo.c: set the owner of SUDO socket to the one in OWNER
9.4.0 061107 mod dgsign.c: -Fimp -o copies modes of original to a new exec.
9.4.0 061107 mod delegated.c: create LOGFILE as DGROOT/{sudo,sudo-error}.log
9.4.0 061107 fix delegated.c: don't create generalist PROTOLOG for SERVER=sudo
9.4.0 061106 mod windows.c: MAXIMA=winmtu:0 (from 1024) by default (7.9.4)
9.4.0 061105 mod {pstitle,setproctitle}.c: use setproctitle() if available
9.4.0 061104 mod {__locking,_-CreateThread}.c: merged into windows.c
9.4.0 061103 mod unix.c: extracted Unix only code from windows.c
9.4.0 061103 mod {winserv,winreg}.c: merged into windows.c
9.4.0 061103 new pop.c: implemented RFC2449 "CAPA" for STLS
9.4.0 061102 new delegated.c: detecting interpolation of the executable file
9.4.0 061102 new {service,delegated}.c: masking capable protocols by -Fimp
9.4.0 061102 new {dgsign.c,commands}.c: masking capable functions by -Fimp
9.4.0 061101 new delegated.c: "-r" option for INETD="" without -Pxxx
9.4.0 061031 mod delegated.c: don't start in background without -Pxxx
9.4.0 061028 fix file.c: coped with "OWNER=nobody" on MacOSX (uid == -2)
9.4.0 061028 new dgsign.c: -Fimp to implant config. params. into executable
9.4.0 061028 mod master.c: OWNER="invoker-uid" by default on set-uid-on-exec
9.4.0 061028 new sudo.c: introduced SUDOPASS=pass to be run with set-uid-flag
9.4.0 061028 fix httpd.c: fixed SERVER=tunnel1 for TUNNEL=tty7:x.shio (8.0.1)
9.4.0 061027 fix {delegated,winserv}.c: restarting as a service from CGI/SSI
9.4.0 061027 fix delegated.c: closing stdout on error restart from CGI/SSI
9.4.0 061026 fix {delegated,remote}.c: enabled invocation via SSH
9.4.0 061024 new windows.c: sending a file desc. by DuplicateHandle on Win
9.4.0 061024 mod delegated.c: re-enabled AF_UNIX on Solaris (3.0.35)
9.4.0 061024 fix nbio.c: fixed connect() with timeout to work with AF_UNIX
9.4.0 061022 new sendFd1.c: sending a file descriptor via AF_UNIX socket
9.4.0 061022 fix inets.c: repaired AF_UNIX + UDP to work (since 9.0.0 for IPv6)
9.4.0 061022 mod {vaddr,vsocket}.h: expanded VSAddr from 32B to 128 for AF_UNIX
--
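The release block in the announcement above lists TAR-SIZE, TAR-MD5, PUBLIC-KEY and TAR-MD5-SIGN. The following is an added example (not part of the original message and not DeleGate's own code) of checking all of them together, so that a replaced tarball accompanied by a recomputed MD5 is still rejected. Assumptions: the size and MD5 refer to the uncompressed tar (a single value is given for both .gz and .bz2), the signature is RSA PKCS#1 v1.5 over the MD5 in one of the encodings listed in the code, and the modulus `n` and exponent `e` have already been read from the public key; all function names, the toy key and the sample tar are constructed for illustration.

```python
import base64, gzip, hashlib
# DER DigestInfo header for MD5 (RFC 8017, section 9.2)
MD5_DIGESTINFO = bytes.fromhex("3020300c06082a864886f70d020505000410")

def tar_digest(tgz):
    """Size and MD5 of the uncompressed tar inside .tar.gz bytes."""
    tar = gzip.decompress(tgz)
    return len(tar), hashlib.md5(tar).hexdigest()

def recover_signed(sig_b64, n, e):
    """RSA public operation, then strict PKCS#1 v1.5 type-1 unpadding."""
    k = (n.bit_length() + 7) // 8
    sig = base64.b64decode(sig_b64)
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("signature does not fit the modulus")
    em = pow(s, e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)  # end of the 0xFF padding run
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad PKCS#1 v1.5 padding")
    return em[sep + 1:]

def verify_release(tgz, size, md5_hex, sig_b64, n, e):
    """True only if size, MD5 and the signed MD5 all agree."""
    got_size, got_md5 = tar_digest(tgz)
    if (got_size, got_md5) != (size, md5_hex.lower()):
        return False
    raw = bytes.fromhex(got_md5)
    # Assumption: one of these encodings of the MD5 is what gets signed.
    accepted = {got_md5.encode(), got_md5.encode() + b"\n", raw, MD5_DIGESTINFO + raw}
    try:
        return recover_signed(sig_b64, n, e) in accepted
    except ValueError:
        return False

def constructed_sample():
    """Constructed test data: toy key from two Mersenne primes, fake tar."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    tar = b"constructed tar payload".ljust(10240, b"\0")
    md5_hex = hashlib.md5(tar).hexdigest()
    k = (n.bit_length() + 7) // 8
    em = b"\x00\x01" + b"\xff" * (k - 3 - len(md5_hex)) + b"\x00" + md5_hex.encode()
    sig = pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")
    return gzip.compress(tar), len(tar), md5_hex, base64.b64encode(sig).decode(), n, e

if __name__ == "__main__":
    tgz, size, md5_hex, sig, n, e = constructed_sample()
    print("intact:", verify_release(tgz, size, md5_hex, sig, n, e))
```

For a real release, `n` and `e` can be read from the downloaded key with `openssl rsa -pubin -in rsa-pubkey.pem -noout -text`, and the key itself should be obtained over a channel independent of the tarball.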