From: Robert Watson
Date: Tue, 13 Jul 1999 04:06:41 -0400 (EDT)
To: Doug Rabson
Cc: Mark Newton, Mike Tancsa, security@freebsd.org, stable@freebsd.org
Subject: Re: 3.x backdoor rootshell security hole

On Mon, 12 Jul 1999, Doug Rabson wrote:

> On Mon, 12 Jul 1999, Robert Watson wrote:
> ...
> > In fact, if you have permission to modify the running kernel, you may have
> > more privilege than that of a root process, with securelevels.. :-)  What
> > the THC posting is really about is hiding compromises on a machine that
> > has been compromised, and leaving backdoors.  The title, "Attacking
> > FreeBSD..." is a little misleading; it's more about "Trojaning FreeBSD
> > Once You Already Have Absolute Control of a Machine".  And these aren't
> > even very persistent: they have to be reloaded after each boot, meaning
> > changes to configuration files, etc, etc.
>
> Also if a site is running using securelevel, even root can't load files
> into the running kernel.  The attacker would have to arrange to load the
> code during startup and reboot the box (a noticeable event, surely).
>
> Hmm.  Shouldn't we protect the contents of /boot with the schg flag?
Ideally some of the directories themselves, as well as /boot, parts of /etc,
large parts of /sbin and /bin (including sh, as that gets run in single-user
mode)...  My feeling is we should maintain a list, but not ship that way, as it
would be irritating for most of the world.  At one point I had a script that
did some of the work, but currently, due to file layout and the way we do
config files, you end up with a fairly hobbled machine.  Which is, of course,
the idea. :-)

I think security(8) (?) discusses a fair amount of this stuff.

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Computing Laboratory at Cambridge University
Safeport Network Services
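The locking script discussed in the thread, written out as an added example; this is not the script Robert mentions having once had, nor anything shipped with FreeBSD. It assumes a 3.x/4.x-era layout, is run as root, and uses an illustrative target list (the /etc files named are an assumption about which ones a boot-time trojan would have to edit). It ties the two points in the thread together: once kern.securelevel is 1 or higher, kldload is refused, so the attacker must stage the module for the next boot by touching /boot or the rc files; and at that securelevel the schg flag can still be set but can no longer be cleared, so flags set here survive until someone drops to single-user mode.

```shell
#!/bin/sh
# Added example, not the script mentioned in the message above.
# Mark the files an attacker must edit to re-load a kernel trojan at boot
# with the schg (system immutable) flag.
#
# Assumptions (not from the original post):
#   - FreeBSD 3.x/4.x file layout, run as root
#   - the target lists below are illustrative, not an official list
#
# securelevel(8) semantics relied on here:
#   >= 1: kernel modules cannot be loaded/unloaded, and schg may be set
#         but not cleared, so the flags below stick until single-user mode
#   <= 0: root may clear schg again (this is where you undo the script)

# Directories locked recursively (assumed list).
SCHG_DIRS="/boot /sbin /bin"
# Individual files in /etc; all of /etc is impractical because files such
# as pwd.db change during normal operation (assumed list).
SCHG_FILES="/etc/rc /etc/rc.conf /etc/defaults/rc.conf /etc/rc.shutdown /etc/fstab /etc/crontab /etc/ttys"

# Current securelevel; prints -1 when the sysctl is absent (non-FreeBSD host).
securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || printf '%s\n' -1
}

# True (exit 0) when schg can still be cleared at securelevel $1.
schg_clearable() {
    [ "$1" -lt 1 ]
}

# Print one chflags command per target, one per line.  With the argument
# "all" every target is listed (for review on another host); otherwise only
# paths that exist on this host are listed.
lock_cmds() {
    mode=${1:-existing}
    for d in $SCHG_DIRS; do
        if [ "$mode" = all ] || [ -d "$d" ]; then
            echo "chflags -R schg $d"
        fi
    done
    for f in $SCHG_FILES; do
        if [ "$mode" = all ] || [ -f "$f" ]; then
            echo "chflags schg $f"
        fi
    done
    return 0
}

# Exit 0 if the path already carries schg, using the flags column of
# FreeBSD's "ls -lo" (field 5: perms links owner group flags ...).
has_schg() {
    ls -lod "$1" 2>/dev/null | awk '{ print $5 }' | grep -q schg
}

# Apply the flags.  DRYRUN=1 prints the commands instead of running them.
main() {
    lvl=$(securelevel)
    if ! schg_clearable "$lvl"; then
        echo "warning: securelevel is $lvl; flags set now cannot be cleared" \
             "until the box is rebooted to single-user mode" >&2
    fi
    if [ "${DRYRUN:-0}" = 1 ]; then
        lock_cmds
    else
        lock_cmds | sh
    fi
}

# Only act when invoked as "./lock-boot.sh --apply"; sourcing is a no-op.
case "${1:-}" in
    --apply) main ;;
esac
```

Run it once from single-user mode before raising securelevel in rc.conf; afterwards `DRYRUN=1 ./lock-boot.sh --apply` shows what it would touch, and `has_schg /boot/loader.conf` is a quick check that a file is still locked. Undoing it requires `chflags noschg`, which only works once the machine is back at securelevel 0 or lower, which is exactly the "noticeable event" Doug refers to.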