From owner-freebsd-security Sun Jun 14 03:25:41 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sun, 14 Jun 1998 11:23:53 +0100
To: dima@best.net, avalon@coombs.anu.edu.au (Darren Reed)
Cc: jayrich@room101.sysc.com, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
In-Reply-To: dima@best.net (Dima Ruban) "Re: bsd securelevel patch question" (Jun 13, 11:03pm)

On Jun 13, 11:03pm, Dima Ruban wrote:
} Subject: Re: bsd securelevel patch question
>
> > > According to Thomas Ptacek, this is not exactly a bug, and after thinking some
> > > more about it, I kinda agree with him. (Feature, not a bug)
> >
> > Given it is exploitable, whether or not it is a feature, is irrelevant.
> > It permits the protection intended by securelevel over /dev/kmem to be
> > bypassed, reducing the overall security of the system.
>
> Hmm, this is not exactly bypassing a protection, you know.
> Mainly because this protection is simply not targeted for this.
That's arguable; consider this quote from the D&I of 4.4BSD:

    Files marked immutable include those that are frequently the subject of
    attack by intruders (e.g., login and su). The append-only flag is
    typically used for critical system logs. If an intruder breaks in, he
    will be unable to cover his tracks. Although simple in concept, these
    two features improve the security of a system dramatically.

I've already posted the following argument to bugtraq, but I'll repeat it
again here. Why do they advocate protecting login and su if such protection
can be trivially defeated using the same techniques we demonstrated in the
attack on inetd? And why do they claim these features improve the security
of a system "dramatically" if they can be bypassed so easily? What use are
securelevels without propagating the immutable flag?

Niall
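The mail does not spell out what "propagating the immutable flag" means or how the inetd attack worked, so the following is an added example, not code from the thread or from any of its participants. It assumes that propagation refers to parent directories: schg and sappnd are enforced on the inode, not on the path, so a directory that is not itself schg can be renamed aside by root and a fresh, unprotected directory and file put in its place. The script parses FreeBSD `ls -lo` style output (flags column after the group, "-" when no flags are set; the listing below is constructed for the example, not taken from a real system) and reports every immutable or append-only file that has a listed ancestor directory without schg. Run it against `ls -ldo` output of the paths you care about to see which "protected" binaries and logs can still be reached by a path swap.

```python
"""
Added example (not from the freebsd-security thread): find schg/sappnd files
whose path can be redirected because an ancestor directory is not schg.
Assumes FreeBSD `ls -lo` output; the sample listing is constructed.
"""
import posixpath
import re

# One `ls -lo` line: mode links owner group flags size month day time-or-year name
LS_LO = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+"
    r"(?P<flags>\S+)\s+\d+\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>/.*)$"
)

# System-level flags that securelevel >= 1 stops even root from clearing.
IMMUTABLE = {"schg", "sappnd"}

# Constructed sample, as if produced by `ls -ldo` on each path.
SAMPLE_LISTING = """\
drwxr-xr-x 20 root  wheel  -        512 Jun 14 1998 /
drwxr-xr-x  2 root  wheel  -        512 Jun 14 1998 /usr/bin
-r-sr-xr-x  1 root  wheel  schg   22004 Jun 14 1998 /usr/bin/login
-r-sr-xr-x  1 root  wheel  schg   12240 Jun 14 1998 /usr/bin/su
drwxr-xr-x  2 root  wheel  schg     512 Jun 14 1998 /sbin
-r-xr-xr-x  1 root  wheel  schg   98000 Jun 14 1998 /sbin/init
drwxr-xr-x  2 root  wheel  -        512 Jun 14 1998 /var/log
-rw-r--r--  1 root  wheel  sappnd  4096 Jun 14 1998 /var/log/messages
"""


def parse_listing(text):
    """Map each path in an `ls -lo` listing to the set of file flags it carries."""
    flags_by_path = {}
    for line in text.splitlines():
        m = LS_LO.match(line)
        if not m:
            continue  # skip "total N" and anything not in ls -lo shape
        flags = m.group("flags")
        flags_by_path[m.group("name")] = set() if flags == "-" else set(flags.split(","))
    return flags_by_path


def ancestors(path):
    """Yield the parent directories of path, nearest first, excluding '/'.
    The root directory is left out because it cannot be renamed or replaced."""
    parent = posixpath.dirname(path)
    while parent and parent != "/":
        yield parent
        parent = posixpath.dirname(parent)


def unprotected_paths(flags_by_path):
    """Return {path: [ancestor dirs lacking schg]} for every schg/sappnd entry.

    A file whose ancestor can be renamed is protected only as an inode: the
    name the system uses (e.g. /usr/bin/login) can be pointed at a new file.
    Ancestors absent from the listing are not assessed.
    """
    findings = {}
    for path, flags in flags_by_path.items():
        if not flags & IMMUTABLE:
            continue
        weak = [d for d in ancestors(path)
                if d in flags_by_path and "schg" not in flags_by_path[d]]
        if weak:
            findings[path] = weak
    return findings


if __name__ == "__main__":
    report = unprotected_paths(parse_listing(SAMPLE_LISTING))
    for path, dirs in sorted(report.items()):
        print(f"{path}: immutable, but {', '.join(dirs)} can be renamed away")
```

In the constructed listing, /sbin/init is the only protected file that comes out clean, because /sbin itself carries schg; /usr/bin/login and /usr/bin/su are flagged through a mutable /usr/bin, and the append-only /var/log/messages through a mutable /var/log. Setting schg on every ancestor of a protected file is the manual form of the propagation the mail argues for.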