From owner-freebsd-security Sun Jan 24 08:14:39 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA18036 for freebsd-security-outgoing; Sun, 24 Jan 1999 08:14:39 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA18031 for ; Sun, 24 Jan 1999 08:14:37 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA06416; Sun, 24 Jan 1999 11:14:19 -0500 (EST)
Date: Sun, 24 Jan 1999 11:14:19 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: cjclark@home.com
cc: freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
In-Reply-To: <199901231551.KAA05725@cc942873-a.ewndsr1.nj.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 23 Jan 1999, Crist J. Clark wrote:

> Robert Watson wrote,
> > Access to the bin account is very limited;
> > effectively, to acquire a uid bin process capable of modifying the
> > binaries, you would first have to have a uid root process that you had
> > subverted.
>
> I realize that, but the argument goes that if someone /did/ access
> root, he could give himself long-term access to bin and possibly other
> administrative users. Since the actions of these other administrative
> users are not as tightly watched as root (e.g. no syslog message when
> you su to one), it might be possible to maintain access for a long
> time (even if the original way he accessed root had been closed).
Come now--if I had root access on a machine and really didn't like you, I'd
install my spiffy stealth kernel module that hides its presence from
modstat etc (actually, this is still an lkm so might not work on 3.*),
accepts commands to run as root via the payload of ICMP ping packets. :)
I think this argument might apply to only the weakest of script kiddies;
besides which, FreeBSD emails you about changes to the password file each
night; if they're stupid enough to leave backdoors in your password file,
they're stupid enough to not interfere with the security script. :)

If they're not that stupid and you're not using securelevels, then you
probably ought to reinstall anyway, as there are many, many ways to trojan
a machine; assuming you can catch all of them by simple inspection might
not be wise.

> BTW, I am running a 2.2.*, 2.2.7.

I believe that in 3.x many of the files owned by bin are now owned by root.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
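As an added illustration of the two sides of this exchange (not part of the original thread, and not FreeBSD's own /etc/security script), here is a cut-down shell imitation of the nightly password-file checks Robert mentions, extended with the check Crist is worried about: a diff of which system binaries are owned by someone other than root. Every input file is constructed inline to show a root-level attacker who has backdoored the bin account and chowned two setuid binaries to it; the $WORK paths, file names and sample entries are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not FreeBSD's own /etc/security script: a cut-down imitation
# of the nightly password-file checks, plus a diff of system-binary ownership
# against a saved snapshot. Every input file below is constructed inline;
# the $WORK paths and file names are assumptions for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed master.passwd-style files: last night's backup and today's copy.
# Fields: name:password:uid:gid:class:change:expire:gecos:home:shell
cat > "$WORK/master.passwd.bak" <<'EOF'
root:$1$abc$hash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
crist:$1$def$hash:1001:1001::0:0:Crist J. Clark:/home/crist:/bin/tcsh
EOF

# Today's copy, constructed to show the backdoors the thread talks about:
# the locked "bin" account now has an empty password and a real shell,
# and a second uid-0 account "sysbackup" has appeared.
cat > "$WORK/master.passwd" <<'EOF'
root:$1$abc$hash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
bin::3:7::0:0:Binaries Commands and Source:/:/bin/sh
crist:$1$def$hash:1001:1001::0:0:Crist J. Clark:/home/crist:/bin/tcsh
sysbackup:$1$xyz$hash:0:0::0:0:backup operator:/root:/bin/sh
EOF

# Every uid-0 account other than root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with an empty password field: su(1) to them needs no password.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Lines added or removed since the saved copy, like the diff mailed to root.
passwd_changes() {
    diff "$1" "$2" | grep '^[<>]' || true
}

# Constructed ownership snapshots, "owner mode path", of the kind a
# find(1) over non-root-owned and setuid files would produce.
cat > "$WORK/owners.bak" <<'EOF'
bin 555 /usr/bin/vi
root 4555 /usr/bin/su
root 4555 /usr/bin/login
EOF

# Today: su(1) and login(1) have been chowned to bin, so any bin-uid process
# (or the now passwordless bin account) can replace them at leisure.
cat > "$WORK/owners" <<'EOF'
bin 555 /usr/bin/vi
bin 4555 /usr/bin/su
bin 4555 /usr/bin/login
EOF

# Entries that are new or whose owner/mode changed since the snapshot.
owner_changes() {
    diff "$1" "$2" | sed -n 's/^> //p'
}

report() {
    echo "Checking for uids of 0:"
    uid0_accounts "$WORK/master.passwd"
    echo "Checking for passwordless accounts:"
    passwordless_accounts "$WORK/master.passwd"
    echo "master.passwd diffs:"
    passwd_changes "$WORK/master.passwd.bak" "$WORK/master.passwd"
    echo "Non-root or setuid files that changed owner or mode:"
    owner_changes "$WORK/owners.bak" "$WORK/owners"
}

report
```

The ownership diff is the piece the stock nightly mail did not give Crist, and it catches the "chown to bin, come back later as bin" trick as long as the snapshot itself is trustworthy. That last clause is Robert's point: an attacker who already has root can edit the snapshot, the script, or the kernel the script runs on, which is why he ties the decision to securelevels. With kern.securelevel at 1 or higher and the schg flag set on the binaries and on master.passwd, even a uid-0 process cannot modify those files or clear the flag without a reboot to a lower securelevel, so the checks above have something solid to stand on; without that, a reinstall from known-good media is the honest answer.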