Date: Tue, 13 Jul 1999 10:23:04 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: Robert Watson <robert@cyrus.watson.org> Cc: Doug Rabson <dfr@nlsystems.com>, Mark Newton <newton@atdot.dotat.org>, Mike Tancsa <mike@sentex.net>, security@FreeBSD.ORG, stable@FreeBSD.ORG Subject: Re: 3.x backdoor rootshell security hole Message-ID: <199907131723.KAA79286@apollo.backplane.com> References: <Pine.BSF.3.96.990713040415.14330C-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
:> :> Hmm. Shouldn't we protect the contents of /boot with the schg flag? : :Ideally some of the directories themselves, as well as /boot, parts of :/etc large parts of /sbin and /bin (including sh, as that gets run in :single-user mode)... My feeling is we should maintain a list, but not :ship that way as it would be irritating for most of the world. At one :point I had a script that did some of the work, but currently due to file :layout and the way we do config files, you end up with a fairly hobbled :machine. Which is, of course, the idea. :-) I think security(8) (?) :discusses a fair amount of this stuff. : : Robert N M Watson : :robert@fledge.watson.org http://www.watson.org/~robert/ Anyone serious enough and paranoid enough simply mounts / and /usr read-only, then bumps the security level up. -Matt Matthew Dillon <dillon@backplane.com> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199907131723.KAA79286>