From: Eivind Eklund
To: Niall Smart , dima@best.net, Darren Reed
Cc: jayrich@room101.sysc.com, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
Date: Sun, 14 Jun 1998 23:21:58 +0200
Message-ID: <19980614232158.50384@follo.net>
In-Reply-To: ; from Niall Smart on Sun, Jun 14, 1998 at 11:23:53AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG

On Sun, Jun 14, 1998 at 11:23:53AM +0100, Niall Smart wrote:
> On Jun 13, 11:03pm, Dima Ruban wrote:
> } Subject: Re: bsd securelevel patch question
>
> That's arguable, consider this quote from the D&I of 4.4BSD:
>
>     Files marked immutable include those that are frequently the subject
>     of attack by intruders (e.g., login and su). The append-only flag
>     is typically used for critical system logs. If an intruder breaks
>     in, he will be unable to cover his tracks. Although simple in
>     concept, these two features improve the security of a system
>     dramatically.
>
> I've already posted the following argument to bugtraq, but I'll repeat
> it again here.
>
> Why do they advocate protecting login and su if such protection can
> be trivially defeated using the same techniques we demonstrated in
> the attack on inetd? And why do they claim these features improve the
> security of a system "dramatically" if they can be bypassed so easily?
>
> What use are securelevels without propagating the immutable flag?

They can assure that a correct system comes up again after a boot, with
logs of at least the point of attack. This can be a dramatic improvement.

If you want better protection than that, I think it would be better to
change the entire security model (throw away setuid, for a start).

Eivind.
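The two positions in this exchange (the immutable/append-only flags are trivially bypassed because they do not propagate; they still guarantee a clean binary and an intact log after reboot) can be made concrete with a small model. What follows is an added example, not code from this thread, from FreeBSD or from 4.4BSD: a Python model of securelevel and system-flag enforcement whose rules are my reading of chflags(1) and init(8) and are stated in the comments as assumptions, not kernel source. The directory-rename step is my reading of what "propagating the immutable flag" refers to, and is likewise a modelled assumption. The sample filesystem and log lines are constructed.

```python
# Added example, not code from this thread or from FreeBSD: a model of
# 4.4BSD-style securelevel and file-flag enforcement. Rules are assumptions
# taken from chflags(1)/init(8), not kernel source:
#   schg   (system immutable)    no write, truncate, unlink or rename
#   sappnd (system append-only)  writes may only append
#   securelevel > 0              nobody, root included, may clear schg/sappnd
#   securelevel                  a running system can only raise it; only a
#                                reboot brings it back down
# Further assumption: a flag lives on the inode it was set on and does not
# propagate to the directory containing that inode.
from dataclasses import dataclass, field
from typing import Dict, Set

SCHG, SAPPND = "schg", "sappnd"
SYSTEM_FLAGS = {SCHG, SAPPND}

class Denied(PermissionError):
    """EPERM from the model kernel."""

@dataclass
class Inode:
    data: bytes = b""
    flags: Set[str] = field(default_factory=set)

@dataclass
class Kernel:
    securelevel: int
    fs: Dict[str, Inode]  # absolute path -> inode, directories included

    def set_securelevel(self, level: int) -> None:
        if level < self.securelevel:
            raise Denied("kern.securelevel cannot be lowered without a reboot")
        self.securelevel = level

    def chflags(self, path: str, flags: Set[str]) -> None:
        ino = self.fs[path]
        if self.securelevel > 0 and (ino.flags & SYSTEM_FLAGS) - flags:
            raise Denied(f"cannot clear system flags on {path}")
        ino.flags = set(flags)

    def write(self, path: str, data: bytes, append: bool) -> None:
        ino = self.fs[path]
        if SCHG in ino.flags:
            raise Denied(f"{path} is immutable")
        if SAPPND in ino.flags and not append:
            raise Denied(f"{path} is append-only")
        ino.data = ino.data + data if append else data

    def rename(self, src: str, dst: str) -> None:
        # Only the renamed inode and an existing target are checked; the
        # contents of a renamed directory move with it, flags unexamined.
        if self.fs[src].flags & SYSTEM_FLAGS:
            raise Denied(f"{src} has system flags set")
        if dst in self.fs and self.fs[dst].flags & SYSTEM_FLAGS:
            raise Denied(f"{dst} has system flags set")
        for p in [p for p in self.fs if p == src or p.startswith(src + "/")]:
            self.fs[dst + p[len(src):]] = self.fs.pop(p)

def boot_multiuser() -> Kernel:
    """Constructed sample system in the D&I configuration: login and su
    immutable, the auth log append-only, securelevel raised to 1 by rc."""
    fs = {
        "/usr": Inode(), "/usr/bin": Inode(),
        "/usr/bin/login": Inode(b"login-v1", {SCHG}),
        "/usr/bin/su": Inode(b"su-v1", {SCHG}),
        "/var": Inode(), "/var/log": Inode(),
        "/var/log/auth.log": Inode(b"boot ok\n", {SAPPND}),
    }
    k = Kernel(securelevel=-1, fs=fs)
    k.set_securelevel(1)
    return k

def denied(fn, *args) -> bool:
    """True if the model kernel refuses the operation."""
    try:
        fn(*args)
    except Denied:
        return True
    return False

def intrusion(k: Kernel) -> dict:
    """What an intruder who already has root can and cannot do at securelevel 1."""
    log = "/var/log/auth.log"
    k.write(log, b"ROOT LOGIN from 10.0.0.7\n", append=True)  # the break-in is logged
    return {
        "lower_securelevel": denied(k.set_securelevel, 0),
        "clear_schg_on_login": denied(k.chflags, "/usr/bin/login", set()),
        "overwrite_login": denied(k.write, "/usr/bin/login", b"backdoor", False),
        "truncate_log": denied(k.write, log, b"", False),
        "rename_login": denied(k.rename, "/usr/bin/login", "/usr/bin/login.bak"),
        # The directory carries no flag, so the model lets it be renamed and a
        # fresh /usr/bin with an attacker-supplied login can then be created.
        "rename_usr_bin": not denied(k.rename, "/usr/bin", "/usr/bin.old"),
        "log_after": k.fs[log].data,
    }

def reboot_single_user(k: Kernel) -> Kernel:
    """The disk survives the reboot; securelevel starts over at -1, so the
    administrator can clear flags and repair, with the log still intact."""
    return Kernel(securelevel=-1, fs=k.fs)
```

Running `intrusion(boot_multiuser())` shows both halves of the argument at once: every direct attack on the flagged files and on the securelevel itself is refused, and the log line recording the break-in cannot be removed, which is the "correct system after reboot, with logs up to the point of attack" guarantee; but the unflagged parent directory can be renamed out from under the immutable binary, which is the non-propagation problem the critique is about. The fix that follows from the model is to flag the directories on the lookup path as well, not only the binaries.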