From owner-freebsd-security  Fri May 12  2: 9:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
	by hub.freebsd.org (Postfix) with ESMTP id 0701D37BCE4
	for <freebsd-security@FreeBSD.ORG>; Fri, 12 May 2000 02:09:28 -0700 (PDT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost.freebsd.dk [127.0.0.1])
	by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id KAA04228;
	Fri, 12 May 2000 10:00:12 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: Paul Hart <hart@iserver.com>
Cc: Adam Laurie <adam@algroup.co.uk>, freebsd-security@FreeBSD.ORG
Subject: Re: envy.vuurwerk.nl daily run output 
In-reply-to: Your message of "Thu, 11 May 2000 10:03:38 MDT."
             <Pine.BSF.4.21.0005110953510.8386-100000@anchovy.orem.iserver.com> 
Date: Fri, 12 May 2000 10:00:11 +0200
Message-ID: <4226.958118411@critter.freebsd.dk>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <Pine.BSF.4.21.0005110953510.8386-100000@anchovy.orem.iserver.com>, 
Paul Hart writes:
>On Thu, 11 May 2000, Adam Laurie wrote:
>
>> If someone backdoors your system with an authorized key, and is
>> confident they can gain root from a luser account, they don't need to
>> go any further, and it's extremely likely that the change will go
>> unnoticed *forever*
>
>But if you have hostile local users with root access, can you even trust
>the output from /etc/security?

Yes, if you put them in a jail(8).

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message