Date: Mon, 11 Feb 2002 15:45:36 -0800 (PST) From: "f.johan.beisser" <jan@caustic.org> To: "Crist J. Clark" <cjc@FreeBSD.ORG> Cc: Bill Vermillion <bv@wjv.com>, <security@FreeBSD.ORG> Subject: Re: Is the technique described in this article do-able with Message-ID: <20020212021251.B50A59F409@okeeffe.bestweb.net>
next in thread | raw e-mail | index | archive | help
On Sun, 10 Feb 2002, Crist J. Clark wrote: > > not really. you can change chflags on a live machine. > > How do you do it when there is an elevated securelevel(8)? not really sure off hand :) i don't think that it can be done, at least, not without taking a really good look at the code first, and deliberately trying to find a way to bypass the kernel's watch on file permissions and the chflags information. note that i belive most people use the system in "-1" or "0" mode, post install. i did, for a long long while during my first year of FreeBSD usage. to this day, for remote handling of some machines, i still leave them at securelevel "0" for kernel upgrades.. but these are "low risk" machines, usually with very few services (read: single use) and/or they are easily replaced if there is a compromise. -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." -- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020212021251.B50A59F409>