From owner-freebsd-security  Mon Feb 11 18:31:12 2002
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67])
	by hub.freebsd.org (Postfix) with ESMTP
	id 791C437B674; Mon, 11 Feb 2002 18:19:23 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110])
	by newman2.bestweb.net (Postfix) with ESMTP
	id DA14D231DB; Mon, 11 Feb 2002 21:18:17 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0)
	id B50A59F409; Mon, 11 Feb 2002 21:12:51 -0500 (EST)
Date: Mon, 11 Feb 2002 15:45:36 -0800 (PST)
From: "f.johan.beisser" <jan@caustic.org>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: Bill Vermillion <bv@wjv.com>, <security@FreeBSD.ORG>
Subject: Re: Is the technique described in this article do-able with
Message-Id: <20020212021251.B50A59F409@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Sun, 10 Feb 2002, Crist J. Clark wrote:

> > not really. you can change chflags on a live machine.
>
> How do you do it when there is an elevated securelevel(8)?

not really sure off hand :)

i don't think that it can be done, at least, not without taking a really
good look at the code first, and deliberately trying to find a way to
bypass the kernel's watch on file permissions and the chflags information.

note that i belive most people use the system in "-1" or "0" mode, post
install. i did, for a long long while during my first year of FreeBSD
usage. to this day, for remote handling of some machines, i still leave
them at securelevel "0"  for kernel upgrades.. but these are "low risk"
machines, usually with very few services (read: single use) and/or they
are easily replaced if there is a compromise.



-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan@caustic.org
    "John Ashcroft is really just the reanimated corpse
         of J. Edgar Hoover." -- Tim Triche


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message