From: D J Hawkey Jr <hawkeyd@visi.com>
To: Socketd
Cc: freebsd-security@freebsd.org
Date: Sun, 27 Jul 2003 07:51:36 -0500
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
Message-ID: <20030727125136.GA6810@sheol.localdomain>
In-Reply-To: <20030727143600.1517c588.db@traceroute.dk>
References: <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au> <20030727132847.5adc6b07.db@traceroute.dk> <20030727112933.GA6135@sheol.localdomain> <20030727143600.1517c588.db@traceroute.dk>
User-Agent: Mutt/1.4.1i

CC'ing security@ now, since you did.
On Jul 27, at 02:36 PM, Socketd wrote:
>
> On Sun, 27 Jul 2003 06:29:33 -0500
> D J Hawkey Jr wrote:
>
> > Your plan is to incorporate this into/for rc.conf, and your program
> > would be run at boot?
>
> It is meant to be installed from the port collection and then executed
> once, but you can of course run it as many times you want (but if you
> haven't changed the system, since the last time you ran it, this makes no
> sense).

Would you consider my above suggestion? It could certainly be installed from
the ports collection, but it would be most useful to me (and p'raps others?)
as a boot-time thang. Think of dedicated firewalls and routers, especially
those that boot from custom CDs [and p'raps read floppies for "volatile"
configuration].

In my mind, the conf could be installed as /etc/rc.whatever, and the program
could be installed as /usr/local/etc/rc.d/whatever. In this way, it'd be run
on boot, and could be run anytime as "/usr/local/etc/rc.d/whatever start",
and p'raps as a cronjob, too.

I'm thinking of rootkits and whatnot that drop a SUID/SGID program on a box
and force a reboot to "kick it in". Your program, by enforcing the "rules"
in the conf, could remove the exec bits on the trojan, or just blow the
trojan away.

I realize I might be widening the scope here...

Were you to go this way, I could see where Core might consider adding your
work into the base? I'd lobby for it. :-)

> > What language do you think you'll use (hopefully,
> > something supported by the base OS, e.g., not ruby, modula, or perl)?
>
> I use C++

Oh. I was hoping you'd answer "shell script" (my preference, for quick 'n
easy modification), or "C".

Just some suggestions,
Dave

-- 
 ______________________                           ______________________
 \__________________   \    D. J. HAWKEY JR.     /   __________________/
    \________________/\     hawkeyd@visi.com    /\________________/
                        http://www.visi.com/~hawkeyd/
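The "enforce the rules in a conf at boot or from cron" idea above can be sketched in the plain shell script the reply asks for. The script below is an added illustration written for this page; it is not Socketd's LockDown and not anything from the FreeBSD base. It assumes an allowlist file (a hypothetical format: one absolute path per line, `#` comments allowed) naming the setuid/setgid binaries that are expected on the box; everything else carrying those bits under the scanned directories is reported, and with `--fix` the bits are stripped, which matches the "remove the exec bits on the trojan" option rather than deleting anything. Only POSIX `find`, `grep` and `chmod` are used, so it runs unchanged from an rc.d script or a cron entry.

```sh
#!/bin/sh
# suid_audit.sh: report (or strip) setuid/setgid files that are not on an allowlist.
# Added example for this thread; allowlist format is an assumption, not LockDown's.

# Print every regular file under the given directories that has the setuid
# or setgid bit set, one absolute path per line, sorted for stable output.
find_suid_files() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Usage: unexpected_suid_files ALLOWLIST DIR...
# Print the setuid/setgid files that do not appear verbatim in ALLOWLIST.
# Comment lines in the allowlist never match a path, so no preprocessing is needed.
unexpected_suid_files() {
    allowlist=$1; shift
    find_suid_files "$@" | while IFS= read -r path; do
        grep -Fxq -- "$path" "$allowlist" || printf '%s\n' "$path"
    done
}

# Usage: audit_suid ALLOWLIST MODE DIR...
# MODE "report" prints "unexpected: PATH"; MODE "fix" also clears the
# setuid and setgid bits on each offending file and prints "stripped: PATH".
# Returns 0 when the system matches the allowlist, 1 when anything was found,
# so a boot script or cron job can act on the exit status.
audit_suid() {
    allowlist=$1; mode=$2; shift 2
    bad=$(unexpected_suid_files "$allowlist" "$@")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | while IFS= read -r path; do
        case $mode in
            fix) chmod u-s,g-s -- "$path" && printf 'stripped: %s\n' "$path" ;;
            *)   printf 'unexpected: %s\n' "$path" ;;
        esac
    done
    return 1
}

# Stand-alone use: suid_audit.sh [--fix] ALLOWLIST DIR...
# (e.g. from /usr/local/etc/rc.d or cron; no arguments means nothing runs).
if [ $# -gt 0 ]; then
    mode=report
    [ "$1" = "--fix" ] && { mode=fix; shift; }
    allowlist=$1; shift
    audit_suid "$allowlist" "$mode" "$@"
fi
```

A run from `/usr/local/etc/rc.d` would look like `suid_audit.sh --fix /etc/suid.allow /bin /sbin /usr/bin /usr/sbin /usr/local`; the allowlist itself should be generated on a known-good system and kept on read-only media (the custom-CD case above), otherwise whoever dropped the binary can just add it to the list.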