From owner-freebsd-hackers Mon Feb 24 14:48:53 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA25469 for hackers-outgoing; Mon, 24 Feb 1997 14:48:53 -0800 (PST) Received: from cougar.aceonline.com.au (adrian@cougar.aceonline.com.au [203.103.81.36]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA25210; Mon, 24 Feb 1997 14:43:29 -0800 (PST) Received: from localhost (adrian@localhost) by cougar.aceonline.com.au (8.8.4/8.7) with SMTP id GAA11554; Tue, 25 Feb 1997 06:43:34 +0800 Date: Tue, 25 Feb 1997 06:43:34 +0800 (WST) From: Adrian Chadd To: Nate Johnson cc: Julian Elischer , jehamby@lightside.com, hackers@freebsd.org, auditors@freebsd.org Subject: Re: disallow setuid root shells? In-Reply-To: <9702242229.AA03727@biohazard.csc.ncsu.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 24 Feb 1997, Nate Johnson wrote: > %well the security audit should pick up any new suid files each night, > > Except the case where the hacker truly knows what they're doing, in which > case, the security audit will be worthless. root can modify any files he > wants, including the database used to compare suid files against. =( > An extension of what I said before - what about logging ALL setuid programs? And not in the program source (of course), but in the kernel? Tis just an idea. Btw - yes I know adduser isn't suid, sorry, I just woke up .. now I've had my coffee things are clearer. :) Adrian Chadd