From owner-freebsd-hackers Mon Feb 24 14:52:18 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA25705 for hackers-outgoing; Mon, 24 Feb 1997 14:52:18 -0800 (PST)
Received: from cougar.aceonline.com.au (adrian@cougar.aceonline.com.au [203.103.81.36]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA24572; Mon, 24 Feb 1997 14:33:02 -0800 (PST)
Received: from localhost (adrian@localhost) by cougar.aceonline.com.au (8.8.4/8.7) with SMTP id GAA10912; Tue, 25 Feb 1997 06:33:48 +0800
Date: Tue, 25 Feb 1997 06:33:48 +0800 (WST)
From: Adrian Chadd
To: auditors@freebsd.org
cc: hackers@freebsd.org
Subject: Re: disallow setuid root shells?
In-Reply-To: <3.0.32.19970224223639.00b243d0@dimaga.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Feb 1997, Eivind Eklund wrote:

> I actually think logging could be much more effective than just exiting -
> with logging (especially remote logging) you'd actually have a trace of how
> the intruder got in, and standard exploits would probably still use /bin/sh
> to give a root shell (they're usually made to demonstrate a point, not to
> create good intruder tools). Any luser that uses a standard exploit will
> end up in the log file on another host *grin*.
>

Heheh.. yep.

> I'd really like it to log the remote address for the session if available -
> nice to have for a later manhunt...
>

Use syslog()? Since it supports the remote logging, there isn't much point
in using anything else.

Adrian Chadd
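
The check discussed in this thread, as an added example that is not part of the original message and is not FreeBSD's code: a shell start-up hook that detects a set-uid root invocation and reports it through syslog(3), with the session's remote host when utmpx has one. The function names, the log wording and the use of utmpx as the source of the remote address are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>
#include <utmpx.h>

/* Effective uid 0 with a different real uid: the binary was run set-uid root. */
int is_setuid_root(uid_t ruid, uid_t euid) { return euid == 0 && ruid != 0; }

/* Build the log line. Non-printable bytes become '?' so a hostile tty or
 * host string cannot inject extra log records. Returns the line length. */
int format_audit(char *out, size_t n, uid_t ruid, const char *tty, const char *rhost)
{
    if (n == 0) return -1;
    snprintf(out, n, "setuid root shell: ruid=%lu tty=%s from=%s",
             (unsigned long)ruid, tty ? tty : "none",
             (rhost && *rhost) ? rhost : "unknown");
    for (char *p = out; *p; p++)
        if (!isprint((unsigned char)*p)) *p = '?';
    return (int)strlen(out);
}

/* Hypothetical hook, meant to be called early in the shell's main(). */
void audit_setuid_shell(void)
{
    char host[sizeof(((struct utmpx *)0)->ut_host) + 1] = "";
    char msg[512];
    const char *tty = ttyname(STDIN_FILENO);
    struct utmpx key, *ut;
    if (!is_setuid_root(getuid(), geteuid())) return;
    if (tty && strncmp(tty, "/dev/", 5) == 0)
        tty += 5;                     /* utmpx stores "pts/3", not "/dev/pts/3" */
    if (tty) {
        memset(&key, 0, sizeof key);
        strncpy(key.ut_line, tty, sizeof key.ut_line - 1);
        setutxent();
        if ((ut = getutxline(&key)) != NULL)  /* ut_host may lack a NUL */
            memcpy(host, ut->ut_host, sizeof ut->ut_host);
        endutxent();
    }
    format_audit(msg, sizeof msg, getuid(), tty, host);
    openlog("sh", LOG_PID, LOG_AUTH);
    syslog(LOG_ALERT, "%s", msg);     /* syslogd decides whether to forward remotely */
    closelog();
}

int main(void) { audit_setuid_shell(); return 0; }
```

The utmpx host field is written by the login service, so the logged address is only as reliable as that record and is absent for sessions without a tty.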