From owner-freebsd-security Tue Jul 24 11:25:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.39]) by hub.freebsd.org (Postfix) with SMTP id 6D36437B405 for ; Tue, 24 Jul 2001 11:25:40 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 19568 invoked by uid 1000); 24 Jul 2001 18:24:44 -0000
Date: Tue, 24 Jul 2001 21:24:44 +0300
From: Peter Pentchev
To: Ben Smithurst
Cc: Jon Loeliger, security@freebsd.org
Subject: Re: Security Check Diffs Question
Message-ID: <20010724212444.A19217@ringworld.oblivion.bg>
Mail-Followup-To: Ben Smithurst, Jon Loeliger, security@freebsd.org
References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg> <20010724190607.F20105@strontium.shef.vinosystems.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010724190607.F20105@strontium.shef.vinosystems.com>; from ben@FreeBSD.org on Tue, Jul 24, 2001 at 07:06:07PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Jul 24, 2001 at 07:06:07PM +0100, Ben Smithurst wrote:
> Peter Pentchev wrote:
>
> > ypchfn changed its inode number, and its link count. This means that
> > somebody performed an unlink() (delete) on ypchfn, and then created
> > a new ypchfn with the same size, timestamp, permissions and stuff,
> > but still a new file - and that's where the hardlink count + inum
> > tracking of /etc/security kicked in and alerted you.
>
> hmm, so if an intruder replaced a file without changing its link count,
> size, or modification time, I wouldn't be alerted? Perhaps we should
> change the security script to print the file's ctime instead of mtime,
> since the ctime can't be forged?
'Replacing' would not be enough - removing the file or moving something over it (the way install(1) does) would change its inode number. It is trivial to replace a file without changing its inode number, but fortunately, almost none of the ready-made toolkits do that, and very few crackers know that they should watch out for this, too.

The ctime, too, can be changed, but that would require modifying the inode contents by writing to the raw device. Again, not something most crackers (and any script kiddies) know how to do.

G'luck,
Peter

--
No language can express every thought unambiguously, least of all this one.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
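The two replacement strategies discussed in this exchange, as an added example that is not part of the thread or of FreeBSD's /etc/security script. It records the inode-level fields the daily setuid check compares (inode number, link count, size, mtime) plus the ctime Ben proposes, then replaces a constructed stand-in for ypchfn two ways: the install(1)/mv way (new inode, rename over the old name, mtime copied back) and the in-place way (overwrite the existing inode, forge mtime back with utime()). The file names, the hard link to a sibling "ypchpass", the contents and the mode are all assumptions for the demonstration; nothing outside a temporary directory is touched.

```python
"""Added example: which stat(2) fields each replacement strategy disturbs.

Not FreeBSD code.  Assumed: a setuid file "ypchfn" hard-linked to "ypchpass"
in a scratch directory, and a trojaned payload of the same size so that only
inode-level evidence remains.  Mode 4755 rather than 4555 so the in-place
overwrite works without root (a real intruder would already be root)."""
import os
import tempfile
import time

FIELDS = ("inode", "nlink", "size", "mtime", "ctime")

# Constructed payloads, deliberately the same length (24 bytes each).
ORIGINAL = b"#!/bin/sh\necho original\n"
TROJANED = b"#!/bin/sh\necho trojaned\n"


def snapshot(path):
    """The fields a security check would record for a setuid file."""
    st = os.stat(path)
    return {"inode": st.st_ino, "nlink": st.st_nlink, "size": st.st_size,
            "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}


def diff(before, after):
    """Names of the fields that changed between two snapshots, in FIELDS order."""
    return [f for f in FIELDS if before[f] != after[f]]


def replace_like_install(path, new_bytes):
    """install(1)/mv style: write a fresh file, copy mode and mtime from the
    old one, then rename it over the old name.  The name now points at a new
    inode; the old inode (and any hard links to it) is left behind."""
    st = os.stat(path)
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(new_bytes)
    os.chmod(tmp, st.st_mode)
    os.utime(tmp, ns=(st.st_atime_ns, st.st_mtime_ns))  # "same timestamp"
    os.rename(tmp, path)


def replace_in_place(path, new_bytes):
    """Overwrite the existing inode and set mtime/atime back to the old values.
    Inode number, link count and size survive; utime() cannot set ctime, so
    the kernel stamps the current time there and that is all that is left."""
    st = os.stat(path)
    with open(path, "r+b") as fh:
        fh.write(new_bytes)
        fh.truncate()
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Run both strategies on a fresh constructed file; return the changed fields."""
    results = {}
    for strategy in (replace_like_install, replace_in_place):
        with tempfile.TemporaryDirectory() as d:
            target = os.path.join(d, "ypchfn")
            with open(target, "wb") as fh:
                fh.write(ORIGINAL)
            os.chmod(target, 0o4755)
            # Hard link, as the real ypchfn/ypchpass pair is, so nlink starts at 2.
            os.link(target, os.path.join(d, "ypchpass"))
            base = snapshot(target)
            time.sleep(0.1)  # let the clock advance so a new ctime is visible
            strategy(target, TROJANED)
            results[strategy.__name__] = diff(base, snapshot(target))
    return results


if __name__ == "__main__":
    for name, changed in demo().items():
        print(f"{name:22s} changed: {', '.join(changed) or 'nothing'}")
```

Run it and the install-style replacement shows up exactly as the thread describes: inode and link count differ while size and mtime are unchanged. The in-place overwrite slips past every field the script prints today and is caught only by ctime, which is Ben's point; Peter's caveat stands too, since the example forges mtime through an ordinary syscall but would need raw-device writes to touch ctime.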