Date: Mon, 24 Feb 1997 18:38:44 -0700
From: Warner Losh
To: "Matthew N. Dodd"
Cc: Nate Johnson, Julian Elischer, adrian@obiwan.aceonline.com.au, jehamby@lightside.com, hackers@freebsd.org, auditors@freebsd.org
Subject: Re: disallow setuid root shells?
In-reply-to: Your message of "Mon, 24 Feb 1997 20:14:15 EST."
Sender: owner-hackers@freebsd.org

In message "Matthew N. Dodd" writes:
: On Mon, 24 Feb 1997, Nate Johnson wrote:
: > %well the security audit should pick up any new suid files each night,
: > Except the case where the hacker truly knows what they're doing, in which
: > case, the security audit will be worthless. root can modify any files he
: > wants, including the database used to compare suid files against. =(
:
: Tripwire suggests storing the file signature database on a hardware
: protected read only device. Say a SCSI drive with WP on.
:
: I'm not that paranoid so running in secure level 1 with the database set
: schg is good enough for me.

Our next router will boot off a floppy drive and will log to another
system. The floppy will be write protected. Only console logins will be
allowed. We'll likely run at security level 2 once we come up, if the
dynamic interfaces we have on the router will allow that.

Warner
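The nightly "new suid files" check the thread argues about, as an added example rather than anything the participants posted or FreeBSD's own audit script: it inventories setuid/setgid files with a content hash and diffs the result against a baseline, and the comments carry the thread's caveat that the baseline itself must sit where root cannot rewrite it (write-protected media, or schg under securelevel 1). All paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: a nightly setuid/setgid inventory
# compared against a baseline, in the spirit of the FreeBSD security audit
# the message refers to. Paths and file names here are assumptions.

# sha256 of one file; sha256sum is the GNU tool, sha256 -q the FreeBSD one.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Inventory every setuid (4000) or setgid (2000) regular file below the
# given roots, one line each: "<sha256> <mode> <owner> <path>".
# Hashing rather than just listing catches a replaced binary whose name,
# mode and owner still look normal; -xdev stays on one filesystem.
suid_inventory() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        ls -ld "$f" | awk -v h="$(file_hash "$f")" -v p="$f" '{print h, $1, $3, p}'
    done
}

# Compare the baseline inventory ($1) with a fresh one ($2). Prints "+ ..."
# for entries absent from the baseline (a new setuid file, or a known one
# whose hash, mode or owner changed) and "- ..." for entries that vanished.
# Returns 0 when identical, 1 otherwise. As the thread points out, the
# baseline is only worth anything if root cannot rewrite it: keep it on
# write-protected media or, per the message, set it schg under securelevel 1.
audit_suid() {
    b=$(mktemp) c=$(mktemp)
    sort "$1" >"$b"
    sort "$2" >"$c"
    comm -13 "$b" "$c" | sed 's/^/+ /'
    comm -23 "$b" "$c" | sed 's/^/- /'
    n=$(comm -3 "$b" "$c" | wc -l | tr -d ' ')
    rm -f "$b" "$c"
    [ "$n" -eq 0 ]
}

# Usage (assumed paths):
#   suid_inventory / >/var/audit/suid.today
#   audit_suid /secure/suid.baseline /var/audit/suid.today
```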