Date: Sat, 10 Feb 1996 10:33:24 -0800 (PST)
From: "az.com" <yankee@anna.az.com>
To: freebsd-security@FreeBSD.org
Subject: Want OS patch to restrict root processes to local
Message-ID: <Pine.BSF.3.91.960210094921.26616E-100000@anna.az.com>
In-Reply-To: <Pine.LNX.3.91.960210110352.492B-100000@n2wx.ampr.org>

Where would I go in the source code, or has someone already created the following:

For all network and dialin parented processes, i.e., hackers coming from internet or dial-in using a legitimate user's password to get a shell:

Prevents any process which gained root access via hacking from getting real root privilege even though it appears they attained it. (Kernel does nothing.) This would prevent setuid, or even if someone actually used the root passwd via su.

I have no need, except in special circumstances (hence the toggle switch), to allow any process originating from a dialin or network port to ever execute as root.

To make the whole thing fly would require the inclusion of a short registry file containing /pathname/programname(s) exempt from this restriction. This would allow common users to execute setuid programs like /usr/bin/passwd. Otherwise, the kernel would not return an error to the user, but never actually execute as root. It would also immediately generate a log.

This would completely automate the detection of new holes the first time they are ever tried. Instead of only searching for and analyzing for security holes - let the holes exist, and when they are found autodiscover them and plug them at the moment of intrusion.
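The decision logic the message above asks for, written out as a user-space C model. This is an added example, not code from the original post or from FreeBSD; `proc_ctx`, `grant_euid`, `restrict_remote_root` and the other identifiers are hypothetical, and the registry holds only the one path the message names.

```c
/* User-space model of the proposed policy; hypothetical names, not FreeBSD kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum origin { ORIGIN_LOCAL, ORIGIN_NETWORK, ORIGIN_DIALIN };

struct proc_ctx {
    enum origin origin;    /* where the session's ancestor process came from */
    const char *exec_path; /* canonical path of the program asking for euid 0 */
    unsigned real_uid;     /* uid of the logged-in user */
};

/* Constructed exemption registry: programs remote users may run as root. */
static const char *const exempt_paths[] = { "/usr/bin/passwd" };

static bool restrict_remote_root = true; /* the message's "toggle switch" */
static unsigned denied_count = 0;        /* number of logged denials */

/* Exact match on the full path, so "/tmp/passwd" or a prefix never qualifies. */
static bool is_exempt(const char *path)
{
    for (size_t i = 0; i < sizeof exempt_paths / sizeof exempt_paths[0]; i++)
        if (strcmp(path, exempt_paths[i]) == 0)
            return true;
    return false;
}

/* Effective uid the process really gets when it requests root. */
static unsigned grant_euid(const struct proc_ctx *p)
{
    if (!restrict_remote_root || p->origin == ORIGIN_LOCAL || is_exempt(p->exec_path))
        return 0;
    denied_count++;
    fprintf(stderr, "root denied: origin=%d uid=%u path=%s\n",
            (int)p->origin, p->real_uid, p->exec_path);
    return p->real_uid; /* no error reported to the caller; privilege withheld */
}

int main(void)
{
    struct proc_ctx passwd = { ORIGIN_NETWORK, "/usr/bin/passwd", 1001 };
    struct proc_ctx shell  = { ORIGIN_DIALIN,  "/bin/sh",         1001 };
    unsigned a = grant_euid(&passwd), b = grant_euid(&shell);
    printf("passwd euid=%u, shell euid=%u, denials=%u\n", a, b, denied_count);
    return 0;
}
```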
