From owner-freebsd-security  Sun Oct 17 23:48: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fever.semiotek.com (H253.C225.tor.velocet.net [216.126.82.253])
	by hub.freebsd.org (Postfix) with ESMTP id 3951014A2A
	for <freebsd-security@FreeBSD.ORG>; Sun, 17 Oct 1999 23:47:51 -0700 (PDT)
	(envelope-from jread@fever.semiotek.com)
Received: (from jread@localhost)
	by fever.semiotek.com (8.9.3/8.9.3) id CAA00790;
	Mon, 18 Oct 1999 02:47:05 -0400 (EDT)
	(envelope-from jread)
Date: Mon, 18 Oct 1999 02:47:05 -0400
From: Justin Wells <jread@semiotek.com>
To: Doug <Doug@gorean.org>
Cc: Justin Wells <jread@semiotek.com>,
	Antoine Beaupre <beaupran@IRO.UMontreal.CA>,
	Mike Nowlin <mike@argos.org>,
	"Rashid N. Achilov" <shelton@sentry.granch.ru>,
	freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X
Message-ID: <19991018024704.A512@semiotek.com>
References: <XFMail.991015111802.shelton@sentry.granch.ru> <Pine.LNX.4.05.9910150036170.5339-100000@jason.argos.org> <14343.23571.679909.243732@blm30.IRO.UMontreal.CA> <19991017012750.A812@fever.semiotek.com> <380A1E2C.CCA326F5@gorean.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <380A1E2C.CCA326F5@gorean.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Oct 17, 1999 at 12:06:20PM -0700, Doug wrote:

> > The problem with securelevel, in my mind, is that an attacker who
> > got root would simply write stuff into the /etc/rc scripts and then
> > force the machine to reboot.
   ...
> > Does anyone have any clever solutions?
> 
> 	Mount / read only. 

That is clever. I even thought it was work, and tried it. However, 
there are a couple of problems:

  1) securelevel does not stop root from remounting / read-write,
     since mount is specifically excepted (I tried it too, I was 
     able to do a "mount -u -o rw /" at securelevel 3 as root)

  2) mounting / read only is nasty anyway, since you lose the 
     ability to chown /dev/tty* which makes some things act 
     very weird (many programs expect you will own your tty
     or else they get angry)

So, any more clever suggestions?

Maybe at securelevel 3 you should not be allowed to change the
mount table either (no mounting and no umounting, period).  That
and a solution to the tty problem would make things fairly secure.

Justin



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message