From owner-freebsd-security  Sat Oct  6  1:16:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from squigy.ddm.wox.org (p13b.neon2.sentex.ca [64.7.130.173])
	by hub.freebsd.org (Postfix) with ESMTP id 996C237B401
	for <freebsd-security@FreeBSD.ORG>; Sat,  6 Oct 2001 01:16:30 -0700 (PDT)
Received: from rama.ddm.wox.org (rama.ddm.wox.org [204.50.152.20])
	by squigy.ddm.wox.org (Postfix) with ESMTP
	id 349F98B94D; Sat,  6 Oct 2001 04:16:28 -0400 (EDT)
Received: by rama.ddm.wox.org (Postfix, from userid 5000)
	id 9636A3200F; Sat,  6 Oct 2001 04:16:02 -0400 (EDT)
Date: Sat, 6 Oct 2001 04:16:02 -0400
From: Dave Chapeskie <freebsd@ddm.wox.org>
To: Jeff Palmer <scorpio@drkshdw.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kern Secure Level
Message-ID: <20011006041601.A7815@ddm.wox.org>
References: <Pine.GSO.4.21.0110052303250.18017-100000@bergman.umail.ucsb.edu> <20011006022008.R66168-100000@Scorpio.drkshdw.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011006022008.R66168-100000@Scorpio.drkshdw.org>; from scorpio@drkshdw.org on Sat, Oct 06, 2001 at 02:36:41AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Sat, Oct 06, 2001 at 02:36:41AM -0400, Jeff Palmer wrote:
> A lot of newbie  (please,  no flames if this includes anyone reading this
> list)   a lot of newbie admins will read about securelevels,   and make
> the entire /bin /sbin and other directories immutable.   This is a BAD
> THING!

Bzzzt!  Thanks for playing!

You have it backwards.  There is no security (other than from typos) in
making files in /sbin immutable if /sbin itself is not immutable.


For example try this on your setup:

$ chflags schg /sbin/init	# just to be sure
$ ls -lo /sbin/init		# notice schg

$ cp -R /sbin /.sbin.new
$ mv /sbin /... && mv /.sbin.new /sbin
$ ls -lo /sbin/init		# notice no schg

For /usr/sbin/* you must make BOTH /usr/sbin and /usr immutable to
avoid the same problem.

-- 
Dave Chapeskie
OpenPGP Key KeyId: 3D2B6B34

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message