Date: Sat, 6 Oct 2001 12:52:17 -0700 From: "Crist J. Clark" <cristjc@earthlink.net> To: Jeff Palmer <scorpio@drkshdw.org> Cc: David S Strait <basilisk@umail.ucsb.edu>, freebsd-security@FreeBSD.ORG Subject: Re: Kern Secure Level Message-ID: <20011006125217.A350@blossom.cjclark.org> In-Reply-To: <20011006022008.R66168-100000@Scorpio.drkshdw.org>; from scorpio@drkshdw.org on Sat, Oct 06, 2001 at 02:36:41AM -0400 References: <Pine.GSO.4.21.0110052303250.18017-100000@bergman.umail.ucsb.edu> <20011006022008.R66168-100000@Scorpio.drkshdw.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Oct 06, 2001 at 02:36:41AM -0400, Jeff Palmer wrote:
> In my opinion, secure levels is nly a deterrant. In fact, most people
> don't even use it properly.
True.
> The idea of secure levels is to set certain files as immutable (not even
> root or superusers can change the file.)
Making files immutable is only part of it. No more KLDs or write
access to /dev/mem.
> The problem with it is twofold:
>
> 1) Most people fail to set the proper binaries as immutable, to stop them
> from being trojaned in the even of a succesful hack.
Yep.
> 2) FreeBSD doesn't have the appropriate files set as immutable by
> default,... [snip]
This is actually the same point.
> I personally have all binaries that deal with passwords and remote
> authentication set immutable. My feeling is this: they already have
> access to my machine, why allow them to trojan ssh, ftp, telnet, login,
> etc etc and give them access to OTHER remote machines.. simply because
> mine was vulnerable.
This does not necessarily stop anyone from collecting passwords. The
easiest thing to do is to place a trojaned sshd (or telnetd, whatever)
in /tmp/sshd, kill the running one, and manually start the one
/tmp/sshd. The path will show up wrong in ps(1) output? A program can
easily lie about that. It is also possible, but not easy, to grab
passwords from the process as it runs without actually modifying it on
disk. There are also some very interesting attacks possible on your
immutable files on things like /usr/sbin/sshd and /usr/libexec/telnetd
since you can still potentially mount and umount /usr (just how
interesting depends on whether you are at securelevel = 1 or > 1). For
anything going over the network in clear text, you can just run a
sniffer and not worry about trojaned binaries at all.
The minimum set of files that must be immutable to make a box
reasonably secure goes far beyond /etc/rc.conf. You need to make _all_
files executed with root privs before the securelevel is raised
immutable. A quick look at /etc/rc shows this includes ones you
expect,
/bin/sh
/sbin/fsck
/sbin/mount
etc.
And some others that don't immediately seem obvious,
/bin/chmod
/bin/rm
/bin/stty
/sbin/dmesg,
/usr/bin/awk
/usr/bin/chflags
/usr/sbin/chown
etc.
> Securelevels will not stop your machine from being hacked or even
> attacked. It may, with proper configuration, help stop your machine from
> being the reason some other machine was hacked.
Exactly. It will not stop a compromise. No matter what you do with
securelevels, if you have a telnetd from before July of this year
listening, someone can root your box. What it can do is make it
difficult for the attacker to take complete control of the box and
cover his tracks before he is detected. Difficult, but not
impossible.
--
Crist J. Clark cjclark@alum.mit.edu
cjclark@jhu.edu
cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011006125217.A350>