Message-Id: <199906180610.AAA73351@harmony.village.org>
To: Adrian Steinmann
Subject: Re: some nice advice....
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 18 Jun 1999 07:36:11 +0200." <199906180536.HAA23430@marabu.marabu.ch>
References: <199906180536.HAA23430@marabu.marabu.ch>
Date: Fri, 18 Jun 1999 00:10:12 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG

In message <199906180536.HAA23430@marabu.marabu.ch> Adrian Steinmann writes:
: Make sure /boot.config is schg as well, otherwise
:     echo "wd(0,a)/evil_kernel" > /boot.config && reboot
: can circumvent your measures [you could also make / schg, I guess].

Yes. You also need to make sure all scripts, executables and shared images that are touched or potentially touched before the secure level is increased, as well as all programs that run as root or could be run by root. Also, any programs that are run by any users on your system.

Gotta love that transitive property of security.

Warner
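An audit for the point made in this thread, as an added example that is not part of the original message: it reads `ls -lod` output and lists every path whose flags column lacks `schg`. The function name `missing_schg`, the path list and the sample lines are assumptions made for illustration; the column layout assumed is that of FreeBSD `ls -lo` (mode, links, owner, group, flags, size, three date fields, path).

```shell
#!/bin/sh
# Added example: report files that are not system-immutable (schg).
# Input: lines of FreeBSD `ls -lod` output on stdin.
# Output: one path per line for every entry whose flags lack schg.
# Exit status: 1 if at least one such path was found, 0 otherwise.
missing_schg() {
    awk '
        NF >= 10 {
            has = 0
            # Column 5 holds a comma-separated flag list, or "-" for none.
            n = split($5, flags, ",")
            for (i = 1; i <= n; i++)
                if (flags[i] == "schg") has = 1
            if (!has) {
                # Re-join the path in case it contains spaces.
                path = $10
                for (i = 11; i <= NF; i++) path = path " " $i
                print path
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing (not taken from a real host). /boot.config has
# no flags and /etc/rc has only uchg, which the owner can clear at any
# securelevel, so both are reported.
SAMPLE='-r-xr-xr-x  1 root  wheel  schg 1846321 Jun 17 23:10 /kernel
-rw-r--r--  1 root  wheel  - 24 Jun 17 23:10 /boot.config
-r-xr-xr-x  1 root  wheel  schg,nodump 204800 Jun 17 23:10 /sbin/init
-rw-r--r--  1 root  wheel  uchg 9183 Jun 17 23:10 /etc/rc'

printf '%s\n' "$SAMPLE" | missing_schg || echo "paths above lack schg" >&2

# On a live FreeBSD system, feed it the real listing. The path list here is
# an assumption; extend it to everything read or executed before the
# securelevel is raised:
#   ls -lod /boot.config /kernel /sbin/init /etc/rc | missing_schg
```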