From owner-freebsd-stable  Tue May 29 16:34:23 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67])
	by hub.freebsd.org (Postfix) with ESMTP
	id 87AE037B423; Tue, 29 May 2001 16:34:20 -0700 (PDT)
	(envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost)
	by earth.backplane.com (8.11.3/8.11.2) id f4TNYKg31968;
	Tue, 29 May 2001 16:34:20 -0700 (PDT)
	(envelope-from dillon)
Date: Tue, 29 May 2001 16:34:20 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
Message-Id: <200105292334.f4TNYKg31968@earth.backplane.com>
To: Mike Smith <msmith@FreeBSD.ORG>
Cc: stable@FreeBSD.ORG
Subject: Re: adding "noschg" to ssh and friends 
References:  <200105292336.f4TNaRT01704@mass.dis.org>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

:Er, Matt.  I appreciate what you're trying to say, but this argument is 
:logically invalid.  You could use it to argue that any security is a bad 
:idea because it forces people to do sneakier things.

    I have to disagree.  Here, let me give a contrasting example:

    * you schg a binary
    * hacker breaks root
    * hacker is unable to modify binary.  Whoopie.  Hacker decides to rm -rf
      your data files instead.

    Problem:  Hacker was still able to break root.  Setting schg on the
    file didn't save you from that.

    * you have a hole in telnetd
    * you fix the hole
    * hacker is unable to break root

    No problem.  Your solution prevented the hacker from breaking root
    in the first place.

    So what did setting schg accomplish?  Did it prevent the hacker from
    breaking into the machine?  No.  Did it prevent the hacker from
    compromising the machine?  Not unless you set schg on every single
    file and binary (even the non-suid ones) in the system!  Might it 
    cause the hacker to find some other way to compromise the machine,
    perhaps a way that your current security scripts will not detect?  
    It sure could! 

    So:  setting schg is worse then useless.

					-Matt


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message