Date: Sun, 14 Jun 1998 13:48:24 -0700 (PDT)
From: dima@best.net (Dima Ruban)
To: njs3@doc.ic.ac.uk (Niall Smart)
Cc: security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
Message-ID: <199806142048.NAA06480@burka.rdy.com>
In-Reply-To: <E0yl9x3-00077K-00@oak71.doc.ic.ac.uk> from Niall Smart at "Jun 14, 98 11:23:53 am"
Niall Smart writes:
> On Jun 13, 11:03pm, Dima Ruban wrote:
> That's arguable, consider this quote from the D&I of 4.4BSD
>
>     Files marked immutable include those that are frequently the subject
>     of attack by intruders (e.g., login and su). The append-only flag
>     is typically used for critical system logs. If an intruder breaks
>     in, he will be unable to cover his tracks. Although simple in
>     concept, these two features improve the security of a system
>     dramatically.
>
> I've already posted the following argument to bugtraq, but I'll repeat
> it again here.
>
> Why do they advocate protecting login and su if such protection can
> be trivially defeated using the same techniques we demonstrated in
> the attack on inetd? And why do they claim these features improve the
> security of a system "dramatically" if they can be bypassed so easily?
>
> What use are securelevels without propagating the immutable flag?

The problem is, your patch doesn't fix anything. It just makes things
more complicated. An example was already given, but here we go again:

You make the text segment of a program that is marked immutable
read-only. Excellent. In this case you need to make sure that such a
process can't be killed, or basically can't receive any signals. And
this breaks the whole idea of signals. Because otherwise, being root,
I can easily kill such a process and start another one with a back
door in it. The pid is not an issue; it can easily be faked to be the
same as the target process's.

> Niall

-- dima

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199806142048.NAA06480>