From owner-freebsd-stable Wed May 30 2:13:29 2001
Message-ID: <3B14B9E6.4D5E4CF6@herculeez.com>
Date: Wed, 30 May 2001 10:14:14 +0100
From: Simon Loader
Reply-To: simon@herculeez.com
Organization: www.herculeez.com
Cc: stable@FreeBSD.ORG
Subject: Re: adding "noschg" to ssh and friends
References: <200105292336.f4TNaRT01704@mass.dis.org> <200105292334.f4TNYKg31968@earth.backplane.com>

> I have to disagree. Here, let me give a contrasting example:
>
> * you schg a binary
> * hacker breaks root
> * hacker is unable to modify binary. Whoopie. Hacker decides to rm -rf
>   your data files instead.

So they change the sshd start up script, hack people's paths so they run the
hacker's version of stuff. Modify the startup scripts to change security
level (this is possible, isn't it???) and then change the file.

If you schg one file you start having to do everything and then it
becomes unmanageable.

--
Simon Loader

(Side note on NIS: last time I was a NIS admin (5 yrs ago?), when root on
one box I could su to another user (say an admin user) and then change
their start up scripts. So I don't think NIS is that brilliant.)
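A defender's check for the gap this message describes, as an added example that is not part of the original post: it reads FreeBSD `ls -lo` output and reports which files in the boot and login chain lack `schg`, and whether the securelevel still lets root clear the flag. The function names, the file list and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input is `ls -lo` output in FreeBSD
# layout: mode links owner group flags size month day time path
# Paths containing whitespace are not handled.

# Print every path whose flags field does not include "schg".
missing_schg() {
    awk '{
        n = split($5, flags, ",")
        protected = 0
        for (i = 1; i <= n; i++)
            if (flags[i] == "schg") protected = 1
        if (!protected) print $NF
    }'
}

# audit LEVEL: read a listing on stdin and report gaps for securelevel LEVEL.
# Returns 0 only when schg cannot be cleared (LEVEL >= 1) and every listed
# file carries the flag.
audit() {
    gaps=$(missing_schg)
    rc=0
    if [ "$1" -lt 1 ]; then
        echo "securelevel $1: root can still clear schg (chflags noschg)"
        rc=1
    fi
    for path in $gaps; do
        echo "no schg: $path"
        rc=1
    done
    return $rc
}

# Constructed sample: only the sshd binary and its config are protected.
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg        199168 May 30 09:00 /usr/sbin/sshd
-rw-r--r--  1 root  wheel  -             3021 May 30 09:00 /etc/rc.conf
-rw-r--r--  1 root  wheel  -            12110 May 30 09:00 /etc/rc
-rw-r--r--  1 root  wheel  schg,nodump    412 May 30 09:00 /etc/ssh/sshd_config
-rw-r--r--  1 root  wheel  -              255 May 30 09:00 /root/.profile
EOF
}

# On a live system the equivalent call would be:
#   ls -lo /etc/rc /etc/rc.conf /usr/sbin/sshd | audit "$(sysctl -n kern.securelevel)"
sample_listing | audit 1 || true
```
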