From owner-freebsd-hackers Thu Aug 27 13:57:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA28005 for freebsd-hackers-outgoing; Thu, 27 Aug 1998 13:57:47 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA27982 for ; Thu, 27 Aug 1998 13:57:35 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id WAA02854; Thu, 27 Aug 1998 22:47:32 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id WAA05167; Thu, 27 Aug 1998 22:47:31 +0200 (MET DST)
Message-ID: <19980827224731.61006@follo.net>
Date: Thu, 27 Aug 1998 22:47:31 +0200
From: Eivind Eklund
To: rotel@indigo.ie, dyson@iquest.net, joelh@gnu.org
Cc: imp@village.org, dkelly@hiwaay.net, rabtter@aye.net, hackers@FreeBSD.ORG
Subject: Re: I want to break binary compatibility.
References: <19980825154320.29030@follo.net> <199808272016.VAA01420@indigo.ie>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <199808272016.VAA01420@indigo.ie>; from Niall Smart on Thu, Aug 27, 1998 at 09:16:13PM +0000
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Aug 27, 1998 at 09:16:13PM +0000, Niall Smart wrote:
> On Aug 25, 3:43pm, Eivind Eklund wrote:
> } Subject: Re: I want to break binary compatibility.
> > On Mon, Aug 24, 1998 at 10:36:24PM +0000, Niall Smart wrote:
> > > On Aug 24, 1:20am, "John S. Dyson" wrote:
> > > > Try modifying your system so that one of the flags bits is required to
> > > > run a program.  It would then require both the flags bit and the executable
> > > > bit.  Make sure the system cannot allow anyone but root to set the chosen
> > > > flags bit.
> > > > Maybe you could use the immutable flag for this so that you
> > > > get theoretical immutability along with the ability to run code.  You
> > > > might want to relax the restriction for root, but maybe not (depending
> > > > on how your admin scheme is set up.)
> > >
> > > None of these hacks achieve security.  You, of all people, should
> > > know better.  The original poster should figure out how they are
> > > breaking in and close the hole, obfuscation schemes like the above
> > > are a waste of time.
> >
> > As I see it, this is not an obfuscation scheme - it is a security
> > layer blocking anybody but root from creating runnable programs (or,
> > if you are running at a higher secure-level, block anybody from
> > creating runnable programs).
>
> You're basically trying to disable chmod +x for anyone but root,
> but to do that properly you have to audit every program the user
> has permission to execute and each library which those programs
> use.  It's _far_ easier to understand how they are getting in.

Eh?  What?  You don't have to audit anything - you just add a check
for this in the places in the kernel where you start an executable.
And we were talking of a new flag, not a change to the mode
structure...

This effectively denies the user the possibility of creating new
executables; if you also limit the possibility of setting the flag to
only be at low securelevel, you have removed the possibility of
creating new executables even with root access.  Clearly a security
win in my book, and has _nothing_ to do with obscurity.

Eivind.
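The two checks Eivind describes, as an added illustration that is not FreeBSD code and not from anyone in the thread: a stand-in system flag (here called `SF_EXECOK`) that must accompany the mode execute bit before exec proceeds, and a chflags-side gate that lets only root set it, and only while securelevel is 0. The flag value, struct and function names are assumptions.

```c
/* Added illustration of the exec gate proposed in the thread. Not FreeBSD
 * code: SF_EXECOK, the flag values and the helper names are stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define MODE_IXUSR 0100u
#define MODE_IXGRP 0010u
#define MODE_IXOTH 0001u
#define SF_EXECOK  0x00010000u  /* hypothetical superuser-only file flag */

struct vattr_lite {
    uint32_t mode;   /* permission bits, as in st_mode */
    uint32_t flags;  /* file flags, as in st_flags */
};

/* Check done where the kernel starts an executable: the execute bit alone
 * is no longer sufficient, the file must also carry SF_EXECOK. */
bool exec_allowed(const struct vattr_lite *va)
{
    bool has_x = (va->mode & (MODE_IXUSR | MODE_IXGRP | MODE_IXOTH)) != 0;
    return has_x && (va->flags & SF_EXECOK) != 0;
}

/* Check done where file flags are changed: only root may set or clear
 * SF_EXECOK, and only while securelevel is still 0, so even root at a
 * raised securelevel cannot create new runnable programs.
 * Returns 0 on success, -1 where the kernel would return EPERM. */
int set_execok(struct vattr_lite *va, uid_t uid, int securelevel, bool on)
{
    if (uid != 0 || securelevel > 0)
        return -1;
    if (on)
        va->flags |= SF_EXECOK;
    else
        va->flags &= ~SF_EXECOK;
    return 0;
}

int main(void)
{
    struct vattr_lite va = { 0755u, 0 };  /* constructed: chmod +x only */
    printf("chmod +x alone runnable: %d\n", exec_allowed(&va));
    printf("uid 1000 sets flag: %d\n", set_execok(&va, 1000, 0, true));
    printf("root at securelevel 1 sets flag: %d\n", set_execok(&va, 0, 1, true));
    printf("root at securelevel 0 sets flag: %d\n", set_execok(&va, 0, 0, true));
    printf("now runnable: %d\n", exec_allowed(&va));
    return 0;
}
```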