From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 08:43:37 2000
Date: Thu, 21 Dec 2000 08:44:52 -0800
From: Kris Kennaway
To: Mikhail Kruk
Cc: Kris Kennaway, "Michael A. Williams", security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001221084452.A28157@citusc.usc.edu>
References: <20001221064842.B27118@citusc.usc.edu>
In-Reply-To: from meshko@cs.brandeis.edu on Thu, Dec 21, 2000 at 11:39:56AM -0500

On Thu, Dec 21, 2000 at 11:39:56AM -0500, Mikhail Kruk wrote:
> > > > Don't forget chflags'ing every binary involved in the startup process,
> > > > too. And all of your kernel modules. And the boot loader and its
> > > > config files. And all of the appropriate directories. And /etc/fstab
> > > > so null or union mounts can't be used to shadow a protected file... you
> > > > get the picture :-)
> > >
> > > Securelevel 2 should not allow loading of kernel modules.
> >
> > Correct, but if they're not noschg then you can trivially trojan a
> > kernel module which you know is loaded at boot time. Or you can add
> > yourself a new kernel module and load it by editing the boot loader
> > config, or by editing one of the startup scripts, or by trojaning one
> > of the binaries run during the system startup prior to raising of
> > securelevel, etc etc.
> >
> > Then cause, or wait for a reboot.
>
> wait, but can't you make kernel modules and startup scripts noschg too?

Go back and read the first paragraph above. It's theoretically possible,
but the list of things you would have to noschg is huge, constantly
changing from version to version, and not completely known.

Kris
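A defender-side audit for the point Kris makes, added here as an example and not code from the thread: it parses `ls -lo` output and reports every boot-path entry whose flags field lacks `schg` (the flag `chflags schg` sets), treating directories, /etc/fstab and loader config the same as binaries and modules. The listing below is constructed, and the paths in it are illustrative rather than a complete list of what runs before securelevel is raised.

```shell
#!/bin/sh
# Report boot-path files that are still writable by root before securelevel
# rises. On FreeBSD the real input would come from something like:
#   ls -lo /sbin/init /etc/rc* /etc/fstab /boot/loader.conf /boot/kernel /boot/kernel/*.ko
# The ls -lo output here is CONSTRUCTED so the check runs anywhere.
# ls -lo columns: mode links owner group flags size month day time-or-year name
SAMPLE_LS_LO='-r-xr-xr-x  1 root  wheel  schg,sunlnk  262144 Dec 21  2000 /sbin/init
-r--r--r--  1 root  wheel  schg           4096 Dec 21  2000 /boot/kernel/if_fxp.ko
-rw-r--r--  1 root  wheel  -               512 Dec 21  2000 /boot/loader.conf
-rw-r--r--  1 root  wheel  uchg            256 Dec 21  2000 /etc/fstab
-r-xr-xr-x  1 root  wheel  schg           8192 Dec 21  2000 /etc/rc
drwxr-xr-x  2 root  wheel  -               512 Dec 21  2000 /boot/kernel'

# mutable_paths LISTING: print the path of every entry whose flags field does
# not contain schg. uchg is not enough (root can clear it at any securelevel),
# so a uchg-only entry is reported as mutable as well.
mutable_paths() {
    listing=$1
    printf '%s\n' "$listing" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line          # split on whitespace; "--" keeps a leading "-" mode safe
        flags=$5
        shift 9               # drop mode..time/year, leaving the path in $1
        path=$1
        case ",$flags," in
            *,schg,*) ;;                  # system-immutable: fine
            *) printf '%s\n' "$path" ;;   # editable before securelevel is raised
        esac
    done
}

# mutable_count LISTING: number of mutable entries, usable as a pass/fail gate
mutable_count() {
    mutable_paths "$1" | wc -l | tr -d ' '
}

if [ "$(mutable_count "$SAMPLE_LS_LO")" -ne 0 ]; then
    echo "boot-path entries without schg:"
    mutable_paths "$SAMPLE_LS_LO"
fi
```

Run against a real listing, every path it prints is one an attacker with root could change and have picked up at the next reboot, which is why the thread treats the full set as hard to pin down.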