Date:      Fri, 16 Feb 2001 09:27:02 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        Ragnar Beer <rbeer@uni-goettingen.de>
Cc:        freebsd-security@freebsd.org
Subject:   Re: File flags
Message-ID:  <20010216092702.A93835@mollari.cthul.hu>
In-Reply-To: <p04330100b6b2d6708b25@[134.76.136.114]>; from rbeer@uni-goettingen.de on Fri, Feb 16, 2001 at 02:15:31PM +0100
References:  <p04330100b6b2d6708b25@[134.76.136.114]>



On Fri, Feb 16, 2001 at 02:15:31PM +0100, Ragnar Beer wrote:
> Howdy!
> 
> I'm wondering which files I should protect with file flags. So far I only
> protected a couple of flags in /var/log but last week I read that someone
> suggested making files in the /bin /sbin /etc directories immutable. How much
> sense does that make?

This only makes a real difference to security if:

a) You raise the system securelevel, so that flags cannot be removed,
and:

b) You make just about everything in /boot, /modules, /etc, /bin,
/sbin, /usr/bin, /usr/sbin immutable - any file touched during the
boot process before securelevel is raised, should be protected so that
attackers who break root don't have the ability to reset the
securelevel by modifying a non-protected file (e.g. /sbin/ifconfig, to
pick one at random) to do their dirty work (e.g. removing flags from
everything) when the system reboots.  A full list of files is not
known, and it is probably enough to make upgrading the system a total
PITA.

In other words, there are some pretty fatal flaws with the concept.

It does however confuse the heck out of script kiddies :-D

Kris
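As an added illustration of the two conditions Kris names (this script is not part of the original thread and was not written by either poster): it checks whether `kern.securelevel` is high enough for the immutable flag to be enforced, and lists the entries of a FreeBSD-style `ls -lo` listing that are not marked `schg`. The listing embedded below is constructed so the script runs offline; on a real host you would pipe in `ls -lo /bin /sbin /etc ...` and pass `sysctl -n kern.securelevel`.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Audits an `ls -lo` listing for files lacking the schg flag and
# interprets kern.securelevel. Sample data is constructed.

# Constructed `ls -lo` output. Column 5 is the flags field; FreeBSD ls
# prints "-" when a file carries no flags.
SAMPLE_LISTING='-r-xr-xr-x  1 root  wheel  schg 1234 Feb 16  2001 /bin/ls
-r-xr-xr-x  1 root  wheel  - 5678 Feb 16  2001 /sbin/ifconfig
-r-xr-xr-x  1 root  wheel  schg 910 Feb 16  2001 /sbin/init
-rw-r--r--  1 root  wheel  - 42 Feb 16  2001 /etc/rc.conf
-rw-------  1 root  wheel  sappnd,uarch 99 Feb 16  2001 /var/log/messages'

unprotected_files() {
    # Read `ls -lo` lines on stdin; print the name of every entry whose
    # flags field (5th column) does not contain schg. Comma-separated
    # flag lists such as "schg,sunlnk" still match.
    awk '$5 !~ /(^|,)schg(,|$)/ { print $NF }'
}

flags_enforced() {
    # $1 is the value of `sysctl -n kern.securelevel`. At securelevel 1
    # or higher the system immutable/append-only flags cannot be
    # cleared, so only then does schg bind a process running as root.
    [ "$1" -ge 1 ]
}

audit_report() {
    # Given a securelevel in $1 and a listing on stdin, print a verdict
    # on flag enforcement followed by the paths still unprotected.
    level=$1
    if flags_enforced "$level"; then
        echo "securelevel=$level: flags are enforced"
    else
        echo "securelevel=$level: root can clear flags (not enforced)"
    fi
    unprotected_files
}

# Stand-alone run against the constructed listing at the default
# securelevel (-1), where flags give no real protection.
printf '%s\n' "$SAMPLE_LISTING" | audit_report -1
```

The two halves map onto Kris's points: `flags_enforced` covers (a), since `schg` on its own is undone by `chflags noschg` unless the securelevel is raised, and `unprotected_files` covers (b), turning the "full list of files is not known" problem into something you can at least enumerate for the directories he names.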






