From owner-freebsd-security  Wed Oct  4  2:58:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id A537437B503; Wed,  4 Oct 2000 02:58:36 -0700 (PDT)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id CAA90908;
	Wed, 4 Oct 2000 02:58:36 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
Date: Wed, 4 Oct 2000 02:58:36 -0700
From: Kris Kennaway <kris@FreeBSD.org>
To: Dima Dorfman <dima@unixfreak.org>
Cc: Kris Kennaway <kris@FreeBSD.org>,
	Alfred Perlstein <bright@wintelcom.net>,
	Mike Silbersack <silby@silby.com>, security@FreeBSD.ORG
Subject: Re: BSD chpass (fwd)
Message-ID: <20001004025836.A84165@freefall.freebsd.org>
References: <20001004021948.A76230@freefall.freebsd.org> <20001004092758.335931F0A@static.unixfreak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001004092758.335931F0A@static.unixfreak.org>; from dima@unixfreak.org on Wed, Oct 04, 2000 at 02:27:58AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Oct 04, 2000 at 02:27:58AM -0700, Dima Dorfman wrote:

> In securelevel >= 2, you can't open a disk for writing unless you're
> mount(2).  I don't know much about null mounts, so I don't know if
> that will prevent them from working.

mounting is still allowed at all securelevels, so you could also null
mount over the top of /usr/bin even if /usr/bin is schg. The fact that
you can mount volumes at high securelevel seems to mean there is no
way you can protect a running system against tampering with a given
file (i.e. replacing the runtime-visible instance of a given file).

Robert Watson would probably start talking about MAC about now :-) but
I'm not sure if this is something which should be fixed as a security
problem, or if it is just not practical to expect securelevels to
prevent run-time tampering of a given file (leaving aside the issues
of protecting the boot path against taking control of the machine at
next reboot time, which only happens as a result of incomplete
coverage of the relevant files and directories with schg)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message