Subject: Re: BSD chpass (fwd)
From: Dima Dorfman <dima@unixfreak.org>
To: Kris Kennaway
Cc: Dima Dorfman, Alfred Perlstein, Mike Silbersack, security@FreeBSD.ORG
Date: Wed, 4 Oct 2000 03:08:59 -0700 (PDT)
In-Reply-To: <20001004023249.B76230@freefall.freebsd.org> from Kris Kennaway at "Oct 4, 2000 02:32:49 am"
Message-Id: <20001004100859.33A4A1F0A@static.unixfreak.org>

> On Wed, Oct 04, 2000 at 02:27:58AM -0700, Dima Dorfman wrote:
>
> > Actually, I think you can do it without null mounts. mv /usr/bin
> > /usr/bin2, chmod 000 /usr/bin2, then remake /usr/bin (without chpass,
> > of course).
>
> I think you're right. Which is a good reason why your /usr/bin should
> be schg too ;-)

Then it'd become: mv /usr /usr2, cp everything from /usr2 to /usr except for bin, etc. You get the idea. It does deter them a little bit, though. I usually set /bin, /sbin, /modules (or /boot/kernel in -current), and /boot schg and not worry too much about /usr/[s]bin.

IMO, the bottom line is, schg can only prevent an attacker if they don't have a good understanding of the system (which accounts for most of the script kid population). A really clever attacker would modify your securelevel settings in rc.conf, reboot the machine making it look like a panic or power surge (if they know you exclusively access it remotely), fool around, then change it back.

Tripwire on a r/o disk would tell you about it, but you can't do that remotely unless you plan on never touching any system binaries. Or am I missing something?

--
Dima Dorfman
Finger dima@unixfreak.org for my public PGP key.
"I had a terrible education. I attended a school for emotionally disturbed teachers." -- Woody Allen
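The message argues that schg is only as strong as the securelevel that locks it in, and that a capable intruder would edit the securelevel settings in rc.conf and reboot. The following is an added example, not code from the thread or from FreeBSD: a small offline audit that checks a captured rc.conf and captured `ls -lod` output (FreeBSD's `-o` column shows file flags) against the policy described above, so a defender can spot a lowered securelevel or a missing schg flag in the window before the attacker "changes it back". The rc.conf knobs `kern_securelevel_enable` and `kern_securelevel` are real FreeBSD variables; the expected-path list, the function names and all sample inputs are constructed for this example.

```python
"""Audit the schg/securelevel hardening discussed in the thread.

Added example, not from the original message.  It works on text captured
from the host (rc.conf contents and `ls -lod` output) so it runs offline;
every sample input below is constructed.
"""
import re

# Paths the message suggests keeping schg.  /modules became /boot/kernel
# in -current, so the -current path is used here (an assumption).
EXPECTED_SCHG = ("/bin", "/sbin", "/boot", "/boot/kernel")


def parse_ls_flags(ls_output):
    """Parse `ls -lod` lines into {path: set(flags)}.

    FreeBSD `ls -o` prints the flags column between group and size,
    with "-" when no flags are set.
    """
    flags = {}
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue  # not a long-format entry
        # mode links owner group flags size month day year/time path
        flag_field, path = parts[4], parts[-1]
        flags[path] = set() if flag_field == "-" else set(flag_field.split(","))
    return flags


def parse_rc_conf(rc_conf):
    """Return rc.conf assignments as a dict; later assignments win, as in sh."""
    settings = {}
    for line in rc_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)=("?)([^"]*)\2$', line)
        if m:
            settings[m.group(1)] = m.group(3)
    return settings


def audit(rc_conf, ls_output, expected=EXPECTED_SCHG):
    """Return a list of findings; an empty list means the host matches the policy."""
    findings = []
    settings = parse_rc_conf(rc_conf)
    if settings.get("kern_securelevel_enable", "NO").upper() != "YES":
        findings.append("kern_securelevel_enable is not YES")
    try:
        level = int(settings.get("kern_securelevel", "-1"))
    except ValueError:
        level = -1
    # At securelevel >= 1 the schg flag can no longer be cleared, which is
    # what makes the flag worth setting in the first place.
    if level < 1:
        findings.append(f"kern_securelevel={level} does not protect schg files (need >= 1)")
    flags = parse_ls_flags(ls_output)
    for path in expected:
        if path not in flags:
            findings.append(f"{path}: not present in ls output")
        elif "schg" not in flags[path]:
            findings.append(f"{path}: schg flag missing")
    return findings


# Constructed sample inputs: a host that matches the policy ...
SAMPLE_RC_CONF = """\
# constructed sample rc.conf
hostname="static.example"
kern_securelevel_enable="YES"
kern_securelevel="2"
"""

SAMPLE_LS_GOOD = """\
drwxr-xr-x   2 root  wheel  schg  1024 Oct  4  2000 /bin
drwxr-xr-x   2 root  wheel  schg  1024 Oct  4  2000 /boot
drwxr-xr-x   2 root  wheel  schg  1024 Oct  4  2000 /boot/kernel
drwxr-xr-x   2 root  wheel  schg  2048 Oct  4  2000 /sbin
"""

# ... and the same host after the rc.conf edit and flag removal the message describes.
SAMPLE_RC_CONF_TAMPERED = SAMPLE_RC_CONF.replace('kern_securelevel="2"', 'kern_securelevel="-1"')
SAMPLE_LS_TAMPERED = SAMPLE_LS_GOOD.replace("schg  1024 Oct  4  2000 /bin", "-     1024 Oct  4  2000 /bin")

if __name__ == "__main__":
    for label, rc, ls in (("baseline", SAMPLE_RC_CONF, SAMPLE_LS_GOOD),
                          ("tampered", SAMPLE_RC_CONF_TAMPERED, SAMPLE_LS_TAMPERED)):
        print(label, audit(rc, ls) or "OK")
```

Run it against `cat /etc/rc.conf` and `ls -lod /bin /sbin /boot /boot/kernel` captured from the host; as the message notes, the comparison is only trustworthy when the baseline it checks against lives somewhere the intruder cannot rewrite.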