From owner-freebsd-bugs Wed Oct 18 19:10: 6 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7C40D37B4E5 for ; Wed, 18 Oct 2000 19:10:01 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id TAA30392; Wed, 18 Oct 2000 19:10:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767) id 1609137B4C5; Wed, 18 Oct 2000 19:01:31 -0700 (PDT)
Message-Id: <20001019020131.1609137B4C5@hub.freebsd.org>
Date: Wed, 18 Oct 2000 19:01:31 -0700 (PDT)
From: ryanm@mhpcc.edu
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: conf/22102: Local scripts get run before securelevel is elevated
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 22102
>Category: conf
>Synopsis: Local scripts get run before securelevel is elevated
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 18 19:10:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Ryan Mooney
>Release: 4.1.1-RELEASE
>Organization: MHPCC
>Environment:
FreeBSD xxxx.xxx.edu 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE #1: Wed Oct 18 10:47:43 HST 2000 ryanm@mhpcc.edu:/usr/src/sys/compile/mykernel i386
>Description:
While hardening some systems I was examining the flow of control through /etc/rc in regards to how that might potentially compromise my usage of chflags schg on various system binaries/config files. I have made /etc/rc* and /etc/*conf immutable as well as various system binaries (/bin, /sbin, etc.).

The problem arose in that the scripts in ${local_startup} are run before the securelevel is increased. Unless all of those directories (and files therein) are also immutable, this opens a window of opportunity in that a clever hacker could use those initialization scripts to undo the immutable flags on my other files, modify them and I would be no wiser.

I started examining the potential of making all the ${local_startup} directories/files immutable, but it quickly became evident that that would be somewhat of a slippery slope to travel down. Moving the ${network_pass3_done} and ${kern_securelevel_enable} code above the ${local_startup} doesn't seem to have (?any?) side effects and solves this problem quite nicely.

There may be a better solution and if so I'd love to hear it :-)
>How-To-Repeat:
>Fix:
Obviously this diff won't apply after I've cut/pasted, but the result should be obvious enough...

*** rc.orig Wed Oct 18 15:45:06 2000 --- rc Wed Oct 18 15:45:17 2000 *************** *** 564,569 **** --- 564,585 ---- echo '.' fi + if [ -n "${network_pass3_done}" ]; then + network_pass4 + fi + + # Raise kernel security level. This should be done only after `fsck' has + # repaired local file systems if you want the securelevel to be greater than 1

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
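
Review bot: The single hunk at 564 contains only additions (the network_pass4 call and the start of the securelevel comment); nothing visible deletes the copies of that code which, per the description, currently sit after the ${local_startup} processing. Since the description calls this a move, the patch needs a second hunk removing the old block, otherwise network_pass4 would be called twice. The header announces 564,585 but the text stops partway through the "Raise kernel security level" comment, so the command that actually raises the level cannot be reviewed here; please resend the diff as an attachment. It would also help to extend that comment to say that everything under ${local_startup} now runs at the raised securelevel.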
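
The ordering problem described in the report can be checked mechanically. The following is an added example, not part of the original report or of FreeBSD's own code: the function names and both rc excerpts are constructed for illustration, and the check assumes the level is raised by a "sysctl ... kern.securelevel=" line.

```shell
#!/bin/sh
# Added example. Function names and both excerpts are constructed for
# illustration; they are not copied from the real /etc/rc.

# Ordering the report describes: local scripts first, securelevel last.
sample_rc_original() { cat <<'EOF'
for dir in ${local_startup}; do
    for script in ${dir}/*.sh; do [ -x "${script}" ] && "${script}" start; done
done
if [ -n "${network_pass3_done}" ]; then
    network_pass4
fi
# Raise kernel security level.
case ${kern_securelevel_enable} in
[Yy][Ee][Ss]) sysctl -w kern.securelevel=${kern_securelevel} ;;
esac
EOF
}

# Ordering after the proposed move: securelevel raised before local scripts.
sample_rc_patched() { cat <<'EOF'
if [ -n "${network_pass3_done}" ]; then
    network_pass4
fi
case ${kern_securelevel_enable} in
[Yy][Ee][Ss]) sysctl -w kern.securelevel=${kern_securelevel} ;;
esac
for dir in ${local_startup}; do
    for script in ${dir}/*.sh; do [ -x "${script}" ] && "${script}" start; done
done
EOF
}

# Reads an rc script on stdin. Prints "ok" (exit 0) if the first command that
# sets kern.securelevel precedes the first loop over ${local_startup},
# "window" (exit 1) if local scripts come first, "unknown" (exit 2) otherwise.
# Assumption: the level is raised with a "sysctl ... kern.securelevel=" line.
rc_order_check() {
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        !sec && /sysctl.*kern[.]securelevel=/ { sec = NR }
        !loc && /for[ \t]+[A-Za-z_]+[ \t]+in[ \t]+[$][{]?local_startup/ { loc = NR }
        END {
            if (!sec || !loc) { print "unknown"; exit 2 }
            if (sec < loc)    { print "ok"; exit 0 }
            print "window"; exit 1
        }'
}

printf 'original: %s\n' "$(sample_rc_original | rc_order_check)"
printf 'patched:  %s\n' "$(sample_rc_patched | rc_order_check)"
```

On a live system the same function can be fed the real file with rc_order_check < /etc/rc.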