Date: Thu, 11 Jun 1998 16:46:25 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc: jbryant@unix.tfs.net, Niall Smart <njs3@doc.ic.ac.uk>, freebsd-hackers@FreeBSD.ORG
Subject: Re: [Fwd: Secure Ping 1.0]
Message-ID: <Pine.BSF.3.96.980611163515.378K-100000@fledge.watson.org>
In-Reply-To: <3902.897596586@time.cdrom.com>
On Thu, 11 Jun 1998, Jordan K. Hubbard wrote:

> Perhaps the kind of idiot who also knows that it makes about as much
> sense to "secure" a system that way as it does to install a locking
> door on a cardboard shack. :-)
>
> There are enough free shell accounts given out on the net that any
> reasonably determined newbie cracker can compile something somewhere
> else or just use the copy of PERL which is invariably found somewhere
> to do socket manipulation. You can't really control the creation or

Or better yet, sh and telnet, and cat /dev/zero?

> importation of strange executables onto your system, but what you can
> control is the execute bit itself. My first intro to this was what
> Paul Vixie first did on gatekeeper.dec.com - joblow could log in and
> FTP over all the ICMP killers they wanted, but any attempts to chmod
> them executable would just be silently ignored - it was blocked at the
> syscall level. I also believe there was a kernel variable he could
> just set and unset with the debugger to turn this off when he himself
> needed to install something, but FreeBSD could probably more
> effectively key off the secure level and have "no new execs" as a
> kernel option to go along with a securelevel > 1, or something.

I personally like the LKM someone wrote here at TIS that replaces all
open() syscalls with filenames that are .gif files with opens to a
specific gif file that is a picture of dilbert. Makes most web pages
look great. :)

Interpreters make the no new exec behavior not-so-useful in the real
world, unfortunately.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
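The two points made above, a chmod filter keyed off a securelevel that silently drops newly requested execute bits, and the observation that an interpreter ignores the execute bit entirely, can be shown side by side in user space. The following is an added illustration written for this archive page; it is not Vixie's gatekeeper patch, not FreeBSD kernel code, and not anything Watson or Hubbard wrote. The `filter_chmod` function is an assumed model of the policy described in the quoted text, and the threshold `securelevel > 1` is taken from it; the script file and its contents are constructed for the demonstration.

```python
"""Model of a "no new execute bits" chmod policy, plus the interpreter
caveat: the same non-executable file still runs when handed to python.

Added example for this mailing-list page; not FreeBSD or gatekeeper code.
Assumes a POSIX host where execve() refuses files with no execute bit.
"""
import os
import stat
import subprocess
import sys
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def filter_chmod(securelevel: int, current_mode: int, requested_mode: int) -> int:
    """Assumed policy (modelled on the thread, not real kernel code):
    when securelevel > 1, any execute bit the file does not already carry
    is silently dropped from the requested mode. Clearing bits is always
    allowed, and below securelevel 2 the request passes through unchanged."""
    if securelevel <= 1:
        return requested_mode
    new_exec = requested_mode & EXEC_BITS & ~current_mode
    return requested_mode & ~new_exec


def run_directly(path: str) -> str:
    """Ask the kernel to exec the file itself. With no execute bit set the
    exec fails with EACCES, which Python surfaces as PermissionError."""
    try:
        subprocess.run([path], check=True, capture_output=True)
        return "ran"
    except PermissionError:
        return "EACCES"


def run_via_interpreter(path: str) -> str:
    """Hand the same file to an interpreter. The interpreter only open()s
    and reads the file, so the execute bit is never consulted."""
    result = subprocess.run([sys.executable, path], capture_output=True, text=True)
    return result.stdout.strip()


def demo() -> dict:
    """Create a constructed script with mode 0644, run a chmod 0755 request
    through the securelevel-2 filter, then try both ways of running it."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "script.py")
        with open(path, "w") as f:
            f.write("print('hello from script')\n")  # constructed test script
        os.chmod(path, 0o644)
        # The requested 0755 is filtered back down to 0644: no new exec bits.
        os.chmod(path, filter_chmod(2, 0o644, 0o755))
        return {
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "direct": run_directly(path),
            "interp": run_via_interpreter(path),
        }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary showing the mode stuck at `0o644`, the direct exec refused with `EACCES`, and the interpreter run producing the script's output anyway. That last entry is the whole caveat: an execute-bit control only governs `execve()` on the file itself, so a defender relying on it also needs to account for every interpreter already installed on the host, or use a mechanism (such as a noexec mount combined with interpreter restrictions) that is not tied to the file's own mode bits.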