Date: Thu, 05 Oct 2000 12:35:15 -0500
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: Michael Robinson <robinson@netrinsics.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Downgrading securelevel on remote servers
Message-ID: <4.3.2.20001005120823.00d3b6c0@207.227.119.2>
In-Reply-To: <200010051627.e95GRBX07405@netrinsics.com>

At 12:27 AM 10/6/00 +0800, Michael Robinson wrote:
>The solution I came to for this problem was to use Gnu Privacy Guard to
>sign scripts in /usr/local/etc/secure, and a script that verified the
>signatures and executed them prior to the securelevel being set in /etc/rc.
>
>If you needed to do something like change the suid bit on chpass, you would
>write a script to do that, sign it, install it, reboot, and remove the script.
>The server only kept a copy of the public key (the keyring was noschg, of
>course).

With some thought this should work well.

>I don't need to do that anymore, though, because now I have an OOB Cisco 2509
>connected to the console ports on our colocated servers.

And the somewhat easier, but slower way. Slower in the time involved to hand edit.

See little point in using secure levels if one doesn't protect the mechanism. Dima pointed out the hassle involved, but then extra hassle is to be expected as the security increases. The question always is how far one wishes to go and the costs involved.

YMMV

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
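
The verify-then-execute step from the quoted text, sketched as an added example; it is not code from this thread or from either poster, whose script was not posted. Only /usr/local/etc/secure comes from the message: the keyring path, the detached ".sig" files, the use of gpgv and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Only /usr/local/etc/secure comes from the post; the keyring
# path, the ".sig" suffix and the function names are assumptions.
SECURE_DIR="${SECURE_DIR:-/usr/local/etc/secure}"
KEYRING="${KEYRING:-/usr/local/etc/secure-pubring.gpg}"  # public keys only, noschg

# Succeed only if "$1.sig" is a valid detached signature over "$1"
# made by a key in $KEYRING. gpgv trusts every key in that keyring.
verify_sig() {
    gpgv --keyring "$KEYRING" "$1.sig" "$1" >/dev/null 2>&1
}

# Run each signed script once; print "ran NAME" or "skipped NAME (reason)".
run_signed_scripts() {
    work=$(mktemp -d) || return 1      # private 0700 directory
    for f in "$SECURE_DIR"/*.sh; do
        [ -e "$f" ] || continue        # glob matched nothing
        name=${f##*/}
        if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -O "$f" ]; then
            echo "skipped $name (not a regular file owned by the caller)"; continue
        fi
        if [ ! -f "$f.sig" ]; then
            echo "skipped $name (no signature)"; continue
        fi
        # Verify a private copy and execute that same copy, so the bytes
        # that run are exactly the bytes that were checked.
        cp "$f" "$work/$name" && cp "$f.sig" "$work/$name.sig" || continue
        if verify_sig "$work/$name"; then
            /bin/sh "$work/$name" && echo "ran $name" || echo "failed $name"
        else
            echo "skipped $name (bad signature)"
        fi
    done
    rm -rf "$work"
}

# Called from /etc/rc before the securelevel is raised:  secure-run.sh run
if [ "${1:-}" = "run" ]; then run_signed_scripts; fi
```

A valid signature shows who wrote a script, not that it is current, so each script still has to be removed after its reboot, as the quoted procedure says.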