Date: Fri, 06 Oct 2000 06:01:59 -0700 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: Hank Leininger <hlein@progressive-comp.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: BSD chpass (fwd) Message-ID: <200010061302.e96D2k345593@cwsys.cwsent.com> In-Reply-To: Your message of "Thu, 05 Oct 2000 02:23:42 EDT." <200010050623.CAA05646@mailer.progressive-comp.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <200010050623.CAA05646@mailer.progressive-comp.com>, Hank Leininger writes: > I've a feeling I'm (re)stating the obvious, but IMHO securelevels can't > really permanently preserve a system's known-good state in the face of root > compromise unless literally everything you'd ever access w/o securelevels > raised, is fully protected when they are (in which case you'll effectively > have everything interesting RO -- just set the RO jumper on the drive while > you're at it). Otherwise there will always(?) be some extra-mile way to > circumvent them. Of course we can devise countermeasures ad-nauseum -- for > instance, set all dirs in root's path to schg and only set sappnd on the > "last" one, and never change the order (silly). Or from every directory > "higher" in the path than a path'ed command, create a symlink to the right > place (unspeakably ugly, but works ;) Though you'll still have the 'sl', > 'ls-l', etc trojan possibilities either way. I think your first point is the only solution -- every R/O file would need the schg flag. Some co-workers and I had discussed this very issue about 2-3 years ago. The only solution we could arrive at was to burn the O/S onto a CDROM or set the R/O jumper on the drive, both of which would be administrative nightmares when the team administering the system is a ferry or helijet ride away, making managing such a system a very expensive proposition. Wouldn't setting schg on every binary and every config file on the system and running at securelevel 2 be equally effective? Then again there's the possibility of a bug in the system that would allow any attacker to reduce the securelevel. So once again were faced with your first point as the only solution. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200010061302.e96D2k345593>