From owner-freebsd-hackers Fri Feb 9 12:52:02 2001
Message-ID: <3A84582E.3000702@quack.kfu.com>
Date: Fri, 09 Feb 2001 12:50:54 -0800
From: Nick Sayer
User-Agent: Mozilla/5.0 (X11; U; FreeBSD 4.2-RELEASE i386; en-US; 0.7) Gecko/20010123
To: Greg Black
Cc: kris@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: /etc/security: add md5 to suid change notification?
References: <200102082355.f18NtfF89134@medusa.kfu.com>

Greg Black wrote:

> Nick Sayer wrote:
>
>> Would it generally be viewed as helpful to add the option of reporting
>> the md5 for the files listed in /var/log/setuid.*?
>
> I don't see the benefit in this if either the md5 binary or the
> comparison file is on writable storage (which is almost always
> going to be true).

Then why bother checking at all? Someone can trojan ls, or even easier, arrange to trojan suid binaries without changing the things that show up in that listing. Besides, security-conscious folks could set the immutable flag for md5 and/or the comparison file (and probably sh and ls while they're at it) if they like.

For the point Kris made, I'm not sure he understood what I was suggesting -- I'm not suggesting just printing the md5 of the files when you notice they've changed, but adding the md5 as another trigger for deciding which files have changed. Adding it as a field in /var/log/setuid.* would achieve this end.
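The proposal above, worked through as an added example that is not the FreeBSD /etc/security script or anything posted in the thread: a setuid listing that carries an MD5 field beside the mode, link count, owner, group and size, and a comparison of yesterday's listing against today's that flags entries whose MD5 changed while every field the plain listing records stayed the same. The function names are mine, and it assumes BSD md5(1) or GNU md5sum is available and that paths contain no newlines.

```shell
#!/bin/sh
# Added example, not the FreeBSD /etc/security script: a setuid listing
# with an MD5 field, and a comparison that reports which entries changed,
# distinguishing "md5 only" changes (mode, links, owner, group and size
# unchanged, so the plain listing would never flag them) from attribute changes.
# Assumes BSD md5(1) or GNU md5sum, and paths without embedded newlines.

md5_of() {
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"; else md5sum "$1" | cut -d' ' -f1; fi
}

# One line per setuid/setgid regular file below $1:
#   <mode> <links> <owner> <group> <size> <md5> <path>
# The first five fields are what the old listing already records.
setuid_listing() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort |
    while IFS= read -r f; do
        set -- $(ls -ld "$f")
        printf '%s %s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$(md5_of "$f")" "$f"
    done
}

# compare_listings yesterday today: print added/removed/changed entries;
# exit 0 when the two listings agree and 1 otherwise.
compare_listings() {
    awk '
        function path(  i, p) { p = $7; for (i = 8; i <= NF; i++) p = p " " $i; return p }
        function attrs()      { return $1 " " $2 " " $3 " " $4 " " $5 }
        BEGIN { rc = 0 }
        FILENAME == ARGV[1] { p = path(); old_attrs[p] = attrs(); old_md5[p] = $6; next }
        {
            p = path(); seen[p] = 1
            if (!(p in old_md5)) { print "added: " p; rc = 1 }
            else if (old_attrs[p] != attrs() || old_md5[p] != $6) {
                print "changed (" (old_attrs[p] == attrs() ? "md5 only" : "attributes") "): " p
                rc = 1
            }
        }
        END {
            for (p in old_md5) if (!(p in seen)) { print "removed: " p; rc = 1 }
            exit rc
        }
    ' "$1" "$2"
}
```

Run `setuid_listing / > setuid.today` on each pass and `compare_listings setuid.yesterday setuid.today` to get the report; a trojaned binary that keeps its mode, owner and size shows up as "md5 only".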