From owner-freebsd-hackers  Fri Feb  9 13:17:21 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from gw.gbch.net (gw.gbch.net [203.24.22.66])
	by hub.freebsd.org (Postfix) with SMTP id 0B2F937B699
	for <freebsd-hackers@freebsd.org>; Fri,  9 Feb 2001 13:16:58 -0800 (PST)
Received: (qmail 76480 invoked by uid 1001); 10 Feb 2001 07:16:55 +1000
X-Posted-By: GJB-Post 2.12 07-Feb-2001
X-Operating-System: FreeBSD 4.1-RELEASE i386
X-URL: http://www.gbch.net/gjb/
X-Image-URL: http://www.gbch.net/gjb/img/gjb-auug048.gif
X-PGP-Fingerprint: 5A91 6942 8CEA 9DAB B95B  C249 1CE1 493B 2B5A CE30
X-PGP-Public-Key: http://www.gbch.net/gjb/gjb-pgpkey.asc
Message-Id: <nospam-3a845e474312a95@maxim.gbch.net>
Date: Sat, 10 Feb 2001 07:16:55 +1000
From: Greg Black <gjb@gbch.net>
To: Nick Sayer <nsayer@quack.kfu.com>
Cc: kris@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: /etc/security: add md5 to suid change notification? 
References: <200102082355.f18NtfF89134@medusa.kfu.com> <nospam-3a8342fd530fe03@maxim.gbch.net> <3A84582E.3000702@quack.kfu.com> 
In-reply-to: <3A84582E.3000702@quack.kfu.com> 
	of Fri, 09 Feb 2001 12:50:54 PST
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Nick Sayer wrote:

> Greg Black wrote:
> 
> > Nick Sayer wrote:
> > 
> >> Would it generally be viewed as helpful to add the option of reporting
> >> the md5 for the files listed in /var/log/setuid.*?
> > 
> > I don't see the benefit in this if either the md5 binary or the
> > comparison file are on writable storage (which is almost always
> > going to be true).
> 
> Then why bother checking at all? Someone can trojan ls, or even easier, 
> arrange to trojan suid binaries without changing the things that show up 
> in that listing.

This is in fact my point.  The automated checks are just an
indicator of changes that have happened on a normally running
system -- they do nothing to guarantee that nothing has been
tampered with by black hats and adding the md5 checks won't
change that.  They add to the cost of the checks without proving
anything.  The existing stuff warns me when an authorised admin
has replaced a setuid program so that I can take any appropriate
steps if I want to.  But I have to employ other strategies (with
tools like tripwire and off-line or read-only storage) if I want
to make serious checks on vulnerable systems.

> Besides, security conscious folks could set the immutable flag for md5 
> and/or the comparison file (and probably sh and ls while they're at it) 
> if they like.

Unless things have changed, the use of elevated security levels
(which are necessary if those flags are to have any force) has
side effects that make them useless on lots of systems (e.g.,
inability to run X).

Greg


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message