From: Niall Smart
Message-Id: <199808242136.WAA00657@indigo.ie>
Date: Mon, 24 Aug 1998 22:36:24 +0000
In-Reply-To: <199808240620.BAA04415@dyson.iquest.net>
Reply-To: rotel@indigo.ie
To: dyson@iquest.net, joelh@gnu.org
Subject: Re: I want to break binary compatibility.
Cc: imp@village.org, dkelly@hiwaay.net, rabtter@aye.net, hackers@FreeBSD.ORG

On Aug 24, 1:20am, "John S. Dyson" wrote:
} Subject: Re: I want to break binary compatibility.
> Joel Ray Holveck said:
> > >>> I have a problem with some hackers that are obsessed with making my
> > >>> ISP's life miserable (they've already hacked our SGI). I've slapped
> > >>> together a FreeBSD box to throw their webpages on it, turned off all
> > >>> services except http.
> > >> While you are at it and breaking binary compatibility for security
> > >> reasons, make sure you remove stuff a webserver doesn't need such as
> > >> /usr/include, compilers, manpages, etc. Maybe PicoBSD would be the
> > >> place to start?

[snip]

> I posted this through another mechanism by mistake, and so I apologize
> if this message is a repeat for you:
>
> Try modifying your system so that one of the flags bits is required to
> run a program. It would then require both the flags bit and the executable
> bit. Make sure the system cannot allow anyone but root to set the chosen
> flags bit. Maybe you could use the immutable flag for this, so that you
> get theoretical immutability along with the ability to run code. You
> might want to relax the restriction for root, but maybe not (depending
> on how your admin scheme is set up.)

None of these hacks achieve security. You, of all people, should know
better. The original poster should figure out how they are breaking in
and close the hole; obfuscation schemes like the above are a waste of
time.

Niall

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h