Date: Tue, 20 Mar 2001 05:57:23 -0600 (CST)
From: "J.A. Terranson"
To: security@freebsd.org
Subject: chflags/symlinks

Good Morning/Afternoon/Etc.,

I believe there is an issue WRT the above pair.

Background: all our FBSD boxen run under securelevel 3; our main news server (inn 2.3.1) takes in a full feed (200gb+ daily); in order to keep up with this feed, it is necessary to distribute IO load as much as is humanly possible. Due to an internal kludge, it is necessary (temporarily, while a real fix is being engineered) for us to use symlinks to force certain files to certain filesystems.

Problem: There is no way to secure (schg, etc) the link. I can secure the files to which they point, but not the links themselves. Theoretically, an attack can be launched by deleting the symlinks and creating new ones, rather than altering the files directly (as they are safe under securelevel 3). For us, the issue has been nightly cleanup routines killing the symlinks, and thereby breaking *everything* :-(

If there is something I have missed here, I would *love* to know...

-- 
Yours,
J.A. Terranson
sysadmin@mfn.org

If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
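
The situation described in the message, where a symlink is removed or re-pointed while its target file stays immutable, can at least be detected by comparing each link against a recorded target. The script below is an added example, not part of the original message; the manifest format, function names and scratch paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): detect removed or
# re-pointed symlinks by comparing them against a recorded manifest.
# Manifest format is an assumption: "link<TAB>expected-target" per line.

# record_links MANIFEST LINK... : save the current target of each link.
record_links() {
    manifest=$1; shift
    : > "$manifest"
    for link in "$@"; do
        [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
        printf '%s\t%s\n' "$link" "$(readlink "$link")" >> "$manifest"
    done
}

# check_links MANIFEST : print one finding per deviating link.
# Returns 0 when every link matches, 1 when any link is missing,
# replaced by a non-symlink, or pointing somewhere else.
check_links() {
    manifest=$1; bad=0; tab=$(printf '\t')
    while IFS="$tab" read -r link want; do
        [ -n "$link" ] || continue
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            echo "MISSING  $link (expected -> $want)"; bad=1
        elif [ ! -L "$link" ]; then
            echo "REPLACED $link is no longer a symlink"; bad=1
        else
            have=$(readlink "$link")   # -L also covers dangling links
            if [ "$have" != "$want" ]; then
                echo "RETARGET $link -> $have (expected -> $want)"; bad=1
            fi
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo in a scratch directory (all paths are illustrative).
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/spool-a" "$d/spool-b" "$d/elsewhere"
    ln -s "$d/spool-a" "$d/link-a"; ln -s "$d/spool-b" "$d/link-b"
    record_links "$d/manifest" "$d/link-a" "$d/link-b"
    rm "$d/link-a"                                    # link deleted
    rm "$d/link-b"; ln -s "$d/elsewhere" "$d/link-b"  # link re-pointed
    check_links "$d/manifest"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "link drift detected"
```

The manifest is an ordinary file, so it can carry the schg flag in the same way as the target files the message mentions.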