Date: Fri, 6 Oct 2000 09:24:05 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: Hank Leininger <hlein@progressive-comp.com>, freebsd-security@FreeBSD.ORG
Subject: Re: BSD chpass (fwd)
Message-ID: <Pine.NEB.3.96L.1001006092113.63939A-100000@fledge.watson.org>
In-Reply-To: <200010061302.e96D2k345593@cwsys.cwsent.com>

On Fri, 6 Oct 2000, Cy Schubert - ITSD Open Systems Group wrote:

> Wouldn't setting schg on every binary and every config file on the
> system and running at securelevel 2 be equally effective?  Then again
> there's the possibility of a bug in the system that would allow any
> attacker to reduce the securelevel.  So once again we're faced with your
> first point as the only solution.

You also have to set schg on directories, as recent changes in the kernel
cause it to aggressively search /boot and other locations for configuration
files that may not exist by default.  Either you need to create all of them
and schg them, or schg the directories to prevent the creation of these
files.  The aggressiveness of the kernel in searching out files, especially
loadable kernel modules, these days is quite astounding, and probably one
strong reason why schg on files will now never be sufficient.

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
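
An added example, not part of the original message: a Python audit that lists every file and every directory under the given roots (default /boot, the location named above) that lacks the schg flag, so a directory in which new files could still be created is reported even when all of its existing files are protected. The function names are hypothetical, and st_flags is assumed to be populated only on BSD-derived systems.

```python
import os
import stat
import sys


def is_schg(flags):
    """True when the system-immutable (schg) bit is set in an st_flags value."""
    return bool(flags & stat.SF_IMMUTABLE)


def audit_schg(roots):
    """Return (kind, path) for each directory and file under roots lacking schg.

    Directories are checked as well as files: a directory without schg still
    allows new files to be created in it, whatever flags its current files carry.
    """
    findings = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic traversal order
            entries = [("dir", dirpath)]
            entries += [("file", os.path.join(dirpath, name))
                        for name in sorted(filenames)]
            for kind, path in entries:
                st = os.lstat(path)  # do not follow symlinks
                # st_flags is absent on platforms without BSD file flags;
                # a missing value is treated as "flag not set".
                if not is_schg(getattr(st, "st_flags", 0)):
                    findings.append((kind, path))
    return findings


if __name__ == "__main__":
    # Roots come from the command line; /boot is the only path the message names.
    for kind, path in audit_schg(sys.argv[1:] or ["/boot"]):
        print(f"{kind}\t{path}\tno schg")
```
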