Date: Fri, 6 Oct 2000 00:27:11 +0800 (+0800)
From: Michael Robinson <robinson@netrinsics.com>
To: freebsd-security@freebsd.org
Subject: Downgrading securelevel on remote servers
Message-ID: <200010051627.e95GRBX07405@netrinsics.com>

>Then they'd go change /etc/rc. You could set most of your root
>filesystem, including /etc, schg, which may help, but then you'd be
>making your machine almost unmanageable without console access. For
>example, how would you fix this chpass bug if you couldn't access the
>console and had no way to lower the securelevel, even with a reboot?

The solution I came to for this problem was to use GNU Privacy Guard to
sign scripts in /usr/local/etc/secure, and a script that verified the
signatures and executed them prior to the securelevel being set in /etc/rc.

If you needed to do something like change the suid bit on chpass, you would
write a script to do that, sign it, install it, reboot, and remove the
script. The server only kept a copy of the public key (the keyring was
noschg, of course).

I don't need to do that anymore, though, because now I have an OOB Cisco
2509 connected to the console ports on our colocated servers.

-Michael Robinson
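
One way to implement the verify-then-execute step described in the message above, as an added example that is not Michael Robinson's script or part of the original post. The keyring path, the `.sig` detached-signature naming and the function names are assumptions.

```shell
#!/bin/sh
# Added example: run only signed maintenance scripts before /etc/rc raises
# the securelevel. Everything except /usr/local/etc/secure is an assumption.
SECURE_DIR=${SECURE_DIR:-/usr/local/etc/secure}
KEYRING=${KEYRING:-/etc/secure-pubring.gpg}   # assumed path; public keys only

# Succeeds only if $2 is a valid detached signature over $1 made by a key in
# $KEYRING. gpgv accepts exactly the keys in the keyring it is given.
verify_sig() {
    gpgv --keyring "$KEYRING" "$2" "$1" >/dev/null 2>&1
}

# Verify and run every *.sh in $SECURE_DIR that has a matching *.sh.sig.
# Prints one "ran|failed|skipped <name>" line per script.
run_signed_scripts() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/secure-run.XXXXXX") || return 1
    for script in "$SECURE_DIR"/*.sh; do
        [ -f "$script" ] || continue            # glob matched nothing
        name=${script##*/}
        # Work on a private copy so the bytes verified are the bytes executed.
        if ! cp "$script" "$work/$name" ||
           ! cp "$script.sig" "$work/$name.sig" 2>/dev/null ||
           ! verify_sig "$work/$name" "$work/$name.sig"; then
            echo "skipped $name (missing or bad signature)"
            continue
        fi
        if /bin/sh "$work/$name"; then
            echo "ran $name"
        else
            echo "failed $name"
        fi
    done
    rm -rf "$work"
}

# In /etc/rc this would be invoked just before the securelevel is set.
if [ "${1:-}" = "run" ]; then
    run_signed_scripts
fi
```

A signed script stays valid for as long as its file is present, so removing it after the reboot, as the message describes, is part of the procedure.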