Date: Sat, 6 Oct 2001 04:16:02 -0400
From: Dave Chapeskie <freebsd@ddm.wox.org>
To: Jeff Palmer <scorpio@drkshdw.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kern Secure Level
Message-ID: <20011006041601.A7815@ddm.wox.org>
In-Reply-To: <20011006022008.R66168-100000@Scorpio.drkshdw.org>; from scorpio@drkshdw.org on Sat, Oct 06, 2001 at 02:36:41AM -0400
References: <Pine.GSO.4.21.0110052303250.18017-100000@bergman.umail.ucsb.edu> <20011006022008.R66168-100000@Scorpio.drkshdw.org>

On Sat, Oct 06, 2001 at 02:36:41AM -0400, Jeff Palmer wrote:
> A lot of newbie (please, no flames if this includes anyone reading this
> list) a lot of newbie admins will read about securelevels, and make
> the entire /bin /sbin and other directories immutable. This is a BAD
> THING!

Bzzzt! Thanks for playing! You have it backwards. There is no
security (other than from typos) in making files in /sbin immutable if
/sbin itself is not immutable. For example try this on your setup:

  $ chflags schg /sbin/init     # just to be sure
  $ ls -lo /sbin/init           # notice schg
  $ cp -R /sbin /.sbin.new
  $ mv /sbin /... && mv /.sbin.new /sbin
  $ ls -lo /sbin/init           # notice no schg

For /usr/sbin/* you must make BOTH /usr/sbin and /usr immutable to avoid
the same problem.

-- 
Dave Chapeskie
OpenPGP Key KeyId: 3D2B6B34

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011006041601.A7815>
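
An audit for the condition the message describes, as an added example that is not part of the original e-mail: for each schg file it lists the parent directories that lack schg. It generalizes the /usr/sbin rule to every ancestor below /; the function names and the sample flag table (including /usr/sbin/sshd) are constructed for illustration.

```python
import os
import posixpath
import stat

SCHG = stat.SF_IMMUTABLE  # the flag that "chflags schg" sets


def ancestors(path):
    """Yield each parent directory of path, nearest first, stopping before "/"."""
    parent = posixpath.dirname(posixpath.normpath(path))
    while parent not in ("/", ""):
        yield parent
        parent = posixpath.dirname(parent)


def real_flags(path):
    """Read BSD file flags from disk (st_flags exists on FreeBSD, not on Linux)."""
    return os.lstat(path).st_flags


def unprotected_parents(path, get_flags=real_flags):
    """Return the ancestors of an schg file that lack schg themselves.

    An empty list means every directory above the file is flagged too;
    None means the file itself is not schg, so there is nothing to audit.
    """
    if not get_flags(path) & SCHG:
        return None
    return [d for d in ancestors(path) if not get_flags(d) & SCHG]


# Constructed sample flag table standing in for a real filesystem.
SAMPLE = {
    "/sbin": 0, "/sbin/init": SCHG,                        # the case in the message
    "/usr": 0, "/usr/sbin": SCHG, "/usr/sbin/sshd": SCHG,  # /usr left unflagged
    "/bin": SCHG, "/bin/sh": SCHG,                         # file and directory flagged
    "/etc": 0, "/etc/motd": 0,                             # not schg at all
}

if __name__ == "__main__":
    for f in ("/sbin/init", "/usr/sbin/sshd", "/bin/sh", "/etc/motd"):
        weak = unprotected_parents(f, SAMPLE.__getitem__)
        if weak is None:
            print(f"{f}: not schg, skipped")
        elif weak:
            print(f"{f}: schg, but replaceable via {', '.join(weak)}")
        else:
            print(f"{f}: schg on the file and every parent directory")
```

On a FreeBSD host, call unprotected_parents(path) with the default get_flags to read the real flags from disk.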