Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!vtc.tacom.army.mil!ulowell.uml.edu!europa.chnt.gtegsc.com!usenet.eel.ufl.edu!news.mathworks.com!udel!gatech!howland.reston.ans.net!Germany.EU.net!Dortmund.Germany.EU.net!not-for-mail
From: bs@Germany.EU.net (Bernard Steiner)
Newsgroups: comp.unix.bsd.misc,comp.unix.bsd.bsdi.misc
Subject: Re: Circumventing immutable file protections
Date: 17 Aug 1995 11:06:21 +0200
Organization: EUnet Deutschland GmbH, Dortmund, Germany
Lines: 29
Message-ID: <40v0qd$nh3@Germany.EU.net>
References: <DCvE8s.15A@candle.pha.pa.us> <4095br$3tj@kragar.kei.com> <409qef$t3n@Germany.EU.net> <DDF9o5.1BL@candle.pha.pa.us>
NNTP-Posting-Host: qwerty.germany.eu.net
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.misc:155 comp.unix.bsd.bsdi.misc:554

In article <DDF9o5.1BL@candle.pha.pa.us>, root@candle.pha.pa.us (Bruce Momjian) writes:
|> Bernard Steiner (bs@Germany.EU.net) wrote:
|> :
|> : In article <4095br$3tj@kragar.kei.com>, ckd@loiosh.kei.com (Christopher Davis) writes:
|> : |> BM> == Bruce Momjian <root@candle.pha.pa.us>
|> : |> BM> If a hacker broke into a system, wouldn't he do his mischief, then
|> : |> BM> add entries to /etc/rc to truncate or modify the log files and then
|> : |> BM> cause a reboot.
|> : Make /etc/rc run only commands and scripts that are either immutable or reside
|> : on read-only filesystems.
|> I was afraid this was the answer I would receive, that there is no way
|> to prevent a reboot and /etc/rc from clearing a hacker's tracks except to
|> make /etc/rc and everything(!) it calls immutable. That is quite a job.
|>
|> Now, I am wondering why the kernel has to run /etc/rc at security level
|> zero? If it did not, I would only have to protect /boot and /bsd.

It doesn't. You should be able to fix your kernel to always run at run level 1.
Alas, don't forget to keep a copy of a run-level 0 kernel for system maintenance.
Oh - BTW - if the first command in /etc/rc is running fsck (which would have to be
immutable), the second command mounting all local filesystems and the third command
was to check each and every file executed from /etc/rc further down for its MD5
checksum against an immutable checksum, I don't quite see why you'd have to make
*everything* immutable.

Just a thought (haven't tried that:)

Bernard
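The closing suggestion above, sketched as an added example that is not code from the original post nor from any BSD release: a small set of POSIX sh functions that build an MD5 manifest of the scripts /etc/rc will call, verify them against it, and refuse to execute any script whose digest does not match. The manifest path, the function names and the sample scripts are assumptions for illustration. For the scheme to hold, the manifest, the checker itself and the early-boot tools it uses (fsck, mount, the digest program) still have to be immutable and the kernel running at a securelevel where the immutable flag is enforced; the checker only removes the need to flag every file further down /etc/rc.

```shell
#!/bin/sh
# Added example (not from the original post). Verify rc-invoked scripts against
# an MD5 manifest before running them. Assumed layout: one "<md5>  <path>" line
# per script in the manifest file; paths contain no whitespace.
#
# On a BSD system the manifest would be frozen once with:
#     chflags schg /etc/rc.manifest      (assumed path)
# and the kernel run at securelevel >= 1, so that neither the manifest nor the
# checker can be changed without rebooting into a lower securelevel.

set -u

# Compute the MD5 digest of a file, portable across BSD (md5) and GNU (md5sum).
# This is the single place to swap in a stronger digest (e.g. sha256) today.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.* //'
    fi
}

# Build the manifest from a trusted state: one line per script given as argument.
build_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(md5_of "$f")" "$f" >> "$manifest"
    done
}

# Verify every file listed in the manifest. Returns 0 only if every listed file
# exists and its digest matches; offending paths are reported on stderr.
verify_manifest() {
    manifest=$1
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING: $path" >&2; rc=1; continue
        fi
        actual=$(md5_of "$path")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED: $path" >&2; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Run one script only if it is listed in the manifest and its digest matches.
# Return codes: 2 = not in manifest, 3 = digest mismatch, else the script's own.
# A script an intruder appended to or replaced therefore never executes.
run_checked() {
    manifest=$1; script=$2; shift 2
    expected=$(awk -v p="$script" '$2 == p { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "REFUSED (not in manifest): $script" >&2; return 2
    fi
    if [ "$(md5_of "$script")" != "$expected" ]; then
        echo "REFUSED (digest mismatch): $script" >&2; return 3
    fi
    sh "$script" "$@"
}
```

In /etc/rc the pattern would be: fsck, mount the local filesystems, then `verify_manifest /etc/rc.manifest || exit 1` and `run_checked /etc/rc.manifest /etc/rc.local` (paths assumed) instead of calling the scripts directly. MD5 is what the post names and what was available in 1995; its collision weaknesses mean a checker written today should use a SHA-2 digest in `md5_of`, which is why that helper is isolated.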