Newsgroups: comp.unix.bsd.misc,comp.unix.bsd.bsdi.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!vtc.tacom.army.mil!ulowell.uml.edu!europa.chnt.gtegsc.com!gatech!newsfeed.pitt.edu!dsinc!jabber!candle!root
From: root@candle.pha.pa.us (Bruce Momjian)
Subject: Re: Circumventing immutable file protections
Followup-To: comp.unix.bsd.misc,comp.unix.bsd.bsdi.misc
X-Newsreader: TIN [UNIX 1.3 950726BETA PL0]
Organization: a consultant's basement
Message-ID: <DDF9o5.1BL@candle.pha.pa.us>
References: <DCvE8s.15A@candle.pha.pa.us> <4095br$3tj@kragar.kei.com> <409qef$t3n@Germany.EU.net>
Date: Wed, 16 Aug 1995 21:14:29 GMT
Lines: 23
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.misc:161 comp.unix.bsd.bsdi.misc:610

Bernard Steiner (bs@Germany.EU.net) wrote:
:
: In article <4095br$3tj@kragar.kei.com>, ckd@loiosh.kei.com (Christopher Davis) writes:
: |> BM> == Bruce Momjian <root@candle.pha.pa.us>
: |>
: |> BM> If a hacker broke into a system, wouldn't he do his mischief, then
: |> BM> add entries to /etc/rc to truncate or modify the log files and then
: |> BM> cause a reboot.
: |>
: Make /etc/rc run only commands and scripts that are either immutable or reside
: on read-only filesystems.

I was afraid this was the answer I would receive, that there is no way to
prevent a reboot and /etc/rc from clearing a hacker's tracks except to make
/etc/rc and everything(!) it calls immutable. That is quite a job.

Now, I am wondering why the kernel has to run /etc/rc at security level zero?
If it did not, I would only have to protect /boot and /bsd.

--
Bruce Momjian                          | 830 Blythe Avenue
root@candle.pha.pa.us                  | Drexel Hill, Pennsylvania 19026
  +  If your life is a hard drive,     | (610) 353-9879(w)
  +  Christ can be your backup.        | (610) 853-3000(h)
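The advice in the thread is to make /etc/rc invoke only commands and scripts that are either marked immutable (the BSD `schg` flag, which the kernel refuses to clear or override once the securelevel is raised above zero) or that live on a read-only filesystem. Whether a given /etc/rc actually satisfies that is tedious to check by hand, which is the "quite a job" Bruce refers to. The following audit script is an added example, not code from the thread or from any BSD distribution: it pulls the absolute paths that an rc-style script references and reports every one that is neither `schg` nor under a read-only mount. On a real system the flag listing would come from `ls -lo` and the read-only mountpoints from `mount`; here both are constructed sample data so the script runs offline, and the sample rc content is likewise made up.

```shell
#!/bin/sh
# Added audit helper (not from the original thread): report the commands and
# scripts an /etc/rc-style file runs that are neither immutable (schg) nor on
# a read-only filesystem.  All input data below is constructed for the example.

# Constructed stand-in for /etc/rc.
SAMPLE_RC='#!/bin/sh
/sbin/fsck -p
/sbin/mount -a
/usr/sbin/syslogd
/bin/sh /etc/netstart
/bin/sh /etc/rc.local'

# Constructed "path flags" listing, in the spirit of what `ls -lo` shows.
# "-" stands for "no flags set".
SAMPLE_FLAGS='/sbin/fsck schg
/sbin/mount schg
/usr/sbin/syslogd -
/bin/sh schg
/etc/netstart -
/etc/rc.local schg'

# Constructed, space-separated list of filesystems mounted read-only
# (what one would derive from `mount` on a live system).
SAMPLE_RO_MOUNTS='/usr'

# rc_paths RC_TEXT: print each absolute path referenced by the rc text,
# one per line, deduplicated.  Comment lines (including the #! line) are skipped.
rc_paths() {
    printf '%s\n' "$1" | grep -v '^#' | tr ' \t' '\n\n' | grep '^/' | sort -u
}

# flags_of PATH FLAG_LISTING: print the flag word recorded for PATH ("" if absent).
flags_of() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print $2; exit }'
}

# on_ro_mount PATH RO_MOUNTS: succeed if PATH lies under a read-only mountpoint.
on_ro_mount() {
    for mnt in $2; do
        case $1 in
            "$mnt"/*|"$mnt") return 0 ;;
        esac
    done
    return 1
}

# unprotected_rc_paths RC_TEXT FLAG_LISTING RO_MOUNTS: print the paths from the
# rc text that an intruder with root could still rewrite before a reboot, i.e.
# those lacking schg and not on a read-only filesystem.
unprotected_rc_paths() {
    rc_paths "$1" | while read -r p; do
        f=$(flags_of "$p" "$2")
        case $f in *schg*) continue ;; esac
        on_ro_mount "$p" "$3" && continue
        printf '%s\n' "$p"
    done
}

# Stand-alone run: list the unprotected entries for the constructed sample.
# For the data above this prints only /etc/netstart, since everything else is
# either schg or under the read-only /usr.
unprotected_rc_paths "$SAMPLE_RC" "$SAMPLE_FLAGS" "$SAMPLE_RO_MOUNTS"
```

The check is deliberately shallow: it looks only at the paths /etc/rc names directly, not at what those scripts in turn call, so a real audit would re-run it recursively on each script it reports as protected. That recursion is exactly where the "everything(!) it calls" burden in the post comes from.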