From owner-freebsd-security Tue Jan 18 4: 5:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70]) by hub.freebsd.org (Postfix) with SMTP id DE9CB14C9F for ; Tue, 18 Jan 2000 04:05:18 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 52174 invoked from network); 18 Jan 2000 07:07:27 -0000
Received: from hydrant.intranova.net (user2955@209.201.95.10) by blacklisted.intranova.net with SMTP; 18 Jan 2000 07:07:27 -0000
Date: Tue, 18 Jan 2000 07:02:26 -0500 (EST)
From: Omachonu Ogali
To: Sheldon Hearn
Cc: Adam , Will Andrews , freebsd-security@FreeBSD.ORG
Subject: Re: Parent Logging Patch for sh(1)
In-Reply-To: <6196.948175796@axl.noc.iafrica.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The first patch (sh-log.patch) didn't offer denying features, I then
wrote a second one that did. My main focus was on BIND, I haven't seen
someone yet who has smashed the stack and changed argv[0], and secondly,
it reads the process name from the /proc filesystem, so if you do change
the program name on the stack, the original still exists...

Omachonu Ogali
Intranova Networking Group

On Tue, 18 Jan 2000, Sheldon Hearn wrote:

>
>
> On Mon, 17 Jan 2000 21:04:07 EST, Omachonu Ogali wrote:
>
> > http://tribune.intranova.net/archives/sh-log+access.patch adds uid and
> > username logging along with a deny list (/etc/sh.deny).
>
> When you first posted, you neglected to mention that your patch included
> a deny list (/etc/sh.deny). This puts a different spin on things. :-)
>
> While it sounds attractive on the surface, think how easy it is to work
> around -- the exploit code must simply change its progname to something
> which will never be in /etc/sh.deny (e.g. login).
>
> So your patch scores something useful for a week, whereafter the script
> kiddies catch up and we're back to square one. :-)
>
> No, if this is to be done, it's with per-process credentials. Someone
> is already working on such a system for FreeBSD. Since you seem
> interested in helping out with the process of hardening FreeBSD, I urge
> you to contact Robert Watson, who's spearheading the current hardening
> project.
>
> You can reach him at Robert Watson .
>
> Thanks for your interest in a more secure FreeBSD. :-)
>
> Ciao,
> Sheldon.
>
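
The kind of check this thread discusses (parent name read from procfs, then compared with a deny list), as an added example that is not code from sh-log+access.patch or from anyone in the thread. Assumptions: the FreeBSD procfs(5) status layout with the command name as the first field, a one-name-per-line /etc/sh.deny format, and hypothetical function names; the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: /proc/<pid>/status is one line of space-separated fields and
 * field 0 is the command name the kernel recorded, not argv[0] on the stack. */
static int status_comm(const char *status, char *out, size_t outlen)
{
    size_t n = strcspn(status, " \n");
    if (n == 0 || n >= outlen)
        return -1;                 /* empty or oversized name: unusable */
    memcpy(out, status, n);
    out[n] = '\0';
    return 0;
}

/* deny_list: newline-separated names (format assumed). Exact match only;
 * blank lines and '#' comments are skipped. Returns 1 if name is listed. */
static int name_denied(const char *deny_list, const char *name)
{
    size_t len = strlen(name);
    for (const char *p = deny_list; *p; ) {
        size_t n = strcspn(p, "\n");
        if (n == len && p[0] != '#' && strncmp(p, name, n) == 0)
            return 1;
        p += n;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* 1 = refuse, 0 = allow, -1 = status line could not be parsed (the caller
 * must choose explicitly whether that case fails open or closed). */
int parent_denied(const char *status_line, const char *deny_list)
{
    char comm[64];
    if (status_comm(status_line, comm, sizeof comm) != 0)
        return -1;
    return name_denied(deny_list, comm);
}

/* Constructed samples, not taken from a real system. */
static const char SAMPLE_NAMED[] = "named 312 1 312 312 -1,-1 noflags 948175000,0 0,0 0,0 select 53 53 53,53 -\n";
static const char SAMPLE_LOGIN[] = "login 401 1 401 401 5,0 ctty 948175100,0 0,0 0,0 wait 0 0 0,0 -\n";
static const char SAMPLE_DENY[]  = "# daemons that should never spawn a shell\nnamed\nhttpd\n";

int main(void)
{
    printf("named parent: %d\n", parent_denied(SAMPLE_NAMED, SAMPLE_DENY));
    printf("login parent: %d\n", parent_denied(SAMPLE_LOGIN, SAMPLE_DENY));
    return 0;
}
```

The decision rests only on the recorded name, which is the property Sheldon's reply questions.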