Date: Thu, 29 Jan 1998 15:43:01 -0500 (EST) From: Robert Watson <robert@cyrus.watson.org> To: freebsd-security@freebsd.org Subject: Secure Linux patch (fwd) Message-ID: <Pine.BSF.3.96.980129153911.6140A-100000@cyrus.watson.org>
next in thread | raw e-mail | index | archive | help
It would be nice to have some of these features (see bottom of email) available on FreeBSD. I don't have the experience/knowledge to do most of this, or I would do it myself :). Most of these are really security work-arounds, and succeed in blocking a number of traditional attacks, although they do not fix the sources of the attack :). Better application writing is the only long-term solution, I suspect. We also have securelevel already, but I am not sure that the features they have match ours. BTW, in -current, has their been any thought to requiring that time monotonically increase (as BSDI has done) while in securelevel > 0? With appropriate use of single-user mode, xntpd, and ntpdate, this can be very useful. Robert N Watson Carnegie Mellon University http://www.cmu.edu/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ ---------- Forwarded message ---------- Date: Thu, 29 Jan 1998 19:31:39 -0300 From: Solar Designer <solar@FALSE.COM> To: BUGTRAQ@NETSPACE.ORG Subject: Secure Linux patch Hello, > mkdir /tmp/foo (no sticky bit on foo) > ln /etc/passwd /tmp/foo > mv /tmp/{foo/,}passwd Thanks for reporting this. A stupid problem, I should have thought a bit more of things like this. ;-) I wonder why noone reported it earlier... I wasn't going to release my new patch right now, but since I would have to release a fix anyway, ...here goes the full thing. You can get my new Secure Linux patch at: http://www.false.com/security/linux/secure-linux.tar.gz ftp://ftp.dataforce.net/pub/solar/secure-linux.tar.gz Features: * Non-executable user stack area * Link-in-/tmp fix (fixed;-) * Restricted /proc (extra functionality compared to original route's patch) * Improved securelevel support (finally really secure, and extra features) * Unofficial bugfixes (hope I'll be able to remove them when 2.0.34 is out) Signed, Solar Designer
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980129153911.6140A-100000>