From owner-freebsd-security Thu Nov 15 0:39:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from maild.telia.com (maild.telia.com [194.22.190.101]) by hub.freebsd.org (Postfix) with ESMTP id 889FF37B416 for ; Thu, 15 Nov 2001 00:39:29 -0800 (PST)
Received: from d1o913.telia.com (d1o913.telia.com [195.252.44.241]) by maild.telia.com (8.11.6/8.11.6) with ESMTP id fAF8dSo01455 for ; Thu, 15 Nov 2001 09:39:28 +0100 (CET)
Received: from ertr1013.student.uu.se (h185n2fls20o913.telia.com [212.181.163.185]) by d1o913.telia.com (8.8.8/8.8.8) with SMTP id JAA10202 for ; Thu, 15 Nov 2001 09:39:27 +0100 (CET)
Received: (qmail 3515 invoked by uid 1001); 15 Nov 2001 08:39:22 -0000
Date: Thu, 15 Nov 2001 09:39:22 +0100
From: Erik Trulsson
To: Stefan Probst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Spoofing file information?
Message-ID: <20011115093922.A99781@student.uu.se>
Mail-Followup-To: Stefan Probst, freebsd-security@FreeBSD.ORG
References: <5.1.0.14.2.20011115143223.04264050@MailServer>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.1.0.14.2.20011115143223.04264050@MailServer>
User-Agent: Mutt/1.3.22.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
>
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?

It shouldn't be too difficult to modify ls(1) to show wrong data for some
specific files. Changing the kernel to give wrong data for some files
would be more difficult, and require a reboot to use the modified kernel,
but it is not impossible.

File modification dates are trivially changed with touch(1), so those
should never be trusted.

>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust, that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?

No. Those files might well be identical, but there is nothing that says
that an intruder didn't change both of them.

If an intruder has gained root access on a machine then you can't trust
*anything* on that machine.

--
Erik Trulsson
ertr1013@student.uu.se
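The point made in the reply above (that matching sizes and mtimes in "ls -al" prove nothing, and that a content hash kept off the machine is what actually detects a changed kernel) can be demonstrated in a scratch directory. The script below is an added example and is not part of the original thread. It constructs two small stand-in "kernel" files of identical length, alters one of them, copies the mtime across with touch -r exactly as a root-level intruder could, and then shows that size and mtime compare equal while SHA-256 does not. It assumes one of sha256sum(1), sha256(1) or openssl(1) is installed.

```shell
#!/bin/sh
# Added example (not from the original thread): why "ls -al" size and
# mtime cannot distinguish an intact kernel from a tampered one, and why
# a digest recorded out-of-band can.
set -u

# Pick a SHA-256 tool: FreeBSD ships sha256(1), Linux ships sha256sum(1),
# and openssl(1) is the fallback. Prints the hex digest only.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Build the scenario in a fresh temp dir and print its path.
# The two payloads are constructed for the demo and have the same length,
# so the byte count in "ls -al" stays identical after tampering.
make_demo() {
    dir=$(mktemp -d) || return 1
    printf 'GENERIC kernel image v1\n' > "$dir/kernel.GENERIC"
    printf 'GENERIC kernel image v2\n' > "$dir/kernel"     # tampered copy
    # touch -r copies the reference file's timestamps (POSIX). Anyone
    # who can write the file can also make its mtime say whatever they like.
    touch -r "$dir/kernel.GENERIC" "$dir/kernel"
    printf '%s\n' "$dir"
}

# True when both files have the same size and the same mtime, i.e. they
# are indistinguishable by the columns "ls -al" prints.
same_size_and_mtime() {
    sa=$(wc -c < "$1" | tr -d ' ')
    sb=$(wc -c < "$2" | tr -d ' ')
    [ "$sa" -eq "$sb" ] || return 1
    # POSIX find -newer: nothing printed in either direction means equal mtime.
    [ -z "$(find "$1" -newer "$2")" ] && [ -z "$(find "$2" -newer "$1")" ]
}

# True when the file contents are identical.
same_content() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Check a file against a digest that was recorded when the file was
# known good and stored somewhere the intruder cannot reach (paper,
# read-only media, another host). A digest stored on the compromised
# machine itself proves nothing, for the reason the reply gives.
verify_against_known_good() {   # $1 = file, $2 = expected hex digest
    [ "$(sha256_of "$1")" = "$2" ]
}

demo() {
    dir=$(make_demo) || return 1
    ls -al "$dir"
    if same_size_and_mtime "$dir/kernel" "$dir/kernel.GENERIC"; then
        echo "ls -al columns: size and mtime identical"
    fi
    if same_content "$dir/kernel" "$dir/kernel.GENERIC"; then
        echo "sha256: identical"
    else
        echo "sha256: DIFFERENT, at least one file was modified"
    fi
    rm -rf "$dir"
}

demo
```

The same comparison works on the real /kernel and /kernel.GENERIC, but the only meaningful reference is a digest you took before the intrusion and kept off the box; comparing two on-disk files, or comparing against a digest file on the same disk, still leaves the "an intruder changed both" case open.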