Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 4 Oct 2000 02:27:58 -0700 (PDT)
From:      Dima Dorfman <dima@unixfreak.org>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        Alfred Perlstein <bright@wintelcom.net>, Kris Kennaway <kris@FreeBSD.ORG>, Dima Dorfman <dima@unixfreak.org>, Mike Silbersack <silby@silby.com>, security@FreeBSD.ORG
Subject:   Re: BSD chpass (fwd)
Message-ID:  <20001004092758.335931F0A@static.unixfreak.org>
In-Reply-To: <20001004021948.A76230@freefall.freebsd.org> from Kris Kennaway at "Oct 4, 2000 02:19:48 am"
next in thread | previous in thread | raw e-mail | index | archive | help 
> On Wed, Oct 04, 2000 at 02:16:59AM -0700, Alfred Perlstein wrote:
> > * Kris Kennaway <kris@FreeBSD.ORG> [001004 02:15] wrote:
> > > On Wed, Oct 04, 2000 at 02:14:26AM -0700, Kris Kennaway wrote:
> > > > On Tue, Oct 03, 2000 at 10:34:22PM -0700, Dima Dorfman wrote:
> > > > > > For those not subscribed to bugtraq, it's time to remove the suid bit on
> > > > > > chpass.
> > > > > 
> > > > > Unfortunatly it isn't that easy if you're running with securelevel > 0
> > > > > since chpass is installed with the schg (system immutable) flag on by
> > > > > default.  Oh well, guess it's time to reboot some hosts.  :-/
> > > > 
> > > > mv it into a mode 000 directory :-)
> > > 
> > > Oops, can't do that. Reboot :)
> > 
> > Can you mount something over it?
> 
> Hmm, now that null mounts work in -current you could, actually - make a
> copy of /usr/bin except for chpass in say /usr/bin2 and null mount
> it

Actually, I think you can do it without null mounts.  mv /usr/bin
/usr/bin2, chmod 000 /usr/bin2, then remake /usr/bin (without chpass,
of course).

> on /usr/bin. Except securelevel disallows mounts, I think :)

In securelevel >= 2, you can't open a disk for writing unless you're
mount(2).  I don't know much about null mounts, so I don't know if
that will prevent them from working.

-- 
Dima Dorfman <dima@unixfreak.org>
Finger dima@unixfreak.org for my public PGP key.

"War doesn't determine who's right, it determines who's left."
        -- Confuscious


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001004092758.335931F0A>