Date:      Tue, 18 Jan 2000 08:09:56 +0200
From:      Sheldon Hearn <sheldonh@uunet.co.za>
To:        Omachonu Ogali <oogali@intranova.net>
Cc:        Adam <bsdx@looksharp.net>, Will Andrews <andrews@TECHNOLOGIST.COM>, freebsd-security@FreeBSD.ORG
Subject:   Re: Parent Logging Patch for sh(1) 
Message-ID:  <6196.948175796@axl.noc.iafrica.com>
In-Reply-To: Your message of "Mon, 17 Jan 2000 21:04:07 EST." <Pine.BSF.4.10.10001172101390.96286-100000@hydrant.intranova.net> 



On Mon, 17 Jan 2000 21:04:07 EST, Omachonu Ogali wrote:

> http://tribune.intranova.net/archives/sh-log+access.patch adds uid and
> username logging along with a deny list (/etc/sh.deny).

When you first posted, you neglected to mention that your patch included
a deny list (/etc/sh.deny).  This puts a different spin on things. :-)

While it sounds attractive on the surface, think how easy it is to work
around -- the exploit code must simply change its progname to something
which will never be in /etc/sh.deny (e.g. login).

So your patch scores something useful for a week, whereafter the script
kiddies catch up and we're back to square one. :-)

No, if this is to be done, it's with per-process credentials.  Someone
is already working on such a system for FreeBSD.  Since you seem
interested in helping out with the process of hardening FreeBSD, I urge
you to contact Robert Watson, who's spearheading the current hardening
project.

You can reach him at Robert Watson <robert+freebsd@cyrus.watson.org>.

Thanks for your interest in a more secure FreeBSD. :-)

Ciao,
Sheldon.
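Added example, not code from this thread or from the sh-log+access patch: a C program that places a progname-keyed deny list like the one the patch is described as adding (its file contents, names and uids are constructed here) beside a check on the kernel-maintained uid, and re-runs itself under a different argv[0] so the reader can see the objection above in action and what a credential-based policy consults instead.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed stand-in for /etc/sh.deny (the patch's file; contents assumed). */
static const char *const deny_names[] = { "badshell", "exploit", NULL };
/* Constructed stand-in for a credential-based policy: uids denied a shell. */
static const uid_t deny_uids[] = { 1001, 1002 };

/* Strip any directory part so "./badshell" and "badshell" compare equal
 * (assumed to be how a progname-based check would normalise the name). */
const char *base_name(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Name-based decision.  The name it sees is argv[0], which is whatever
 * string the parent chose to pass to exec(2); the kernel does not check it. */
int denied_by_name(const char *progname) {
    for (const char *const *p = deny_names; *p != NULL; p++)
        if (strcmp(*p, base_name(progname)) == 0)
            return 1;
    return 0;
}

/* Credential-based decision.  The uid is kept by the kernel and only changes
 * through privileged setuid-family calls, never by the caller's say-so. */
int denied_by_uid(uid_t uid) {
    for (size_t i = 0; i < sizeof deny_uids / sizeof deny_uids[0]; i++)
        if (deny_uids[i] == uid)
            return 1;
    return 0;
}

int main(int argc, char *argv[]) {
    printf("argv[0]=%s denied_by_name=%d  uid=%u denied_by_uid=%d\n",
           argv[0], denied_by_name(argv[0]),
           (unsigned)getuid(), denied_by_uid(getuid()));
    if (argc == 1 && strchr(argv[0], '/') != NULL) {
        /* Re-run this same binary under a different argv[0] (the page's
         * "login" case): the name-based answer flips, the uid-based one cannot. */
        char *const av[] = { "login", "child", NULL };
        execv(argv[0], av);
        perror("execv");
    }
    return 0;
}
```

Compile as `cc -o badshell example.c` and run `./badshell`: the first line reports denied_by_name=1, the second (same binary, same uid, argv[0] now "login") reports denied_by_name=0.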

