From: Sheldon Hearn
To: Omachonu Ogali
Cc: Adam, Will Andrews, freebsd-security@FreeBSD.ORG
Subject: Re: Parent Logging Patch for sh(1)
In-reply-to: Your message of "Mon, 17 Jan 2000 21:04:07 EST."
Date: Tue, 18 Jan 2000 08:09:56 +0200
Message-ID: <6196.948175796@axl.noc.iafrica.com>

On Mon, 17 Jan 2000 21:04:07 EST, Omachonu Ogali wrote:

> http://tribune.intranova.net/archives/sh-log+access.patch adds uid and
> username logging along with a deny list (/etc/sh.deny).

When you first posted, you neglected to mention that your patch included a deny list (/etc/sh.deny). This puts a different spin on things. :-)

While it sounds attractive on the surface, think how easy it is to work around -- the exploit code must simply change its progname to something which will never be in /etc/sh.deny (e.g. login). So your patch scores something useful for a week, whereafter the script kiddies catch up and we're back to square one. :-)

No, if this is to be done, it's with per-process credentials. Someone is already working on such a system for FreeBSD.

Since you seem interested in helping out with the process of hardening FreeBSD, I urge you to contact Robert Watson, who's spearheading the current hardening project. You can reach him at Robert Watson.

Thanks for your interest in a more secure FreeBSD. :-)

Ciao,
Sheldon.