From owner-freebsd-security Thu Jul 2 08:38:51 1998
To: rotel@indigo.ie
cc: "Allen Smith", dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-reply-to: Your message of "Thu, 02 Jul 1998 14:31:18 -0000." <199807021331.OAA00656@indigo.ie>
Date: Thu, 02 Jul 1998 17:35:48 +0200
Message-ID: <2600.899393748@critter.freebsd.dk>
From: Poul-Henning Kamp

>Eh? If ssh/smtp/inetd bind to the port you won't be able to, no
>matter how often you try. And you won't be able to steal keys
>by hijacking sshd.

Correct.

>I still agree with you for other reasons though, if an attacker
>creates a new service people might use it even though it isn't a
>legitimate service setup by the sysadmin.

Right, but if the attacker has hacked your system enough to bind to
a socket < 1024, he >OWNS< it. Any further attempt at adding security
is bogus, and can at best OPEN the window more because you will be
adding more complexity, rather than subtract from it.

The one fix that gives you most mileage is to add kernel code such
that above some particular securelevel, you cannot open sockets < 1024
anymore. The downside is you have to reboot to restart daemons and
the R* family stops working...
--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal
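The message above argues that a rogue service bound to a port below 1024 is the symptom of an already-owned host; a defender's counterpart is to notice such a listener at all. The following is an added example, not code from this thread or from FreeBSD: it audits `sockstat -4l`-format output (columns USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS are assumed) against an assumed allowlist of daemons expected on privileged ports, using constructed sample output.

```shell
# Constructed sample of `sockstat -4l` output (not a real capture); the
# "unknownd" line stands in for a service the sysadmin never set up.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       201   3  tcp4   *:22                  *:*
root     sendmail   233   4  tcp4   127.0.0.1:25          *:*
root     inetd      250   5  tcp4   *:21                  *:*
root     unknownd   4242  3  tcp4   *:513                 *:*
nobody   httpd      300   6  tcp4   *:8080                *:*'

# Assumed allowlist: the daemons the admin expects to hold ports < 1024.
ALLOWED_PRIV_DAEMONS='sshd sendmail inetd'

# Reads sockstat-format text on stdin and prints "COMMAND PID PORT" for
# every listener on a port below 1024 whose command is not allowlisted.
find_rogue_privileged_listeners() {
    awk -v allowed="$ALLOWED_PRIV_DAEMONS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # skip the header line
        {
            port = $6                          # LOCAL ADDRESS, e.g. "*:22"
            sub(/.*:/, "", port)               # keep only the port number
            if (port ~ /^[0-9]+$/ && port + 0 < 1024 && !($2 in ok))
                print $2, $3, port
        }'
}

# Runs the audit over the constructed sample; returns the flagged lines.
audit_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | find_rogue_privileged_listeners
}

# On a live FreeBSD host:  sockstat -4l | find_rogue_privileged_listeners
```

Pair this with `sysctl -n kern.securelevel` in the same check if you adopt the kernel restriction proposed above, since a high securelevel with a fresh privileged listener is exactly the contradiction worth alerting on.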