Date: Wed, 4 Oct 2000 03:08:59 -0700 (PDT)
From: Dima Dorfman <dima@unixfreak.org>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: Dima Dorfman <dima@unixfreak.org>, Alfred Perlstein <bright@wintelcom.net>, Mike Silbersack <silby@silby.com>, security@FreeBSD.ORG
Subject: Re: BSD chpass (fwd)
Message-ID: <20001004100859.33A4A1F0A@static.unixfreak.org>
In-Reply-To: <20001004023249.B76230@freefall.freebsd.org> from Kris Kennaway at "Oct 4, 2000 02:32:49 am"
> On Wed, Oct 04, 2000 at 02:27:58AM -0700, Dima Dorfman wrote:
> > Actually, I think you can do it without null mounts. mv /usr/bin
> > /usr/bin2, chmod 000 /usr/bin2, then remake /usr/bin (without chpass,
> > of course).
>
> I think you're right. Which is a good reason why your /usr/bin should
> be schg too ;-)

Then it'd become: mv /usr /usr2, cp everything from /usr2 to /usr except for bin, etc. You get the idea. It does deter them a little bit, though.

I usually set /bin, /sbin, /modules (or /boot/kernel in -current), and /boot schg and not worry too much about /usr/[s]bin.

IMO, the bottom line is, schg can only prevent an attacker if they don't have a good understanding of the system (which accounts for most of the script kid population). A really clever attacker would modify your securelevel settings in rc.conf, reboot the machine making it look like a panic or power surge (if they know you exclusively access it remotely), fool around, then change it back. Tripwire on a r/o disk would tell you about it, but you can't do that remotely unless you plan on never touching any system binaries.

Or am I missing something?

-- 
Dima Dorfman <dima@unixfreak.org>
Finger dima@unixfreak.org for my public PGP key.
"I had a terrible education. I attended a school for emotionally disturbed teachers." -- Woody Allen
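The message above leans on two controls together: the schg (system immutable) flag on the directories that hold system binaries, and a kernel securelevel of at least 1 so that root cannot simply clear the flag. The following audit script is an added example and is not code from the thread or from FreeBSD; it checks a directory listing for entries that lack schg and reports whether the securelevel makes the flag binding. The listing and the securelevel value are constructed sample data so the script runs on any POSIX shell; on a real FreeBSD host they would come from `ls -lod /bin /sbin /boot /modules /usr/bin` and `sysctl -n kern.securelevel`, which the script does not invoke.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD-style `ls -lo` listing
# for directories missing the schg flag and check that the securelevel makes
# the flag binding. All input below is constructed sample data.

# Constructed sample listing in `ls -lo` format (columns: mode, links, owner,
# group, flags, size, date, name). The flags column is "-" when none are set
# and comma-separated when several are set.
SAMPLE_LISTING='drwxr-xr-x  2 root  wheel  schg        1024 Oct  4  2000 /bin
drwxr-xr-x  2 root  wheel  schg        1024 Oct  4  2000 /sbin
drwxr-xr-x  4 root  wheel  -           1024 Oct  4  2000 /boot
drwxr-xr-x  2 root  wheel  -           1024 Oct  4  2000 /modules
drwxr-xr-x  2 root  wheel  uchg,nodump 1024 Oct  4  2000 /usr/bin'

# Constructed listing where every entry already carries schg.
GOOD_LISTING='drwxr-xr-x  2 root  wheel  schg        1024 Oct  4  2000 /bin
drwxr-xr-x  2 root  wheel  schg,nodump 1024 Oct  4  2000 /sbin'

# missing_schg LISTING
# Prints, one per line, the name of every entry whose flags field does not
# contain schg. uchg (user immutable) does not count: root can clear it at
# any securelevel.
missing_schg() {
    printf '%s\n' "$1" | awk '{
        flags = $5; name = $NF
        if (flags !~ /(^|,)schg(,|$)/) print name
    }'
}

# securelevel_ok LEVEL
# Returns 0 when the securelevel is at least 1. Below that (FreeBSD defaults
# to -1) root can remove schg with chflags, so the flag only slows down
# someone who does not know about it, which is the point made in the message.
securelevel_ok() {
    [ "$1" -ge 1 ]
}

# audit LISTING SECURELEVEL
# Prints "ok" when every entry carries schg and the securelevel is binding,
# otherwise "weak: <reasons>" with the reasons separated by "; ".
audit() {
    missing=$(missing_schg "$1" | tr '\n' ' ')
    missing=${missing% }            # drop the trailing space left by tr
    reasons=""
    [ -n "$missing" ] && reasons="no schg on: $missing"
    securelevel_ok "$2" || reasons="${reasons:+$reasons; }securelevel $2 lets root clear schg"
    if [ -z "$reasons" ]; then
        echo ok
    else
        echo "weak: $reasons"
    fi
}

# Stand-alone run over the constructed data with the FreeBSD default securelevel.
audit "$SAMPLE_LISTING" -1
```

Run against a live host the same way, substituting the real listing and securelevel for the constructed values; a machine that reports "ok" here still needs the rc.conf securelevel setting itself protected, since the message's reboot scenario is exactly the case this check cannot see.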