Date: Thu, 1 Jan 1998 13:41:08 -0800 (PST)
From: Steve Reid <sreid@sea-to-sky.net>
To: Michael Graffam <mgraffam@mhv.net>
Cc: questions@FreeBSD.ORG
Subject: Re: HACKED (again)
Message-ID: <Pine.LNX.3.95.980101131050.29016B-100000@alpha.sea-to-sky.net>
In-Reply-To: <Pine.LNX.3.96.980101153230.28029C-100000@localhost>
> > BSD-derived Unixes have features to prevent such cloaking, by preventing
> > everyone (even root) from changing important data.
>
> Yeah, this might be true (I haven't looked into the mechanisms of this,
> are we sure that an attacker can't modify the files through an indirect
> means?)

There are indirect ways of doing it, but they can be prevented...

An attacker could unmount the filesystem, change it by messing with the disk device, then re-mount it. This only works when securelevel is 1. When securelevel is 2, the disk devices are read-only whether mounted or not.

More likely, the attacker would find a system binary or script that is used _before_ securelevel is set, and modify it so that the trojans take over the system as soon as it is rebooted. This is only possible if the sysadmin forgets to "chflags schg" something.

Another possibility is that the attacker would trick the system into lowering the securelevel. This means finding a hole in the kernel or init, which is probably a lot harder than finding a hole in a setuid program.

All in all, securelevel is a very well thought-out feature of 4.4 BSD.

> However, I don't see how this will necessarily help you against files
> that need to get changed, just as log files and utmp

Log files can be set append-only. I'm not sure about wtmp/utmp.

> This is a good point though, it might be wise to start shipping FreeBSD
> with important files locked up as the default.

It has been a while since I last used FreeBSD; I'm stuck with wimpos95 for the moment. Last time I used it (2.0.5 - 2.1.7), it _did_ have a lot of binaries set immutable, but left securelevel at 0 by default. (OpenBSD on the other hand, sets securelevel to 1 by default, but doesn't set anything immutable. *shrug*)

Anyone interested in setting up non-zero securelevel (I think the variable's full name is kern.securelevel, set by sysctl) should read the man pages for init, chflags, sysctl, and probably others.
There are probably other sources of info around the web. The freebsd-security list archives might have some info. Securelevel is a good reason to choose *BSD over Linux in any environment where security is a concern. As far as I know, Linux doesn't have any equivalent security features.
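The message above boils down to a checklist a sysadmin can audit: every binary or script that runs before securelevel is raised should carry the schg (immutable) flag, log files should carry the append-only flag, and kern.securelevel should be 1 or 2. The script below is an added example, not code from the thread or from FreeBSD itself. It assumes the BSD `ls -lo` output format (flags column between group and size, "-" when no flags are set), that the append-only flag is spelled sappnd, and that `sysctl -n kern.securelevel` prints the running level; the listing it audits by default is constructed so the check runs on any system.

```shell
#!/bin/sh
# Added example for the securelevel/chflags discussion above. Not code from
# the original thread. Assumptions (not stated in the thread): BSD `ls -lo`
# prints file flags between the group and the size column ("-" when none),
# the append-only flag is named "sappnd", and `sysctl -n kern.securelevel`
# prints the current level.

# Constructed sample of `ls -lo` output (made up for this example, not a
# real listing): two system binaries and two log files.
SAMPLE_LS='-r-xr-xr-x  1 root  wheel  schg         49152 Jan  1  1998 /sbin/init
-r-xr-xr-x  1 root  wheel  -            24576 Jan  1  1998 /sbin/fsck
-rw-r--r--  1 root  wheel  sappnd        8192 Jan  1  1998 /var/log/messages
-rw-r--r--  1 root  wheel  -             4096 Jan  1  1998 /var/log/wtmp'

# audit_listing < ls-lo-output
# Policy: paths under /var/log must be append-only (sappnd); everything
# else in the listing must be immutable (schg). Prints "MISSING flag path"
# for each violation. Several flags appear comma separated (e.g. schg,sunlnk).
audit_listing() {
    awk '
        function has(flags, want,   n, f, i) {
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == want) return 1
            return 0
        }
        NF >= 10 {
            want = ($10 ~ /^\/var\/log\//) ? "sappnd" : "schg"
            if (!has($5, want)) print "MISSING", want, $10
        }'
}

# securelevel_note LEVEL
# Summarise what the thread says each kern.securelevel value protects.
securelevel_note() {
    case "$1" in
        -1|0) echo "insecure: root can clear schg/sappnd flags" ;;
        1)    echo "secure: flags cannot be cleared, but an unmounted disk device is still writable" ;;
        2)    echo "highly secure: disk devices are read-only whether mounted or not" ;;
        *)    echo "unknown securelevel: $1"; return 1 ;;
    esac
}

# audit_host: the same checks against a live FreeBSD system. The file list
# is a hypothetical starting point; extend it with whatever runs before
# securelevel is raised on your host.
audit_host() {
    level=$(sysctl -n kern.securelevel)
    echo "kern.securelevel=$level: $(securelevel_note "$level")"
    ls -lo /sbin/init /sbin/fsck /bin/sh /etc/rc /var/log/messages /var/log/wtmp \
        | audit_listing
}

# Stand-alone demo on the constructed listing (no FreeBSD needed).
printf '%s\n' "$SAMPLE_LS" | audit_listing
```

On the sample listing the audit reports /sbin/fsck (no schg) and /var/log/wtmp (no sappnd); on a real host, run `audit_host` as root and remember that the flags only hold if kern.securelevel is raised in /etc/rc.conf or by init before any of the listed files get a chance to run.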