From owner-freebsd-security@FreeBSD.ORG Fri Sep 8 17:50:54 2006
Date: Fri, 8 Sep 2006 10:50:45 -0700 (PDT)
From: "R. B. Riddick" <arne_woerner@yahoo.com>
To: Bigby Findrake
Cc: freebsd-security@freebsd.org
Subject: Re: comments on handbook chapter
Message-ID: <20060908175046.71795.qmail@web30313.mail.mud.yahoo.com>
In-Reply-To: <20060908101441.V90396@home.ephemeron.org>

--- Bigby Findrake wrote:
> On Wed, 6 Sep 2006, Travis H. wrote:
> > Wouldn't it be better to detect /and/ prevent an attempt to change the
> > system binaries?
>
> That's how I interpret that passage from the handbook - that you should
> detect *and* prevent. I'm not clear on how anyone is interpreting that
> passage to suggest that unequal weight should be given to one side or the
> other (detection vs. prevention). The above passage all but says, "don't
> do X because that will interfere with Y." I just don't see that advice as
> advocating imbalance.
>
Hmm... I think this "schg flag" thing should be done to all files, but
invisible to a potential attacker... <-- PROTECTION

When some attacker tries to get write access to that file or to move that
file around or so, it should result in a log message (like "BAD SU on
...")... <-- DETECTION
(I think one of the first messages in this thread suggested that already...)

And removing that flag shouldn't be possible so easily, either. Maybe just
from the physically safe console...

-Arne
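As an added example, not code from this thread or from the FreeBSD handbook, a small sh script along the lines Arne sketches: apply schg to the system binary trees and raise kern.securelevel so the flag cannot be cleared again short of single-user mode (the protection half), and a periodic audit that reports any file which has lost the flag to syslog (the detection half). It assumes FreeBSD's ls -lo column layout and the chflags(1), sysctl(8) and logger(1) tools; SYSTEM_DIRS and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Protection: set schg on the system
# binaries and raise kern.securelevel (at securelevel >= 1 schg can no
# longer be turned off, and the level cannot be lowered without going to
# single-user mode, i.e. the console). Detection: report every file in
# those trees that lacks the flag, to stdout or to syslog.
# Assumes FreeBSD ls -lo layout (flags in field 5, path in field 10) and
# paths without whitespace; SYSTEM_DIRS is a placeholder list.

SYSTEM_DIRS="/bin /sbin /usr/bin /usr/sbin"

# report_missing_schg: read ls -lo lines on stdin, print the path of each
# regular file whose flag field does not contain schg. Directories and
# symlinks are skipped; uchg or sunlnk without schg still counts as missing.
report_missing_schg() {
    awk '$1 ~ /^-/ && $5 !~ /(^|,)schg(,|$)/ { print $10 }'
}

# count_missing_schg: same input, prints the number of offending files.
count_missing_schg() {
    report_missing_schg | wc -l | tr -d ' '
}

# protect_dirs: make every regular file under the given trees immutable,
# then lock the flag in place. Run as root on FreeBSD.
protect_dirs() {
    find "$@" -type f -exec chflags schg {} +
    sysctl kern.securelevel=1
}

# audit_dirs: detection run; one syslog line per file missing schg, so a
# stripped flag shows up in the security log much like Arne's "BAD SU" line.
audit_dirs() {
    find "$@" -type f -exec ls -lo {} + | report_missing_schg |
    while read -r path; do
        logger -t schg-audit -p security.warning "schg missing on $path"
    done
}

# Constructed sample of ls -lo output so the audit logic runs anywhere.
SAMPLE='-r-xr-xr-x  1 root  wheel  schg        20120 Aug 31  2006 /bin/ls
-r-xr-xr-x  1 root  wheel  -           92740 Aug 31  2006 /bin/sh
-r-xr-xr-x  1 root  wheel  uchg,sunlnk 44000 Aug 31  2006 /bin/cp
drwxr-xr-x  2 root  wheel  schg          512 Aug 31  2006 /bin'

printf '%s\n' "$SAMPLE" | report_missing_schg   # prints /bin/sh and /bin/cp
```

On a live system, `protect_dirs $SYSTEM_DIRS` once and `audit_dirs $SYSTEM_DIRS` from cron give the two halves Arne describes.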