Date: Tue, 24 Jul 2001 21:24:44 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Ben Smithurst <ben@FreeBSD.org>
Cc: Jon Loeliger <jdl@jdl.com>, security@freebsd.org
Subject: Re: Security Check Diffs Question
Message-ID: <20010724212444.A19217@ringworld.oblivion.bg>
In-Reply-To: <20010724190607.F20105@strontium.shef.vinosystems.com>; from ben@FreeBSD.org on Tue, Jul 24, 2001 at 07:06:07PM +0100
References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg> <20010724190607.F20105@strontium.shef.vinosystems.com>
On Tue, Jul 24, 2001 at 07:06:07PM +0100, Ben Smithurst wrote:
> Peter Pentchev wrote:
>
> > ypchfn changed its inode number, and its link count. This means that
> > somebody performed an unlink() (delete) on ypchfn, and then created
> > a new ypchfn with the same size, timestamp, permissions and stuff,
> > but still a new file - and that's where the hardlink count + inum
> > tracking of /etc/security kicked in and alerted you.
>
> hmm, so if an intruder replaced a file without changing its link count,
> size, or modification time, I wouldn't be alerted? Perhaps we should
> change the security script to print the file's ctime instead of mtime,
> since the ctime can't be forged?

'Replacing' would not be enough - removing the file or moving something
over it (the way install(1) does) would change its inode number. It is
trivial to replace a file without changing its inode number, but
fortunately, almost none of the ready-made toolkits do that, and very
few crackers know that they should watch out for this, too.

The ctime, too, can be changed, but that would require modifying the
inode contents by writing to the raw device. Again, not something most
crackers (and any script kiddies) know how to do.

G'luck,
Peter

--
No language can express every thought unambiguously, least of all this one.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
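The metadata check the thread is discussing, as an added example that is not part of the original message or of the FreeBSD /etc/security script. It snapshots inode number, link count, size, mode, mtime and ctime for a set of constructed files in a temporary directory, then changes them in the three ways the thread mentions: an install(1)-style rename over the file (new inode), a same-size rewrite through the existing inode with the old mtime put back (only ctime moves, since ctime cannot be set from userland), and an added hard link (link count and ctime move). The field names, verdict strings and the short sleep that lets coarse kernel timestamps tick are this example's own choices; it assumes a filesystem with sub-second timestamps.

```python
import os
import shutil
import stat
import tempfile
import time

# Per-file metadata compared by this example (the field names are ours).
FIELDS = ("ino", "nlink", "size", "mode", "mtime", "ctime")


def snapshot(paths):
    """Record inode, link count, size, mode, mtime and ctime for each path."""
    snap = {}
    for p in paths:
        st = os.lstat(p)
        snap[p] = {
            "ino": st.st_ino,
            "nlink": st.st_nlink,
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "mtime": st.st_mtime_ns,
            "ctime": st.st_ctime_ns,
        }
    return snap


def compare(before, after):
    """Map each path in `before` to the list of fields that changed."""
    result = {}
    for p, old in before.items():
        new = after.get(p)
        if new is None:
            result[p] = ["missing"]
        else:
            result[p] = [f for f in FIELDS if old[f] != new[f]]
    return result


def classify(changed):
    """Turn a list of changed fields into a short verdict."""
    if not changed:
        return "unchanged"
    if "missing" in changed:
        return "removed"
    if "ino" in changed:
        # unlink()+create, or rename over the file as install(1) does
        return "replaced"
    if "nlink" in changed:
        return "link count changed"
    if "ctime" in changed and "mtime" not in changed:
        # content rewritten through the same inode and mtime reset;
        # ctime cannot be set from userland, so it still moved
        return "rewritten in place, mtime restored"
    if "ctime" in changed:
        return "modified in place"
    return "metadata changed: " + ",".join(changed)


def demo():
    """Constructed scenario: four files, three kinds of tampering."""
    root = tempfile.mkdtemp(prefix="inocheck-")
    try:
        names = ["replaced-by-rename", "rewritten-in-place",
                 "hardlinked", "untouched"]
        paths = {n: os.path.join(root, n) for n in names}
        for p in paths.values():
            with open(p, "w") as f:
                f.write("AAAA\n")
        before = snapshot(paths.values())
        time.sleep(0.1)  # let coarse-grained kernel timestamps tick

        # 1. install(1)-style replacement: write a temp file, rename over.
        tmp = paths["replaced-by-rename"] + ".tmp"
        with open(tmp, "w") as f:
            f.write("BBBB\n")
        os.replace(tmp, paths["replaced-by-rename"])

        # 2. Same-size rewrite through the same inode, old mtime put back.
        p = paths["rewritten-in-place"]
        st = os.lstat(p)
        with open(p, "r+") as f:
            f.write("BBBB\n")
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))

        # 3. Extra hard link: inode and mtime unchanged, nlink and ctime move.
        os.link(paths["hardlinked"], paths["hardlinked"] + ".lnk")

        after = snapshot(paths.values())
        diffs = compare(before, after)
        return {n: classify(diffs[p]) for n, p in paths.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Keeping ctime in the comparison is what catches case 2, which a check on size, mtime and permissions alone would miss; as the reply notes, moving ctime itself needs raw-device access to the inode, which is outside what such a script can observe.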