Date: Fri, 09 Feb 2001 21:34:04 -0800 From: Kris Kennaway <kris@obsecurity.org> To: Wes Peters <wes@softweyr.com> Cc: freebsd-hackers@freebsd.org Subject: Re: /etc/security: add md5 to suid change notification? Message-ID: <20010209213404.A85235@mollari.cthul.hu> In-Reply-To: <3A84D3F7.1CCE62A3@softweyr.com>; from wes@softweyr.com on Fri, Feb 09, 2001 at 10:39:03PM -0700 References: <200102082355.f18NtfF89134@medusa.kfu.com> <nospam-3a8342fd530fe03@maxim.gbch.net> <3A84582E.3000702@quack.kfu.com> <3A84D3F7.1CCE62A3@softweyr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--G4iJoqBmSsgzjUCe Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Feb 09, 2001 at 10:39:03PM -0700, Wes Peters wrote: > Add a list of executables and their MD5's to the kernel, to be loaded at > boot time via the loader. Modify the kernel loader to refuse to exec > any executable whose MD5 is known but doesn't match. Ditto for shared > libraries and ld.so. There you have it, a system that cannot be=20 > upgraded except in single-user mode. Be sure not to allow any scripting languages to be executed. Getting away without /bin/sh might be tough, you can probably do a lot with builtins if you're creative. Kris --G4iJoqBmSsgzjUCe Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6hNLLWry0BWjoQKURAoGkAKCarhDAbKEOdnl7544mrJVaE4k/AACgv2e1 FG3SqJ3NrEylPm16Pa/ibok= =KzPG -----END PGP SIGNATURE----- --G4iJoqBmSsgzjUCe-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010209213404.A85235>