Date: Wed, 1 Mar 2000 21:02:09 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Andrey Novikov <scriber@webclub.ru>
Cc: freebsd-security@freebsd.org
Subject: Re: schg flag
Message-ID: <Pine.NEB.3.96L.1000301205759.53787C-100000@fledge.watson.org>
In-Reply-To: <00022921443000.05868@novikov.web2000.ru>

Hmm.

mocking:/tmp# mkdir bin
mocking:/tmp# cp /bin/* bin/
mocking:/tmp# chflags schg bin/*
mocking:/tmp# mv bin binold
mocking:/tmp# mkdir bin
mocking:/tmp# cp trojan bin/ls

Nope. :-) Looks like you really need to protect your hierarchy also :-).

mocking:/tmp# cp /bin/* bin
mocking:/tmp# chflags schg bin/* bin
mocking:/tmp# mv bin binold
mv: rename bin to binold/bin: Operation not permitted
mocking:/tmp#

I.e., other than /, each directory leading to the files that need to be
protected. Without doing this, the directories may easily be replaced by
rearranging the dir tree, leaving your schg'd binaries safely unmodified,
but with users (boot sequence, etc) using the replacements.

Robert

On Tue, 29 Feb 2000, Andrey Novikov wrote:

> Hello,
>
> It seems to me that it will be more secure for my
> public server to say at least:
>
> chflags schg /bin/*
> chflags schg /sbin/*
> chflags schg /usr/bin/*
> chflags schg /usr/sbin/*
> chflags schg /usr/local/bin/*
> chflags schg /usr/local/sbin/*
>
> to prevent any trojans in my system binaries, am I wrong?
> Would it confuse future makeworlds on that system?
>
> ------------------------------------------------------------
> Program source is just a special case of a patch
>
> Andrey Novikov <novikov.web2000.ru> NAG-RIPN
> Web2000 Ltd.
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
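
Added example, not part of the original message: a sh script that audits the condition the reply above describes, namely that every directory leading to the protected binaries (other than /) carries schg. It assumes FreeBSD stat(1) with -f '%Sf' to print file flags; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original thread): list directories on the
# way to schg-protected binaries that are themselves missing schg.

# get_flags PATH: print PATH's file flags symbolically, e.g. "schg" or
# "uarch,schg". Assumes FreeBSD stat(1).
get_flags() {
    stat -f '%Sf' "$1"
}

# has_schg PATH: succeed only if "schg" is one of PATH's flags.
has_schg() {
    case ",$(get_flags "$1")," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# unprotected_ancestors DIR: print DIR and each parent directory, stopping
# before "/", that does not carry schg. DIR must be an absolute path.
unprotected_ancestors() {
    case "$1" in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 2 ;;
    esac
    p=$1
    while [ "$p" != "/" ]; do
        has_schg "$p" || printf '%s\n' "$p"
        p=$(dirname "$p")
    done
}

# schg_gaps DIR...: unique, sorted list of unprotected directories.
schg_gaps() {
    for d in "$@"; do
        unprotected_ancestors "$d"
    done | sort -u
}

# audit DIR...: print each gap; return 1 if any exist, 0 otherwise.
audit() {
    gaps=$(schg_gaps "$@")
    [ -n "$gaps" ] || return 0
    printf '%s\n' "$gaps" | sed 's/^/missing schg: /'
    return 1
}

# Run as: sh audit.sh /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
[ "$#" -eq 0 ] || audit "$@"
```

With only the chflags lines from the quoted question applied, every directory in the chain is reported, since those commands flag the files but not the directories that hold them.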