Xref: sserve comp.unix.bsd.misc:147 comp.unix.bsd.bsdi.misc:533
Newsgroups: comp.unix.bsd.misc,comp.unix.bsd.bsdi.misc
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!solaris.cc.vt.edu!news.duke.edu!godot.cc.duq.edu!newsfeed.pitt.edu!dsinc!jabber!candle!root
From: root@candle.pha.pa.us (Bruce Momjian)
Subject: Circumventing immutable file protections
X-Newsreader: TIN [UNIX 1.3 950726BETA PL0]
Organization: a consultant's basement
Message-ID: <DCvE8s.15A@candle.pha.pa.us>
Date: Sun, 6 Aug 1995 03:41:16 GMT
Lines: 33

I am running BSD/OS 2.0.1, which is based on BSD4.4 and has immutable
files. I understand that the immutable/append-only files can only be
modified/truncated when in single user mode, when the security level is
zero.

According to the system boot messages, when starting the system from a
warm/cold boot into multi-user mode, all the startup scripts like /etc/rc
run at security level zero BEFORE the system goes into multi-user mode
and security level one.

If a hacker broke into a system, wouldn't he do his mischief, then add
entries to /etc/rc to truncate or modify the log files and then cause a
reboot? He could also replace his modified versions with the real ones
too.

It would seem very difficult to prevent a hacker who has gained root
access from forcing a reboot (perhaps making it look normal). It would
also appear to be difficult to protect from modification /etc/rc and all
the programs it runs.

I know that all unplanned reboots should be looked at carefully, but is
there any other way to prevent this type of attack and cover-up?

Immutable files definitely add to system security by making things more
difficult for the hacker. I was wondering if the method of cover-up
could be prevented.

-- 
Bruce Momjian                          |  830 Blythe Avenue
root@candle.pha.pa.us                  |  Drexel Hill, Pennsylvania 19026
  +  If your life is a hard drive,     |  (610) 353-9879(w)
  +  Christ can be your backup.        |  (610) 853-3000(h)
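The post's last worry is that /etc/rc and the programs it runs are hard to protect. On a 4.4BSD-derived system the usual defensive check is to list those files with `ls -lo` and confirm each one carries the system-immutable (schg) or system-append-only (sappnd) flag, which root cannot clear once the security level is raised. The script below is an added example, not part of the original post and not BSD/OS code; it audits a listing in `ls -lo` format for files that carry neither flag. The listing it reads is constructed inline so the check runs offline; the column layout (flags between group and size, `-` when no flags are set) is an assumption about `ls -lo` output, and on a live system you would feed it the real listing of /etc/rc and every binary /etc/rc invokes, and also check that kern.securelevel is at least 1 once multi-user.

```shell
#!/bin/sh
# Added example: audit an `ls -lo`-style listing for startup files that are
# neither immutable (schg) nor append-only (sappnd).  Not from the original
# post; the listing format is an assumption about BSD `ls -lo` output.

# Constructed sample listing (not real system output).  Column 5 is the
# flags column; "-" means no flags are set.
SAMPLE_LISTING='-r--r--r--  1 root  wheel  schg    4096 Aug  5 20:00 /etc/rc
-rw-r--r--  1 root  wheel  -       1024 Aug  5 20:00 /etc/rc.local
-r-xr-xr-x  1 root  wheel  schg   98304 Aug  5 20:00 /bin/sh
-rw-r--r--  1 root  wheel  sappnd  8192 Aug  5 20:00 /var/log/messages'

# find_mutable: read a listing on stdin and print the path (last field) of
# every entry whose flags column contains neither schg nor sappnd.  Flags
# are comma-separated, so "schg,sappnd" is matched as well as a lone flag.
find_mutable() {
    awk '$5 !~ /(^|,)(schg|sappnd)(,|$)/ { print $NF }'
}

# sample_mutable: run the audit over the constructed listing above and
# return the unprotected paths, one per line.  On a real host you would
# replace the printf with:  ls -lo /etc/rc /etc/rc.local /bin/sh ...
sample_mutable() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mutable
}

# count_mutable: number of unprotected entries, useful as an exit status
# for a cron-driven check (0 means every listed file is protected).
count_mutable() {
    sample_mutable | wc -l | tr -d ' '
}

sample_mutable
```

Running the block prints `/etc/rc.local`, the one startup file in the sample that root could edit at security level one; /var/log/messages passes because append-only is the appropriate flag for a log file. A non-zero count from `count_mutable` is the condition worth paging on.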