*BSD News Article 48057



Xref: sserve comp.unix.bsd.misc:147 comp.unix.bsd.bsdi.misc:533
Newsgroups: comp.unix.bsd.misc,comp.unix.bsd.bsdi.misc
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!solaris.cc.vt.edu!news.duke.edu!godot.cc.duq.edu!newsfeed.pitt.edu!dsinc!jabber!candle!root
From: root@candle.pha.pa.us (Bruce Momjian)
Subject: Circumventing immutable file protections
X-Newsreader: TIN [UNIX 1.3 950726BETA PL0]
Organization: a consultant's basement
Message-ID: <DCvE8s.15A@candle.pha.pa.us>
Date: Sun, 6 Aug 1995 03:41:16 GMT
Lines: 33

I am running BSD/OS 2.0.1, which is based on BSD4.4 and has immutable
files.

I understand that the immutable/append-only files can only be
modified/truncated when in single user mode, when the security level is
zero.

According to the system boot messages, when starting the system from a
warm/cold boot into multi-user mode, all the startup scripts like
/etc/rc run at security level zero BEFORE the system goes into
multi-user mode and security level one.

If a hacker broke into a system, wouldn't he do his mischief, then add
entries to /etc/rc to truncate or modify the log files and then cause a
reboot?  He could also replace his modified versions with the real ones
too.

It would seem very difficult to prevent a hacker who has gained root
access from forcing a reboot (perhaps making it look normal).  It would
also appear to be difficult to protect from modification /etc/rc and all
the programs it runs.

I know that all unplanned reboots should be looked at carefully, but is
there any other way to prevent this type of attack and cover-up?

Immutable files definitely add to system security by making things more
difficult for the hacker.  I was wondering if the method of cover-up
could be prevented.
-- 
Bruce Momjian                          |  830 Blythe Avenue
root@candle.pha.pa.us                  |  Drexel Hill, Pennsylvania 19026 
  +  If your life is a hard drive,     |  (610) 353-9879(w) 
  +  Christ can be your backup.        |  (610) 853-3000(h)
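One defensive check the post points toward, added here as an example and not part of the original article: an audit of `ls -lo` output that lists boot-time files (such as /etc/rc and what it runs) that lack the schg flag, plus a helper that says whether a given kern.securelevel still permits clearing that flag. The flags-column layout of BSD `ls -lo` is assumed, and the sample listing is constructed rather than real system output.

```shell
#!/bin/sh
# Audit `ls -lo` output for startup files missing the schg (system
# immutable) flag. On 4.4BSD-derived systems `ls -lo` prints the file
# flags in the column after the group: "-" when none are set, otherwise a
# comma-separated list such as "schg,uappnd". Assumed format; sample
# lines below are constructed, not taken from a real machine.

# Constructed sample: three boot-time files, two protected, one not.
SAMPLE_LS_LO='-r--r--r--  1 root  wheel  schg         2048 Aug  5 03:00 /etc/rc
-r--r--r--  1 root  wheel  schg,uappnd   512 Aug  5 03:00 /etc/rc.local
-rwxr-xr-x  1 root  wheel  -            4096 Aug  5 03:00 /etc/netstart
-r-xr-xr-x  1 root  wheel  schg       163840 Aug  5 03:00 /bin/sh'

# unprotected_startup_files: read `ls -lo` lines on stdin and print the
# path of every file whose flag list does not contain "schg". Any such
# file can be rewritten by root even at securelevel 1, so it is a place
# where boot-time changes (the /etc/rc concern above) could be planted.
unprotected_startup_files() {
    awk '{
        n = split($5, flags, ",")
        immutable = 0
        for (i = 1; i <= n; i++) if (flags[i] == "schg") immutable = 1
        if (!immutable) print $NF
    }'
}

# securelevel_allows_chflags: given the kernel securelevel (for example
# the value of `sysctl -n kern.securelevel`), succeed if schg could be
# cleared at that level, i.e. the system is still at level 0 or below.
securelevel_allows_chflags() {
    [ "$1" -le 0 ]
}

# Stand-alone run: report the unprotected files in the sample listing.
printf '%s\n' "$SAMPLE_LS_LO" | unprotected_startup_files
```

On a live system the listing would come from `ls -lo /etc/rc* /etc/netstart` and the programs /etc/rc invokes; files reported here are candidates for `chflags schg` before the securelevel is raised.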