*BSD News Article 49010

Newsgroups: comp.unix.bsd.misc,comp.unix.bsd.bsdi.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!vtc.tacom.army.mil!ulowell.uml.edu!europa.chnt.gtegsc.com!gatech!newsfeed.pitt.edu!dsinc!jabber!candle!root
From: root@candle.pha.pa.us (Bruce Momjian)
Subject: Re: Circumventing immutable file protections
Followup-To: comp.unix.bsd.misc,comp.unix.bsd.bsdi.misc
X-Newsreader: TIN [UNIX 1.3 950726BETA PL0]
Organization: a consultant's basement
Message-ID: <DDF9o5.1BL@candle.pha.pa.us>
References: <DCvE8s.15A@candle.pha.pa.us> <4095br$3tj@kragar.kei.com> <409qef$t3n@Germany.EU.net>
Date: Wed, 16 Aug 1995 21:14:29 GMT
Lines: 23
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.misc:161 comp.unix.bsd.bsdi.misc:610

Bernard Steiner (bs@Germany.EU.net) wrote:
: 
: In article <4095br$3tj@kragar.kei.com>, ckd@loiosh.kei.com (Christopher Davis) writes:
: |> BM> == Bruce Momjian <root@candle.pha.pa.us>
: |> 
: |>  BM> If a hacker broke into a system, wouldn't he do his mischief, then
: |>  BM> add entries to /etc/rc to truncate or modify the log files and then
: |>  BM> cause a reboot.
: |> 
: Make /etc/rc run only commands and scripts that are either immutable or reside
: on read-only filesystems.

I was afraid this was the answer I would receive, that there is no way
to prevent a reboot and /etc/rc from clearing a hacker's tracks except to
make /etc/rc and everything(!) it calls immutable.  That is quite a job.

Now, I am wondering why the kernel has to run /etc/rc at security level
zero?  If it did not, I would only have to protect /boot and /bsd.
-- 
Bruce Momjian                          |  830 Blythe Avenue
root@candle.pha.pa.us                  |  Drexel Hill, Pennsylvania 19026 
  +  If your life is a hard drive,     |  (610) 353-9879(w) 
  +  Christ can be your backup.        |  (610) 853-3000(h)
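The "quite a job" Bruce describes, verifying that /etc/rc and every command or script it names is either immutable or on a read-only filesystem, is mechanical enough to script. The audit below is an added example and is not code from this thread or from any BSD distribution. It parses an rc-style script for absolute paths, then classifies each one: `immutable` if the BSD `schg`/`uchg` flag is set (read from `st_flags`, which `os.lstat` only exposes on BSD-derived systems; elsewhere it is absent and treated as 0), `readonly-fs` if `statvfs` reports the mount as read-only, otherwise `UNPROTECTED`. The sample rc text, and the flag/mount oracles used when testing, are constructed for the example; the `flags_of`, `readonly_fs` and `exists` parameters exist only so the logic can be exercised without a BSD host.

```python
"""Audit an rc-style script: list the absolute paths it references and
report which are neither immutable nor on a read-only filesystem.
Added example; not part of the original Usenet thread."""
import os
import shlex
import stat
import sys

# Both the system (schg) and user (uchg) immutable flags count: only the
# former resists root at securelevel >= 1, but either blocks casual edits.
IMMUTABLE = stat.SF_IMMUTABLE | stat.UF_IMMUTABLE

# Matches /sbin/fsck, /etc/rc.local, and each element of PATH=/sbin:/bin.
import re
ABS_PATH = re.compile(r'/[\w./-]+')


def referenced_paths(script_text):
    """Absolute paths mentioned in the script, in first-seen order.
    Comments and shell quoting are handled by shlex; a line shlex cannot
    tokenize (unbalanced quote) falls back to whitespace splitting."""
    seen = []
    for line in script_text.splitlines():
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            tokens = line.split()
        for tok in tokens:
            for path in ABS_PATH.findall(tok):
                if path not in seen:
                    seen.append(path)
    return seen


def _bsd_flags(path):
    # st_flags is only present on BSD-derived systems; 0 means "no flags".
    return getattr(os.lstat(path), "st_flags", 0)


def _on_readonly_fs(path):
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)


def audit(script_text, flags_of=_bsd_flags, readonly_fs=_on_readonly_fs,
          exists=os.path.exists):
    """Map each referenced path to 'missing', 'immutable', 'readonly-fs'
    or 'UNPROTECTED'.  The oracles are injectable for offline testing."""
    report = {}
    for path in referenced_paths(script_text):
        if not exists(path):
            report[path] = "missing"
        elif flags_of(path) & IMMUTABLE:
            report[path] = "immutable"
        elif readonly_fs(path):
            report[path] = "readonly-fs"
        else:
            report[path] = "UNPROTECTED"
    return report


def unprotected(report):
    """Sorted list of paths an attacker with root could still rewrite."""
    return sorted(p for p, status in report.items() if status == "UNPROTECTED")


# Constructed sample, loosely modelled on a 4.4BSD-style /etc/rc.
SAMPLE_RC = """\
#!/bin/sh
# constructed sample rc script for the audit example
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
/sbin/fsck -p
/sbin/mount -a -t nonfs
/usr/sbin/syslogd
if [ -f /etc/rc.local ]; then
    . /etc/rc.local
fi
/usr/sbin/cron
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RC
    for path, status in audit(text).items():
        print(f"{status:12} {path}")
```

Run it as `python audit_rc.py /etc/rc` on the host being checked; anything listed as `UNPROTECTED` is a candidate for `chflags schg` or for moving onto a read-only mount. The tool only sees paths written literally in the script: commands found via `PATH` and whatever a sourced script such as /etc/rc.local goes on to call are not followed, so feed those scripts through it too (the `PATH` directories themselves are reported, since a writable one is as much of a gap as a writable binary).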