Re: suid bit files + securing FreeBSD (new program: LockDown)

From: D J Hawkey Jr (hawkeyd_at_visi.com)
Date: 07/27/03

    Date: Sun, 27 Jul 2003 07:51:36 -0500
    To: Socketd <db@traceroute.dk>

    CC'ing security@ now, since you did.

    On Jul 27, at 02:36 PM, Socketd wrote:
    >
    > On Sun, 27 Jul 2003 06:29:33 -0500
    > D J Hawkey Jr <hawkeyd@visi.com> wrote:
    >
    > > Your plan is to incorporate this into/for rc.conf, and your program
    > > would be run at boot?
    >
    > It is meant to be installed from the port collection and then executed
    > once, but you can of course run it as many times as you want (but if you
    > haven't changed the system since the last time you ran it, this makes no
    > sense).

    Would you consider my above suggestion?

    It could certainly be installed from the ports collection, but it would
    be most useful to me (and p'raps others?) as a boot-time thang. Think of
    dedicated firewalls and routers, especially those that boot from custom
    CDs [and p'raps read floppies for "volatile" configuration].

    In my mind, the conf could be installed as /etc/rc.whatever, and the
    program could be installed as /usr/local/etc/rc.d/whatever. In this way,
    it'd be run on boot, and could be run anytime as
    "/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.

    I'm thinking of rootkits and whatnot that drop a SUID/SGID program on a
    box and force a reboot to "kick it in". Your program, by enforcing the
    "rules" in the conf, could remove the exec bits on the trojan, or just
    blow the trojan away. I realize I might be widening the scope here...

    Were you to go this way, I could see where Core might consider adding
    your work into the base? I'd lobby for it. :-)

    > > What language do you think you'll use (hopefully,
    > > something supported by the base OS, e.g., not ruby, modula, or perl)?
    >
    > I use C++

    Oh. I was hoping you'd answer "shell script" (my preference, for quick
    'n easy modification), or "C".

    Just some suggestions,
    Dave

    -- 
      ______________________                         ______________________
      \__________________   \    D. J. HAWKEY JR.   /   __________________/
         \________________/\     hawkeyd@visi.com    /\________________/
                          http://www.visi.com/~hawkeyd/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
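The boot-time check Dave sketches above, as an added example in his preferred shell script form (this is not Socketd's LockDown program, and the conf format, paths and constructed demo tree are this example's assumptions): a conf lists the SUID/SGID files that are expected, and anything else carrying those bits is reported and optionally has the bits stripped.

```shell
#!/bin/sh
# Added example, not the LockDown program from the thread: a whitelist check
# in the spirit of the rc.d idea above. The conf lists every SUID/SGID file
# that is expected, one absolute path per line (no blank lines); any other
# file found with those bits is reported and, with "fix", has them stripped.
# The conf format and paths are this example's assumptions.

# suid_audit CONF ROOT [fix]
# Prints each unexpected SUID/SGID file; returns 0 if none were found, 1 if any.
suid_audit() {
    conf=$1; root=$2; fix=$3
    # -xdev stays on one filesystem, as a boot-time scan of / would want;
    # -perm -4000 / -2000 select files with the SUID / SGID bit set.
    unexpected=$(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) |
                 grep -Fxvf "$conf" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    if [ -n "$fix" ]; then
        # Strip only the SUID/SGID bits; the file itself is left for inspection.
        printf '%s\n' "$unexpected" | while IFS= read -r f; do
            chmod u-s,g-s "$f"
        done
    fi
    return 1
}

# build_demo_tree: creates a constructed miniature filesystem under a temp
# directory plus a matching conf; prints the temp directory. Demo data only.
build_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/fs/usr/bin" "$tmp/fs/tmp"
    : > "$tmp/fs/usr/bin/passwd"; chmod 4555 "$tmp/fs/usr/bin/passwd"  # expected SUID
    : > "$tmp/fs/usr/bin/ls";     chmod 0755 "$tmp/fs/usr/bin/ls"      # no special bits
    : > "$tmp/fs/tmp/.dropped";   chmod 4755 "$tmp/fs/tmp/.dropped"    # not in the conf
    printf '%s\n' "$tmp/fs/usr/bin/passwd" > "$tmp/lockdown.conf"
    echo "$tmp"
}

# Stand-alone demonstration on the constructed tree.
demo_root=$(build_demo_tree)
suid_audit "$demo_root/lockdown.conf" "$demo_root/fs" fix ||
    echo "unexpected SUID/SGID bits were stripped under $demo_root/fs"
```

Run against "/" from an rc.d script or a cron job, the same function gives the report-or-strip behaviour described in the message; a real conf would be generated from a known-good install rather than typed by hand.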
    