Re: suid bit files + securing FreeBSD (new program: LockDown)
From: D J Hawkey Jr (hawkeyd_at_visi.com)
Date: Sun, 27 Jul 2003 07:51:36 -0500 To: Socketd <firstname.lastname@example.org>
CC'ing security@ now, since you did.
On Jul 27, at 02:36 PM, Socketd wrote:
> On Sun, 27 Jul 2003 06:29:33 -0500
> D J Hawkey Jr <email@example.com> wrote:
> > Your plan is to incorporate this into/for rc.conf, and your program
> > would be run at boot?
> It is meant to be installed from the port collection and then executed
> once, but you can of course run it as many times you want (but if you
> haven't changed the sytem, since the last time you ran it, this makes no
Would you consider my above suggestion?
It could certainly be installed from the ports collection, but it would
be most useful to me (and p'raps others?) as a boot-time thang. Think of
dedicated firewalls and routers, especially those that boot from custom
CDs [and p'raps read floppies for "volatile" configuration].
In my mind, the conf could be installed as /etc/rc.whatever, and the
program could be installed as /usr/local/etc/rc.d/whatever. In this way,
it'd be run on boot, and could be run anytime as
"/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.
I'm thinking of rootkits and whatnot that drop a SUID/SGID program on a
box and force a reboot to "kick it in". Your program, by enforcing the
"rules" in the conf, could remove the exec bits on the trojan, or just
blow the trojan away. I realize I might be widening the scope here...
Were you to go this way, I could see where Core might consider adding
your work into the base? I'd lobby for it. :-)
> > What language do you think you'll use (hopefully,
> > something supported by the base OS, e.g., not ruby, modula, or perl)?
> I use C++
Oh. I was hoping you'd answer "shell script" (my preference, for quick
'n easy modification), or "C".
Just some suggestions,
-- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ firstname.lastname@example.org /\________________/ http://www.visi.com/~hawkeyd/ _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "firstname.lastname@example.org"