Re: suid bit files + securing FreeBSD (new program: LockDown)

From: D J Hawkey Jr (hawkeyd_at_visi.com)
Date: 07/27/03

    Date: Sun, 27 Jul 2003 07:51:36 -0500
    To: Socketd <db@traceroute.dk>
    
    

    CC'ing security@ now, since you did.

    On Jul 27, at 02:36 PM, Socketd wrote:
    >
    > On Sun, 27 Jul 2003 06:29:33 -0500
    > D J Hawkey Jr <hawkeyd@visi.com> wrote:
    >
    > > Your plan is to incorporate this into/for rc.conf, and your program
    > > would be run at boot?
    >
    > It is meant to be installed from the port collection and then executed
    > once, but you can of course run it as many times as you want (but if you
    > haven't changed the system, since the last time you ran it, this makes no
    > sense).

    Would you consider my above suggestion?

    It could certainly be installed from the ports collection, but it would
    be most useful to me (and p'raps others?) as a boot-time thang. Think of
    dedicated firewalls and routers, especially those that boot from custom
    CDs [and p'raps read floppies for "volatile" configuration].

    In my mind, the conf could be installed as /etc/rc.whatever, and the
    program could be installed as /usr/local/etc/rc.d/whatever. In this way,
    it'd be run on boot, and could be run anytime as
    "/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.

    I'm thinking of rootkits and whatnot that drop a SUID/SGID program on a
    box and force a reboot to "kick it in". Your program, by enforcing the
    "rules" in the conf, could remove the exec bits on the trojan, or just
    blow the trojan away. I realize I might be widening the scope here...

    Were you to go this way, I could see where Core might consider adding
    your work into the base? I'd lobby for it. :-)

    > > What language do you think you'll use (hopefully,
    > > something supported by the base OS, e.g., not ruby, modula, or perl)?
    >
    > I use C++

    Oh. I was hoping you'd answer "shell script" (my preference, for quick
    'n easy modification), or "C".

    Just some suggestions,
    Dave

    -- 
      ______________________                         ______________________
      \__________________   \    D. J. HAWKEY JR.   /   __________________/
         \________________/\     hawkeyd@visi.com    /\________________/
                          http://www.visi.com/~hawkeyd/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
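
The enforcement idea in the message above (a conf of rules, applied at boot or from cron, that strips SUID/SGID bits from anything unexpected), sketched as an added example that is not part of the original message and is not LockDown's code. The function names and the one-path-per-line allowlist format are assumptions.

```shell
#!/bin/sh
# Added example (not LockDown code): allowlist-based SUID/SGID audit.
# Function names and the allowlist format are assumptions for illustration.

# list_suid ROOT: print regular files under ROOT with setuid or setgid set.
# -xdev keeps the walk on one filesystem; find does not follow symlinks here.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# audit_suid ROOT ALLOWLIST [enforce]
# Prints every SUID/SGID file that is not an exact line in ALLOWLIST.
# With "enforce", also clears the setuid/setgid bits on those files.
# Returns 0 when everything found is allowlisted, 1 otherwise, 2 on error.
audit_suid() {
    root=$1; allow=$2; mode=${3:-report}; rc=0
    [ -d "$root" ] && [ -r "$allow" ] || return 2
    rules=$(mktemp "${TMPDIR:-/tmp}/suidrules.XXXXXX") || return 2
    found=$(mktemp "${TMPDIR:-/tmp}/suidfound.XXXXXX") || return 2
    # Drop comment and blank lines so they can never match a path.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$allow" > "$rules" || true
    list_suid "$root" > "$found" || true
    while IFS= read -r f; do
        # Exact, whole-line match only: no globbing, no prefix matching.
        grep -Fxq -- "$f" "$rules" && continue
        rc=1
        printf '%s\n' "$f"
        if [ "$mode" = enforce ]; then
            chmod ug-s "$f" || rc=2
        fi
    done < "$found"
    rm -f "$rules" "$found"
    return "$rc"
}
```

Report mode changes nothing; run it before `enforce` to confirm the allowlist covers every legitimate SUID/SGID binary on the box.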
    
