Re: suid bit files + securing FreeBSD (new program: LockDown)

From: Socketd (db_at_traceroute.dk)
Date: 07/27/03

  • Next message: Paul Chvostek: "ssh and X11Forwarding" 
    Date: Sun, 27 Jul 2003 18:55:32 +0200
To: hawkeyd@visi.com, security@freebsd.org

    On Sun, 27 Jul 2003 10:29:23 -0500
    D J Hawkey Jr <hawkeyd@visi.com> wrote:

    > > LockDown could search for ALL suid and gid files and set the
    > > permissions accordingly to the conf file, the files not listed there
    > > would be disabled (or set to a user specified default)...
    >
    > Now you're thinking along the lines I'm thinking. Something of a
    > system hyper- or super-visor.

    Well I don't know if we are thinking along the same lines. LockDown is
    not meant to be an IDS or system monitor program, just a quick secure
    setup helper.

    > I do like the idea of checking /etc... maybe... using cksum(1), or
    > something like that. I currently use local periodic(8) scripts,
    > similar to /etc/periodic/daily/2*, that backs up /etc, /etc/mail, and
    > /etc/namedb.

    By /etc support I meant options like rc_conf, login_class and openssh
    for "all" files in /etc

    > NOTE: I'm not a committer! I only mention the possibility; I can't
    > make it so.

    Hehe, I know :-)

    > I've gotten pretty fluent with sh(1), awk(1), and sed(1). I could
    > pro'lly write what you envision in a shell script. I wouldn't want to
    > re-write a C++ program though; I'm not well versed in C++'s "nuances".

    The program is really easy to write since it only change file
    permissions and add text to some files in /etc (and other easy to write
    stuff)

    br
    socketd
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

  • Next message: Paul Chvostek: "ssh and X11Forwarding"

    Relevant Pages

    • Re: File names with spaces driving me insane!!!
      ... modes, depending on file type. ... method to change the permissions of certain file types, which is reliable for the majority of files. ... Of course, if you have a shell script and no #!/bin/bash as the first line, the file command just recognizes it as a text file. ... file had 100% success in finding executables. ...
      (comp.unix.shell)
    • Re: Mac OS X Security - Not Quite as Strong as you Thought
      ... user's directory you are not allowed (assuming standard permissions). ... Moving his shell script ... the execute bit is always shut off. ... The installer elevates the script to root, ...
      (comp.sys.mac.advocacy)
    • Re: /dev/dsp - I dont want to fight with it ... (permissions)
      ... > I have a shell script that records from line in. ... > I call shell script from cron. ... > I tried doing a similar thing with fedora. ... resets the permissions on the sound dev. ...
      (Fedora)
    • Re: Mac OS X Security - Not Quite as Strong as you Thought
      ... user's directory you are not allowed (assuming standard permissions). ... Moving his shell script by emailing to another machine... ... But would anyone owning a Mac that receives an anonymous email open up an unknown .dmg package? ... You have to log out and log in as root or at least an su if setup. ...
      (comp.sys.mac.advocacy)
    • Re: Mac OS X Security - Not Quite as Strong as you Thought
      ... user's directory you are not allowed (assuming standard permissions). ... nor is it a shell script anymore. ... The installer elevates the script to root, ...
      (comp.sys.mac.advocacy)