Re: Locking down ssh config in large env

From: Atro Tossavainen (atossava_at_cc.helsinki.fi)
Date: 09/29/04

    To: secureshell@securityfocus.com
    Date: Wed, 29 Sep 2004 09:29:42 +0300 (EEST)
    
    

    Michael Shirk (Shirkdog) wrote:

    > What about the immutable bit "chmod +i .ssh".
    > If it is root owned, and the immutable bit set, no one can change it.
    > Root has to unset the bit first. However, it will not be able to update
    > for new sshd hosts, but that is a security feature.
    > Atro, test this on your box and let me know.

    root@thisbox /home/username 4 # uname -a
    Linux thisbox 2.4.27 #1 Mon Aug 16 15:45:29 EEST 2004 i686 unknown
    root@thisbox /home/username 5 # mount
    /dev/hda7 on / type reiserfs (rw)
    ...
    root@thisbox /home/username 2 # mkdir pelle
    root@thisbox /home/username 3 # chmod +i pelle
    chmod: invalid mode

    You mean chattr, and according to its manual page, it only works on ext2.

    The attribute is set and recorded on reiserfs too (can be viewed with
    lsattr), but does not prevent the user from renaming the root-owned
    supposedly immutable directory "pelle" in the user's home directory.

    Even if it worked across all Linux file systems, which it seems not to
    be doing, it is at any rate not portable across UNIX systems and therefore
    not a solution either. I couldn't find anything on Solaris 8 or
    HP-UX 10.20 that would do the same (but maybe I wasn't looking hard
    enough). IRIX 6.5 has the capabilities system and OSF1 (Tru64) has
    the Extended File Attributes which might be applicable.

    -- 
    Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
    Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
    +358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
    <URL:http://www.helsinki.fi/%7Eatossava/> NO FILE ATTACHMENTS
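Before relying on the immutable attribute to keep a root-owned .ssh directory from being renamed or modified, a defender would first verify that the kernel actually enforces it on the filesystem in question, which is the gap this message found on reiserfs. The probe below is an added example and not part of the thread; it assumes it runs as root with chattr from e2fsprogs installed, and the directory argument is a placeholder.

```shell
#!/bin/sh
# probe_immutable DIR
# Creates a scratch directory under DIR, marks it immutable with chattr +i,
# then checks whether the kernel refuses to rename it and to create an entry
# inside it. Prints exactly one word and returns 0 only for "enforced":
#   enforced      - both operations were refused, the attribute is effective
#   not-enforced  - chattr accepted the flag but an operation still succeeded
#   unsupported   - chattr is missing, or it rejected the flag (no root, or a
#                   filesystem without the attribute)
# Assumed environment: root privileges and chattr from e2fsprogs (not from the
# original message).
probe_immutable() {
    dir=$1
    scratch="$dir/immutable-probe.$$"
    moved="$dir/immutable-probe-moved.$$"
    mkdir "$scratch" 2>/dev/null || { echo unsupported; return 1; }
    if ! command -v chattr >/dev/null 2>&1 || ! chattr +i "$scratch" 2>/dev/null
    then
        rmdir "$scratch" 2>/dev/null
        echo unsupported
        return 1
    fi
    result=enforced
    # Test 1: can the directory still be renamed despite +i?
    if mv "$scratch" "$moved" 2>/dev/null; then
        result=not-enforced
        scratch=$moved
    fi
    # Test 2: can an entry still be created inside it despite +i?
    if touch "$scratch/x" 2>/dev/null; then
        result=not-enforced
        chattr -i "$scratch" 2>/dev/null
        rm -f "$scratch/x"
    fi
    # Clean up: the attribute must be dropped before the directory can go.
    chattr -i "$scratch" 2>/dev/null
    rmdir "$scratch" 2>/dev/null
    echo "$result"
    [ "$result" = enforced ]
}
```

Run it once per filesystem that will hold home directories; anything other than "enforced" means the immutable bit adds no protection there.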
    
