Re: newbie: how to prevent trojan horses?

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 05/13/03


Date: Tue, 13 May 2003 19:02:01 GMT

Rita Bijlsma <bijr@oce.nl> said:
> I'm a newbie when it comes to security.
> I want to ask how can I protect myself against trojan horses
> and still try programs from any source.
>
> What I plan to do is:
>
> - Execute the potentially dangerous programs only while being
> logged in as a user that does not own any important files
> and that belongs to a single group, which contains only that
> user. To ensure that this user has no rights anywhere else
> on the system.

The program might have legitimate needs to write f.ex. in /tmp and
/var/tmp.

> - Remove world execute permission of any suid programs, especially
> suid root programs. To ensure that programs run by the limited
> rights user can not make use of security holes in suid programs.

Also, the program might have legitimate needs to call setuid/setgid
programs.

> Will this do or is this wrong?

It already takes you some way towards your goal, but note that the
program might well behave differently when running under different
users -- f.ex. it might check whether it's running as root - and
only perform nastily when run as root.

Further, you might wish to monitor the network traffic to/from the host
where you're running the program (or be very restrictive about the
network traffic you allow in and out of the host during testing).

However, if you really want to be certain, you'd need to go through
the source code of the suspect programs -- and make sure your compiler
and libraries are clean.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
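An added audit script, not part of the original thread, for the set-uid step Rita proposes and the caveat Juha raises about it: it only reports which set-uid/set-gid files a restricted test user can still execute, and changes nothing, since the program under test may legitimately need some of them. The function names and the constructed temporary tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread).  Reports set-uid and
# set-gid regular files under a directory tree, split into those that
# are still world-executable (reachable by a low-privilege test user
# such as the one the original poster describes) and those that are
# already restricted.  It never modifies modes: as Juha notes, the
# program under test may have legitimate reasons to call some of these
# helpers, so decide per file before clearing the world-execute bit.

# Print every set-uid/set-gid regular file under $1 (default /) that
# still has the other-execute bit set.  -xdev keeps the scan on one
# filesystem; errors on unreadable directories are discarded.
audit_suid_world_exec() {
    dir=${1:-/}
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
         -perm -0001 -print 2>/dev/null
}

# Print the set-uid/set-gid regular files under $1 that are NOT
# world-executable, i.e. what the restricted test user cannot reach.
audit_suid_restricted() {
    dir=${1:-/}
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
         ! -perm -0001 -print 2>/dev/null
}

# Demonstration on a constructed tree (no root needed: an owner may set
# the set-uid bit on files they own, though the kernel ignores it for
# non-root owners, which is exactly what makes this a safe test bed).
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/open_helper";   chmod 4755 "$tmp/open_helper"   # suid, world x
    : > "$tmp/closed_helper"; chmod 4750 "$tmp/closed_helper" # suid, no world x
    : > "$tmp/plain_tool";    chmod 0755 "$tmp/plain_tool"    # not suid
    echo "world-executable set-uid/set-gid files under $tmp:"
    audit_suid_world_exec "$tmp"
    echo "restricted set-uid/set-gid files under $tmp:"
    audit_suid_restricted "$tmp"
    rm -rf "$tmp"
}

demo
```

Run the first function against / (as root, so unreadable directories are not silently skipped) to get the list Rita's plan would act on.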