Subject: Re: Making setuid files immutable
To: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
From: Alex Rolfe <arolfe@MIT.EDU>
List: tech-security
Date: 01/15/1999 09:23:50
You'd probably want more than just setuid files as immutable.  On my
system, the following are immutable :
-all of /bin
-all of /usr/bin
-all of /sbin
-all of /usr/sbin
-all of /usr/lib
-everything called from inetd 
-everything called from the rc files
-all rc files and inetd.conf

Making all of /bin, /usr/bin, etc immutable probably isn't critical;
however, you will need more than just the setuid files immutable.  (I
did it all on my system since it doesn't change much).
Anything called as root must be immutable, especially if it's called
from the rc files before the system switches to secure level 1 (or 2).
Otherwise, someone could alter the file and reboot the machine so the
altered program could unmark immutable files and change them before the
system is in secure mode.

Alex Rolfe

 > scanning my 1.3.3-system I noted that the SF_IMMUTABLE bit is not set on any
 > security relevant files (like /usr/bin/login or /usr/bin/su). Setting this b
 > would greatly enhance system security as hackers could not stealthly modify
 > these files when the system runs at securelevel > 0.
 > I'd like to suggest to set the SF_IMMUTABLE bit on all security relevant fil
 > (I have all setuid files in mind) and the SF_APPEND bit on critical system l
 > files.