Subject: Re: Making setuid files immutable
To: Alex Rolfe <arolfe@MIT.EDU>
From: Jan B. Koum <email@example.com>
Date: 01/15/1999 07:26:43
On Fri, Jan 15, 1999 at 09:23:50AM -0500, Alex Rolfe <arolfe@MIT.EDU> wrote:
> You'd probably want more than just setuid files as immutable. On my
> system, the following are immutable :
> -all of /bin
> -all of /usr/bin
> -all of /sbin
> -all of /usr/sbin
> -all of /usr/lib
> -everything called from inetd
> -everything called from the rc files
> -all rc files and inetd.conf
> Making all of /bin, /usr/bin, etc immutable probably isn't critical;
> however, you will need more than just the setuid files immutable. (I
> did it all on my system since it doesn't change much).
> Anything called as root must be immutable, especially if it's called
> from the rc files before the system switches to secure level 1 (or 2).
> Otherwise, someone could alter the file and reboot the machine so the
> altered program could unmark immutable files and change them before the
> system is in secure mode.
> Alex Rolfe
> > scanning my 1.3.3-system I noted that the SF_IMMUTABLE bit is not set on any
> > security relevant files (like /usr/bin/login or /usr/bin/su). Setting this b
> > would greatly enhance system security as hackers could not stealthly modify
> > these files when the system runs at securelevel > 0.
> > I'd like to suggest to set the SF_IMMUTABLE bit on all security relevant fil
> > (I have all setuid files in mind) and the SF_APPEND bit on critical system l
> > files.
I have a couple of BSD boxes running with securelevel 3 - I sleep a bit
better, but admin of the boxes is a pain: think single user mode only :)