Hi.

On Mon, Sep 25, 2017 at 12:21:49PM -0400, Greg Wooledge wrote:
> On Mon, Sep 25, 2017 at 07:10:10PM +0300, Reco wrote:
> > A common misconception. Here's how a determined userspace can beat
> > immutable bit:
> >
> > # mkdir testetc
> > # touch testetc/resolv.conf
> > # chattr +i testetc/resolv.conf
> > # mv testetc/ testetc.orig
> > # mkdir testetc
> > # touch testetc/resolv.conf
> > # echo evil dns > testetc/resolv.conf
>
> You'd have to replace all the other files in /etc as well, or the
> system wouldn't work very well. But that's not the point. The point
> isn't to harden the system against an attacker bent on subverting your
> name lookups. It's to protect your locally modified configuration file
> from being overwritten by well-meaning but stupid software programs.
If the program misbehaves and it cannot be changed - why bother keeping
such a program in your OS? I mean, it's a Debian maillist, right?
Everything that misbehaves can be fed to 'apt-get purge' and replaced
with something more sensible.

> (And yes, there are other ways to achieve that, but I've already posted
> the <https://www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/> URL
> in this thread. Oops, I did it again.)

An interesting link. It lacks my second favorite approach though (first
one being read-only root filesystem):

iptables -t nat -A OUTPUT -p udp ! -d <my_dns> --dport 53 -j DNAT \
    --to-destination <my_dns>:53
iptables -t nat -A OUTPUT -p tcp ! -d <my_dns> --dport 53 -j DNAT \
    --to-destination <my_dns>:53
ip6tables -A OUTPUT -p udp --dport 53 -j REJECT
ip6tables -A OUTPUT -p tcp --dport 53 -j REJECT

Let them overwrite my resolv.conf with all kinds of gibberish, but it
will resolve the way *I* want it.

Reco
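The DNAT approach from the message above as an idempotent script; this is an added example, not code from the thread. It assumes a single IPv4 resolver address you choose (the `192.0.2.53` used here is a documentation address, not a real resolver), uses `iptables -C` so rerunning it never duplicates rules, and offers a `DRY_RUN=1` mode that prints the commands instead of needing root.

```shell
#!/bin/sh
# Pin all locally generated DNS traffic to one resolver: rewrite every
# IPv4 port-53 packet not already headed to $dns (DNAT in the nat OUTPUT
# chain), and refuse IPv6 DNS outright since the resolver is IPv4-only.
# Applying the rules needs root; DRY_RUN=1 only prints what would run.

# ensure_rule <binary> <table> <chain> <rule args...>
# Appends the rule only when an identical one is absent (iptables -C
# exits 0 if the rule already exists), so the script is safe to rerun.
ensure_rule() {
    bin=$1 table=$2
    shift 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s -t %s -A %s\n' "$bin" "$table" "$*"
    elif ! "$bin" -t "$table" -C "$@" 2>/dev/null; then
        "$bin" -t "$table" -A "$@"
    fi
}

# pin_dns <ipv4-resolver>: installs the four rules from the post, for
# both UDP and TCP (TCP matters for truncated answers and zone transfers).
pin_dns() {
    dns=$1
    for proto in udp tcp; do
        # '! -d' excludes queries already addressed to the chosen resolver.
        ensure_rule iptables nat OUTPUT -p "$proto" ! -d "$dns" --dport 53 \
            -j DNAT --to-destination "$dns:53"
        ensure_rule ip6tables filter OUTPUT -p "$proto" --dport 53 -j REJECT
    done
}
```

Whatever a DHCP client or resolvconf later writes into /etc/resolv.conf, the kernel still sends the queries to the pinned resolver; only the destination address is rewritten, so the reply path is handled by conntrack as usual.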

