Nick Sayer wrote:
>
> Greg Black wrote:
>
> > Nick Sayer wrote:
> >
> >> Would it generally be viewed as helpful to add the option of reporting
> >> the md5 for the files listed in /var/log/setuid.*?
> >
> >
> > I don't see the benefit in this if either the md5 binary or the
> > comparison file are on writable storage (which is almost always
> > going to be true).
>
> Then why bother checking at all? Someone can trojan ls, or even easier,
> arrange to trojan suid binaries without changing the things that show up
> in that listing.
>
> Besides, security conscious folks could set the immutable flag for md5
> and/or the comparison file (and probably sh and ls while they're at it)
> if they like.
>
> For the point kris made, I'm not sure he understood what I was
> suggesting -- I'm not suggesting just printing the md5 of the files when
> you notice they've changed, but adding the md5 as another trigger for
> deciding which files have changed. Adding it as a field in
> /var/log/setuid.* would achieve this end.
Add a list of executables and their MD5's to the kernel, to be loaded at
boot time via the loader. Modify the kernel loader to refuse to exec
any executable whose MD5 is known but doesn't match. Ditto for shared
libraries and ld.so. There you have it, a system that cannot be
upgraded except in single-user mode.
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
[EMAIL PROTECTED] http://softweyr.com/
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
