Re: remounts (was: Re: adding "noschg" to ssh and friends)
Dan Pelleg wrote: > > "Karsten W. Rohrbach" <[EMAIL PROTECTED]> wrote: > > there are some real high-impact tweaks to be a little bit safer from > > rootkits. one of them is mounting /tmp noexec. drawback: you got to > > remount it exec for make installworld. > > I always wondered... Why are remounts permitted in all securelevels? I > mean, in a locked-down system where it's acceptable to force a reboot in > order to upgrade (or run a rootkit), I should be able to enforce read-only > mounts. Currently anyone (well, root) can just mount -u -w them. > > Is this an implementation problem in mount(2)? (I haven't looked at the > code). Or is this going to break things for people (amd? in high > securelevels?). What am I missing? I wrote a very simple patch that disallows mount(2) calls at elevated securelevel some time ago. Check the -security archives for December or so. Also look for a long thread on the whole question of turning off mount(2) at high securelevel. As for breaking things, yes, it will. You cannot mount stuff. But that's the whole idea. ;) OK, found it in the archive, http://docs.freebsd.org/mail/archive/2000/freebsd-security/20001224.freebsd-security.html Look at the 'Read-Only Filesystems' thread. -- Crist J. ClarkNetwork Security Engineer [EMAIL PROTECTED]Globalstar, L.P. (408) 933-4387FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
Re: adding "noschg" to ssh and friends
On 30-May-2001, Karsten W. Rohrbach wrote: > there are some real high-impact tweaks to be a little bit safer from > rootkits. one of them is mounting /tmp noexec. drawback: you got to > remount it exec for make installworld. An alternate approach (which I use) is: # make TMPDIR=/some/other/dir installworld -- |David McNett |To ensure privacy and data integrity this message has| |[EMAIL PROTECTED]|been encrypted using dual rounds of ROT-13 encryption| |Austin, TX USA|Please encrypt all important correspondence with PGP!| PGP signature
remounts (was: Re: adding "noschg" to ssh and friends)
"Karsten W. Rohrbach" <[EMAIL PROTECTED]> wrote: > there are some real high-impact tweaks to be a little bit safer from > rootkits. one of them is mounting /tmp noexec. drawback: you got to > remount it exec for make installworld. I always wondered... Why are remounts permitted in all securelevels? I mean, in a locked-down system where it's acceptable to force a reboot in order to upgrade (or run a rootkit), I should be able to enforce read-only mounts. Currently anyone (well, root) can just mount -u -w them. Is this an implementation problem in mount(2)? (I haven't looked at the code). Or is this going to break things for people (amd? in high securelevels?). What am I missing? To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
Re: adding "noschg" to ssh and friends
:I guess in general, that may be correct. But wouldn't you want some :reassurance that your only "secure" connection to the machine is not :tamered with? That is, if your machine is compromised, and the only :way you can connect to it is via a trojaned service, then you're :really hosed. I think ssh should be protected from this type of :attack. Well, lets see... what if someone modified /etc/ssh/config ? Or what if someone added a command= directive to your public key in ~/.ssh/authorized_keys ? Or what if someone modified pam (which ssh uses) ? Or what if someone changed the ldconfig path? etc etc etc. So the answer is no. :In any case, what about my other question? If I "schg" the ssh :related executables and libs, will installworld croak or does it know :to noschg all files first? I can't see that it does it even for the :binaries that are schg in the system already (like rsh). I've no idea on that one. -Matt To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
