Firewall Wizards mailing list archives
Re: Hardening, (was Re: chroot useful?)
From: Darren Reed <darrenr () cyber com au>
Date: Mon, 24 Nov 1997 00:50:40 +1100 (EST)
In some mail I received from Marcus J. Ranum, sie wrote [...]
Now pour a pot of coffee and start tearing things up. Reboot periodically. When something breaks, revert, fix, and then checkpoint. Continue. Initial zaps would be broad-brush (man pages, /usr/contrib, etc...) eventually things would get more detailed.
Sigh. Why does everyone pick on man pages? You don't get the text-based manuals for Unix anymore (unless you pay $$ extra), and if your firewall is running BSDI or Linux in an otherwise Solaris shop, you're not in the best situation. I also, personally, find it very annoying to not be able to do "man foo" when I want to check up on foo's command line options and I need to do it in a window other than the one I'm working in. There are so many different versions of the unix commands out there today that trying to use them without the appropriate man pages installed is close to enough to drive you insane. Maybe if man pages were not owned by root or were group writable to some insecure group there might be an exposure from the macros, but I've yet to hear of someone being broken into because of a trojan'd man page, etc. [...]
immediately setuid to a non-root user. Then, if you're inclined, play kernel games:
[...] Linux, modern BSDs all support the idea of immutable files which can achieve many of the points you list. Problem is, nobody seems to use them in standard installations. Maybe because of the inconvenience to normal activities? Who knows.
Darren
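
The exposure condition named in the message above (man pages not owned by root, or writable by an untrusted group), written as a check over a man tree. This is an added example, not part of the original post; the names `check_entry` and `audit_man_tree`, the default path `/usr/share/man` and the trusted uid/gid defaults of 0 are assumptions.

```python
import os
import stat
import sys


def check_entry(path, trusted_uid, trusted_gids):
    """Return the reasons someone other than the trusted owner could alter path."""
    st = os.lstat(path)  # lstat: judge a symlink itself, never its target
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}")
    if stat.S_ISLNK(st.st_mode):
        return reasons  # mode bits on a symlink carry no meaning
    if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
        reasons.append(f"writable by gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_man_tree(root, trusted_uid=0, trusted_gids=(0,)):
    """Map each risky entry under root (relative path) to its list of reasons."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # A writable directory lets a page be replaced, so check it as well.
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        # Symlinked directories are not descended into; check the link itself.
        candidates += [os.path.join(dirpath, d) for d in dirnames
                       if os.path.islink(os.path.join(dirpath, d))]
        for path in candidates:
            reasons = check_entry(path, trusted_uid, trusted_gids)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


if __name__ == "__main__":
    tree = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/man"  # assumed path
    for rel, why in sorted(audit_man_tree(tree).items()):
        print(f"{rel}: {', '.join(why)}")
```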