Subject: Making setuid files immutable
To: None <tech-security@netbsd.org>
From: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
List: tech-install
Date: 01/15/1999 14:48:49
Hi,

scanning my 1.3.3-system I noted that the SF_IMMUTABLE bit is not set on any
security relevant files (like /usr/bin/login or /usr/bin/su). Setting this bit
would greatly enhance system security as hackers could not stealthly modify
these files when the system runs at securelevel > 0.

Also, the SF_APPEND bit is not set on critical system log files.

I'd like to suggest to set the SF_IMMUTABLE bit on all security relevant files
(I have all setuid files in mind) and the SF_APPEND bit on critical system log
files.

I can see one problem here: especially -current users who like to often rebuild
their systems run into problems as `make install' will fail on immutable files.
They first would have to bring down their system in single user mode and clear
the SF_IMMUTABLE bit.

I have the following suggestion: we could write a command that sets/removes the
SF_IMMUTABLE and SF_APPEND bits as appropriate for a secure system. Sysinst
could use this command as a last step in the installation to turn the system
secure. -current users would bring the system to single-user and remove the
bits before rebuiling/installing using this command. Later, security could be
turned on again.

I would volunteer to write this command if there is consensus that it will be
committed. Thoughts?

[follow ups to tech-security suggested]



-- 
Dr. Alexandre Wennmacher
Institut fuer Geophysik und Meteorologie         wennmach@geo.Uni-Koeln.DE
Universitaet zu Koeln                            phone  +49 221 470 - 3387
D-50923 Koeln                                    fax    +49 221 470 - 5198