Subject: Making setuid files immutable
To: None <tech-security@netbsd.org>
From: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
List: tech-security
Date: 01/15/1999 14:48:49

Hi,

scanning my 1.3.3-system I noted that the SF_IMMUTABLE bit is not set on any
security-relevant files (like /usr/bin/login or /usr/bin/su). Setting this bit
would greatly enhance system security as hackers could not stealthily modify
these files when the system runs at securelevel > 0.
Also, the SF_APPEND bit is not set on critical system log files.

I'd like to suggest to set the SF_IMMUTABLE bit on all security-relevant files
(I have all setuid files in mind) and the SF_APPEND bit on critical system log
files.

I can see one problem here: especially -current users who like to often rebuild
their systems run into problems as `make install' will fail on immutable files.
They first would have to bring down their system in single user mode and clear
the SF_IMMUTABLE bit.

I have the following suggestion: we could write a command that sets/removes the
SF_IMMUTABLE and SF_APPEND bits as appropriate for a secure system. Sysinst
could use this command as a last step in the installation to turn the system
secure. -current users would bring the system to single-user and remove the
bits before rebuilding/installing using this command. Later, security could be
turned on again.

I would volunteer to write this command if there is consensus that it will be
committed. Thoughts?

[follow ups to tech-security suggested]
--
Dr. Alexandre Wennmacher
Institut fuer Geophysik und Meteorologie wennmach@geo.Uni-Koeln.DE
Universitaet zu Koeln phone +49 221 470 - 3387
D-50923 Koeln fax +49 221 470 - 5198
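
A sketch of the kind of command proposed above, added here as an example; it is not part of the original message and not NetBSD's own code. The function name plan_flags, the APPLY switch and the log file list are assumptions. It uses the chflags(1) keywords schg (SF_IMMUTABLE) and sappnd (SF_APPEND), and prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post. "plan_flags" is a hypothetical
# name. chflags(1) keywords: schg = SF_IMMUTABLE, sappnd = SF_APPEND;
# a "no" prefix clears the flag.

# Log files to make append-only. Constructed sample list (assumption).
LOGFILES="${LOGFILES:-/var/log/authlog /var/log/messages}"

# Print each command by default; execute it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# plan_flags secure|open DIR...
#   secure: set schg on setuid files under DIR, sappnd on the log files
#   open:   clear both again (the kernel allows this only at securelevel <= 0)
plan_flags() {
    mode=$1
    case $mode in
        secure) imm=schg;   app=sappnd ;;
        open)   imm=noschg; app=nosappnd ;;
        *) echo "usage: plan_flags secure|open dir..." >&2; return 2 ;;
    esac
    shift
    if [ "$mode" = open ] && [ "${APPLY:-0}" = 1 ]; then
        lvl=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
        if [ "$lvl" -gt 0 ]; then
            echo "securelevel is $lvl: go to single-user mode first" >&2
            return 1
        fi
    fi
    # Regular files with the setuid bit; -xdev keeps find on one filesystem.
    find "$@" -xdev -type f -perm -4000 -print |
    while IFS= read -r f; do
        run chflags "$imm" "$f"
    done
    for f in $LOGFILES; do
        if [ -f "$f" ]; then run chflags "$app" "$f"; fi
    done
    return 0
}
```

Reviewing the printed list before running with APPLY=1 shows exactly which files `make install' would later fail on.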