Subject: Re: verified executable kernel modification committed
To: matthew green <mrg@eterna.com.au>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 10/30/2002 08:53:23
>   ...and it also can't tell you if the raw disk was frobbed out from
>   underneath you.  chflags protects things at the ffs layer.  if you go
>   below that, all bets are off.
>
>i dunno.  chflags isn't useful (*) without securelevel > 1 anyway,
>at which point you can't frob the raw disk without physical (console)
>access...

make that securelevel > 0, since at securelevel 1, you can no longer
clear sappnd or schg.

>i guess my point is if i can modify the raw disk i can pretty much
>do whatever i like already, regardless of vexec - i can probably 
>change the vexec-ok list and cause a reboot - sure, you will notice
>this but to attack the machine protected with chflags would need as
>much force - a shutdown to single user or more.

true, but that's more complex than merely changing the binary.

>this is not to say i don't find vexec useful.  i know several
>systems that i will definitely use it on.  i just don't think it
>necessarily is inherently more secure than chflags protection.

well, it's certainly not less.

>(*) for security, that is.  "uappnd" flags are *always* useful IMO. :)

of course!

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."