On Tue, 17 Dec 1996, Todd Graham Lewis wrote:
: If a hacker gains root on your firewall, haven't you, uhh, already lost?
That depends. If the firewall box doesn't have special privileges on the
rest of your network (it shouldn't!), like password-less remote-logins
from the firewall box aren't accepted elsewhere, you may still be on
the winning side.
If everything related to system configuration (firewall proxy settings,
packet filters, logfiles, statistics scripts, crontabs, ...) on the
firewall box is immutable and the system is running in secure mode,
even 'root' can't do much damage. Sure, he can reboot the system, but
it will come back in single-user mode, so someone has to walk up to
the system console.
I'll give you a demo on FreeBSD. In the example I am 'root'; I set
"rdist" immutable and then try to set the suid-root bit on it:
0. # ls -l /usr/bin/rdist
-r-xr-xr-x 1 root bin 45056 May 1 15:50 /usr/bin/rdist
1. make immutable
# chflags simmutable /usr/bin/rdist
2. set kernel security level to '1' (was '0')
# sysctl -w 'kern.securelevel=1'
kern.securelevel: 0 -> 1
3. attempt to set suid-root bit
# chmod u+s /usr/bin/rdist
chmod: /usr/bin/rdist: Operation not permitted
4. attempt to unset immutable
# chflags nosimmutable /usr/bin/rdist
chflags: /usr/bin/rdist: Operation not permitted
5. attempt to lower kernel security level:
# sysctl -w 'kern.securelevel=0'
kern.securelevel: Operation not permitted
What I learned in this thread is that Linux ext2fs has extra 'flags'
in the inode too (can anybody tell me as of which version?)...
--[ Edwin ]--
Edwin H. Kremer, systems- and network administrator. <edwin .
Dept. of Computer Science, Utrecht University, The Netherlands [WHOIS: ehk3]
-------------------- http://www.cs.ruu.nl/people/edwin/ -----------------------
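A scripted version of the lockdown Edwin demonstrates above, as an added example that is not part of the original post or of FreeBSD itself. It does the `chflags` / `kern.securelevel` steps for a list of files and, more usefully, audits a box for them: two pure functions parse `ls -lo` and `sysctl kern.securelevel` output, so the check can be exercised offline against the constructed listing embedded below, and only `audit_host` / `lock_host` touch a live system. The file list, the choice of `sappnd` (append-only) rather than `schg` for log files so syslogd can still write to them, and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits (and, on FreeBSD as
# root, applies) the immutable-flag + securelevel lockdown described above.
# The path list and the choice of sappnd for log files are assumptions.

# Files a firewall box should not let even root rewrite. Logs get sappnd
# (append-only) instead of schg so syslogd can still write to them.
LOCKED_FILES="/etc/rc.firewall /etc/ipf.rules /etc/crontab /usr/bin/rdist /var/log/messages"

# expected_flag PATH -> the flag the lockdown wants on that path.
expected_flag() {
    case "$1" in
        /var/log/*) echo sappnd ;;
        *)          echo schg ;;
    esac
}

# has_flag LINE FLAG -> success if a FreeBSD `ls -lo` line carries FLAG.
# With -o, field 5 is the comma-separated flag list, or "-" when none is set.
has_flag() {
    _flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$_flags," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_listing LISTING -> one "OK"/"MISSING" line per `ls -lo` line.
# A log carrying schg instead of sappnd is reported too: nobody, not even
# syslogd, could append to it, so the box would silently stop logging.
audit_listing() {
    printf '%s\n' "$1" | while IFS= read -r _line; do
        [ -n "$_line" ] || continue
        _path=${_line##* }                 # last field; assumes no spaces in paths
        _want=$(expected_flag "$_path")
        if has_flag "$_line" "$_want"; then
            echo "OK      $_path ($_want)"
        else
            echo "MISSING $_path (wants $_want)"
        fi
    done
}

# securelevel_ok OUTPUT -> success if `sysctl kern.securelevel` reports >= 1.
# At 1 or higher the kernel refuses to clear schg/sappnd and refuses to lower
# the level itself; only init can, when dropping to single-user mode.
securelevel_ok() {
    _lvl=$(printf '%s\n' "$1" | sed -n 's/^kern\.securelevel: *\(-*[0-9][0-9]*\).*/\1/p')
    [ -n "$_lvl" ] && [ "$_lvl" -ge 1 ]
}

# Constructed sample listing (not captured from a real host) used by the
# self-check below: rdist and messages are correct, rc.firewall has no flag
# at all, and ipf.log was locked with schg instead of sappnd.
SAMPLE_LISTING='-r-xr-xr-x  1 root  bin   schg   45056 May  1 15:50 /usr/bin/rdist
-rw-r--r--  1 root  wheel -        812 Dec 10 09:12 /etc/rc.firewall
-rw-r-----  1 root  wheel sappnd 40960 Dec 17 11:03 /var/log/messages
-rw-r-----  1 root  wheel schg   20480 Dec 17 11:03 /var/log/ipf.log'

# audit_host: run the real commands (read-only, FreeBSD only; -o means
# something else on GNU ls, so this part is skipped elsewhere).
audit_host() {
    [ "$(uname -s)" = FreeBSD ] || { echo "audit_host: not FreeBSD, skipped" >&2; return 2; }
    audit_listing "$(for _f in $LOCKED_FILES; do [ -e "$_f" ] && ls -lo "$_f"; done)"
    securelevel_ok "$(sysctl kern.securelevel)" || echo "MISSING kern.securelevel (wants >= 1)"
}

# lock_host: apply the flags, then raise the level. Order matters: setting a
# flag is still allowed at securelevel 1, clearing it is not, so the sysctl
# goes last. To make the level survive reboots, current FreeBSD takes
# kern_securelevel_enable="YES" and kern_securelevel="1" in /etc/rc.conf.
lock_host() {
    [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ] || { echo "lock_host: needs root on FreeBSD" >&2; return 2; }
    for _f in $LOCKED_FILES; do
        [ -e "$_f" ] && chflags "$(expected_flag "$_f")" "$_f"
    done
    sysctl kern.securelevel=1
}

case "${1:-}" in
    audit) audit_host ;;
    lock)  lock_host ;;
    *)     audit_listing "$SAMPLE_LISTING"
           securelevel_ok 'kern.securelevel: 1' && echo "OK      kern.securelevel (1)" ;;
esac
```

Run with no argument to see the audit over the constructed listing (two MISSING lines: the unflagged rc.firewall and the wrongly-flagged ipf.log), `audit` for a read-only check of a real FreeBSD host, and `lock` as root to apply it. The two-stage order in `lock_host` is the point of the whole scheme: once the level is 1, the only way back to `chflags noschg` is a trip through single-user mode at the console.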