conf/22102

Ryan Mooney ryan at pcslink.com
Mon Aug 18 10:50:08 PDT 2003


The following reply was made to PR conf/22102; it has been noted by GNATS.

From: Ryan Mooney <ryan at pcslink.com>
To: Kris Kennaway <kris at obsecurity.org>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: conf/22102
Date: Mon, 18 Aug 2003 06:55:11 -1000

 
 
 Kris,
 
 I no longer have access to the systems that I was working on this on,
 so this may not be 100% as accurate as I'd like :)
 
 Basically the idea is that all the dirs in ${local_startup} are running 
 mostly 3rd party vendor scripts - which are by nature less trusted.  
 Since in /etc/rc the securelevel is not set until AFTER they run, if
 they "do something bad" (hack apache startup, whatever) they could do 
 things to my system bypassing immutable files, etc... This COULD be
 partially solved by making all the vendor stuff immutable too, but
 when I started doing that, it ended up getting really ugly and I
 had to hit all the libraries, etc etc... as well.  
 
 A simpler solution that elevated the security somewhat without any
 noticeable side effects (in most cases unless someone's rc.* script 
 depended on an nfs client or a kerberos server running) was to simply
 move the local_startup code after net3 and securelevel.
 I don't know if anyone else is paranoid enough to care about this..
 
 > Testing whether the email delivery problems persist.
 > 
 > Kris
 
 -- 
 >-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<
 Ryan Mooney          				 ryan at pcslink.com 
 <-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=-> 
 
 --45Z9DzgjV8m4Oswq
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename=diffs
 
 *** rc	Mon Aug 18 06:37:32 2003
 --- rc.old	Mon Aug 18 06:37:13 2003
 ***************
 *** 685,712 ****
   	echo '.'
   fi
   
 - if [ -n "${network_pass3_done}" ]; then
 - 	network_pass4
 - fi
 - 
 - # Late pass to set variables we missed the first time
 - #
 - if [ -r /etc/rc.sysctl ]; then
 - 	sh /etc/rc.sysctl last
 - fi
 - 
 - # Raise kernel security level.  This should be done only after `fsck' has
 - # repaired local file systems if you want the securelevel to be greater than 1.
 - #
 - case ${kern_securelevel_enable} in
 - [Yy][Ee][Ss])
 - 	if [ "${kern_securelevel}" -ge 0 ]; then
 - 		echo 'Raising kernel security level: '
 - 		sysctl kern.securelevel=${kern_securelevel}
 - 	fi
 - 	;;
 - esac
 - 
   # For each valid dir in $local_startup, search for init scripts matching *.sh
   #
   case ${local_startup} in
 --- 685,690 ----
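Review bot: the file headers name `*** rc` (06:37:32) as the from-file and `--- rc.old` (06:37:13) as the to-file, so the diff is reversed relative to the description. Read literally, this hunk removes the network_pass4 / rc.sysctl last / securelevel block from in front of the `case ${local_startup} in` line. Regenerate it as `diff -c rc.old rc`, or say that it must be applied with `patch -R`, so that the securelevel raise ends up ahead of the local startup scripts as the message intends.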
 ***************
 *** 738,743 ****
 --- 716,743 ----
   	done
   	IFS="${script_save_sep}"
   	echo '.'
 + 	;;
 + esac
 + 
 + if [ -n "${network_pass3_done}" ]; then
 + 	network_pass4
 + fi
 + 
 + # Late pass to set variables we missed the first time
 + #
 + if [ -r /etc/rc.sysctl ]; then
 + 	sh /etc/rc.sysctl last
 + fi
 + 
 + # Raise kernel security level.  This should be done only after `fsck' has
 + # repaired local file systems if you want the securelevel to be greater than 1.
 + #
 + case ${kern_securelevel_enable} in
 + [Yy][Ee][Ss])
 + 	if [ "${kern_securelevel}" -ge 0 ]; then
 + 		echo 'Raising kernel security level: '
 + 		sysctl kern.securelevel=${kern_securelevel}
 + 	fi
   	;;
   esac
   
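Review bot: the block that travels with the securelevel raise also contains `network_pass4` and `sh /etc/rc.sysctl last`, which is more than the message discusses. With the intended ordering, every script under ${local_startup} runs after the last sysctl pass and with kern.securelevel already set. That should be stated in a comment beside the `case ${kern_securelevel_enable} in` block and in the documentation for local_startup. Since the message itself says scripts that depend on an NFS client or a Kerberos server can be affected, consider making the new order selectable from rc.conf rather than an unconditional reorder.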
 

