conf/22102
Ryan Mooney
ryan at pcslink.com
Mon Aug 18 10:50:08 PDT 2003
The following reply was made to PR conf/22102; it has been noted by GNATS.
From: Ryan Mooney <ryan at pcslink.com>
To: Kris Kennaway <kris at obsecurity.org>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: conf/22102
Date: Mon, 18 Aug 2003 06:55:11 -1000
--45Z9DzgjV8m4Oswq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Kris,
I no longer have access to the systems that I was working on this on,
so this may not be 100% as accurate as I'd like :)
Basically the idea is that all the dirs in ${local_startup} are running
mostly 3rd party vendor scripts - which are by nature less trusted.
Since in /etc/rc the securelevel is not set until AFTER they run, if
they "do something bad" (hack apache startup, whatever) they could do
things to my system bypassing immutable files, etc... This COULD be
partially solved by making all the vendor stuff immutable to, but
when I started doing that, it ended up getting really ugly and I
had to hit all the libraries, etc etc... as well.
A simpler solution that elevated the security somewhat without any
noticable side effects (in most cases unless someones rc.* script
depended on an nfs client or a kerberos server running) was to simply
move the local_startup code after net3 and securelevel.
I don't know if anyone else is paranoid enough to care about this..
> Testing whether the email delivery problems persist.
>
> Kris
--
>-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<
Ryan Mooney ryan at pcslink.com
<-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=->
--45Z9DzgjV8m4Oswq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=diffs
*** rc Mon Aug 18 06:37:32 2003
--- rc.old Mon Aug 18 06:37:13 2003
***************
*** 685,712 ****
echo '.'
fi
- if [ -n "${network_pass3_done}" ]; then
- network_pass4
- fi
-
- # Late pass to set variables we missed the first time
- #
- if [ -r /etc/rc.sysctl ]; then
- sh /etc/rc.sysctl last
- fi
-
- # Raise kernel security level. This should be done only after `fsck' has
- # repaired local file systems if you want the securelevel to be greater than 1.
- #
- case ${kern_securelevel_enable} in
- [Yy][Ee][Ss])
- if [ "${kern_securelevel}" -ge 0 ]; then
- echo 'Raising kernel security level: '
- sysctl kern.securelevel=${kern_securelevel}
- fi
- ;;
- esac
-
# For each valid dir in $local_startup, search for init scripts matching *.sh
#
case ${local_startup} in
--- 685,690 ----
***************
*** 738,743 ****
--- 716,743 ----
done
IFS="${script_save_sep}"
echo '.'
+ ;;
+ esac
+
+ if [ -n "${network_pass3_done}" ]; then
+ network_pass4
+ fi
+
+ # Late pass to set variables we missed the first time
+ #
+ if [ -r /etc/rc.sysctl ]; then
+ sh /etc/rc.sysctl last
+ fi
+
+ # Raise kernel security level. This should be done only after `fsck' has
+ # repaired local file systems if you want the securelevel to be greater than 1.
+ #
+ case ${kern_securelevel_enable} in
+ [Yy][Ee][Ss])
+ if [ "${kern_securelevel}" -ge 0 ]; then
+ echo 'Raising kernel security level: '
+ sysctl kern.securelevel=${kern_securelevel}
+ fi
;;
esac
--45Z9DzgjV8m4Oswq--
More information about the freebsd-bugs
mailing list