netfilter firewalling problems and solutions

Archaic archaic at indy.rr.com
Fri Feb 20 11:49:02 PST 2004


On Thu, Feb 19, 2004 at 11:01:54PM -0500, Robert Connolly wrote:
> 
> LFS wasn't designed to have its binaries copied to several machines.

Agreed totally.

> As for package systems, I would like a human readable catalogue/database of the 
> entire system for accounting reasons.
<snip rest of description>

The closest thing I know of is install-log.

> chattr +i might be overkill

Don't knock the power of that command. Too bad it's limited to ext2/3.
Many script kiddies, by definition, are likely to not know that command,
so if they should root you, they will be limited to what they can do.

> More logic for files in /etc too.

The problem with this is that if you modify a file in /etc, it will show
up on the rescan as being newer. Then a config file for apache is sitting
in the proftpd install log.

> When a package is reinstalled, it should be deinstalled first.

With careful note to wipe any hardlinks as well, though a kernel patch
can stop the link attack, and tripwire will tell you if the link count
has changed, but I just wanted to keep this thought in mind.

> like libc the system should boot an initrd to upgrade, so the deinstall 
> doesn't break running the system. A framework like this can still be used by 
> rpm, apt-get, etc, or just simple tarballs and a few commands.

I like the initrd idea. What did you have in mind to protect someone
from rebooting to the initrd or modifying it?

> I've also considered installing chap5 to /stage1, and chap6 tools to /tools. 
> So the compilers can be unmounted, or network mounted. This could work well 
> with crosscompiling too. And if non-root users build packages, it might help 
> to let user lfs own /tools on the finished system, while root still owns the 
> real system.

What purpose would it serve? If someone rooted, it doesn't matter who
owns the compiler bins. If someone gains user lfs privs you're equally
at risk. If they are owned by root, they can only be attacked by the root
user leaving a smaller avenue of attack. Of course, I may not be seeing
the whole picture...

-- 
Archaic

A right is not what someone gives you; it's what no one can take from
you.

- Ramsey Clark
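Not part of the thread: an added Python check, in the spirit of the hardlink note above, that reads an install-log style file list and reports, before a deinstall, which logged files have other names sharing their inode (unlinking only the logged path would leave the data reachable under the other name). The install log contents and the directory tree the demo builds are constructed here, not taken from any real package.

```python
import os
import tempfile
from pathlib import Path

# Constructed install log (paths relative to the root), in the spirit of an
# install-log record; not a real proftpd file list.
INSTALL_LOG = "usr/bin/proftpd\nusr/sbin/ftpshut\netc/proftpd.conf\n"

def build_sample_root():
    """Throwaway tree: the logged files plus one extra hardlink to the
    daemon binary that the install log knows nothing about."""
    root = Path(tempfile.mkdtemp(prefix="deinstall-demo-"))
    for rel in INSTALL_LOG.split():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("sample content for " + rel)
    (root / "tmp").mkdir()
    os.link(root / "usr/bin/proftpd", root / "tmp/.proftpd-copy")
    return root

def index_inodes(root):
    """Map (device, inode) to every path under root sharing that inode."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            st = full.lstat()  # lstat: a symlink is its own inode
            key = (st.st_dev, st.st_ino)
            index.setdefault(key, []).append(str(full.relative_to(root)))
    return index

def check_deinstall(root, install_log):
    """For each logged file with st_nlink > 1, list the other names sharing
    its inode: unlinking only the logged path would leave the data reachable
    under those names. Links the walk cannot see are flagged separately."""
    root, logged = Path(root), set(install_log.split())
    index = index_inodes(root)
    findings = {}
    for rel in sorted(logged):
        st = (root / rel).lstat()
        if st.st_nlink <= 1:
            continue  # single name: rm of the logged path really removes it
        seen = index.get((st.st_dev, st.st_ino), [])
        others = sorted(p for p in seen if p not in logged)
        if st.st_nlink > len(seen):  # e.g. a link outside the scanned tree
            others.append("<unlocated link(s)>")
        findings[rel] = others
    return findings
```

The scan only sees names under the tree it walks, so a link count higher than the names found is reported as an unlocated link rather than silently ignored.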