netfilter firewalling problems and solutions

Archaic archaic at indy.rr.com
Fri Feb 20 14:34:42 PST 2004


On Fri, Feb 20, 2004 at 05:30:19PM -0500, Robert Connolly wrote:
> 
> If everything is immutable then nothing will be modified. /var/log can be 
> ignored because logs don't need to be deinstalled. I don't think I want 
> anything installing to /etc automatically. The install log, and /etc files 
> would need to be checked by hand after make install. Uniq can check install 
> logs to make sure no two logs have the same entry.

That could be considered a big hassle to reset immutability each time
you need to modify something. Granted, once it's set properly it
shouldn't need changing often. Also, chattr is only for ext2/3.

> There is an old post, maybe to security@ from decemberish. I think there is a 
> way to hardlink to an suid binary, so if it's deinstalled and reinstalled, the 
> user can run the old binary, which might be lacking security fixes that are 
> in the new one. I've also seen this attack described on the coreutils ml.

That's what I was referring to. A person couldn't do that with the
openwall patch and the appropriate option set in menuconfig. I've tried.
Kernel refuses to follow the link (under certain circumstances).

> The same method that prevents a non-pax or non-selinux kernel from booting. 
> The admin needs to keep those kernels off the computer. But, if a user is 
> able to reboot your machine, they're also able to overwrite the kernel 
> (usually).

Off computer requires physical access. We need to stay away from that if
at all possible.

> I can't think of a good reason why lfs needs write permission to /tools after 
> chap6. And I can't think of a good reason root should be installing /tools. 
> But if chattr +i is being used between installs, root would have to do that, 
> along with chown; but switching back and forth is messy. If user lfs doesn't 
> have a password, and root has to su down to login as lfs, then I don't think 
> it opens up many vulnerabilities.

If you're going to chattr +i them (requiring ext2/3) then why have user lfs
at all? If it requires rooting a box, then you may as well have them
root owned. There is no extra security, only extra work for the admin.

-- 
Archaic

To announce that there must be no criticism of the President or that we
are to stand by the President, right or wrong, is not only unpatriotic
and servile but it is morally treasonable to the American public.

- Theodore Roosevelt, May 7, 1918
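The stale-suid-hardlink problem and the install-log checking discussed in this thread, as an added example that is not part of the original post or of the HLFS project. The scenario (a suid "tool", a second hard link kept in a home directory, a reinstall that unlinks and recreates the binary) and the one-line manifest are constructed in a scratch directory; the function names are this example's own. It shows why a link-count audit only helps before the reinstall, and why the install log is the check that still works afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for setuid/setgid files
# that survive a package reinstall through an extra hard link.

# List setuid/setgid regular files under DIR that currently have more than
# one hard link. Useful BEFORE a reinstall: while both names point at the
# same inode, the extra link shows up in the link count.
find_multilink_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 2>/dev/null
}

# List setuid/setgid regular files under DIR whose path relative to DIR is not
# in MANIFEST (one relative path per line, e.g. an install log). AFTER the
# reinstall the stale inode has a single link again, so only this comparison
# still catches it.
audit_suid_against_manifest() {
    dir=$1; manifest=$2
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r path; do
        rel=${path#"$dir"/}
        grep -qxF "$rel" "$manifest" || printf '%s\n' "$rel"
    done
}

# Build the constructed scenario: install a suid "tool", keep a second hard
# link to it from a home directory, record only the official path in the
# manifest. Prints the scratch directory so callers can inspect and clean it.
build_scenario() {
    d=$(mktemp -d)
    mkdir "$d/bin" "$d/home"
    printf 'version 1\n' > "$d/bin/tool"
    chmod 4755 "$d/bin/tool"
    ln "$d/bin/tool" "$d/home/tool"        # the extra name that will outlive the reinstall
    printf 'bin/tool\n' > "$d/manifest"    # what the install log says should exist
    printf '%s\n' "$d"
}

# Simulate a package reinstall: unlink the old binary and write a new one.
# The old inode (with its old code and its suid bit) lives on under home/tool.
reinstall_tool() {
    rm "$1/bin/tool"
    printf 'version 2\n' > "$1/bin/tool"
    chmod 4755 "$1/bin/tool"
}

# Walk through the scenario when run directly.
if [ "${0##*/}" = "suid_hardlink_audit.sh" ]; then
    d=$(build_scenario)
    echo "before reinstall, multi-link suid files:"; find_multilink_suid "$d"
    reinstall_tool "$d"
    echo "after reinstall, multi-link suid files:";  find_multilink_suid "$d"
    echo "after reinstall, suid files not in manifest:"
    audit_suid_against_manifest "$d" "$d/manifest"
    rm -rf "$d"
fi
```

The `-xdev` flag keeps the audit on one filesystem, which matters because a hard link cannot cross filesystems anyway. On mainline kernels the kernel-side protection the reply attributes to the openwall patch is available as `sysctl fs.protected_hardlinks=1`, which refuses hard links to files the caller does not own and cannot both read and write; the manifest comparison above is the userland check that remains useful either way.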




More information about the hlfs-dev mailing list