19 messages in org.freebsd.freebsd-securityRe: Parent Logging Patch for sh(1) | From | Sent On | Attachments |
|---|---|---|
| Omachonu Ogali | Jan 16, 2000 10:04 am | |
| Will Andrews | Jan 16, 2000 12:03 pm | |
| Omachonu Ogali | Jan 16, 2000 2:10 pm | |
| Will Andrews | Jan 16, 2000 2:29 pm | |
| Omachonu Ogali | Jan 16, 2000 3:11 pm | |
| Sheldon Hearn | Jan 17, 2000 2:57 am | |
| Adam | Jan 17, 2000 12:47 pm | |
| Omachonu Ogali | Jan 17, 2000 6:03 pm | |
| Keith Stevenson | Jan 17, 2000 8:20 pm | |
| Michael Robinson | Jan 17, 2000 9:24 pm | |
| Sheldon Hearn | Jan 17, 2000 10:09 pm | |
| Omachonu Ogali | Jan 18, 2000 4:02 am | |
| Sheldon Hearn | Jan 18, 2000 4:20 am | |
| Omachonu Ogali | Jan 18, 2000 7:35 am | |
| Cy Schubert - ITSD Open Systems Group | Jan 18, 2000 8:04 am | |
| Omachonu Ogali | Jan 18, 2000 8:15 am | |
| Sheldon Hearn | Jan 18, 2000 12:14 pm | |
| Cy Schubert | Jan 18, 2000 1:42 pm | |
| Robert Watson | Jan 18, 2000 3:59 pm |
| Subject: | Re: Parent Logging Patch for sh(1) | |
|---|---|---|
| From: | Sheldon Hearn (shel...@uunet.co.za) | |
| Date: | Jan 17, 2000 10:09:34 pm | |
| List: | org.freebsd.freebsd-security | |
On Mon, 17 Jan 2000 21:04:07 EST, Omachonu Ogali wrote:
http://tribune.intranova.net/archives/sh-log+access.patch adds uid and username logging along with a deny list (/etc/sh.deny).
When you first posted, you neglected to mention that your patch included a deny list (/etc/sh.deny). This puts a different spin on things. :-)
While it sounds attractive on the surface, think how easy it is to work around -- the exploit code must simply change its progname to something which will never be in /etc/sh.deny (e.g. login).
So your patch scores something useful for a week, whereafter the script kiddies catch up and we're back to square one. :-)
No, if this is to be done, it's with per-process credentials. Someone is already working on such a system for FreeBSD. Since you seem interested in helping out with the process of hardening FreeBSD, I urge you to contact Robert Watson, who's spearheading the current hardening project.
You can reach him at Robert Watson <robert+free...@cyrus.watson.org>.
Thanks for your interest in a more secure FreeBSD. :-)
Ciao, Sheldon.
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message