| From | Sent On | Attachments |
|---|---|---|
| Omachonu Ogali | Jan 16, 2000 10:04 am | |
| Will Andrews | Jan 16, 2000 12:03 pm | |
| Omachonu Ogali | Jan 16, 2000 2:10 pm | |
| Will Andrews | Jan 16, 2000 2:29 pm | |
| Omachonu Ogali | Jan 16, 2000 3:11 pm | |
| Sheldon Hearn | Jan 17, 2000 2:57 am | |
| Adam | Jan 17, 2000 12:47 pm | |
| Omachonu Ogali | Jan 17, 2000 6:03 pm | |
| Keith Stevenson | Jan 17, 2000 8:20 pm | |
| Michael Robinson | Jan 17, 2000 9:24 pm | |
| Sheldon Hearn | Jan 17, 2000 10:09 pm | |
| Omachonu Ogali | Jan 18, 2000 4:02 am | |
| Sheldon Hearn | Jan 18, 2000 4:20 am | |
| Omachonu Ogali | Jan 18, 2000 7:35 am | |
| Cy Schubert - ITSD Open Systems Group | Jan 18, 2000 8:04 am | |
| Omachonu Ogali | Jan 18, 2000 8:15 am | |
| Sheldon Hearn | Jan 18, 2000 12:14 pm | |
| Cy Schubert | Jan 18, 2000 1:42 pm | |
| Robert Watson | Jan 18, 2000 3:59 pm | |
| Subject: | Re: Parent Logging Patch for sh(1) | |
|---|---|---|
| From: | Omachonu Ogali (oog...@intranova.net) | |
| Date: | Jan 18, 2000 4:02:04 am | |
| List: | org.freebsd.freebsd-security | |
The first patch (sh-log.patch) didn't offer denying features; I then wrote a second one that did. My main focus was on BIND: I haven't seen someone yet who has smashed the stack and changed argv[0], and secondly, it reads the process name from the /proc filesystem, so if you do change the program name on the stack, the original still exists...

Omachonu Ogali
Intranova Networking Group
On Tue, 18 Jan 2000, Sheldon Hearn wrote:

> On Mon, 17 Jan 2000 21:04:07 EST, Omachonu Ogali wrote:
>
> > http://tribune.intranova.net/archives/sh-log+access.patch adds uid and username logging along with a deny list (/etc/sh.deny).
>
> When you first posted, you neglected to mention that your patch included a deny list (/etc/sh.deny). This puts a different spin on things. :-)
>
> While it sounds attractive on the surface, think how easy it is to work around -- the exploit code must simply change its progname to something which will never be in /etc/sh.deny (e.g. login).
>
> So your patch scores something useful for a week, whereafter the script kiddies catch up and we're back to square one. :-)
>
> No, if this is to be done, it's with per-process credentials. Someone is already working on such a system for FreeBSD. Since you seem interested in helping out with the process of hardening FreeBSD, I urge you to contact Robert Watson, who's spearheading the current hardening project.
>
> You can reach him at Robert Watson <robert+free...@cyrus.watson.org>.
>
> Thanks for your interest in a more secure FreeBSD. :-)
>
> Ciao, Sheldon.
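As an added example (not the sh-log+access.patch under discussion), a minimal version of the parent check the message describes: at shell startup it reads the parent's name from /proc, records uid, username and parent, and consults an /etc/sh.deny-style list. The Linux /proc/<pid>/comm layout, the one-name-per-line file format and the sample entries are assumptions, not taken from the thread.

```c
/* Added example, not the thread's patch: log who spawned the shell and
 * consult an /etc/sh.deny-style list.  Assumes Linux /proc/<pid>/comm
 * (FreeBSD's procfs differs) and a one-name-per-line, '#'-comment file
 * format, which the thread does not specify. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
/* Read the name the kernel recorded for pid; 0 if /proc is unavailable. */
int proc_name(pid_t pid, char *buf, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (!ok) return 0;
    buf[strcspn(buf, "\n")] = '\0';   /* drop trailing newline */
    return 1;
}
/* 1 if name is a whole line of the list ("name" must not match "named"). */
int in_deny_list(const char *list, const char *name) {
    size_t n = strlen(name);
    for (const char *p = list; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (n && linelen == n && p[0] != '#' && memcmp(p, name, n) == 0)
            return 1;
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}
/* Build the log line the shell would emit at startup (uid, username,
 * parent pid and name); return 1 when the parent is on the deny list. */
int check_parent(const char *denylist, char *logline, size_t len) {
    pid_t ppid = getppid();
    char pname[64] = "unknown";
    proc_name(ppid, pname, sizeof pname);
    struct passwd *pw = getpwuid(getuid());
    int denied = in_deny_list(denylist, pname);
    snprintf(logline, len, "sh: uid=%d user=%s ppid=%d parent=%s %s",
             (int)getuid(), pw ? pw->pw_name : "?", (int)ppid, pname,
             denied ? "DENIED" : "allowed");
    return denied;
}
/* Constructed deny list for demonstration (would live in /etc/sh.deny). */
static const char DENY_LIST[] =
    "# daemons that should never spawn a shell\nnamed\nhttpd\n";
```

The log line is what a defender would actually ship to syslog; the match is exact per line, so a parent called "name" is not refused by an entry "named".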