[nycbug-talk] security advisory

Charles Sprickman spork
Thu Jan 19 16:40:44 EST 2006


On Thu, 19 Jan 2006, Ray Lai wrote:

> On Thu, Jan 19, 2006 at 03:46:44PM -0500, Charles Sprickman wrote:
>> On Thu, 19 Jan 2006, Isaac Levy wrote:
>>> On Jan 19, 2006, at 3:10 PM, Charles Sprickman wrote:
>>>> I'm logging into all my jail boxes and running "chflags -R noschg /",
>>>> since securelevels are now officially useless.
>>>>
>>>> Onion, shmonion!
>>
>> I'm just having fun with Theo's "securelevels are useless" response.  They
>> may not be a perfect solution, but to just discard the whole idea (flaws
>> and all), you lose a layer of security.  Layers are good.
>
> Securelevels are not file flags.

But file flags aren't much fun if you can change a file from "schg" to 
"noschg", and without securelevels, you can do that.

An example:

root at jailhost[/jails/jail1/etc]# chflags schg login.conf.db

root at jail1[/etc]# id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)

root at jail1[/etc]# cp /tmp/login.conf.db login.conf.db
cp: login.conf.db: Operation not permitted

root at jail1[/etc]# chflags noschg login.conf.db
chflags: login.conf.db: Operation not permitted

While this is some jail trickery that's emulating securelevel file flag 
behaviour in the jail, it illustrates a use that I feel at least helps 
make the barrier to entry for an attacker a little higher.

Additionally, setting schg on a directory seems to stop someone from 
layering something on top of it:

root at jailhost[/jails/jail1/etc/pam.d]# chflags schg .

root at jail1[/etc]# mkdir /tmp/pam.d
root at jail1[/etc]# touch /tmp/pam.d/sshd 
root at jail1[/etc]# mount_nullfs /tmp/pam.d pam.d
mount_nullfs: Operation not permitted

Charles


> -Ray-
>