[nycbug-talk] BSD Chapter in HLE
nycbug at cyth.net
Fri Sep 15 18:27:18 EDT 2006
On Fri, Sep 15, 2006 at 06:05:41PM -0400, George R. wrote:
> Ray Lai wrote:
> > On Fri, Sep 15, 2006 at 01:58:37PM -0400, George R. wrote:
> >>> - /etc/ssh/sshd_config
> >> question of root enabled by default, although I think this has changed
> >> now with obsd.
> > Nope, still enabled.
> double negative time. . . I don't have a recent obsd box to look at, but
> I am stating that I think that obsd *now* enabled default root access as
> per sshd_conf.. . am i correct or wrong?
> I remember the arguments around this. . .
root has always been enabled in sshd.
> and dru, don't forget your mtree-as-poorman's-tripwire. . . but again,
> found both in linux and the bsds.
Example usage can be found in security(8):
Check for permission changes in special files and system
binaries listed in /etc/mtree/special. security also provides
hooks for administrators to create their own lists. These lists
should be kept in /etc/mtree/ and filenames must have the suffix
``.secure''. The following example shows how to create such a
list, to protect the home directory of user ``bob'':
# mtree -cx -p /home/bob -K md5digest,type >/etc/mtree/bob.secure
# chown root:wheel /etc/mtree/bob.secure
# chmod 600 /etc/mtree/bob.secure
Note: These checks do not provide complete protection against
Trojan horsed binaries, as the miscreant can modify the tree
specification to match the replaced binary. For details on
really protecting yourself against modified binaries, see
More information about the talk