[lug] Weird permission changing
stimits at idcomm.com
Thu Jan 24 12:35:06 MST 2002
Chip Atkinson wrote:
> It's Redhat 7.1. I should probably blow that thing away anyway.
> On a related note, I was thinking of ways to make that machine more secure
> without crippling performance. I thought of mounting /bin /usr/bin /sbin
> and /usr/sbin read only, but also thought of burning a cd with all that on
> it and mounting the cd instead. It seems reasonable to me since many
> things would be in buffer cache after a little bit.
Anyone who can get root access can probably remount normal HDs
read/write. The idea of running on a CD is good: you can't alter the
files, but you could possibly alter the image in memory (compromise it
until re-reading the file or rebooting). It might be interesting to
create a partition on the system and use CD tools to burn an iso9660
system on to the partition; the kernel has no write ability for iso9660,
no matter how you compile it. I wonder if the cracker would be smart
enough to know how to burn a new iso onto the hard drive? I doubt that
would be too easy, sort of like doing brain surgery on one's own self.
You can't edit (at least not without some rather sophisticated
approaches) pieces of an iso9660 system, generally you destroy the whole
thing and rewrite it. Doing this on hard drive and mounting it via
loopback would likely be much better performance than a CD, and you
could break it down to more partitions without adding extra CD hardware.
A similar thing could be done with NTFS, but it has some ability to
write if the kernel is recompiled (although it is dangerous to use write
on NTFS, I doubt that would deter a cracker).
D. Stimits, stimits at idcomm.com
> On Wed, 23 Jan 2002, ljp wrote:
> > On Wednesday 23 January 2002 10:32 pm, you wrote:
> > > Greetings all,
> > >
> > > I'm getting some strange behavior and was wondering if anyone has seen
> > > anything similar. I seem to have file permissions changing now and then.
> > > For example, the .ssh/identity file changed mode from 600 to 644.
> > > There are other files that have changed permissions too, but it doesn't
> > > appear that there are trojan versions of any files, that I can see.
> > >
> > > I'm just looking for any hints to save some time at this point.
> > >
> > Sounds like the blasted 'linuxconf'. I hate the program. Might be some other
> > app like that, depending on what distribution you are using.
> > ljp
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
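The original question in this thread is really two questions: which files changed mode, and did any of them also change content (a trojaned binary) rather than just permissions (what a config tool such as linuxconf might do). A small integrity baseline separates the two. The script below is an added example written for this page, not code posted by anyone in the thread; the default roots /bin, /sbin, /usr/bin and /usr/sbin (the directories Chip proposed mounting read-only) and the baseline file name are assumptions.

```python
"""Minimal file-integrity baseline: record mode, owner and SHA-256 of every
regular file under some roots, then report what changed.

Added example for this mailing-list thread; not code from any poster.
The default roots and baseline file name are assumptions."""
import hashlib
import json
import os
import stat
import sys
from pathlib import Path


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries don't load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots):
    """Return {path: {"mode", "uid", "gid", "sha256"}} for every regular file
    under the given roots.  Symlinks, devices and sockets are skipped and
    lstat() is used so a symlink can't redirect us to another file."""
    entries = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                st = os.lstat(p)
                if not stat.S_ISREG(st.st_mode):
                    continue
                entries[p] = {
                    "mode": "%04o" % stat.S_IMODE(st.st_mode),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "sha256": file_digest(p),
                }
    return entries


def compare(baseline, current):
    """Classify differences.  A file whose bytes changed is reported under
    "content" (possible trojan) even if its mode changed too; a file whose
    bytes are identical but whose mode/owner differ is "mode_only", which is
    what the poster saw on .ssh/identity going from 0600 to 0644."""
    report = {"mode_only": [], "content": [], "added": [], "removed": []}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report["removed"].append(path)
        elif new["sha256"] != old["sha256"]:
            report["content"].append((path, old["sha256"][:12], new["sha256"][:12]))
        elif (new["mode"], new["uid"], new["gid"]) != (old["mode"], old["uid"], old["gid"]):
            report["mode_only"].append((path, old["mode"], new["mode"]))
    for path in current:
        if path not in baseline:
            report["added"].append(path)
    return report


def save_baseline(entries, dest):
    Path(dest).write_text(json.dumps(entries, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


if __name__ == "__main__":
    # Usage (assumed CLI, not from the thread):
    #   integrity.py init  baseline.json [roots...]
    #   integrity.py check baseline.json [roots...]
    action, dest = sys.argv[1], sys.argv[2]
    roots = sys.argv[3:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
    if action == "init":
        save_baseline(snapshot(roots), dest)
    else:
        rep = compare(load_baseline(dest), snapshot(roots))
        for kind, items in rep.items():
            for item in items:
                print(kind, item)
```

The caveat Stimits raises about root remounting the disk applies to the baseline file as well: if the box is compromised, a baseline kept on the same writable disk can be regenerated by the intruder, so keep it (and ideally the checker itself) on the read-only media being discussed, or off-host, and run the check from clean boot media when you suspect a trojan.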