RE: [cobalt-users] hacked raq + chattr command
- Subject: RE: [cobalt-users] hacked raq + chattr command
- From: flash22@xxxxxxx
- Date: Wed Feb 28 00:10:58 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Tue, 27 Feb 2001, GPS wrote:
> >
> >What are the benefits of using the chattr command if it can be undone using
> >the same command with a different flag?
> >+ Add attribute
> >- Remove attribute
> >
> >So wouldn't actually be "chattr +i /bin/login" to enable, and "chattr -i
> >/bin/login" to disable? But I still don't see the point if the attributes can
> >be removed.
> It's not a fool-proof measure...just an extra precaution. Since it seems that
> it's not a widely known or used file protection, it is effective because it immediately
> throws the less-experienced for a loop. (myself included!)
No, that would be an attempt at security through obscurity, which is
pointless (as shown by the fact that the hackers seem to know more about this
command than the users).
The idea here is that *after* you have all the files that you want to
protect set immutable or append-only, you tell the kernel to disable the
chattr command. Once disabled, it cannot be re-enabled except by
rebooting; if you have a command in the boot scripts that disables it
during boot, it becomes impossible to disable immutability without having
a boot floppy to start the machine from....
The magic is in /proc/sys/kernel/securelevel, btw; you can cat this
'magic' file and it will tell you the current status of secure level
(0=disabled, allow changes; 1=secure, disable changes). Note two important
things: 1) if you set this, you can't install anything that needs to replace
protected files (none of the current package managers pays any attention to
chattr, and they will get quite upset if they can't replace files they
are installing), and 2) older kernels don't have a working securelevel,
e.g. the 2.0.34 kernel on the RaQ2 can tell you what this setting is, but
it doesn't lock properly. All of the chattr stuff has been experimental
for some time, and some of it is quite DANGEROUS, so I don't recommend
playing unless you have an easy way to recover your machine ;)
ps: extended attributes also do other things besides lock files; there's an
on-the-fly disk compression flag, an undelete flag (somewhat broken), and
some options to improve performance by allowing the filesystem to
selectively not do some expensive things, like setting the last access date
on all the directories in a tree when a file is accessed....
gsh
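The lock-down sequence described in the message above, written out as an added example that is not part of the original post or of any Cobalt/RaQ software: a boot script in POSIX sh that sets the +i/+a flags, verifies them with lsattr, and then raises securelevel, with a probe that tells you whether the kernel actually enforces the lock rather than merely reporting the value (the 2.0.34 case the author warns about). The file lists, the probe path and the rc.local invocation are hypothetical; the script assumes e2fsprogs chattr/lsattr on ext2 and a kernel that exposes /proc/sys/kernel/securelevel and refuses to clear immutable flags once it is set.

```shell
#!/bin/sh
# Added example, not from the thread: a boot-time lock-down script in the
# spirit of the post. It marks binaries immutable (+i) and logs append-only
# (+a), verifies the flags with lsattr, and then raises securelevel so the
# flags cannot be cleared again until the next reboot.
# Assumptions (all hypothetical): e2fsprogs chattr/lsattr on ext2, a kernel
# that exposes /proc/sys/kernel/securelevel, and the file lists below.

SECURELEVEL_FILE=${SECURELEVEL_FILE:-/proc/sys/kernel/securelevel}

# Binaries an intruder typically replaces; nothing may change them.
IMMUTABLE_FILES="/bin/login /bin/ls /bin/ps /bin/netstat /usr/bin/chattr"
# Logs may only grow, so an intruder cannot erase their tracks.
APPEND_ONLY_FILES="/var/log/messages /var/log/secure"

# lsattr_has_flag LINE FLAG: does one line of lsattr output carry FLAG?
# lsattr prints the attribute field first, e.g. "----i--------- /bin/login",
# so only the first space-delimited word is inspected (the file name
# "/bin/login" contains an "i" but must not count).
lsattr_has_flag() {
    field=${1%% *}
    case $field in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# securelevel_state FILE: print the current value, or "absent" when the
# kernel does not provide the file at all.
securelevel_state() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo absent
    fi
}

# Step 1: set the attributes. Must run as root, before securelevel is raised.
lock_files() {
    for f in $IMMUTABLE_FILES;   do chattr +i "$f"; done
    for f in $APPEND_ONLY_FILES; do chattr +a "$f"; done
}

# Step 2: confirm every file really carries its flag; returns 1 on any miss.
verify_flags() {
    rc=0
    for f in $IMMUTABLE_FILES; do
        lsattr_has_flag "$(lsattr "$f")" i || { echo "missing +i: $f"; rc=1; }
    done
    for f in $APPEND_ONLY_FILES; do
        lsattr_has_flag "$(lsattr "$f")" a || { echo "missing +a: $f"; rc=1; }
    done
    return $rc
}

# Step 3: raise securelevel, then check that the kernel actually enforces it
# by trying to clear +i on a scratch file. The post warns that some kernels
# (2.0.34 on the RaQ2) report the value without enforcing it; this catches
# that case. On an enforcing kernel the scratch file stays immutable until
# reboot, so it lives in /var/tmp and is left behind deliberately.
raise_securelevel() {
    state=$(securelevel_state "$SECURELEVEL_FILE")
    if [ "$state" = absent ]; then
        echo "kernel has no securelevel; flags can still be cleared"
        return 1
    fi
    echo 1 > "$SECURELEVEL_FILE"
    probe=/var/tmp/.securelevel-probe          # hypothetical path
    : > "$probe" && chattr +i "$probe"
    if chattr -i "$probe" 2>/dev/null; then
        echo "securelevel reads $(cat "$SECURELEVEL_FILE") but does NOT enforce; do not rely on it"
        rm -f "$probe"
        return 1
    fi
    echo "securelevel=$(cat "$SECURELEVEL_FILE"); immutable flags are locked until reboot"
}

# Only act when explicitly asked (e.g. from rc.local: lockdown.sh apply);
# running or sourcing the file without arguments just defines the functions.
case "${1:-}" in
    apply) lock_files && verify_flags && raise_securelevel ;;
esac
```

Run it as `sh lockdown.sh apply` from a boot script, after the package manager has finished whatever it needs to replace; without `apply` it only defines the functions, so it can be sourced for the lsattr checks alone. Once securelevel is raised the flags cannot be cleared again, so keep a rescue boot medium at hand, as the post says.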