[cobalt-users] "Chattr +i" on inetd.conf & the GUI
- Subject: [cobalt-users] "Chattr +i" on inetd.conf & the GUI
- From: Scott F <scott_falco@xxxxxxxxx>
- Date: Wed Aug 22 06:52:30 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>And what's the point? If the file is owned
>by root and not writable by users, then only
>root can change it anyhow, making it +i doesn't
>do anything else....
I have to disagree with your take on the chattr
command and think the importance of such commands in
regard to the layering of security needs to be
pointed out for anyone reading this who's serious
about their security and different approaches to
accomplish such tasks. - Security by Layers - As
someone else mentioned previously regarding the use of
chattr - I use immutable files to protect against
remote exploits, and as the other user also noted,
against bad admin.
Obviously the chattr command is a good tool as I have
the proof with my GUI trying to change the file
without success... :-P
If you think deeply and especially for a script like
the one that manages the GUI, then you'll find that
sometimes this command on a file, owned by super-user
can find its importance.
Here I'll give you a simple example: Imagine that you
have a script running on the server for your users and
with super-user 'root' privilege. Then your user has
legitimate right to execute this script which runs
with 'root' privilege. But let's say this guy is smart,
with some good knowledge of programming; he can try to
send special instructions to this script with 'root'
privilege to gain 'root' access to the server. But if
the script is protected with the chattr command, then
even with 'root' access to this file, he cannot
modify, delete, rename, link, or write to it. This is
just a simple example, and more complicated ones exist
for sure.
Side note regarding my original post - Since I don't
have physical access to my systems, a little script
helped me remove the setting so the GUI would stop
bitching. Basically I had to take down the network
then issue the command to remove the chattr
bit, then bring back up the network. Worked like a
charm :-) Here's the script if anyone should ever
find themselves in my shoes trying to "undo" chattr on
a file.
Cheers!
Scott
1) Create a cron under your /etc/cron.hourly directory
and name it for example 'chattr.cron':
touch /etc/cron.hourly/chattr.cron
2) Change its permission mode to make it executable:
chmod 700 /etc/cron.hourly/chattr.cron
3) Make it owned by super-user 'root':
chown 0.0 /etc/cron.hourly/chattr.cron
4) Add the following lines to the 'chattr.cron' file
(the #!/bin/sh line must be the very first line of the file):
vi /etc/cron.hourly/chattr.cron
# ------ Add these lines -------------
#!/bin/sh
# stop the network so the GUI cannot touch inetd.conf while the bit is cleared
/etc/rc.d/init.d/network stop
/usr/bin/chattr -i /etc/inetd.conf
/etc/rc.d/init.d/network start
5) Wait one hour for the script to be run by the
system; the problem should then be fixed, so remove
the file from your /etc/cron.hourly directory.
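The layered-security point above (keeping +i on files like inetd.conf and only clearing it deliberately) is easier to keep honest if you can check the bit. Here is an added audit script, not Scott's and not from the list; it assumes lsattr/chattr/logger from a standard Linux install, and the lsattr lines quoted in its comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: audit files for the ext2/ext3
# immutable attribute ('i' in lsattr output) so you can verify that +i is still
# set, and clear it in a logged way when it genuinely must be undone.
# Assumes lsattr/chattr/logger from a standard Linux install; the sample lsattr
# lines in the comments are constructed.

# Return 0 if one line of lsattr output shows the immutable flag.
# lsattr prints a flags field, a space, then the path, e.g.
#   ----i-------- /etc/inetd.conf
# Only the flags field is inspected, so an 'i' in the path does not count.
lsattr_line_immutable() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report each file as "immutable", "mutable" or "unreadable" (lsattr failed,
# e.g. a non-ext filesystem). Returns the number of files NOT protected,
# so 0 means every listed file still carries +i.
audit_immutable() {
    unprotected=0
    for f in "$@"; do
        if line=$(lsattr -d "$f" 2>/dev/null); then
            if lsattr_line_immutable "$line"; then
                echo "immutable  $f"
            else
                echo "mutable    $f"
                unprotected=$((unprotected + 1))
            fi
        else
            echo "unreadable $f"
            unprotected=$((unprotected + 1))
        fi
    done
    return "$unprotected"
}

# The undo step from the post, with a syslog record of who cleared the bit.
# Must run as root, as chattr -i does.
clear_immutable() {
    chattr -i "$1" && logger -t chattr-audit "cleared +i on $1 by uid $(id -u)"
}

# Usage: ./chattr-audit.sh /etc/inetd.conf /etc/passwd
if [ $# -gt 0 ]; then
    audit_immutable "$@"
fi
```

Run it from cron and alert on a non-zero exit status to catch the bit being cleared by anything other than your own deliberate undo.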