[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Securelevels and [Re: Immutable flag and packages]

bear@coyotesong.com wrote:
> > It would be
> > extremely annoying to have to remove the immutable attribute every
> > time I wanted to make a change somewhere in the filesystem.
> 
> 2. It is a simple way to improve security, since many cracker techniques
>    can't change the immutable bit before attempting to overwrite a file.
>    It won't stop a cracker with a root shell, but it might be enough
>    to stop some crackers armed only with a list of SMTP etc. flaws.
> 
> There's one other place where the immutable bit may make sense, although
> I'm not sure if it's worth the hassles.  That's in the /etc directory.
> If you access files like /etc/passwd, /etc/export, /etc/ttysecure, etc., 
> by hand then the immutable bit would be a pain.  On the other hand, you 
> could argue that these files *especially* should be protected by that
> flag, since that's where a malicious hacker will attack.

If this was the default behavior, wouldn't it be fairly painless for
debian to provide a way for administrators to change securelevels?
This would be IMO a good thing both for security and debian PR.

Carl
--mummert@cs.wcu.edu-----------
                                      
The sun's not eternal
   That's why there's the blues...
     -- Ginsburg


--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: