Securelevels and [Re: Immutable flag and packages]
bear@coyotesong.com wrote:
> > It would be
> > extremely annoying to have to remove the immutable attribute every
> > time I wanted to make a change somewhere in the filesystem.
>
> 2. It is a simple way to improve security, since many cracker techniques
> can't change the immutable bit before attempting to overwrite a file.
> It won't stop a cracker with a root shell, but it might be enough
> to stop some crackers armed only with a list of SMTP etc. flaws.
>
> There's one other place where the immutable bit may make sense, although
> I'm not sure if it's worth the hassles. That's in the /etc directory.
> If you access files like /etc/passwd, /etc/export, /etc/ttysecure, etc.,
> by hand then the immutable bit would be a pain. On the other hand, you
> could argue that these files *especially* should be protected by that
> flag, since that's where a malicious hacker will attack.
If this was the default behavior, wouldn't it be fairly painless for
debian to provide a way for administrators to change securelevels?
This would be IMO a good thing both for security and debian PR.
Carl
--mummert@cs.wcu.edu-----------
The sun's not eternal
That's why there's the blues...
-- Ginsburg
--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: