> -----Original Message-----
> From: Pavel Machek [mailto:pavel@suse.cz]
> So what? I can not execute setuid shell, but I can freely do anything
> I could do with the shell. I'll add myself to
> ~root/.ssh/authorized_keys instead of running root shell. This is
> called security by obscurity.
>
> (Still it can be a little bit usefull.)
> Pavel
> --
> I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care."
> Panos Katsaloulis describing me w.r.t. patents me at discuss@linmodems.org
>
---It's only a piece of the puzzle -- you came in via what route? A daemon running with LUID=daemon? Ooooo....LUID daemon is editing files in /root. I'd guess that would be a big-time redflag. Or say you managed to do an 'su' from user mrevil -- RT-Audit daemon (user-provided) detects that LUID=george is editing a root file, user mrevil is not in group 'wheel', or 'sysadmins' or is not in a known memory resident list of sysadmins -- bad mrevil...action:signal(SIGKILL).
If you are looking for one solution that will solve all your problems I have nothing to offer. Think of security features like extra bits in an encryption key. The more layers (bits) you add the more difficult it is to crack system security. The only 100% secure system is one to which no one has access and nothing will cause the machine to go out of "secure state" (secure state=off). Not too useful. Using a GOOGLE-PLEX (10^(10^100) bit encryption key wouldn't be too useful neither since it'd take forever to generate. But even 512 bit keys are now vulnerable to cracking with an optoelectronic device (TWINKLE, ref. http://cryptome.org/twinkle.eps) -- meaning 1024 bit keys are next on the horizon.
I'm just wanting to get Linux *verified*/*certified* as having basic levels of security common in all large systems manufacturers -- things that are or will be required for us to enter certain marketplaces.
-linda
-- Linda A Walsh | Trust Technology, Core Linux, SGI law@sgi.com | Voice: (650) 933-5338
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed May 31 2000 - 21:00:28 EST