Firewall Wizards mailing list archives

Re: Hardening, (was Re: chroot useful?)


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Sun, 23 Nov 1997 10:29:47 -0500

Darren Reed wrote:
Sigh.  Why does everyone pick on man pages?

Because man pages don't fight back!! :)  Seriously, though,
my view is that if you're stud enough to be messing around
on my box, you shouldn't need the man pages. If you do,
you're not stud enough, ipso facto.

[...]
immediately setuid to a non-root user. Then, if you're
inclined, play kernel games:
[...]
Linux, modern BSD's all support the idea of immutable files
which can achieve many of the points you list.  Problem is,
nobody seems to use them in standard installations.  Maybe
because of the inconvenience to normal activities?

I think that's largely it. If you try to use them on "normal"
multiuser machines it is awkward. So people forget that they
are there at all. Also, normal people don't usually keep track
of changes in O/S' unless they directly affect how they
usually use the system. Few sysadmins have time to go around
messing with immutable files unless they NEED to. And, of
course, the system doesn't ship configured with them turned
on by default because the support line would be filled with
calls asking "why can't I delete this file?? what kind of POS
UNIX is this!?"

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr


