Re: [cobalt-security] RE: The nasty RaQ hack...
- Subject: Re: [cobalt-security] RE: The nasty RaQ hack...
- From: Eugene Crosser <crosser@xxxxxxxxxxx>
- Date: 24 Jan 2003 21:00:24 +0300
- Organization:
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Fri, 2003-01-24 at 20:27, Larry Smith wrote:
> > > You might want to chmod 700 gcc for a bit of extra security - that
> > > RaQFuCk.sh script (or was it the SSL exploit) needs to get hold of gcc to
> > > do its thing.
> >
> > Yup, that's a neat idea. Many UNIX exploits/worms rely on the C
> > compiler, so closing access to it will thwart them. I guess I'd add it
> > to my "quick security guide"...
>
> Just from my "personal" point of view, I chmod 444 the gcc program since any
> exploit that gets "root" level would still have access to gcc under mode 700.
> Under mode 444 it is not "executable" and therefore won't work for anyone
> without changing the mode first, but then again I am "paranoid" (see
> hosts.allow.conf)
If the intruder already has root access, he does not need to compile
anything anyway. It seems that a number of exploit scenarios involve
getting non-root access, compiling a piece of code and using it to get
root access.
Not that disabling gcc is a real defence, just a thwart for some
ready-to-use exploit scripts.
Eugene
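
An added example, not part of the thread: a small audit that reports who can execute each compiler binary under the modes discussed above (755, 700, 444). The default paths at the bottom are assumptions; adjust them to the compilers installed on the host.

```shell
#!/bin/sh
# Added example (not from the thread): report who may execute a compiler binary.

# exec_scope PATH -> prints world | group | owner | none | missing
exec_scope() {
    # -L follows symlinks (gcc is often a link to a versioned binary);
    # cut keeps only the 10 mode characters, dropping any ACL/SELinux marker.
    perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case $perms in
        '')            echo missing ;;
        ?????????[xt]) echo world ;;   # e.g. 755: any local account can run it
        ??????[xs]???) echo group ;;   # e.g. 750: owner and group members
        ???[xs]??????) echo owner ;;   # e.g. 700: owner only
        *)             echo none ;;    # e.g. 444: no execute bit, so exec fails
                                       # for every user until the mode is changed
    esac
}

# audit_compilers PATH... -> one "scope path" line per argument.
# Returns 1 if any listed binary is world-executable, 0 otherwise.
audit_compilers() {
    rc=0
    for bin in "$@"; do
        scope=$(exec_scope "$bin")
        printf '%-7s %s\n' "$scope" "$bin"
        if [ "$scope" = world ]; then
            rc=1
        fi
    done
    return $rc
}

# Assumed default locations; not taken from the thread.
audit_compilers /usr/bin/gcc /usr/bin/cc /usr/bin/g++ ||
    echo "at least one compiler is executable by every local account"
```

This only reports the current state. As the reply above notes, restricting gcc slows down ready-made scripts that compile on the target; it does not stop an intruder who brings a prebuilt binary.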