Re: [cobalt-security] RE: The nasty RaQ hack...
- Subject: Re: [cobalt-security] RE: The nasty RaQ hack...
- From: Larry Smith <lesmith@xxxxxxxxx>
- Date: Fri, 24 Jan 2003 12:14:49 -0600
- Organization: ECSIS.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
INRE Re: [cobalt-security] RE: The nasty RaQ hack...:
> > Just from my "personal" point of view, I chmod 444 the gcc program since
> > any exploit that gets "root" level would still have access to gcc under
> > mode 700. Under mode 444 it is not "executable" and therefore won't work
> > for anyone without changing the mode first, but then again I am
> > "paranoid" (see hosts.allow.conf)
>
> If the intruder already has root access, he does not need to compile
> anything anyway. It seems that a number of exploit scenarios involve
> getting non-root access, compiling a piece of code and using it to get
> root access.
>
> Not that disabling gcc is a real defence, just a thwart for some
> ready-to-use exploit scripts.
Yes, but at mode 444 they cannot compile _anything_ whether root or not....
so the non-root access (if it requires compiling something to get to root)
will also not work. They end up with non-root access.....
--
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
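
An added example, not part of the original post: a shell audit of the measure discussed in this thread, reporting which compiler binaries in a directory still carry any execute bit. The tool-name list and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit the mode bits on compiler binaries in one directory.
# The tool list below is an assumption; adjust it for the system audited.
COMPILER_NAMES="gcc cc g++ c++ cpp as ld"

# Succeeds when any owner/group/other execute bit is set on $1.
# Reads the mode bits instead of using `test -x`, so the answer does not
# depend on which user runs the audit. -H follows a symlink given as $1.
has_exec_bit() {
    [ -n "$(find -H "$1" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]
}

# Prints "EXEC <path>" or "NOEXEC <path>" for each tool found in directory $1.
# Returns 1 if at least one tool still has an execute bit, otherwise 0.
audit_compilers() {
    dir=$1
    status=0
    for name in $COMPILER_NAMES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        if has_exec_bit "$f"; then
            echo "EXEC $f"
            status=1
        else
            echo "NOEXEC $f"
        fi
    done
    return "$status"
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
    audit_compilers "$1" || true
fi
```

A non-zero return from `audit_compilers` means at least one listed tool is still runnable by some class of user, which makes the function usable as a check in a periodic hardening job.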