Re: Linuxtag

From: Russell Coker (russell@coker.com.au)
Date: Sun Apr 28 2002 - 02:43:49 CEST


On Sun, 28 Apr 2002 01:50, Joerg Jaspert wrote:
> > Someone who breaks it will only be able to run "ls" and can't write to
> > any file. The only raised privilege level of the FTP server is the
> > ability to log to syslog.
>
> Hmm, muddleftpd is out then. It has its own logging :)

I could easily change the policy to allow it to create files under /var/log,
have them automatically transition to a new type that is only writable by the
FTP server and then only allow it append access (not write, truncate, or
delete). That would be about 5 minutes' work.

> > One of my future plans is to write some sample exploitable programs and
> > exploit programs for them, then I can demonstrate how such programs allow
> > root exploits on unprotected systems but don't allow anything on SE
> > systems.
>
> Hmm, sounds nice.
> This Linuxtag has a very good site: I get a fully configured Debian SE
> System. (And I kill you if you rm -rf / that on 9 June ! ) :))

;)

If I wanted to be nasty I'd leave you with only the root password; without a
password for the sysadm_r role you can't do anything (root on SE Linux has
less privs than a regular user on a regular Linux machine). ;)

-- 
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
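
The append-only logging change described in the message above, sketched as an added example in present-day SELinux policy-module syntax; it is not from the original post and not the policy macros in use in 2002. The module name and the type ftpd_log_t are hypothetical, and ftpd_t, var_log_t and fs_t are assumed to be the base policy's types for the FTP daemon, /var/log and the root filesystem.

```selinux
# Added example, not from the original message.
# Assumed names: ftpd_applog (module) and ftpd_log_t (new type) are hypothetical.
module ftpd_applog 1.0;

require {
    type ftpd_t;       # assumed domain of the FTP server
    type var_log_t;    # assumed type of the /var/log directory
    type fs_t;         # assumed type of the filesystem holding /var/log
    class dir { search write add_name };
    class file { create open append getattr ioctl };
    class filesystem associate;
}

# New type for the server's own log files.
type ftpd_log_t;

# Files labelled with the new type may live on the filesystem.
allow ftpd_log_t fs_t:filesystem associate;

# The server may add new entries to /var/log. remove_name is not granted,
# so it cannot delete or rename entries in that directory.
allow ftpd_t var_log_t:dir { search write add_name };

# Any file ftpd_t creates in a var_log_t directory is labelled ftpd_log_t
# automatically, instead of inheriting var_log_t from the directory.
type_transition ftpd_t var_log_t:file ftpd_log_t;

# Create and append only. Without "write" the server cannot open the file
# for non-append writing or truncate it; without "unlink", "rename" and
# "setattr" it cannot remove, move or re-mode it. The server must open its
# log with O_APPEND, otherwise the open is denied.
allow ftpd_t ftpd_log_t:file { create open append getattr ioctl };
```

Because no other domain is granted access to ftpd_log_t here, reading or rotating these logs needs further rules for whichever domains do that work.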
