From: Drew Eckhardt (drew@caesar.cs.colorado.edu)
Date: 06/28/93


From: drew@caesar.cs.colorado.edu (Drew Eckhardt)
Subject: Re: viruses?
Date: Mon, 28 Jun 1993 07:07:32 GMT

In article <20iogl$2i4@news.cs.tu-berlin.de> wong@cs.tu-berlin.de (Wolfgang Jung) writes:
>Joerg Pommnitz (jpo@kappa.informatik.tu-chemnitz.de) wrote:
>: mantel@adcalc.fnal.gov writes:
>
>: How the hell should a true virus do some damage under Linux ?
>: Linux goes into protected mode immediately after the booting.
>: After this, all the OS security checks are active!!!!!!
>: No evil program can access files it isn't allowed to (because
>: hardware access isn't allowed, BIOS doesn't exist ...).
>(There might be a way for setuid root Programs which want to access
>the /dev/hda* Parts, but as long as you know where the Source is
>and it won't need to be setuid root nothing harmful can happen.
>(more than jumping into System Bugs or filling up swapspace
>(Filling up all available Memory (This can be prevented by setting
>limits :-) ) and getting Linux to hang swapping/paging for
>free incore Pages :-( (This should be fixed somehow (Or is it already:-?)
>

BSD 4.4 even addresses this issue with its use of security levels.
At the highest security level, even root can't write directly to
the disk devices. Root can't override the immutable and append-only
flags (as used on log files). And only pid 1, init, can set
the security level back to something reasonable (in the
process killing off all user processes like the cracker's net login).

>: Bootsector viruses won't be able to affect Linux, because
>: a) they won't survive :) (all memory will be set to zero)
>
>They can survive if they are quick enough to catch all
>interrupts and getting a timer to move them back again :-)

Nope. Once the processor is in protected mode, interrupts
are handled through the Interrupt Descriptor Table (at an
arbitrary location in memory) rather than through the table at
0x0000.

>
>: b) Linux catches ALL interrupt vectors, so there is no way
>: one of the non-existant viruses could be activated
>
>If there is a Non-Maskable Timer Interrupt, Linux can be
>caught :-(

There isn't a non-maskable timer interrupt.

>: There is no way for a Linux virus to hide (all active processes
>: are registered in the process table, so ps will display all of
>: them). It is impossible for viruses to manipulate the memory
>: management to hide, they can't duplicate, if you write protect
>: your files.
>
> As long as they are NOSETUID root :-)

IMHO: Anybody who makes a program suid/sgid root/anybody (especially
a shell script on systems with them enabled) deserves what happens to
them.

I've done this on my systems, but only for unimportant things
like sgid games programs with group games writeable files off on their
own filesystem where it won't matter if someone cracks it and fills
it up, and if some cracker were to remove the users' games it wouldn't
be the end of the world (I would miss my cbzone fix...)

>: There might be some security holes, that would allow some
>: worms or trojan horses to run on your system, but they won't
>: be able to do much damage if you are restrictive in using your
>: root account.
>

Agreed. Prudent system administration (i.e., use npasswd, crack the
password file if for some reason you can't and make (l)users with
guessable passwords change them, run perl COPS to look for bad suid
things, world writeable files, directories, etc, don't use .rhosts
ESPECIALLY for ROOT (this means using a pull-type distribution
system (i.e., ftp run out of cron) rather than a push-type like rdist,
not using rsh in shell scripts and instead using a socket-based
client/server set of programs with some other authentication mechanism,
etc)....

-- 
Boycott USL/Novell for their absurd anti-BSDI lawsuit. | 
Condemn Colorado for Amendment Two.                    | Drew Eckhardt
Use Linux, the fast, flexible, and free 386 unix       | drew@cs.Colorado.EDU 
Will administer Unix for food                          |
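As an added example (not part of the original post, and not COPS itself): a small POSIX shell audit in the spirit of the "look for bad suid things, world writeable files, directories" advice above. It reports every set-uid/set-gid file and every world-writable file or directory under a root, skipping sticky-bit directories such as /tmp the way COPS does. The sample tree it builds (an sgid games binary, a suid root shell script, a world-writable home directory and log file) is constructed here for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a directory tree for the
# two classic COPS findings: set-uid/set-gid files and world-writable objects.

# audit_suid ROOT: list every regular file with the set-uid or set-gid bit set.
audit_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
}

# audit_world_writable ROOT: list files and directories writable by everyone.
# A world-writable directory with the sticky bit (mode 1777, like /tmp) is the
# intended design and is excluded; anything else world-writable is reported.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \)
}

# Counting wrappers so the findings can be checked programmatically.
count_suid() { audit_suid "$1" | wc -l | tr -d ' '; }
count_world_writable() { audit_world_writable "$1" | wc -l | tr -d ' '; }

# make_sample_tree: build a constructed (made-up) tree and print its path.
# Every mode is set explicitly so the result does not depend on the umask.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp" "$root/home/user" "$root/var/log"
    chmod 0700 "$root"
    chmod 0755 "$root/bin" "$root/home" "$root/var" "$root/var/log"
    # an sgid games binary, like the one the post admits to keeping
    : > "$root/bin/cbzone";  chmod 2755 "$root/bin/cbzone"
    # a suid root shell script, exactly what the post says deserves what it gets
    printf '#!/bin/sh\n' > "$root/bin/oops.sh"; chmod 4755 "$root/bin/oops.sh"
    # an ordinary binary with a normal mode (should not be reported)
    : > "$root/bin/ls";      chmod 0755 "$root/bin/ls"
    # sticky world-writable tmp is fine; a world-writable home directory is not
    chmod 1777 "$root/tmp"
    chmod 0777 "$root/home/user"
    # a world-writable log file: anyone could erase their tracks
    : > "$root/var/log/messages"; chmod 0666 "$root/var/log/messages"
    echo "$root"
}

# Stand-alone usage: build the sample tree, run both audits, clean up.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    echo "== set-uid / set-gid files under $demo_root"
    audit_suid "$demo_root"
    echo "== world-writable files and directories (sticky dirs excluded)"
    audit_world_writable "$demo_root"
    rm -rf "$demo_root"
fi
```

On the constructed tree the suid audit reports bin/cbzone and bin/oops.sh, and the world-writable audit reports home/user and var/log/messages while staying quiet about the sticky tmp. Run it against / (as a cron job, with the output diffed against the previous run) to get the same kind of early warning the post is recommending.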