From: Jose Nazario (josebiocserver.BIOC.cwru.edu)
Date: Wed Oct 10 2001 - 12:24:49 CDT

    On Wed, 10 Oct 2001, Thanas wrote:

    > # mv /safe/version/path/login /bin/login

    > I just obtained the message 'Operation not permitted' ... How is it
    > possible ? I had to use low level tools directly on the ext2
    > filesystem to delete that file ...

    man chattr(1):

    chattr (1) - Change file attributes on a Linux second extended file system

    using the mode +i (immutable), even root can't change diddly on a system.
    this is not uncommon for attackers to do (either manually or in their
    rootkit installation scripts) to protect their files.

    there are some kernel patches, like LIDS, that can be used to prevent even
    root (either authorized or unauthorized) from changing files marked as
    immutable. it may be worth considering keeping the binaries you have to
    trust (i.e. login, ls, ps, netstat, a statically linked copy of /bin/sh
    with hardcoded paths, etc ...) protected.

    hope that helps,

    ____________________________
    jose nazario josecwru.edu
                               PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
                                           PGP key ID 0xFD37F4E5 (pgp.mit.edu)
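An added example (not part of the original post) of the audit a defender would run after reading this: list files carrying the immutable attribute that explains the 'Operation not permitted' error, and flag any that are not on a baseline of binaries you protected yourself. The baseline and the sample lsattr output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: report files with the ext2/3/4
# immutable attribute (chattr +i), the flag that made "mv ... /bin/login"
# fail with "Operation not permitted" even as root.
set -eu
# lsattr prints one line per file: attribute field, space, path, e.g.
# "----i--------e-- /bin/login". "lsattr -R" also prints directory headers
# such as "/sbin:" with no attribute field; those are skipped.
filter_immutable() {
    while IFS= read -r line; do
        case "$line" in
            *' '*) ;;          # attribute field followed by a path
            *) continue ;;     # directory header or blank line
        esac
        attrs=${line%% *}
        path=${line#* }
        case "$attrs" in
            *i*) printf '%s\n' "$path" ;;   # lowercase i = immutable
        esac
    done
}
# Files you made immutable on purpose (login, ls, ps, netstat, a static
# /bin/sh ...) belong on a baseline; anything else deserves a look.
# Constructed baseline for this example.
BASELINE='/bin/login
/bin/ls'
# Read paths on stdin, print those missing from the baseline.
unexpected_immutable() {
    while IFS= read -r path; do
        printf '%s\n' "$BASELINE" | grep -qxF -- "$path" \
            || printf '%s\n' "$path"
    done
}
# Run lsattr over the given directories and report anomalies.
scan_dirs() {
    lsattr -R "$@" 2>/dev/null | filter_immutable | unexpected_immutable
}
# Constructed lsattr output so the filters can be exercised offline.
SAMPLE='/sbin:
----i--------e-- /bin/login
-------------e-- /bin/ls
----i--------e-- /usr/sbin/sshd'
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"      # e.g. ./immutable-audit.sh /bin /sbin /usr
else
    printf '%s\n' "$SAMPLE" | filter_immutable | unexpected_immutable
fi
```

Run with no arguments to see the sample data flagged (/usr/sbin/sshd), or pass directories to audit a live ext filesystem.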