OSEC

From: xsdg (xsdgopenprojects.net)
Date: Wed Oct 10 2001 - 20:09:54 CDT

    On Wed, Oct 10, 2001 at 02:44:25PM -0400, Nicolas Bock wrote:
    > > using the mode +i (immutable) even root can't change diddly on a system.
    > > this is not uncommon for attackers to do (either manually or in their
    > > rootkit installation scripts) to protect their files.
    >
    > My apologies already if this is a stupid question, but how does chattr -i
    > prevent root from doing anything to a file? I can see that while the immutable
    > attribute is set, root can't do anything, but root can run chattr and delete
    > this attribute, right? Doesn't that mean then that an attacker who is able to
    > put a file into /bin is also able to execute chattr and delete any immutable
    > attributes that the admin might have set to protect his trusted shells and so
    > on?
    IIRC, there's a sysctl or something that disallows the removal of the immutable
    file attribute. I don't remember that well, but I think that once you changed
    the sysctl, you couldn't change it back, and therefore all immutable files
    were protected.

    Also, to clear up any confusion, the immutable flag only prevents file contents
    from being _removed_. The files can still be appended to. If you use the
    immutable attribute on your logs, you'll probably have to do something to
    logrotate to get it to work correctly...

    >
    > Just something I was always wondering about....nick

            --xsdg

    -- 
    |---------------------------------------------------|
    | <MarcN> In the UK there used to be a vacuum       |
    |   cleaner named VAX -- 'Nothing sucks like a VAX' |
    |   was their slogan.  True story.                  |
    |---------------------------------------------------|
    | http://xsdg.hypermart.net   xsdgopenprojects.net |
    |---------------------------------------------------|
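The thread's practical point is that an attacker who can write to /bin can also set +i on the files they drop, so an admin wants a way to notice immutable (and append-only) flags that nobody set on purpose. The script below is an added example for this discussion and is not part of the original post or the list archive. It assumes the `lsattr` output format (an attribute string, whitespace, then the path; `lsattr -R` directory headers end in a colon) and matches on the flag letters rather than fixed columns because their positions differ between e2fsprogs versions. The sample `lsattr` lines and the `KNOWN_GOOD` allow-list are constructed for the demonstration.

```python
"""Audit lsattr output for immutable (i) and append-only (a) flags.

Added example for the chattr +i discussion; not the original poster's code.
Constructed sample input: the SAMPLE_LSATTR lines below imitate lsattr output
but were written for this demo, not captured from a real system.
"""
import re
import subprocess
from typing import Dict, List, Set

# lsattr prints "<attribute string> <path>"; the letters are case-sensitive
# ('i' immutable, 'I' indexed directory, 'a' append-only, 'A' no-atime),
# so a plain substring test on the letters is the right check.
_LSATTR_LINE = re.compile(r"^([-A-Za-z]+)\s+(.+)$")

# Flags worth hunting for: an attacker's rootkit script may set +i on its
# files, and an admin may legitimately set +i on trusted shells or +a on logs.
WATCHED_FLAGS = {"i": "immutable", "a": "append-only"}

# Constructed sample, as if produced by running lsattr on a few paths.
SAMPLE_LSATTR = """\
/bin:
----i--------e-- /bin/bash
-------------e-- /bin/ls
----i--------e-- /bin/.hidden-helper
-----a-------e-- /var/log/messages
lsattr: Operation not supported While reading flags on /proc/self
"""

# Constructed allow-list: flags the admin set deliberately (hypothetical).
KNOWN_GOOD: Dict[str, Set[str]] = {
    "/bin/bash": {"i"},            # trusted shell made immutable on purpose
    "/var/log/messages": {"a"},    # log kept append-only on purpose
}


def parse_lsattr(output: str) -> Dict[str, str]:
    """Map each path in lsattr output to its attribute string."""
    attrs: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.rstrip()
        if not line or line.endswith(":"):   # blank or "lsattr -R" dir header
            continue
        m = _LSATTR_LINE.match(line)
        if not m:                            # error lines ("lsattr: ...") etc.
            continue
        attrs[m.group(2)] = m.group(1)
    return attrs


def flagged_files(output: str) -> List[Dict[str, str]]:
    """Every file carrying at least one watched flag, sorted by path."""
    findings = []
    for path, attr in parse_lsattr(output).items():
        hits = [name for letter, name in WATCHED_FLAGS.items() if letter in attr]
        if hits:
            findings.append({"path": path, "flags": ",".join(sorted(hits))})
    return sorted(findings, key=lambda f: f["path"])


def unexpected_flags(output: str, expected: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Watched flags present on a file but absent from the allow-list.

    A hit here is the case the thread warns about: something made immutable
    (or append-only) that the admin did not do themselves.
    """
    findings = []
    for path, attr in parse_lsattr(output).items():
        present = {letter for letter in WATCHED_FLAGS if letter in attr}
        extra = present - expected.get(path, set())
        if extra:
            findings.append({"path": path, "flags": "".join(sorted(extra))})
    return sorted(findings, key=lambda f: f["path"])


def run_lsattr(paths: List[str]) -> str:
    """Collect real lsattr output for the given paths (needs an ext-family fs)."""
    proc = subprocess.run(["lsattr", *paths], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Run the audit over the constructed sample; swap in run_lsattr([...]) for
    # a live check of, say, /bin and /sbin.
    for finding in unexpected_flags(SAMPLE_LSATTR, KNOWN_GOOD):
        print(f"unexpected +{finding['flags']} on {finding['path']}")
```

Comparing against an allow-list rather than just listing flags is what makes this usable as a periodic check: the admin's own +i shells and +a logs stop showing up, and only new immutable files stand out. Whether the flag can actually be cleared again depends on the kernel's immutable-capability restriction the poster recalls; the audit is useful either way, since it tells you what to look at rather than what to change.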