[rescue] SGI fw_sshd and security

Dave McGuire mcguire at neurotica.com
Sun Mar 7 16:03:09 CST 2004

On Mar 7, 2004, at 2:45 PM, Jonathan C. Patschke wrote:
>>    I hate to point this out, but generally speaking, someone needs to
>> already own the box to overwrite libwrap.so.
> I am, indeed, aware of that.

   I'm sure you are...I didn't mean to sound like I thought you were 
stupid or something. :)

> However, on some OSes, particularly IRIX, there have been a -lot- of
> kinda-sorta exploits that let you overwrite local files.  On IRIX in
> particular, dylinking security libraries is a Bad Idea.  You could
> theoretically overwrite libwrap.so with a trojaned one, and the would 
> be
> a lot harder to detect than fudging entries in /etc/hosts.allow.

   Well in that case, something like tripwire would be your friend, but 
then if the perp could arbitrarily write to root-owned, write-protected 
files I suppose that'd be useless too.

   At Digex, we had a really great scheme going.  We did rdist verify 
passes every night, from our proto machines which were as locked-down 
as we could make them.  Now, if you're familiar with rdist, you know 
that in verify mode it sends each file down and then does a 
byte-for-byte compare.  That'd be a tremendously expensive operation to 
perform on, say, six hundred SPARCstations.  We made a nice little mod 
to rdist in which the MD5 checksum is sent down to the target machine 
and verified.  I think that may have actually made it into the main 
rdist source tree but I'm not sure.  It was *cool*.


Dave McGuire                      "My tummy hurts now, but my soul
Cape Coral, FL                   feels a little better."     -Ed

More information about the rescue mailing list