Page last updated:
2001 Dec 30 17:06

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] What anti-virus tools available that run on Linux?



> > page. Most require root access, but some may allow a user to infect binary
> > files if they have write access to them - no need to be root if the user
> > has group membership to write to a binary file with group write
> > permissions in their group!

On Wed, 27 Jun 2001, Peter Jay Salzman wrote:
> that's a big if...

Not so big with some of the older RedHat and early slackware. Many distros
are getting better at making default ownerships to only include ownership
and permissions on what is necessary instead of being too giving. With
more focus on security, this issue is less common on default
installations. (Sun for example seems to make new tools for their OS, and
find trouble setting the programs to work with minimal security, so they
make the tools SUID root.)

Coder1: "Hey, this application won't let me talk directly to /dev/kmem,
         what is the deal?"
Coder2: "Oh, I dunno, but when I ran it as root, there weren't any
         problems."
Supervisor: "We are 2 months behind in getting this tool out! What are you
two just sitting around jibber-jabbering about? Is it ready?"
Coder1 or 2: "Uh..." (changing to chown root.root and chmod 4755) "yeah,
it is ready to go!"

(Sorry, this is hypothetical. I do not know of this as a specific example
coming from Sun, but many of their tools are setuid root and they should
not need to be.)

Earlier distros included packages with apps that were setuid root and set
with chmod 770 to limit what users could run it by group. However, with
the 770 instead of 750, all group members can also write. :-/

Better for special "protected" bins would be 550 and then use of the
chattr as root to set immutable flag (linux with ext2) and if you are
really set, mount the dir from a cd-rom of binary files (could use umsdos
with Joliet FS on iso9660, or better yet an image in file format stored on
std iso9660 mounted via loopback. Once file read into memory, a large
memory system could cache most of the file for later.) Yet another
possible choice is to find a drive that supports the "read only" hardware
jumper. :-)

One of the "winners" of the CTF contest last year at the con was a Linux
system that booted from CD-ROM with users' home dir mounted without execute
perms on a local hd. Exploits against files on the cd-rom proved to be
rather useless in many cases since the files were not actually changed,
and any memory changes would be lost (state) when the machine was
rebooted. (Many thought this was a cheat, since the over-head for CD-ROM
based filesystems is frequently too slow for "real" servers, but it was
still a good demo nonetheless.) (Suggesting a possible RAMDisk filesystem
might prove useful to preload a CD...)

> > I will admit that the present risk for infection in Linux systems is low
> > based on *history*. However, Linux as an OS is not immune to viruses. "Wild
> > type" viruses for Linux are rather *uncommon* (Sorry! How about very rare
> > and close to endangered? ;-) Quite rare at present
> 
> rare implies that at least one person has been infected who didn't desire
> to be infected.  is that true?

Ah. Well, here comes a point where being disallowed to discuss businesses
that may or may not have had employees who may or may not have been
unhappy with their job and said employee may or may not have infected
files on one machine and see them spread to others they do not control in
the same company. Bad publicity about the internal workings and
dealings of a company can tarnish their name and lead to small crashes
in stock value - esp. with today's dot-com market. So, "no comment".

As far as cross Internet infection (or outside a campus/company), I do not
have any examples, but this is not my area of focus, just a hobby. My
major points are:
1- They do exist for Linux
2- Propagation of them is possible with many services still running as root
under code that possesses security holes like exploitable buffer
overruns. (I expect one will use this technique within the next 2 years
against either Windows Servers or Mac OS X servers or *nix servers or a
mix of them.)

When I attend the Con this year, I can query other fellow admins on
hot-boxes and see if they know of public stories on this. Luckily my boxes
are low profile and uninteresting. Best they can do is offer a node for
spidering.

-ME
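The "setuid root plus chmod 770" mistake described in the post can be checked for mechanically. The script below is an added example, not code from the post or the mailing list; the function names are hypothetical, and it builds its own small sample tree so the check can be run offline (the chattr immutable flag and read-only mounts the post suggests are left out because they need root).

```shell
#!/bin/sh
# Audit a directory tree for setuid/setgid files that are also group- or
# world-writable: a member of the group (or anyone) could replace the
# program's contents and have it run with the elevated id.
# Function names below are hypothetical, chosen for this example.

# Print every setuid/setgid regular file under $1 whose mode grants
# write permission to group or other (e.g. 4770, 4777, 2775).
find_writable_setuid() {
    dir="$1"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Number of offending files; a hardening script can fail on nonzero.
count_writable_setuid() {
    find_writable_setuid "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (not real system binaries) and print
# its path, so the check above has something to exercise.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    for f in bad770 ok750 ok550 plain; do
        printf '#!/bin/sh\necho %s\n' "$f" > "$tmp/bin/$f"
    done
    chmod 4770 "$tmp/bin/bad770"   # setuid + group-writable: the risky case
    chmod 4750 "$tmp/bin/ok750"    # setuid, group may run but not write
    chmod 0550 "$tmp/bin/ok550"    # the post's recommended read/exec-only mode
    chmod 0777 "$tmp/bin/plain"    # world-writable but not setuid: not flagged
    printf '%s\n' "$tmp"
}
```

Run `find_writable_setuid /usr/bin /usr/sbin` (or any directory) on a real system to list candidates; only `bad770` is reported from the sample tree.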

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.