> Ok so I've been working on file hiding for the
> linux operating system (www.linux.org) that you can download for free
> and is very popular. But you probably all know this. I was wondering,
> would it be possible to abuse the linux environment to make legitimate users
> think a certain file was not present.

...

> This technique only works for executing binaries, listing
> the directory will still find it.
>
> So for hiding the binaries in /usr/bin an example would be:
>
> $ export PATH="/tmp"
> $ ls
> -bash: ls: command not found
> $ echo "hid all files in /usr/bin"
> hid all files in /usr/bin
> $ whereis echo
> -bash: whereis: command not found
> $

This isn't a terribly robust definition of 'hide'. Yes, of course 'ls'
would find them, as would 'find' or any other program that can read
directories.

Using your definition, consider programs that are needed mainly by root
and administrators and not normal users. These are typically stored in
/sbin or /usr/sbin, and those dirs are not put in normal users' $PATH
env var. However any user can easily run them by changing $PATH, or
using the full pathname (/sbin/ifconfig) for example.

To actually 'hide' files, you need to employ standard Linux permissions.
For example if you don't want people using ifconfig, then you can put it
into /sbin/hidden/ifconfig and make /sbin/hidden mode 700 owned by root.
This will, of course, break a ton of startup scripts and the like which
expect ifconfig to live in /sbin, but let's ignore that for now.

However this still doesn't solve your problem. If I have login access to
the machine, I can upload a copy of ifconfig from my machine and run it.
Even if you disable uploads, sftp, or even old *modem protocols, if I
have shell access, I can create a file one way or another, even if I need
to resort to something like

  home$ uuencode /sbin/ifconfig ifconfig
  (copy output)
  server$ cat >./ifconfig.uu <<EOM
  (paste)
  EOM
  server$ uudecode ifconfig.uu

> So basically I'm building on this, I'd love some feedback and maybe how to
> implement this technique in other scenarios.

If 'hide' means 'prevent users from running certain programs' then the
answer is

  * make sure users have a restricted shell which doesn't allow programs
    to be run unless they're in $PATH, even if they provide a full
    pathname to it

  * use an advanced linux security patch which can hide files from users
    (lids HIDDEN target, for example) and still force users to have a
    restricted shell or they can upload/create programs anyway.

--
Brian Hatch                     A person who smiles
 Systems and                    in the face of
 Security Engineer              adversity probably
http://www.ifokr.org/bri/       has a scapegoat.

Every message PGP signed
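The points made in the reply above, as an added shell example that is not part of the original thread: PATH manipulation only defeats name lookup and is bypassed by an absolute path; a restricted bash (`bash -r`) is what actually refuses slash-containing command names and PATH changes; and a restricted shell is only as good as its PATH, so the last function reports any PATH entry the current user could drop an "uploaded" binary into. It assumes a Linux box with /bin/ls; the bash checks assume bash is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes /bin/ls exists (Linux).

# resolves_with_path PATHVALUE NAME -> 0 if NAME is found by PATH lookup.
# With PATH=/tmp this fails for ls, which is all the "hiding" amounts to.
resolves_with_path() {
    ( PATH="$1"; command -v "$2" >/dev/null 2>&1 )
}

# runs_by_full_path -> 0 if /bin/ls still runs with a useless PATH,
# i.e. the absolute-path bypass described in the reply.
runs_by_full_path() {
    ( PATH=/nonexistent; /bin/ls / >/dev/null 2>&1 )
}

# restricted_rejects_fullpath -> 0 if a restricted bash refuses a command
# name containing '/', which is what stops the absolute-path bypass.
restricted_rejects_fullpath() {
    if bash -r -c '/bin/ls /' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# restricted_rejects_path_change -> 0 if a restricted bash refuses to
# reassign PATH (it is read-only under -r).
restricted_rejects_path_change() {
    if bash -r -c 'PATH=/tmp' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# writable_dirs_in_path PATHVALUE -> prints each PATH entry that exists and
# is writable by the current user. Any such entry lets a user place their
# own binary where the restricted shell will happily execute it by name.
writable_dirs_in_path() {
    _old_ifs=$IFS
    IFS=:
    for _d in $1; do
        if [ -d "$_d" ] && [ -w "$_d" ]; then
            printf '%s\n' "$_d"
        fi
    done
    IFS=$_old_ifs
    return 0
}

# Stand-alone demonstration when run directly.
if [ "${0##*/}" = "path_hiding_demo.sh" ]; then
    resolves_with_path /tmp ls && echo "ls found via PATH=/tmp" || echo "ls not found via PATH=/tmp"
    runs_by_full_path && echo "/bin/ls still runs with PATH=/nonexistent"
    if command -v bash >/dev/null 2>&1; then
        restricted_rejects_fullpath && echo "bash -r refuses /bin/ls"
        restricted_rejects_path_change && echo "bash -r refuses PATH=/tmp"
    fi
    echo "writable PATH entries for $(id -un):"
    writable_dirs_in_path "$PATH"
fi
```

The practical check is the last one: for a restricted-shell account, `writable_dirs_in_path "$PATH"` run as that user should print nothing, otherwise the uuencode trick from the reply puts an executable exactly where the shell will run it.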
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 16:40:39 PDT