
Re: file hiding under Linux

From: Brian Hatch <vuln-dev(at)ifokr.org>
Date: Tue Jun 24 2003 - 19:13:56 EDT

> Ok so I've been working on filehiding for the

...

> This technique only works for executing binaries, listing

This isn't a terribly robust definition of 'hide'. Yes, of course 'ls' would find them, as would 'find' or any other program that can read directories.

Using your definition, consider programs that are needed mainly by root and administrators and not normal users. These are typically stored in /sbin or /usr/sbin, and those dirs are not put in normal users' $PATH env var. However, any user can easily run them by changing $PATH, or by using the full pathname (/sbin/ifconfig), for example.

To actually 'hide' files, you need to employ standard Linux permissions. For example, if you don't want people using ifconfig, then you can put it into /sbin/hidden/ifconfig and make /sbin/hidden mode 700 owned by root. This will, of course, break a ton of startup scripts and the like which expect ifconfig to live in /sbin, but let's ignore that for now.


However, this still doesn't solve your problem. If I have login access to the machine, I can upload a copy of ifconfig from my machine and run it. Even if you disable uploads, sftp, or even old *modem protocols, if I have shell access, I can create a file one way or another, even if I need to resort to something like

	home$ uuencode /sbin/ifconfig ifconfig
	(copy output)

	server$ cat >./ifconfig.uu <

> So basically I'm building on this, I'd love some feedback and maybe how to

If 'hide' means 'prevent users from running certain programs' then the answer is

  • make sure users have a restricted shell which doesn't allow programs to be run unless they're in $PATH, even if they provide a full pathname to it
  • use an advanced Linux security patch which can hide files from users (lids HIDDEN target, for example) and still force users to have a restricted shell, or they can upload/create programs anyway.
--
Brian Hatch                  A person who smiles
   Systems and                in the face of
   Security Engineer          adversity probably
http://www.ifokr.org/bri/     has a scapegoat.

Every message PGP signed

Received on Tue Jun 24 19:53:09 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT