Carolyn P. Meinel Hall of Shame
Technical Wonder: 'immutable'


[relevant portions of the mail included..]

Date: 14 Oct 1997 02:49:15 -0000
From: "Carolyn P. Meinel" 
To: hh-chat@happy-hacker.ml.org
Subject: [HH-CHAT] Re: Attacks on Bronc Buster

There is an exploit going around that makes Unix files so they cannot be
altered or deleted. The only cure I know of is to reformat the disk first.
So just in case anyone on this list wondered for even a moment about the
truthfulness of that ridiculous hacked stuff you could get when fingering
Bronc, and why it persisted there, no, it was just a lame hack using
software that attacker happened to get his hands on.

[Technical details: This was said after an attacker hacked succeed.net
 and set the immutable flag on a few files. On a Unix platform, the
 'immutable' flag makes it so only the superuser (root) may delete or
 modify the file, AFTER removing the flag. So, not only is it NOT an
 exploit, it is a common system utility. The "cure" is to change the
 flag with a system utility (listed below), THEN delete/modify the file.
 The software is not a 'hacker exploit', but a system utility found on
 most default Unix installations.

 The utility that does this:
 On BSDish systems:   chflags
 On SYSVish systems:  chattr

 According to "man chattr" on a Linux machine: "chattr - change file 
 attributes on a Linux second extended file system". According to 
 "man chflags" on a FreeBSD machine: "chflags - change file flags".

 More from the "man chattr" on a Linux machine: "The letters `ASacdisu'
 select the new attributes for the files: don't update atime (A),
 synchronous updates (S), append only (a), compressed (c), immutable (i),
 no dump (d), secure deletion (s), and undeletable (u)."

 More from the "man chflags" on a FreeBSD machine: "The chflags utility 
 modifies the file flags of the listed files as specified by the flags 
 operand."

 So I reply to her and let her know the above, and she follows up with:]

Date: 14 Oct 1997 13:16:03 -0000
From: "Carolyn P. Meinel" 
To: hh-chat@mail.secureservers.net
Subject: Re: [HH-CHAT] Re: Attacks on Bronc Buster

Sorry, jericho, this exploit doesn't let chattr fix the problem. My hat is
off to whomever first figured out how to code this exploit.

The people working on this problem know more about it than ignorant
bystanders. Calling us names does not improve your knowledge of the
situation at all. But what do you expect of an unmoderated hacker list? You
will find out soon enough why they all go to dev/null within  months.


[?! It's in the man pages!]
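
The "cure" described in the technical details above (find the flag, clear it with the system utility, then modify or delete the file), as an added example that is not part of the original page or mails: a shell function that reads `lsattr` output (the e2fsprogs companion to `chattr`, not named on the page) and lists each file carrying the immutable or append-only attribute, with the `chattr` mode root would use to clear it. The sample listing and all paths in it are constructed.

```shell
#!/bin/sh
# Added example: find files locked with chattr's immutable (i) or
# append-only (a) attribute by reading `lsattr` output.

# Constructed sample of `lsattr -R` output; all paths are made up.
sample_lsattr() {
cat <<'EOF'
--------------e------- /home/user/.profile
----i---------e------- /home/user/.plan
-----a--------e------- /var/log/auth.log
----ia--------e------- /home/user/my notes.txt
-------A------e------- /home/user/cache.db

/home/user/sub:
--------------e------- /home/user/sub/readme
EOF
}

# Reads lsattr output on stdin. For each locked entry prints
# "<mode><TAB><path>", where <mode> is the argument root would pass to
# chattr to clear the lock (-i, -a or -ia) before editing or deleting.
find_locked() {
    while IFS= read -r line; do
        flags=${line%% *}      # first field: the attribute string
        path=${line#* }        # remainder: path, embedded spaces kept
        # A real attribute field holds only letters and dashes; this
        # skips blank lines and the "dir:" headers printed by -R.
        case $flags in
            ''|*[!A-Za-z-]*) continue ;;
        esac
        [ "$flags" = "$line" ] && continue    # no path on this line
        mode=-
        case $flags in *i*) mode=${mode}i ;; esac   # immutable
        case $flags in *a*) mode=${mode}a ;; esac   # append-only (not A)
        [ "$mode" != - ] && printf '%s\t%s\n' "$mode" "$path"
    done
    return 0
}

# Demo on the sample. On a live ext2/3/4 system, feed it real output:
#   lsattr -R /home 2>/dev/null | find_locked
sample_lsattr | find_locked
```

Each reported line pairs with the fix the page describes: as root, run `chattr` with the printed mode on that path, after which the file can be modified or deleted normally.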