
Re: Can't find the DNS Servers




On Mon, Sep 25, 2017 at 07:10:10PM +0300, Reco wrote:
> A common misconception. Here's how a determined userspace can beat
> immutable bit:
> 
> # mkdir testetc
> # touch testetc/resolv.conf
> # chattr +i testetc/resolv.conf
> # mv testetc/ testetc.orig
> # mkdir testetc
> # touch testetc/resolv.conf
> # echo evil dns > testetc/resolv.conf

You'd have to replace all the other files in /etc as well, or the
system wouldn't work very well.  But that's not the point.  The point
isn't to harden the system against an attacker bent on subverting your
name lookups.  It's to protect your locally modified configuration file
from being overwritten by well-meaning but stupid software programs.

(And yes, there are other ways to achieve that, but I've already posted
the <https://www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/> URL
in this thread.  Oops, I did it again.)
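
The directory swap in the quoted commands never touches the immutable file; it only makes the path name a different inode. The following is an added example, not part of the original messages, that baselines the device:inode identity of a file and its parent directory and reports when the path no longer resolves to them. It assumes GNU stat on Linux; the function names and the temporary sandbox are hypothetical.

```shell
#!/bin/sh
# Added example: detect that a path no longer names the baselined file.
# Assumes GNU stat (Linux). Function names are hypothetical.

# Print "device:inode" for a path. This identifies the object, not its name.
file_id() {
    stat -c '%d:%i' -- "$1"
}

# Record the identity of a file and of its parent directory on one line.
baseline() {
    printf '%s %s\n' "$(file_id "$1")" "$(file_id "$(dirname -- "$1")")"
}

# Compare the current identities against a saved baseline line.
# Returns 0 if unchanged, 1 if the file or its parent was replaced or is gone.
check() {
    _now=$(baseline "$1" 2>/dev/null) || return 1
    [ "$_now" = "$2" ]
}

# Constructed sandbox: repeat the rename from the quoted commands in a
# temporary directory (no root, no chattr) and show that check() notices.
demo() {
    _d=$(mktemp -d) || return 2
    mkdir "$_d/testetc" && touch "$_d/testetc/resolv.conf"
    _base=$(baseline "$_d/testetc/resolv.conf")
    check "$_d/testetc/resolv.conf" "$_base" && echo "before swap: unchanged"
    mv "$_d/testetc" "$_d/testetc.orig"
    mkdir "$_d/testetc" && touch "$_d/testetc/resolv.conf"
    if check "$_d/testetc/resolv.conf" "$_base"; then
        _rc=1   # swap went unnoticed
    else
        echo "after swap: path resolves to a different file"
        _rc=0
    fi
    rm -rf "$_d"
    return "$_rc"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run with the argument `demo` to see both messages; on a real system the baseline line would be stored somewhere the checked path's owner cannot rewrite.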