Date: Sun, 10 Aug 2003 21:01:03 -1000 From: Jason Dambrosio <jason@wiz.cx> To: Bruce M Simpson <bms@spc.org> Cc: FreeBSD Security Advisories <security@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:09.signal Message-ID: <20030811070103.GB85000@tekgenesis.net> In-Reply-To: <20030811064438.GG31845@spc.org> References: <200308110257.h7B2v6YJ061278@freefall.freebsd.org> <20030811063316.GA85000@tekgenesis.net> <20030811064438.GG31845@spc.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Aug 11, 2003 at 07:44:38AM +0100, Bruce M Simpson wrote:
> On Sun, Aug 10, 2003 at 08:33:16PM -1000, Jason Dambrosio wrote:
> > Wouldn't a possible workaround be, to load a kld module that would
> > replace the ptrace(2) system call with a patched one? I remember doing
> > such a trick for modifying other system calls using kld modules...
>
> That isn't really a solution; more of a band-aid.
That's exactly why I called it a workaround and not a solution.
The primary idea of a workaround being to avoid having downtime for
a reboot to patch the kernel until your next scheduled maintence window.
> Besides, if someone compromises the system in some other way, they can
> just remove your module or unload it. Unless you're a big securelevels fan.
If someone compromises the system via some other method, why would
they care about unloading a module if they already have root?
My point was simply that the advisory said there was no workaround,
but I believe you could use this method as a workaround.
Jason
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030811070103.GB85000>