From owner-freebsd-security@FreeBSD.ORG  Mon Aug 11 00:01:03 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9728F37B401
	for <security@freebsd.org>; Mon, 11 Aug 2003 00:01:03 -0700 (PDT)
Received: from mx1.tekgenesis.net (server1.cluster1.tekgenesis.net
	[64.235.250.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 31D3243F3F
	for <security@freebsd.org>; Mon, 11 Aug 2003 00:01:03 -0700 (PDT)
	(envelope-from wiz@mx1.tekgenesis.net)
Received: by mx1.tekgenesis.net (Postfix, from userid 1000)
	id 36AA2B8B6; Sun, 10 Aug 2003 21:01:03 -1000 (HST)
Date: Sun, 10 Aug 2003 21:01:03 -1000
From: Jason Dambrosio <jason@wiz.cx>
To: Bruce M Simpson <bms@spc.org>
Message-ID: <20030811070103.GB85000@tekgenesis.net>
References: <200308110257.h7B2v6YJ061278@freefall.freebsd.org>
	<20030811063316.GA85000@tekgenesis.net> <20030811064438.GG31845@spc.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030811064438.GG31845@spc.org>
User-Agent: Mutt/1.4i
cc: FreeBSD Security Advisories <security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:09.signal
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2003 07:01:03 -0000

On Mon, Aug 11, 2003 at 07:44:38AM +0100, Bruce M Simpson wrote:
> On Sun, Aug 10, 2003 at 08:33:16PM -1000, Jason Dambrosio wrote:
> >     Wouldn't a possible workaround be, to load a kld module that would
> > replace the ptrace(2) system call with a patched one? I remember doing
> > such a trick for modifying other system calls using kld modules...
> 
> That isn't really a solution; more of a band-aid.

    That's exactly why I called it a workaround and not a solution.

    The primary idea of a workaround being to avoid having downtime for
a reboot to patch the kernel until your next scheduled maintence window.

> Besides, if someone compromises the system in some other way, they can
> just remove your module or unload it. Unless you're a big securelevels fan.

    If someone compromises the system via some other method, why would
they care about unloading a module if they already have root?

    My point was simply that the advisory said there was no workaround,
but I believe you could use this method as a workaround.

Jason