Date: Thu, 12 Dec 1996 13:35:47 -0600 (CST)
From: Brian Mitchell
To: Brian Tao
cc: FREEBSD-SECURITY-L
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)

On Thu, 12 Dec 1996, Brian Tao wrote:

> On Wed, 11 Dec 1996, Brian Mitchell wrote:
> >
> > If you disable it, remember to take lkm out with it.
>
> How do you disable lkm? I don't see any option in the LINT config
> to do so. I could delete /lkm and mod{load,unload,stat}, but they can
> be easily replaced by an intruder.

In securelevel 2, (k)mem is not writable; I'm guessing this will cripple lkm, although I am not positive.

Brian Mitchell / brian@saturn.net