From owner-freebsd-hackers Mon Jul 12 19:52:27 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id F1A2F15065 for ; Mon, 12 Jul 1999 19:52:23 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from mercury (mercury [129.127.36.44]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id MAA03931; Tue, 13 Jul 1999 12:22:11 +0930 (CST)
Received: from localhost by mercury; (5.65v3.2/1.1.8.2/27Nov97-0404PM) id AA12270; Tue, 13 Jul 1999 12:22:10 +0930
Date: Tue, 13 Jul 1999 12:22:09 +0930 (CST)
From: Kris Kennaway
To: Greg Lehey
Cc: crypt0genic , Mark Newton , hackers@freebsd.org, Karl Pielorz
Subject: Re: Compromising a FreeBSD from inside (was: (forw))
In-Reply-To: <19990713111341.S21403@freebie.lemis.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 13 Jul 1999, Greg Lehey wrote:

> In fact, the most interesting thing about this (rather large) document
> is that it's the best documentation I've seen on klds. I don't know
> why anybody would want to use it for compromising security, since it's
> a *lot* of work, and to even get as far as installing it you have to
> be root already, so you would have plenty of easier alternatives.

It's more for hiding yourself once you're already in; if you load a module
at boot-time which hides the fact that it was loaded, hides the module
itself from being listed by the filesystem syscalls, and hides whatever
else you want, you could presumably stay hidden a lot easier.

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
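One defensive cross-check that follows from Kris's point (a module loaded at boot that then hides itself from the module list leaves a gap between what the loader was told to load and what the kernel reports), written here as an added example that is not part of the original message or of FreeBSD itself. It assumes the `<name>_load="YES"` convention of /boot/loader.conf and the column layout of `kldstat` output as found on later FreeBSD releases; both sample inputs below are constructed, not captured from a real system.

```python
"""Cross-check boot-time module intent against the live module list.

Added example (not from the original mail-thread). It parses a constructed
/boot/loader.conf fragment and a constructed `kldstat` listing and reports
modules that the loader was asked to load but that do not appear in the
kernel's own module list. A module that hides itself from kldstat shows up
as exactly such a gap; a module that also hides its loader.conf line would
not, so compare against an offline copy of loader.conf where possible.
"""
import re

# Constructed sample /boot/loader.conf (assumed format: <name>_load="YES").
SAMPLE_LOADER_CONF = """\
# boot loader configuration (constructed sample)
kernel="kernel"
if_fxp_load="YES"
snd_pcm_load="YES"   # sound driver
linux_load="NO"
hidden_load="YES"
"""

# Constructed sample `kldstat` output (assumed column layout).
SAMPLE_KLDSTAT = """\
Id Refs Address    Size     Name
 1    4 0xc0100000 1c2f68   kernel
 2    1 0xc0f70000 6000     if_fxp.ko
 3    1 0xc0f80000 19000    snd_pcm.ko
"""

# Matches lines like   foo_load="YES"   (quotes optional, case-insensitive YES)
LOAD_RE = re.compile(r'^\s*([A-Za-z0-9_]+)_load\s*=\s*"?[Yy][Ee][Ss]"?')


def parse_loader_conf(text):
    """Return the set of module names the loader is told to load at boot."""
    wanted = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0]   # drop trailing comments
        m = LOAD_RE.match(line)
        if m:
            wanted.add(m.group(1))
    return wanted


def parse_kldstat(text):
    """Return the set of module names (without .ko) that kldstat reports."""
    loaded = set()
    for line in text.splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) >= 5:
            name = parts[4]
            if name.endswith('.ko'):
                name = name[:-3]
            loaded.add(name)
    return loaded


def missing_modules(loader_conf, kldstat):
    """Modules requested at boot but absent from the live listing, sorted."""
    return sorted(parse_loader_conf(loader_conf) - parse_kldstat(kldstat))


if __name__ == '__main__':
    for name in missing_modules(SAMPLE_LOADER_CONF, SAMPLE_KLDSTAT):
        print(f"requested at boot but not listed by kldstat: {name}")
```

On a live host the two sample strings would be replaced by the contents of /boot/loader.conf and the output of `kldstat`; a non-empty result is a signal to investigate, not proof of a hidden module, since a driver can also be absent because it simply failed to load.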