Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 8 Sep 2001 18:15:37 +0300
From:      Peter Pentchev <roam@ringlet.net>
To:        D J Hawkey Jr <hawkeyd@visi.com>
Cc:        Alexander Langer <alex@big.endian.de>, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject:   Re: Kernel-loadable Root Kits
Message-ID:  <20010908181537.A840@ringworld.oblivion.bg>
In-Reply-To: <20010908074445.A77252@sheol.localdomain>; from hawkeyd@visi.com on Sat, Sep 08, 2001 at 07:44:45AM -0500
References:  <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.net@ns.sol.net> <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Sat, Sep 08, 2001 at 07:44:45AM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 02:32 PM, Alexander Langer wrote:
> > 
> > Thus spake D J Hawkey Jr (hawkeyd@visi.com):
> > 
> > > > This still lets you load own kernel modules.
> > > Not if you blow away the /modules directory (note that I haven't tried
> > > this).
> > 
> > /me hands Dave a decent C compiler and some C h0h0magic.
> 
> I didn't write "build the kernel without it".
> 
> As I wrote, I hadn't tried it. I take it one cannot remove that tree,
> even after seeing that the kernel doesn't need it? I'm meaning run-time
> here, not build-time.

I believe that what Alex meant is that you can simulate kldload(8)'s
functionality in a little C program of your own.  Even more than that,
kldload(8) itself allows you to specify a full path to a module,
not just a filename, so even if you blow away the /modules directory,
J. Random Luser can still 'kldload /var/tmp/rkit.kld'.

Yes, you can remove /modules; no, that does not gain you any safety.

G'luck,
Peter

-- 
This sentence every third, but it still comprehensible.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908181537.A840>