From owner-freebsd-security Sat Sep 8 8:28:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from breg.mc.mpls.visi.com (breg.mc.mpls.visi.com [208.42.156.101]) by hub.freebsd.org (Postfix) with ESMTP id 7DFFB37B401 for ; Sat, 8 Sep 2001 08:28:17 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by breg.mc.mpls.visi.com (Postfix) with ESMTP id A707B2D0487; Sat, 8 Sep 2001 10:28:16 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f88FSGS78022; Sat, 8 Sep 2001 10:28:16 -0500 (CDT) (envelope-from hawkeyd) Date: Sat, 8 Sep 2001 10:28:16 -0500 From: D J Hawkey Jr To: Alexander Langer , deepak@ai.net, freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908102816.B77764@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010908181537.A840@ringworld.oblivion.bg>; from roam@ringlet.net on Sat, Sep 08, 2001 at 06:15:37PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sep 08, at 06:15 PM, Peter Pentchev wrote: > > On Sat, Sep 08, 2001 at 07:44:45AM -0500, D J Hawkey Jr wrote: > > On Sep 08, at 02:32 PM, Alexander Langer wrote: > > > > > > Thus spake D J Hawkey Jr (hawkeyd@visi.com): > > > > > > > > This still lets you load own kernel modules. > > > > > > > > Not if you blow away the /modules directory (note that I haven't tried > > > > this). > > > > > > /me hands Dave a decent C compiler and some C h0h0magic. > > > > I didn't write "build the kernel without it". > > > > As I wrote, I hadn't tried it. I take it one cannot remove that tree, > > even after seeing that the kernel doesn't need it? I'm meaning run-time > > here, not build-time. > > I believe that what Alex meant is that you can simulate kldload(8)'s > functionality in a little C program of your own. Even more than that, > kldload(8) itself allows you to specify a full path to a module, > not just a filename, so even if you blow away the /modules directory, > J. Random Luser can still 'kldload /var/tmp/rkit.kld'. > > Yes, you can remove /modules; no, that does not gain you any safety. Kris addressed this, too, and yes, you're both right. Q: Can the kernel be "forced" to load a module from within itself? That is, does a cracker need to be in userland? > G'luck, > Peter Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message