Date: Sat, 8 Sep 2001 16:44:27 +0100 (BST)
From: freebsd-security@rikrose.net
To: D J Hawkey Jr <hawkeyd@visi.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <Pine.LNX.4.21.0109081628070.5270-100000@pkl.net>
In-Reply-To: <20010908102211.A77764@sheol.localdomain>
On Sat, 8 Sep 2001, D J Hawkey Jr wrote:

> You lost me with the last bit; a lock to determine or do what, prevent
> userland 'kldload's? This would seem to be a Good Thing(tm), but how do
> [snippage]
> requirements, too, else it may load a trojan in the course of uptime.
> Either that, or build 'em into the kernel.

I came from the Linux world not so long ago, and I used to use the LIDS kernel patch (www.lids.org). They seemed to have solved the problem under Linux (or, at least, something similar...).

Amongst the particularly cunning things it provided was a way of stopping modules from being loaded, unless you were authenticated to the system. This was done with another password hash (a doubly hashed RIPE-MD160, iirc). Once you had authenticated, you could then claim back certain privileges, such as the ability to change the clock, the routing table, the firewall rules, or to insert modules into the kernel. These abilities were bestowed upon the login shell you ran the command-line tool from, and all of its descendants, until either you used the tool to close the session (it was termed a LIDS Free Session), or you shut the shell down. At the time I used it, it was not possible to change the capability set of programs that were already running. If you started a program in a LIDS Free Session, then whatever capabilities it had when you started it stayed with it.

Another nice feature was that you could protect certain files (or the contents of a whole directory) from being changed. A sort of noschg. The twist was that you could also instruct the kernel not to run any programs that were unprotected. Again, one of the capabilities that you could get in a LIDS Free Session was the ability to change/overwrite the protected files and the protected files list. This would be handy for, say, installing a new kernel (something I actually don't know how to do on a remote machine not running in runlevel -1 or 0. Good job all my machines are local right now. Can someone tell me how in a message not to the list, please?).

It was a great tool, but a bit of a PITA to set up. That's just due to lack of development, and more trying to achieve functionality, and.. uh.. not writing documentation <attempts to whistle innocently> :)

rik
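As an added illustration, not code from the original message, from LIDS, or from FreeBSD, the Python below models the semantics rik describes: a password-gated "LIDS Free Session", capabilities bestowed on the shell that ran the tool and inherited by the programs it starts afterwards but never retrofitted onto programs already running, a protected-files list that acts like a kernel-enforced schg, and a kernel that refuses to run anything not on that list. The CAP_* names are the Linux capability names assumed to correspond to the privileges he lists, and PBKDF2-SHA256 stands in for the doubly hashed RIPE-MD160 he mentions; both are assumptions, as are all the path and password values, which are constructed for the example.

```python
"""Toy model of the LIDS-style controls described in the message.

Constructed example, not LIDS code: capabilities travel with a process,
fork() copies them, a free session changes only the invoking shell, and
the kernel refuses module loads, protected-file writes and execs of
unprotected programs unless the caller holds the right capability.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Linux capability names assumed for the privileges the message lists.
CAP_SYS_TIME = "CAP_SYS_TIME"                # change the clock
CAP_NET_ADMIN = "CAP_NET_ADMIN"              # routing table, firewall rules
CAP_SYS_MODULE = "CAP_SYS_MODULE"            # insert kernel modules
CAP_LINUX_IMMUTABLE = "CAP_LINUX_IMMUTABLE"  # alter protected files / the list
SESSION_CAPS = frozenset({CAP_SYS_TIME, CAP_NET_ADMIN,
                          CAP_SYS_MODULE, CAP_LINUX_IMMUTABLE})


class PolicyError(PermissionError):
    """Raised when the modelled kernel refuses an operation."""


@dataclass
class Process:
    pid: int
    caps: frozenset = frozenset()   # copied at fork, fixed for a running program


@dataclass
class Kernel:
    verifier: bytes                     # salted hash of the LIDS password
    salt: bytes
    protected: set = field(default_factory=set)   # protected-files list
    exec_only_protected: bool = True    # refuse to run unprotected programs
    modules: list = field(default_factory=list)
    next_pid: int = 1

    @staticmethod
    def make_verifier(password: bytes, salt: bytes) -> bytes:
        # PBKDF2-SHA256 substituted (assumption) for the doubly hashed
        # RIPE-MD160 the message attributes to LIDS.
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    def fork(self, parent: Process) -> Process:
        self.next_pid += 1
        return Process(self.next_pid, parent.caps)

    def open_free_session(self, shell: Process, password: bytes) -> None:
        # Only the shell that ran the tool gains the capabilities; children it
        # forks afterwards inherit them, children forked earlier do not.
        candidate = self.make_verifier(password, self.salt)
        if not hmac.compare_digest(candidate, self.verifier):
            raise PolicyError("LIDS authentication failed")
        shell.caps = shell.caps | SESSION_CAPS

    def close_free_session(self, shell: Process) -> None:
        shell.caps = shell.caps - SESSION_CAPS   # descendants keep their copy

    def require(self, proc: Process, cap: str) -> None:
        if cap not in proc.caps:
            raise PolicyError(f"pid {proc.pid} lacks {cap}")

    def load_module(self, proc: Process, name: str) -> None:
        self.require(proc, CAP_SYS_MODULE)
        self.modules.append(name)

    def write_file(self, proc: Process, path: str) -> bool:
        if path in self.protected:              # the kernel-enforced "schg"
            self.require(proc, CAP_LINUX_IMMUTABLE)
        return True

    def execve(self, proc: Process, path: str) -> bool:
        if self.exec_only_protected and path not in self.protected:
            raise PolicyError(f"{path} is not on the protected list")
        return True


def denied(action) -> bool:
    """True if the modelled kernel refused the operation."""
    try:
        action()
    except PolicyError:
        return True
    return False


def scenario() -> dict:
    """Walk through one free session and record what was refused."""
    salt = b"constructed-salt"
    k = Kernel(Kernel.make_verifier(b"correct horse", salt), salt,
               protected={"/sbin/init", "/bin/sh", "/sbin/insmod"})
    shell = Process(pid=1)
    out = {}
    out["wrong_password"] = denied(lambda: k.open_free_session(shell, b"guess"))
    out["module_before_session"] = denied(lambda: k.load_module(shell, "untrusted.o"))
    early = k.fork(shell)                       # started before the session
    k.open_free_session(shell, b"correct horse")
    late = k.fork(shell)                        # started during the session
    out["module_in_session"] = denied(lambda: k.load_module(shell, "e1000.o"))
    out["early_child"] = denied(lambda: k.load_module(early, "a.o"))
    out["late_child"] = denied(lambda: k.load_module(late, "b.o"))
    out["write_protected_in_session"] = denied(lambda: k.write_file(shell, "/bin/sh"))
    k.close_free_session(shell)
    out["module_after_session"] = denied(lambda: k.load_module(shell, "c.o"))
    out["late_child_after"] = denied(lambda: k.load_module(late, "d.o"))
    out["write_protected_after"] = denied(lambda: k.write_file(shell, "/bin/sh"))
    out["exec_unprotected"] = denied(lambda: k.execve(shell, "/tmp/dropped"))
    out["exec_protected"] = denied(lambda: k.execve(shell, "/bin/sh"))
    out["loaded"] = list(k.modules)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:28} {value}")
```

The point the model makes visible is the one rik flags as a limitation: a program started inside the session keeps CAP_SYS_MODULE after the session is closed (`late_child_after` is not refused), while a program started before the session never gains it. A defender auditing such a setup therefore has to account for every long-running process spawned from a free session, not just for the shell itself.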
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.21.0109081628070.5270-100000>