From: Giorgos Keramidas
To: Alexander Langer
Cc: D J Hawkey Jr, deepak@ai.net, freebsd-security@freebsd.org
Subject: Re: Kernel-loadable Root Kits
Date: Sun, 9 Sep 2001 00:30:11 +0300
Message-ID: <20010909003011.B6949@hades.hell.gr>
In-Reply-To: <20010908203935.B54535@fump.kawo2.rwth-aachen.de>

From: Alexander Langer
Subject: Re: Kernel-loadable Root Kits
Date: Sat, Sep 08, 2001 at 08:39:35PM +0200

> Thus spake D J Hawkey Jr (hawkeyd@visi.com):
>
> > Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> > altogether, it should be a build-time option, and it should have nothing
> > to over-ride this.
> > Or am I still being too simplistic? I haven't been using KLD- or LKM-
>
> You'd have to remove the whole kld code then, including all
> linker_file stuff.
>
> And, given that, you can still use /dev/mem to manipulate the kernel.

Simple fix to all this is: sysctl kern.securelevel=1. The manpage (and the
code of both the kldload() syscall and linker_load_file()) explains it
clearly:

% man 8 init
  1  Secure mode - the system immutable and system append-only flags may
     not be turned off; disks for mounted filesystems, /dev/mem, and
     /dev/kmem may not be opened for writing; kernel modules (see kld(4))
     may not be loaded or unloaded.

So, on securelevels >= 1, neither can modules be loaded, nor can /dev/mem
and /dev/kmem be tampered with.

Guys, this has a simple and elegant solution. Raise your securelevel, if
you are worried so much. You don't have to do some special kernel-hacker
magic.

-giorgos
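As an added example, not part of the original message and not FreeBSD's own tooling: a small POSIX sh audit helper that checks whether the running securelevel is high enough to refuse kld load/unload and writes to /dev/mem and /dev/kmem (level >= 1, per the init(8) text quoted above), and prints the rc.conf(5) lines that make the setting persist across reboots. The `kern_securelevel_enable` and `kern_securelevel` knobs are FreeBSD's real rc.conf variables; the function names and the `SAMPLE_SECURELEVEL` fallback (a constructed value used only where the sysctl does not exist, so the script also runs on a non-FreeBSD host) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original message): audit kern.securelevel
# against the protections described in init(8).

# Return 0 when the given securelevel blocks kld load/unload and writes to
# /dev/mem and /dev/kmem (securelevel >= 1), 1 when it does not, and 2 when
# the argument is not an integer.
securelevel_blocks_kld() {
    level=$1
    case $level in
        ''|*[!0-9-]*) return 2 ;;   # not an integer: unknown
    esac
    [ "$level" -ge 1 ]
}

# Read the live value; where the sysctl does not exist (non-FreeBSD host)
# fall back to a CONSTRUCTED sample so the script still runs for the demo.
current_securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || echo "${SAMPLE_SECURELEVEL:-0}"
}

# rc.conf(5) lines that raise the securelevel at every boot.  Setting it
# early matters: the kernel only refuses module loads once the level is
# already >= 1, and a raised level cannot be lowered again without a reboot.
rc_conf_lines() {
    printf 'kern_securelevel_enable="YES"\nkern_securelevel="%s"\n' "$1"
}

# Report the state and, if needed, the commands to fix it.  Exit status 0
# means the protections are in force.
audit_securelevel() {
    level=$(current_securelevel)
    if securelevel_blocks_kld "$level"; then
        echo "kern.securelevel=$level: kld loading and /dev/mem, /dev/kmem writes are refused"
        return 0
    fi
    echo "kern.securelevel=$level: kernel modules can still be loaded; raise it now with:"
    echo "  sysctl kern.securelevel=1"
    echo "and persist it in /etc/rc.conf with:"
    rc_conf_lines 1 | sed 's/^/  /'
    return 1
}

# Exit status is informational when run as a script; ignore it here so the
# file can also be sourced without aborting under set -e.
audit_securelevel || :
```

Run it as root on the host being audited; a non-zero status from `audit_securelevel` means the box is still at securelevel 0 or below and the advice in the message has not been applied.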