From owner-freebsd-security Fri Mar 24 7:41:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 1607A37B52D for ; Fri, 24 Mar 2000 07:41:34 -0800 (PST) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id QAA18170; Fri, 24 Mar 2000 16:41:46 +0100 (CET)
Message-ID: <20000324164146.A18107@foobar.franken.de>
Date: Fri, 24 Mar 2000 16:41:46 +0100
From: Harold Gutch
To: "Daniel C. Sobral", Olaf Hoyer
Cc: security@FreeBSD.ORG
Subject: Re: New article
References: <200003231326.IAA24776@blackhelicopters.org> <38DA7A60.B7C23121@newsguy.com> <38DA950C.D4DCE9CC@softweyr.com> <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de> <38DB2B63.82552C96@newsguy.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <38DB2B63.82552C96@newsguy.com>; from Daniel C. Sobral on Fri, Mar 24, 2000 at 05:46:27PM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 24, 2000 at 05:46:27PM +0900, Daniel C. Sobral wrote:
> Olaf Hoyer wrote:
> > Imagine some attacker exchanging some kernel module against own code, and
> > causing that module to be loaded (say, some driver for access to certain
> > filesystems, or zip drive etc...), or waiting for the module to be loaded
> > (say, for regular, scheduled activities like backups or batch jobs or so)
>
> So??? If the hacker compromised root, he can just replace the whole
> kernel if he wants. *IF ROOT WAS COMPROMISED, THE GAME IS OVER ALREADY*.
> Really. No, I mean it. There is no such thing as "making things easier"
> once root was compromised. You lost, and any attempt to "make things
> difficult" is an exercise in self-delusion.

I'd say that depends on how paranoid you were when chflag-ing various
files and directories, like /kernel, /boot, /etc/rc.*, /lkm etc.
Of course that won't buy you anything unless you're running in
securelevel 1 or higher. security(7) is a nice introduction to this.

I have to agree though that I wouldn't trust a (root-)compromised
machine anymore and would re-install it. Nevertheless I still somehow
doubt that an attacker could inject arbitrary code into the kernel on
an otherwise correctly configured box, which then also implies
"chflags -R /usr/src/sys schg" for example (and I'm sure I've forgotten
a couple of other things here as well).

bye,
  Harold

--
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
                Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
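An added example, not part of the thread above: a POSIX shell audit that applies Harold's two conditions at once, that the listed files carry the schg flag and that kern.securelevel is at least 1 so the flag actually binds root. It parses a constructed `ls -lo` sample so it runs on any system; the real-host invocation at the bottom assumes the paths Harold names exist.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks schg flags and
# securelevel together, since schg alone is no obstacle at securelevel <= 0.

# Constructed sample of FreeBSD `ls -lo` output; column 5 is the flags field
# and "-" means no flags are set.
SAMPLE_LS='-r--r--r--  1 root  wheel  schg     3145728 Mar 20 12:00 /kernel
-rw-r--r--  1 root  wheel  -           1024 Mar 20 12:00 /etc/rc.conf
-r--r--r--  1 root  wheel  schg,uchg  12345 Mar 20 12:00 /boot/loader
drwxr-xr-x  2 root  wheel  -            512 Mar 20 12:00 /lkm'

# Print each path whose flags field does not include "schg".
missing_schg() {
    printf '%s\n' "$1" | awk '{
        flags = $5; path = $NF
        n = split(flags, f, ",")
        ok = 0
        for (i = 1; i <= n; i++) if (f[i] == "schg") ok = 1
        if (!ok) print path
    }'
}

# At securelevel -1 or 0 root can simply clear schg again; the flag only
# holds from securelevel 1 upward (see security(7) and init(8)).
schg_effective() {
    [ "$1" -ge 1 ]
}

# Combine both checks into a single verdict line.
audit_verdict() {
    ls_output=$1
    securelevel=$2
    unprotected=$(missing_schg "$ls_output" | tr '\n' ' ')
    if ! schg_effective "$securelevel"; then
        echo "WEAK: securelevel=$securelevel, schg does not bind root; unprotected: ${unprotected:-none}"
    elif [ -n "$unprotected" ]; then
        echo "PARTIAL: securelevel=$securelevel; unprotected: $unprotected"
    else
        echo "OK: securelevel=$securelevel and every listed file is schg"
    fi
}

# Real-host usage (assumption: these paths exist on the box being audited):
#   audit_verdict "$(ls -lod /kernel /boot/loader /etc/rc.* /lkm)" \
#                 "$(sysctl -n kern.securelevel)"
```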