Date:      Fri, 24 Mar 2000 16:41:46 +0100
From:      Harold Gutch <logix@foobar.franken.de>
To:        "Daniel C. Sobral" <dcs@newsguy.com>, Olaf Hoyer <ohoyer@fbwi.fh-wilhelmshaven.de>
Cc:        security@FreeBSD.ORG
Subject:   Re: New article
Message-ID:  <20000324164146.A18107@foobar.franken.de>
In-Reply-To: <38DB2B63.82552C96@newsguy.com>; from Daniel C. Sobral on Fri, Mar 24, 2000 at 05:46:27PM +0900
References:  <200003231326.IAA24776@blackhelicopters.org> <38DA7A60.B7C23121@newsguy.com> <38DA950C.D4DCE9CC@softweyr.com> <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de> <38DB2B63.82552C96@newsguy.com>

On Fri, Mar 24, 2000 at 05:46:27PM +0900, Daniel C. Sobral wrote:
> Olaf Hoyer wrote:
> > Imagine some attacker exchanging some kernel module against own code, and
> > causing that module to be loaded (say, some driver for access to certain
> > filesystems, or zip drive etc...), or waiting for the module to be loaded
> > (say, for regular, scheduled activities like backups or batch jobs or so)
> 
> So??? If the hacker compromised root, he can just replace the whole
> kernel if he wants. *IF ROOT WAS COMPROMISED, THE GAME IS OVER ALREADY*.
> Really. No, I mean it. There is no such thing as "making things easier"
> once root was compromised. You lost, and any attempt to "make things
> difficult" is an exercise in self-delusion.


I'd say that depends on how paranoid you were when chflag-ing
various files and directories, like /kernel, /boot, /etc/rc.*,
/lkm etc.  Of course that won't buy you anything unless you're
running in secure level 1 or higher.  security(7) is a nice
introduction to this.
I have to agree though that I wouldn't trust a (root-)compromised
machine anymore and would re-install it.  Nevertheless I still
somehow doubt that an attacker could inject arbitrary code into
the kernel on an otherwise correctly configured box, which then
also implies "chflags -R /usr/src/sys schg" for example (and I'm
sure I've forgotten a couple of other things here as well).

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
              Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
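[Editor's added example, not part of Harold's message or of FreeBSD's own tooling.] The combination Harold describes (schg on the boot-critical files plus kern.securelevel >= 1, so that root cannot clear the flag without a reboot) is easy to audit. The script below parses the output of `sysctl kern.securelevel` and `ls -lod <paths>`, reports which of the named paths lack schg, and prints the chflags commands that would close the gap. The flag-column layout of `ls -lo` and the sysctl name are FreeBSD's; the path list is illustrative and the sample output is constructed, not captured from a real host, so the script runs stand-alone anywhere.

```shell
#!/bin/sh
# Added example (not from the original message). Audits the chflags + securelevel
# combination discussed above. Feed it real data on FreeBSD with:
#   sysctl kern.securelevel | ...   and   ls -lod $PROTECTED_PATHS | ...

# Illustrative set of paths to keep immutable (assumption: your list will differ).
PROTECTED_PATHS="/kernel /boot /etc/rc /lkm /usr/src/sys"

# Constructed sample output (not captured from a real host) for stand-alone runs.
SAMPLE_SYSCTL='kern.securelevel: 1'
SAMPLE_LS='-r-xr-xr-x  1 root  wheel  schg        3145728 Mar 20 10:11 /kernel
drwxr-xr-x  5 root  wheel  -               512 Mar 20 10:11 /boot
-rw-r--r--  1 root  wheel  schg,sunlnk    5210 Mar 20 10:11 /etc/rc
drwxr-xr-x  2 root  wheel  -               512 Mar 20 10:11 /lkm'

# securelevel_effective: reads "kern.securelevel: N" on stdin and prints "yes"
# when N >= 1 (root can set schg but can no longer clear it), otherwise "no".
securelevel_effective() {
    awk -F': *' '
        $1 == "kern.securelevel" { v = ($2 >= 1) ? "yes" : "no"; print v; found = 1 }
        END { if (!found) print "no" }'
}

# missing_schg: reads `ls -lod` output on stdin and prints each path whose flag
# column (5th field on FreeBSD, "-" when empty, comma-separated otherwise) has no schg.
missing_schg() {
    awk '$5 !~ /(^|,)schg(,|$)/ { print $NF }'
}

# remediation: same input, prints the chflags command for each unprotected path;
# directories (first mode character "d") get -R, as with /usr/src/sys above.
remediation() {
    awk '$5 !~ /(^|,)schg(,|$)/ {
        printf "chflags %sschg %s\n", (substr($1, 1, 1) == "d" ? "-R " : ""), $NF
    }'
}

# audit SYSCTL_OUTPUT LS_OUTPUT: prints "ok" and returns 0 only if securelevel >= 1
# AND every listed path carries schg; otherwise prints each finding and returns 1.
audit() {
    sl=$(printf '%s\n' "$1" | securelevel_effective)
    missing=$(printf '%s\n' "$2" | missing_schg)
    if [ "$sl" = yes ] && [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    [ "$sl" = yes ] || echo "securelevel below 1: schg is removable by root"
    for p in $missing; do echo "no schg on $p"; done
    return 1
}

# Stand-alone demonstration on the constructed sample.
audit "$SAMPLE_SYSCTL" "$SAMPLE_LS" || printf '%s\n' "$SAMPLE_LS" | remediation
```

Two caveats the script makes visible: a missing schg on any one of these paths (above, /boot and /lkm, where a trojaned module or loader could sit) undoes the protection of the rest, and the securelevel check matters because at level 0 or -1 the flags are merely advisory for root. The remediation commands it prints only raise protection; lowering it again requires dropping to single-user mode, which is the point.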