Date: Fri, 24 Mar 2000 16:41:46 +0100 From: Harold Gutch <logix@foobar.franken.de> To: "Daniel C. Sobral" <dcs@newsguy.com>, Olaf Hoyer <ohoyer@fbwi.fh-wilhelmshaven.de> Cc: security@FreeBSD.ORG Subject: Re: New article Message-ID: <20000324164146.A18107@foobar.franken.de> In-Reply-To: <38DB2B63.82552C96@newsguy.com>; from Daniel C. Sobral on Fri, Mar 24, 2000 at 05:46:27PM %2B0900 References: <200003231326.IAA24776@blackhelicopters.org> <38DA7A60.B7C23121@newsguy.com> <38DA950C.D4DCE9CC@softweyr.com> <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de> <38DB2B63.82552C96@newsguy.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Mar 24, 2000 at 05:46:27PM +0900, Daniel C. Sobral wrote: > Olaf Hoyer wrote: > > Imagine some attacker exchanging some kernel module against own code, and > > causing that module to be loaded (say, some driver for access to certain > > filesystems, or zip drive etc...), or waiting for the module to be loaded > > (say, for regular, scheduled activities like backups or batch jobs or so) > > So??? If the hacker compromised root, he can just replace the whole > kernel if he wants. *IF ROOT WAS COMPROMISED, THE GAME IS OVER ALREADY*. > Really. No, I mean it. There is no such thing as "making things easier" > once root was compromised. You lost, and any attempt to "make things > difficult" is an exercise in self-delusion. I'd say that depends on how paranoid you were when chflag-ing various files and directories, like /kernel, /boot, /etc/rc.*, /lkm etc.. Of course that won't buy you anything unless you're running in secure level 1 or higher. security(7) is a nice introduction to this. I have to agree though that I wouldn't trust a (root-)compromised machine anymore and would re-install it. Nevertheless I still somehow doubt that an attacker could inject arbitrary code into the kernel on an otherwise correctly configured box, which then also implies "chflags -R /usr/src/sys schg" for example (and I'm sure I've forgotten a couple of other things here as well). bye, Harold -- Someone should do a study to find out how many human life spans have been lost waiting for NT to reboot. Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000324164146.A18107>