From owner-freebsd-security Wed Oct 10 2:42:49 2001
Message-Id: <200110100943.f9A9hSK00843@Magelan.Leidinger.net>
Date: Wed, 10 Oct 2001 11:43:27 +0200 (CEST)
From: Alexander Leidinger
Subject: Re: Kernel-loadable Root Kits
To: cjclark@alum.mit.edu
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
In-Reply-To: <20011004023034.U8391@blossom.cjclark.org>

> I went in and made a very simple kernel-build option which disables
> the use of kldload(2) (and kldunload(2)) at all times. This is not as
> good as raising securelevel(8) since root can still write to
> /dev/mem. However, a lot of people in this thread still seem to want
> this ability. Since you can still write to /dev/mem, it only raises
> the bar a bit for an attacker. But it does raise the bar enough to
> possibly foil a skr1pt k1ddi3 or two.

If my memory serves me right, there was an effort on -audit in the last months to remove the need for /dev/mem. If this work is finished, the NO_KLD patch would be more useful.

If you commit this, you wouldn't only raise the bar a bit for an attacker; it would also harden the system once /dev/mem isn't needed anymore (maybe before 5.0-RELEASE, maybe not).

Bye,
Alexander.

--
...and that is how we know the Earth to be banana-shaped.

http://www.Leidinger.net                 Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
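As an added example (not part of the thread), a POSIX shell audit of the two controls the messages above weigh against each other: the securelevel setting that blocks both kldload(2) and writes to /dev/mem, and the list of loaded kernel modules. The rc.conf(5) knobs kern_securelevel_enable and kern_securelevel and the kldstat(8) column layout are real; the sample kldstat output and its module names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the controls discussed
# above: securelevel(8), which at level >= 1 blocks kldload(2)/kldunload(2)
# and writes to /dev/mem, and the loaded-module list from kldstat(8).
#
# rc.conf(5) settings (real knobs), default versus hardened:
#   default:   kern_securelevel_enable="NO"
#   hardened:  kern_securelevel_enable="YES"
#              kern_securelevel="1"

# securelevel_ok LEVEL: succeed if LEVEL is at least 1.
securelevel_ok() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# unexpected_klds "BASELINE": read kldstat(8) output on stdin (columns
# Id Refs Address Size Name) and print every module name not found in
# the whitespace-separated BASELINE. Prints nothing when all match.
unexpected_klds() {
    baseline=" $1 "
    awk 'NR > 1 { print $NF }' | while read -r name; do
        case "$baseline" in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# audit_host "BASELINE": run both checks against the live system.
# Returns 0 only if securelevel >= 1 and no unexpected modules are loaded.
audit_host() {
    level=$(sysctl -n kern.securelevel 2>/dev/null || echo -1)
    extra=$(kldstat 2>/dev/null | unexpected_klds "$1")
    rc=0
    securelevel_ok "$level" || { echo "securelevel is $level (< 1)"; rc=1; }
    [ -z "$extra" ] || { echo "unexpected modules:"; echo "$extra"; rc=1; }
    return $rc
}

# Constructed kldstat(8) output for a stand-alone demonstration; the
# module names are made up and not taken from any real incident.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    4 0xc0400000 355ae8   kernel
 2    1 0xc0756000 2c1c     linprocfs.ko
 3    1 0xc4a1d000 3000     unknown.ko'

# demo: compare the constructed listing against a two-module baseline.
demo() {
    printf '%s\n' "$SAMPLE_KLDSTAT" | unexpected_klds "kernel linprocfs.ko"
}
```

On a FreeBSD host, `audit_host "kernel linprocfs.ko"` (with your own baseline) performs the live check; `demo` exercises the module comparison offline.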