Date: Thu, 15 Nov 2001 09:39:22 +0100
From: Erik Trulsson <ertr1013@student.uu.se>
To: Stefan Probst <stefan.probst@opticom.v-nam.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Spoofing file information?
Message-ID: <20011115093922.A99781@student.uu.se>
In-Reply-To: <5.1.0.14.2.20011115143223.04264050@MailServer>
References: <5.1.0.14.2.20011115143223.04264050@MailServer>

On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
>
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?

It shouldn't be too difficult to modify ls(1) to show wrong data for some
specific files. Changing the kernel to give wrong data for some files would
be more difficult, and require a reboot to use the modified kernel, but it
is not impossible.
File modification dates are trivially changed with touch(1) so those should
never be trusted.

>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust, that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?

No. Those files might well be identical, but there is nothing that says
that an intruder didn't change both of them.
If an intruder has gained root access on a machine then you can't trust
*anything* on that machine.

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
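
Added example, not part of the original message: a shell sketch of why matching size and date in "ls -l" output is not evidence that two files are identical, and how a content hash tells them apart. The file names, contents and helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; the file names and contents below are constructed.

# SHA-256 of a file, using whichever tool exists (sha256sum on Linux,
# sha256 on FreeBSD, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True if two files look alike in "ls -l": same size and same mtime.
same_ls_metadata() {
    [ "$(wc -c < "$1" | tr -d ' ')" = "$(wc -c < "$2" | tr -d ' ')" ] &&
        ! [ "$1" -nt "$2" ] && ! [ "$1" -ot "$2" ]
}

# True only if the contents hash to the same value.
same_content() {
    [ "$(file_sha256 "$1")" = "$(file_sha256 "$2")" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    # Two constructed files: equal length, different bytes.
    printf 'original kernel image\n' > "$dir/kernel.GENERIC"
    printf 'modified kernel image\n' > "$dir/kernel"
    # Backdate one file, then copy its timestamps onto the other.
    touch -t 200011200000 "$dir/kernel.GENERIC"
    touch -r "$dir/kernel.GENERIC" "$dir/kernel"
    ls -l "$dir"
    meta=differ; content=differ
    same_ls_metadata "$dir/kernel" "$dir/kernel.GENERIC" && meta=same
    same_content "$dir/kernel" "$dir/kernel.GENERIC" && content=same
    rm -rf "$dir"
    echo "metadata=$meta content=$content"
}

demo
```

The hash comparison is only meaningful when the hashing tool and the reference hash come from outside the suspect machine, for the reason the reply gives about root access.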