Date: Sat, 8 Sep 2001 10:53:08 -0500 From: D J Hawkey Jr <hawkeyd@visi.com> To: Alexander Langer <alex@big.endian.de>, deepak@ai.net, freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908105308.A78138@sheol.localdomain> In-Reply-To: <20010908183728.D840@ringworld.oblivion.bg>; from roam@ringlet.net on Sat, Sep 08, 2001 at 06:37:28PM %2B0300 References: <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.net@ns.sol.net> <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sep 08, at 06:37 PM, Peter Pentchev wrote: > > > Q: Can the kernel be "forced" to load a module from within itself? That > > is, does a cracker need to be in userland? > > Yes, certainly; all kldload(8) does is invoke the kldload(2) syscall, > nothing more, nothing userspace-magical. > All a kernel routine needs to do is either invoke that syscall, or > call the internal kernel functions that kldload(2) calls, like e.g. > linker_find_file_by_name() and linker_load_file() in sys/kern/kern_linker.c Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading altogether, it should be a build-time option, and it should have nothing to over-ride this. Or am I still being too simplistic? I haven't been using KLD- or LKM- aware systems very long (~one year), but so far I've had little use for them (the modules). I get a box, I configure the kernel to it, and that's that. If the box changes, I build a new kernel. At least for the servers I've set up, this works fine. Now, a development or users' box, well... > G'luck, > Peter You too, Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908105308.A78138>