From owner-freebsd-current Wed Nov 5 18:21:53 1997
Return-Path:
Received: (from root@localhost)
        by hub.freebsd.org (8.8.7/8.8.7) id SAA00828
        for current-outgoing; Wed, 5 Nov 1997 18:21:53 -0800 (PST)
        (envelope-from owner-freebsd-current)
Received: from usr03.primenet.com (tlambert@usr03.primenet.com [206.165.6.203])
        by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id SAA00822
        for ; Wed, 5 Nov 1997 18:21:40 -0800 (PST)
        (envelope-from tlambert@usr03.primenet.com)
Received: (from tlambert@localhost)
        by usr03.primenet.com (8.8.5/8.8.5) id TAA13397;
        Wed, 5 Nov 1997 19:21:27 -0700 (MST)
From: Terry Lambert
Message-Id: <199711060221.TAA13397@usr03.primenet.com>
Subject: Re: [Fwd: Malicious Linux modules - be worried !]
To: Matthew.Thyer@dsto.defence.gov.au (Matthew Thyer)
Date: Thu, 6 Nov 1997 02:21:25 +0000 (GMT)
Cc: freebsd-current@FreeBSD.ORG
In-Reply-To: <34611335.8601A3B@dsto.defence.gov.au> from "Matthew Thyer" at Nov 6, 97 11:15:41 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I assume FreeBSD LKMs could do this kind of thing too.

Yes, unless you run at secure level 2, which does not allow module
loading.

You can also do this on older SVR3/4 systems with device driver
loading and no system call or other module type loading. There is
nothing that prevents patching the system call table from any
loadable module.

In fact, technically, you can write /dev/kmem to get this same
functionality, even if you have no module loader mechanism at all,
so your implied feeling of security from not having one is false.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.