Date:      Sun, 09 Jul 2000 22:52:26 +0900
From:      "Daniel C. Sobral" <dcs@newsguy.com>
To:        Adam <bsdx@looksharp.net>
Cc:        Alfred Perlstein <bright@wintelcom.net>, arch@FreeBSD.ORG
Subject:   Re: making the snoop device loadable.
Message-ID:  <3968839A.2A70D91F@newsguy.com>
References:  <Pine.BSF.4.21.0007090912080.407-100000@turtle.looksharp.net>

Adam wrote:
> 
> There are a lot of people who have root that couldn't craft such a kernel
> module if they wanted to, and even if they could, I'd venture to say
> they'd need a whole bunch of motivation and a considerable amount of
> time.  I cannot tell from the init manpage which securelevel is needed to
> prevent loading kernel modules but I'm pretty sure it would make things a
> pain in the butt for admins trying to do Real Work remotely such as
> upgrading the kernel.  I think it would be nice to prevent easy snooping
> without making life hard for the admin.  The kernel has all the power over
> the computer, I don't think this is an issue that should require
> engineering to prevent, I would like my kernel to just say NO.  If I have
> to hack it so the snoop module wouldn't work if loaded or something, that's
> a pain for me since I couldn't code hello world from a blank editor if I
> wanted to.  If I had to tell someone else they had to hack the kernel to
> prevent this or have the kernel get a lot more anal in general about
> permissions, I don't think it would go over well, especially to someone
> less experienced than me.

This argument is completely flawed. Hackers use tools, which are
available elsewhere. One of the best guides to kld programming is a
guide to hacking FreeBSD. It's pretty simple: if there isn't an easier
way of doing it, hackers will have a snooping kld available. All this
stuff is done automatically, and the hacker need not know the first thing
about Unix (if you want proof, go check the recent series on hacking
that ran on both Slashdot and Daily DaemonNews).

You gain nothing by not having such a module coming by default. Nothing.

And I should remind you... if a hacker is able to load a module, he has
gained root already. I guarantee you that any hacker who has gained root
already, unless your security is laughable, has access to the resources
that provide such nifty modules/{ls,netstat,inet,etc}
replacements/rooting tools.

I'll say it again: DO NOT DEPEND ON SNOOP NOT BEING A LOADABLE MODULE.
It is *POSSIBLE*, so you can pretty much rest assured that the hackers
either have that, or something easier.

-- 
Daniel C. Sobral			(8-DCS)
dcs@newsguy.com
dcs@freebsd.org
capo@the.great.underground.bsdconpiracy.org

		<jkh> _DES: The Book of Bruce has only one sentence in it, and it says
"the actual directives of my cult are left as an exercise for the
reader. Good luck."
		<EE> jkh: does it really include the 'good luck' part?
		<jkh> EE: OK, I made that part up.
		<jkh> EE: I figured it should sound a bit more cheery than how Bruce
initially dictated it to me.
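The two practical questions behind this exchange, which kern.securelevel stops kld loading, and whether a snoop-style module is already sitting in the running kernel, can be answered from the defender's side with a small audit script. The following is an added example, not code from this thread or from FreeBSD itself. It encodes the init(8) rule that securelevel 1 or higher refuses kernel module loads and unloads, assumes the snoop driver ships as a module named snp.ko, and parses a constructed kldstat(8) listing in the usual five-column layout; on a non-FreeBSD host the live sysctl read falls back to a sample value.

```shell
#!/bin/sh
# Added example (not from the thread): audit FreeBSD securelevel and loaded klds.
# Rule from init(8): at kern.securelevel 1 or higher, kernel modules may not be
# loaded or unloaded. Below 1 (0 or -1) root can kldload anything.

# kld_load_allowed LEVEL -> exit 0 if loading is still possible, 1 if blocked,
# 2 on a value that is not a securelevel.
kld_load_allowed() {
    case "$1" in
        -1|0)              return 0 ;;   # permanently insecure / insecure
        [1-9]|[1-9][0-9]*) return 1 ;;   # secure, highly secure, network secure
        *) echo "kld_load_allowed: bad securelevel '$1'" >&2; return 2 ;;
    esac
}

# describe_securelevel LEVEL -> one-line summary on stdout
describe_securelevel() {
    if kld_load_allowed "$1"; then
        echo "securelevel $1: module loading allowed; root can still add a snoop-style kld"
    else
        echo "securelevel $1: module load/unload refused; only modules loaded before the level was raised remain"
    fi
}

# loaded_kld_names < KLDSTAT_OUTPUT -> module names, one per line, kernel itself excluded
loaded_kld_names() {
    awk 'NR > 1 && $5 != "kernel" { print $5 }'
}

# kld_is_loaded NAME < KLDSTAT_OUTPUT -> exit 0 if NAME appears in the listing
kld_is_loaded() {
    loaded_kld_names | grep -qx "$1"
}

# Constructed kldstat(8) output used as sample input (addresses and sizes are made up).
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 1f0f7f0  kernel
 2    1 0xffffffff82110000 3a48     snp.ko
 3    1 0xffffffff82114000 12c40    if_em.ko'

# Live value on FreeBSD; fall back to 0 elsewhere so the script still runs.
current_level=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
describe_securelevel "$current_level"

# Live listing on FreeBSD; fall back to the constructed sample elsewhere.
listing=$(kldstat 2>/dev/null || printf '%s\n' "$SAMPLE_KLDSTAT")
if printf '%s\n' "$listing" | kld_is_loaded snp.ko; then
    echo "snp.ko is loaded (assumed module name for the snoop driver)"
else
    echo "snp.ko is not loaded"
fi
```

Raising securelevel only closes the door after the fact: the script can tell you whether further loads are refused and what was loaded before, which is exactly why it does not contradict the point above that a loadable snoop module adds nothing an attacker with root did not already have.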


