On Fri, 2007-09-07 at 01:21 +0200, Trond Myklebust wrote:
quoted text
> On Thu, 2007-09-06 at 11:11 -0400, J. Bruce Fields wrote:
> > On Thu, Sep 06, 2007 at 01:59:50PM +0530, Satyam Sharma wrote:
> > > Oh and btw, note that we're talking of the (lack of) security of a
> > > "running kernel" here -- because across reboots, there is /really/
> > > *absolutely* no such thing as "kernelspace security" because the superuser
> > > will simply switch the vmlinuz itself ...
> > 
> > Well, the machine could be booting from cdrom, and could live in a
> > locked machine room.  Or people with root on a virtual host don't
> > necessarily have the ability to replace the kernel for that host.
> 
> mount -t tmpfs none /my_tmpfs
> cd /my_tmpfs
> cp -a /bin bin
> cp -p my_keylogging_pam_module.so lib
> pivot_root . /old-root

Sorry. Of course, you have to copy the entire /lib, etc. onto the tmpfs,
but you get the gist....

The point is that it is easy to subvert userspace if you have enough
privileges. In the above example it may not be entirely undetectable,
but who here is running a script on every login to check that / is
indeed uncompromised?

Trond

-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/