On Wed, 7 Jun 2000, Keith Owens wrote:
> On Tue, 6 Jun 2000 21:57:19 -0400 (EDT),
> buddy@foobar.resnet.gatech.edu wrote:
> >I was wondering if anyone has considered modifying the linux kernel such
> >that the modules may be 'locked'.
>
> Repeatedly. And the answer is always the same - "how can you tell the
> difference between a good and a bad root user?". root can build,
> change, load and unload modules, whether on this session or on the next
> reboot. There is no way to distinguish between an authorised root user
> and an "unauthorised" root user, a root by any other name has the same
> power.
True. Having said that, there may be some use in having a "lock system
down" facility: after executing some command, it is no longer possible to
[un]load modules. Alternatively, you could also make /lib/modules/`uname
-r` immutable, and then just restrict module loading to subdirectories of
that?
There was one Linux breakin, IIRC, where the attackers used a kernel
module to disguise their presence. If it had been impossible to load this
kernel module in the first place, life would have been a bit harder for
them...
James.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:27 EST