Re: 'lock' modules?

From: James Sutherland (jas88@cam.ac.uk)
Date: Wed Jun 07 2000 - 11:04:47 EST


On Wed, 7 Jun 2000, John Alvord wrote:
> On Wed, 7 Jun 2000, James Sutherland wrote:
> > On Wed, 7 Jun 2000, Keith Owens wrote:
> > > On Tue, 6 Jun 2000 21:57:19 -0400 (EDT),
> > > buddy@foobar.resnet.gatech.edu wrote:
> > > >I was wondering if anyone has considered modifying the linux kernel such
> > > >that the modules may be 'locked'.
> > >
> > > Repeatedly. And the answer is always the same - "how can you tell the
> > > difference between a good and a bad root user?". root can build,
> > > change, load and unload modules, whether on this session or on the next
> > > reboot. There is no way to distinguish between an authorised root user
> > > and an "unauthorised" root user, a root by any other name has the same
> > > power.
> >
> > True. Having said that, there may be some use in having a "lock system
> > down" facility: after executing some command, it is no longer possible to
> > [un]load modules. Alternatively, you could also make /lib/modules/`uname
> > -r` immutable, and then just restrict module loading to subdirectories of
> > that?
> >
> > There was one Linux breakin, IIRC, where the attackers used a kernel
> > module to disguise their presence. If it had been impossible to load this
> > kernel module in the first place, life would have been a bit harder for
> > them...
>
> Would it help to build a system without module support?

This would have blocked that aspect of the attack, yes - with hindsight.
However, this isn't always possible; some features, IIRC, are only
available as modules (PPP/SLIP components?).

A better option, IMO, would be a facility to lock the machine down and
block kernel load/unload after the machine has booted. Or, better still,
some way of preventing any changes to /lib/modules/`uname -r`, then
restrict module loading to that directory only.

James.
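An added example (mine, not part of the message above nor of any kernel
code) of the two controls proposed in it, in the shape Linux later gave
them: the one-way kernel.modules_disabled sysctl (2.6.31 onward) is the
"lock the machine down after boot" switch, and chattr +i together with a
path-containment check is the immutable /lib/modules/`uname -r` plus
"load only from that tree" half. The function names and the sample tree
used to exercise them are this example's own; every function takes its
paths as arguments so the logic can be tried on constructed files without
root.

```shell
#!/bin/sh
# Added example, not from the original thread and not kernel code.
# Two controls, matching the proposal in the message:
#  - a one-way lock: kernel.modules_disabled (sysctl, Linux 2.6.31 and later).
#    Once set to 1 it cannot be cleared until reboot, not even by root.
#  - an immutable module tree (chattr +i) plus a containment check so that
#    only files that really live below /lib/modules/`uname -r` get loaded.
# Function names are this example's own; paths are passed in as arguments.

# lock_modules SYSCTL_FILE
#   Throw the one-way switch. On a live host SYSCTL_FILE is
#   /proc/sys/kernel/modules_disabled and writing it needs root.
lock_modules() {
    printf '1\n' > "$1" || return 1
    [ "$(cat "$1")" = "1" ]
}

# modules_locked SYSCTL_FILE
#   Exit 0 if loading is already disabled, 1 otherwise (or if unreadable).
modules_locked() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# module_in_tree CANDIDATE MODDIR
#   Exit 0 only if CANDIDATE is a regular file that, after resolving
#   symlinks and "..", lies strictly below MODDIR. A symlink planted inside
#   the tree that points at /tmp/evil.ko is rejected, and so is a sibling
#   directory whose name merely starts with MODDIR's name.
module_in_tree() {
    moddir=$(readlink -f "$2") || return 1
    resolved=$(readlink -f "$1") || return 1
    [ -f "$resolved" ] || return 1
    case "$resolved" in
        "$moddir"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# lockdown_tree MODDIR
#   Make the module tree immutable at the filesystem level (chattr +i on
#   ext2/3/4, xfs, btrfs). Root has to clear the flag before any file changes.
lockdown_tree() {
    chattr -R +i "$1"
}

# load_module CANDIDATE MODDIR SYSCTL_FILE
#   Policy glue: refuse if the lock is already thrown or the path escapes
#   the tree; otherwise hand the file to insmod.
load_module() {
    if modules_locked "$3"; then
        echo "refused: module loading is locked until reboot" >&2
        return 1
    fi
    if ! module_in_tree "$1" "$2"; then
        echo "refused: $1 is not inside $2" >&2
        return 1
    fi
    insmod "$1"
}

# Typical boot-time sequence on a real host (needs root):
#   lockdown_tree /lib/modules/$(uname -r)
#   ... load whatever boot needs through load_module ...
#   lock_modules /proc/sys/kernel/modules_disabled
```

The containment check canonicalises both sides with readlink -f before
comparing and matches on "$moddir"/ with the trailing slash. Without the
former, a symlink dropped into the tree defeats the check; without the
latter, a sibling directory sharing the prefix of the real one passes as
if it were inside it. The sysctl write is the last step for a reason:
anything still needed after it is thrown cannot be loaded until reboot.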

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:29 EST