
Re: Root is God? (was: Mutt & tmp files)



Hi,

Mathias Gygax wrote:
> 
> On Fre, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
> 
> > No, you can't. No matter how you cut it, root can install a new
> > kernel, sans LIDS and write to his/her home dir.
> 
> how? replace /boot? this is DENY in my setup. access lilo.conf or the lilo
> binary? DENY. how do you wanna replace system binaries when LIDS is
> activated and the memory and any critical file/dir is protected?

you have just another definition of root.
you mean the user with the id 0. this user is really not able to do
this.
but root by my definition can hit the reset-button, put in a cdrom
and boot from the cdrom.

> > Sure you may have /boot mounted read-only, but that is a
> > simple remount,
> 
> no, it's not. it's not mounted, it's DENIed by the kernel. every access
> on this directory is blocked by the kernel, before anything further
> happens.
> 
> remount or mount is blocked, IIRC, by CAP_SYS_ADMIN. with an activated LIDS,
> you can't mount or umount anything. even as root. everything is blocked.

as long as you booted the "normal" way.

> use crypto filesystems to secure storage.

btw: is there anything similar to the international kernel patch for
linux 2.4.x?

> of course it's root. who else should it be?

you can simply change the user id of the user root instead, that's
easier ;-)

bye
Ralf
