At 21:05 Uhr -0300 3.10.2001, Peter Cordes wrote:
Yep, you can load modules, and you can run mknod(2) to make your own /dev/hda, among other things. These are blockable by removing capabilities, though. (At least, the modules attack is.)
I think another one is creating a [k]mem device (haven't tried it). Afaik, LIDS people had to introduce/implement a new capability to block direct memory access, which implies that on a normal kernel you can't prevent root from escaping chroot.
Obscurity is not useless. It is no good as your only defence, but combined with solid security, obscurity makes an attackers job harder and more time consuming. If nothing else, it may well give you more time to see stuff going on in the logs before the attacker breaks into anything where they can do damage.
I guess it really depends on whether obscurity is used in a standard install (-> exploits are spread), or only in one particular install (that doesn't allow the use of some standard procedure).
Christian.