Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
Hi,
David Barroso wrote:
>
> * Marcin Owsiany (porridge@debian.org) wrote:
> > On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> > > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > > > In a server environment, where there is no need to load modules at run-time,
> > > > it could be a "usable workaround", but, in a workstation machine, I don't
> > > > think that's a great idea.
> > >
> > > In a server environment it is preferable not to
> > > compile with modules at all.
> >
> > Why?
>
> One reason is security:
> it's relatively easy for an intruder to install a kernel module based
> rootkit, and then hide her processes, files or connections.
I have an "old" kernel with modules and didn't update it, because of the ptrace bug.
This is the reason why:
www1:~# grep CAP_SYS_MODULE /etc/lids/lids.cap
-16:CAP_SYS_MODULE
www1:~# grep CAP_SYS_PTRACE /etc/lids/lids.cap
-19:CAP_SYS_PTRACE
For fun I tried the exploit; it didn't work, it needs access to /proc.
I gave that user access to /proc and tried it again.
The user got logged out, I got an email.
Regards,
Ralf Dreibrodt
--
Mesos Telefon 49 221 4855798-1
Eupener Str. 150 Fax 49 221 4855798-9
50933 Koeln Mail rd@mesos.de