[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: preventing /dev/kmem and /dev/mem writes?

On Mon, 26 Jul 2004 22:54, campbellm@cia.com.au wrote:
> I have a machine that has been the unfortunate victime of SuckIT
> r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
> of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks X
> and some gdb functions, but does anyone know any other specific problems
> this might have?

Some boot loaders need to access /dev/mem or /dev/kmem for getting BIOS data.  
Once your machine is in a bootable state you should not need /dev/k?mem for 

klogd uses such access, probably for decoding Oops messages (it can probably 
operate fine without it for some loss of functionality).

vmware uses such access (and lots of other invasive access to kernel memory).

Many xdm type programs read kernel memory as a source of randomness.  This is 
bad because kernel memory is not random and it may leak some information from 
the kernel.  xdm in Fedora should be fixed to use /dev/random.

The X server needs such access if it's accessing the hardware directly.  If it 
uses the fbdev then it should not need such access.

The above is taken from the SE Linux policy.  Apart from the programs listed 
above in SE Linux nothing is granted such access.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: