Re: preventing /dev/kmem and /dev/mem writes?

To: campbellm@cia.com.au
Cc: debian-security@lists.debian.org
Subject: Re: preventing /dev/kmem and /dev/mem writes?
From: Russell Coker <russell@coker.com.au>
Date: Tue, 27 Jul 2004 00:25:00 +1000
Message-id: <[🔎] 200407270025.00417.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] 20040726133833.GZ20829@cia.net.au>
References: <[🔎] 20040726125452.GY20829@cia.net.au> <[🔎] 200407262327.32091.russell@coker.com.au> <[🔎] 20040726133833.GZ20829@cia.net.au>

On Mon, 26 Jul 2004 23:38, campbellm@cia.com.au wrote:
> > > I have a machine that has been the unfortunate victime of SuckIT
> > > r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
> > > of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks
> > > X and some gdb functions, but does anyone know any other specific
> > > problems this might have?
> >
> > Some boot loaders need to access /dev/mem or /dev/kmem for getting BIOS
> > data. Once your machine is in a bootable state you should not need
> > /dev/k?mem for that.
>
> but isn't that just read-only?

Yes.  But if you can read /dev/mem then you can probably find a copy 
of /etc/shadow and other useful stuff in there...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

References:
- preventing /dev/kmem and /dev/mem writes?
  - From: campbellm@cia.com.au
- Re: preventing /dev/kmem and /dev/mem writes?
  - From: Russell Coker <russell@coker.com.au>
- Re: preventing /dev/kmem and /dev/mem writes?
  - From: campbellm@cia.com.au

Prev by Date: Re: preventing /dev/kmem and /dev/mem writes?
Next by Date: Re: preventing /dev/kmem and /dev/mem writes?
Previous by thread: Re: preventing /dev/kmem and /dev/mem writes?
Next by thread: Re: preventing /dev/kmem and /dev/mem writes?
Index(es):
- Date
- Thread