Re: preventing /dev/kmem and /dev/mem writes?
On Mon, 26 Jul 2004 23:38, firstname.lastname@example.org wrote:
> > > I have a machine that has been the unfortunate victim of SuckIT
> > > r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
> > > of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks
> > > X and some gdb functions, but does anyone know any other specific
> > > problems this might have?
> > Some boot loaders need to access /dev/mem or /dev/kmem for getting BIOS
> > data. Once your machine is in a bootable state you should not need
> > /dev/k?mem for that.
> but isn't that just read-only?
Yes. But if you can read /dev/mem then you can probably find a copy
of /etc/shadow and other useful stuff in there...
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
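
The point made in this thread, that read access to /dev/mem is an exposure as well as write access, can be checked on a host with a short audit. This is an added example, not part of the original message; the function names `exposure` and `audit_nodes` are hypothetical, and it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the thread): report which users besides the
# owner can read or write the kernel memory device nodes.
# Mode bits do not restrain a process that already runs as root.

# exposure MODE: print the group/other access granted by an octal mode
# such as 640, or "owner-only" when group and other have no access.
exposure() {
    case "$1" in
        ''|*[!0-7]*) printf 'invalid-mode\n'; return 1 ;;
    esac
    bits=$(( 0$1 ))      # leading 0: the shell parses the value as octal
    out=""
    # Reads are flagged too: a readable /dev/mem can leak secrets.
    if [ $(( bits & 040 )) -ne 0 ]; then out="$out group-read"; fi
    if [ $(( bits & 020 )) -ne 0 ]; then out="$out group-write"; fi
    if [ $(( bits & 004 )) -ne 0 ]; then out="$out other-read"; fi
    if [ $(( bits & 002 )) -ne 0 ]; then out="$out other-write"; fi
    if [ -z "$out" ]; then out=" owner-only"; fi
    printf '%s\n' "${out# }"
}

# audit_nodes PATH...: print mode, owner and exposure for each path.
audit_nodes() {
    for dev in "$@"; do
        if [ ! -e "$dev" ]; then
            printf '%s: not present\n' "$dev"
            continue
        fi
        mode=$(stat -c '%a' "$dev")
        owner=$(stat -c '%U:%G' "$dev")
        printf '%s: mode %s owner %s -> %s\n' \
            "$dev" "$mode" "$owner" "$(exposure "$mode")"
    done
}

audit_nodes /dev/mem /dev/kmem
```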