Re: preventing /dev/kmem and /dev/mem writes?

On Mon, 26 Jul 2004 23:38, campbellm@cia.com.au wrote:
> > > I have a machine that has been the unfortunate victim of SuckIT
> > > r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
> > > of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks
> > > X and some gdb functions, but does anyone know any other specific
> > > problems this might have?
> >
> > Some boot loaders need to access /dev/mem or /dev/kmem for getting BIOS
> > data. Once your machine is in a bootable state you should not need
> > /dev/k?mem for that.
> but isn't that just read-only?

Yes.  But if you can read /dev/mem then you can probably find a copy 
of /etc/shadow and other useful stuff in there...

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page