--On January 16, 2009 7:29:13 PM +0100 Johannes Wiedersich <johannes@physik.blm.tu-muenchen.de> wrote:
>> Boyd Stephen Smith Jr. wrote:
>> What about hardlinking the suid-root binaries to a hidden location, waiting for a security hole to be found/fixed, and then running the old binary to exploit the hole?

This is why compromised systems can't be trusted ever again. That said, there are utilities and methods for finding rogue SUID binaries. Tripwire comes to mind; there are many others too.

> IIRC, a hard link is the same file called two different names. If dpkg/apt change the file in one location (security update), the other one will be changed as well [1]...

That only holds true of edit-in-place, something that most packaging systems do not do, the reason being that with the way modern systems/kernels execute code, this would modify running code (they generally mmap the code, read-only, into the process's address space). FreeBSD at least, IIRC, prevents this (Text File Busy/Text File In Use error). However, you can't create a hard link on a file you don't own, you can't do it across drives, and I don't think your hardlinked copy retains SUID bits.... The last bit I could be wrong on though.

> You'd have to *copy* the hard linked file, but that would still not allow you to copy it back later or to retain its suid properties. Am I missing something?
>
> Johannes
>
> [1] http://en.wikipedia.org/wiki/Hard_link
-- "Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler
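The inode behaviour argued about above, as an added shell example that is not from the thread or any of its participants: it replaces a file the way dpkg does (unpack to a temporary name, then rename over the old path) and shows that an earlier hard link keeps the old inode, its old contents and its old setuid bit, then runs the baseline-diff style check that a file-integrity tool would do. It assumes only a POSIX shell with ls, find and awk, and uses a constructed script in a temp directory as a stand-in for a setuid binary.

```shell
#!/bin/sh
# Added example, not from the thread. Runs unprivileged in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

inode_of()       { ls -i "$1" | awk '{print $1}'; }
mode_of()        { ls -l "$1" | cut -c1-10; }          # e.g. -rwsr-xr-x
suid_inventory() { find "$1" -type f -perm -4000 | sort; }

# Constructed stand-in for an installed setuid program (a script here).
printf '#!/bin/sh\necho old-version\n' > "$WORK/prog"
chmod 4755 "$WORK/prog"
BASELINE=$(suid_inventory "$WORK")     # what an integrity baseline records

# A second name for the same inode is made before the fix ships.
ln "$WORK/prog" "$WORK/.hidden"
LINKS_BEFORE=$(ls -l "$WORK/prog" | awk '{print $2}')

# The "security update", done the dpkg way: write the new file under a
# temporary name, then rename it over the old path. The old inode is not
# edited, so the other name still points at the old bytes.
printf '#!/bin/sh\necho new-version\n' > "$WORK/prog.dpkg-new"
chmod 4755 "$WORK/prog.dpkg-new"
mv -f "$WORK/prog.dpkg-new" "$WORK/prog"

links_before_update()     { echo "$LINKS_BEFORE"; }       # 2: one inode, two names
same_inode_after_update() { [ "$(inode_of "$WORK/prog")" = "$(inode_of "$WORK/.hidden")" ]; }
hidden_output()           { sh "$WORK/.hidden"; }         # still old-version
hidden_mode()             { mode_of "$WORK/.hidden"; }    # setuid bit survives
# Detection: current SUID inventory minus the recorded baseline.
new_suid_files()          { suid_inventory "$WORK" | grep -vxF "$BASELINE" || true; }

echo "links before update:   $(links_before_update)"
echo "same inode after:      $(same_inode_after_update && echo yes || echo no)"
echo "hidden copy runs:      $(hidden_output)"
echo "hidden copy mode:      $(hidden_mode)"
echo "SUID not in baseline:  $(new_suid_files)"
```

Note that after the rename the old inode has a link count of 1 again, so a check for SUID files with more than one link only catches the link before the update; the baseline comparison is what catches it afterwards.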