| 1 |
On Friday 15 October 2004 12:43 pm, Dan Margolis wrote: |
| 2 |
>Joshua Brindle wrote: |
| 3 |
>>> Dan Margolis wrote: |
| 4 |
>>>>> Joshua Brindle wrote: |
| 5 |
>>>>>>> This isn't a weakness at all, presumably the attacker had root |
| 6 |
>>>>>>>and could have put these files anywhere, he just chose /dev/shm. |
| 7 |
>>>>> |
| 8 |
>>>>> According to Eric, it was a valid user. |
| 9 |
>>> |
| 10 |
>>> doesn't matter, for the rootkit to have done anything to the system it |
| 11 |
>>> would have to be running the escalated privleges. If it was running with |
| 12 |
>>> the users privs then who cares? |
| 13 |
> |
| 14 |
>True, but the point of TPE (or any other restrictions) is to be a |
| 15 |
>stopgap to prevent other exploits. If he was running an ancient kernel |
| 16 |
>with a ptrace vulnerability, granted, he should upgrade, but on the |
| 17 |
>other hand, preventing the execution of rootkits *can* prevent a |
| 18 |
>successful exploit. |
| 19 |
|
| 20 |
FWIW: My server's using the vanilla-sources-2.4.25. |
| 21 |
|
| 22 |
In retrospect: I should have at least used the hardened-sources. :( |
| 23 |
|
| 24 |
-- |
| 25 |
Eric P. |
| 26 |
|
| 27 |
-- |
| 28 |
gentoo-hardened@g.o mailing list |
Archives