On Friday 15 October 2004 12:43 pm, Dan Margolis wrote:
>Joshua Brindle wrote:
>>> Dan Margolis wrote:
>>>>> Joshua Brindle wrote:
>>>>>>> This isn't a weakness at all, presumably the attacker had root
>>>>>>>and could have put these files anywhere, he just chose /dev/shm.
>>>>>
>>>>> According to Eric, it was a valid user.
>>>
>>> doesn't matter, for the rootkit to have done anything to the system it
>>> would have to be running the escalated privileges. If it was running with
>>> the user's privs then who cares?
>
>True, but the point of TPE (or any other restrictions) is to be a
>stopgap to prevent other exploits. If he was running an ancient kernel
>with a ptrace vulnerability, granted, he should upgrade, but on the
>other hand, preventing the execution of rootkits *can* prevent a
>successful exploit.

FWIW: My server's using the vanilla-sources-2.4.25.

In retrospect: I should have at least used the hardened-sources. :(

--
Eric P.

--
gentoo-hardened@g.o mailing list