| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Eric Pretorious wrote: |
| 5 |
> Hello, All: |
| 6 |
> |
| 7 |
> I recently discovered that my Gentoo servers were compromised (despite having |
| 8 |
> followed the Gentoo Security Guide's recommendations) when users installed |
| 9 |
> root kits in /dev/shm. |
| 10 |
> |
| 11 |
> Is this a widely-known exploit? If so: Why isn't it addressed in the Gentoo |
| 12 |
> Security Guide? |
| 13 |
> |
| 14 |
|
| 15 |
Eric, |
| 16 |
|
| 17 |
Following on your previous e-mail to the documentation editors, I would |
| 18 |
appreciate it if you'd file a bug at |
| 19 |
http://bugs.gentoo.org/enter_bug.cgi?product=Docs-user&format=guided. |
| 20 |
|
| 21 |
As for this being widely known, it is not something I ever considered, |
| 22 |
but it also is not, in and of itself, an exploit. Presumably the |
| 23 |
attacker first used some other vulnerability to gain access to your server. |
| 24 |
|
| 25 |
Further, if I were to set up a server where I did not want to allow |
| 26 |
users to execute anything but my own chosen binaries, I would probably |
| 27 |
use GRSecurity's Trusted Path Execution, which allows a whitelist |
| 28 |
approach (i.e. allow only root owned binaries in /bin or /usr/local/bin) |
| 29 |
rather than trying to make sure our partitions are all mounted correctly. |
| 30 |
|
| 31 |
That said, this is certainly a lapse in the Security Guide, and if you |
| 32 |
file a bug I am sure it will be corrected shortly (if by nobody else, |
| 33 |
than, soon as I have the time, I will write an update). |
| 34 |
|
| 35 |
Cheers, |
| 36 |
|
| 37 |
- -- |
| 38 |
Dan ("KrispyKringle") |
| 39 |
Gentoo Linux Security Coordinator |
| 40 |
-----BEGIN PGP SIGNATURE----- |
| 41 |
Version: GnuPG v1.2.4 (Darwin) |
| 42 |
|
| 43 |
iQEVAwUBQW9AtbDO2aFJ9pv2AQKE7Af8DJ8OOV6/y1/SyPeoPCnwNhKeXUdKWVr2 |
| 44 |
HA+TL8AoUdZ3CbWfL9hY66S0izqb2QhcuUk/ZMJC0296t3DZkLRKSe5bTmgyYya1 |
| 45 |
ISGum7JMyXez/AoZIMipBVoHwrrjgaSUSHsSuqrD1jsegskxt6b7dYJOa2l4hBUk |
| 46 |
MTfheSzD3Y9JHlvNve8CW8nb2GLq9RuTnS5JdGKfKLjjv9LXBuy/t8Fzac66rZgL |
| 47 |
qSKjn7MUwYWL/jRx0tI+NdVl6Acjtys9zFAW0e17MCnr3goAPFz21Lon3xGedfX4 |
| 48 |
xVvH1KMfL4hbZ1KUTuTSgyD/qDEb8yroMICKVleq3tCtRzQptXoI5w== |
| 49 |
=Is6N |
| 50 |
-----END PGP SIGNATURE----- |
| 51 |
|
| 52 |
-- |
| 53 |
gentoo-hardened@g.o mailing list |
Archives