On Tue, 3 Feb 2004, Colm MacCarthaigh wrote:
> There are *no* serious difficulties. Once you have a root user's
> account, you're there. Replace their shell, replace their binaries,
> invade their memory, LD_PRELOAD, whatever you like. There are zero
> barriers to you getting access to everything they do.

I agree that in the vast majority of cases, having access to a root
user's account will lead to root (PTRACE primarily). However, how
would you replace their shell without any possibility of detection?

Also, if one removed CAP_SYS_PTRACE from the permitted capability set
at boot time, would that be enough? (Presume for a moment the user
always checks her shell rc files immediately after login, so the window
to replace these with an exec to a trojaned shell and back before she
notices is small. Indeed, let's ignore this window for a moment :) ).

If we go back to the common case (CAP_SYS_PTRACE available, user who
doesn't fanatically check their environment after login) what if the
system used some kind of smartcard authentication? E.g., a
challenge/response smartcard (see safeword.com for an example of one
with PAM support).

Few people are likely to shell out for authentication tokens though,
so generally it's far too easy.

regards,
--
Paul Jakma  paul at clubi.ie  paul at jakma.org  Key ID: 64A2FF6A
warning: do not ever send email to spam at dishone.st
Fortune:
How much of their influence on you is a result of your influence on them?
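
The question above about removing CAP_SYS_PTRACE can be checked per process. The following is an added example, not part of the original message: it reads the capability masks from /proc/<pid>/status text and reports where bit 19 (CAP_SYS_PTRACE) is still set. It assumes a current kernel that exposes the CapBnd field; the sample status text is constructed.

```python
import re

CAP_SYS_PTRACE = 19  # bit number defined in linux/capability.h
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd")

# Constructed samples: capability lines as they appear in /proc/<pid>/status.
SAMPLE_FULL = """Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
"""
SAMPLE_DROPPED = SAMPLE_FULL.replace("000001ffffffffff", "000001fffff7ffff")


def parse_cap_sets(status_text):
    """Return {field: bitmask} for the capability lines of a status dump."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_FIELDS:
            sets[m.group(1)] = int(m.group(2), 16)
    missing = [f for f in CAP_FIELDS if f not in sets]
    if missing:
        raise ValueError("status text lacks fields: " + ", ".join(missing))
    return sets


def ptrace_exposure(status_text):
    """Report where CAP_SYS_PTRACE is still present for one process."""
    sets = parse_cap_sets(status_text)
    bit = 1 << CAP_SYS_PTRACE
    return {
        "effective": bool(sets["CapEff"] & bit),   # usable right now
        "permitted": bool(sets["CapPrm"] & bit),   # can be made effective
        "bounding": bool(sets["CapBnd"] & bit),    # can be gained on execve
    }


if __name__ == "__main__":
    for label, text in (("full", SAMPLE_FULL), ("dropped", SAMPLE_DROPPED)):
        print(label, ptrace_exposure(text))
    try:  # live check of the current process, where /proc is available
        with open("/proc/self/status") as fh:
            print("self", ptrace_exposure(fh.read()))
    except (OSError, ValueError) as exc:
        print("live check skipped:", exc)
```

A result with all three values False shows only that the capability is gone for that process; it says nothing about the other routes named in the thread (replaced shell or binaries, LD_PRELOAD).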