--On January 16, 2009 7:29:13 PM +0100 Johannes Wiedersich
<[email protected]> wrote:
> Boyd Stephen Smith Jr. wrote:
>> What about hardlinking the suid-root binaries to a hidden location,
>> waiting for a security hole to be found/fixed, and then running the old
>> binary to exploit the hole?
This is why compromised systems can't be trusted ever again. That said,
there are utilities and methods for finding rogue SUID binaries. Tripwire
comes to mind; there are many others too.
> IIRC, a hard link is the same file called two different names. If
> dpkg/apt change the file in one location (security update), the other
> one will be changed as well [1]...
That only holds true for edit-in-place, something that most packaging
systems do not do, the reason being that, with the way modern
systems/kernels execute code, this would modify running code (they
generally mmap the code, read-only, into the process's address space).
FreeBSD at least, IIRC, prevents this ("Text file busy" / "Text file in use" error).
> However, you can't create a hard link on a file you don't own, you can't do
> it across drives, and I don't think your hardlinked copy retains SUID
> bits... The last bit I could be wrong about, though.
> You'd have to *copy* the hard linked file, but that would still not
> allow you to copy it back later or to retain its suid properties.
> Am I missing something?
> Johannes
> [1] http://en.wikipedia.org/wiki/Hard_link
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact
[email protected]
--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
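The mechanism the thread argues over, as an added shell example that is not part of the original messages: a setuid file the user owns is hard-linked to a hidden name, then "upgraded" once the way dpkg does it (unpack to a `<file>.dpkg-new` name and rename over the old path) and once by rewriting in place. The fake root, the "packaged" tool script and the package manifest are all constructed for the demo, and it runs as an ordinary user on a single filesystem. The `rogue_setuid` function is the detection side the first reply alludes to: setuid files under the tree that the manifest does not list, the same comparison one would make between `find / -perm -4000` output and `dpkg -S` on a real Debian system. Two caveats the thread leaves open: `ln` fails with EXDEV across filesystems, and on Linux with `fs.protected_hardlinks=1` (available since 3.6 and enabled on most current distributions) an unprivileged user cannot hard-link a setuid file they do not own, which is precisely the mitigation for this trick.

```shell
#!/bin/sh
# Added example, not code from the thread. Simulates the "hardlink the setuid
# binary, wait for the fix, run the old copy" trick against a constructed fake
# root, then shows why a rename-based upgrade leaves the old inode intact while
# an in-place rewrite does not. Runs as an ordinary user on one filesystem;
# the fake root, "package" script and manifest are all constructed here.
set -eu

# Build a scratch root containing one setuid "packaged" binary; print its path.
setup_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf '#!/bin/sh\necho vulnerable-v1\n' > "$root/usr/bin/tool"
    chmod 4755 "$root/usr/bin/tool"   # setuid bit on a file we own: no root needed
    printf '%s\n' "$root"
}

# Attacker step: hard-link the setuid binary to a hidden name. The link must
# stay on the same filesystem (ln fails with EXDEV otherwise) and, on Linux with
# fs.protected_hardlinks=1, would be refused for a setuid file we do not own.
hide_old_binary() {
    mkdir -p "$1/tmp/.x"
    ln "$1/usr/bin/tool" "$1/tmp/.x/tool"
}

# Package-manager style upgrade: write the new file under a temporary name and
# rename it over the old path (dpkg unpacks to "<file>.dpkg-new" and renames).
# The old inode is never written, so any other name for it keeps the old bytes.
upgrade_by_rename() {
    printf '#!/bin/sh\necho fixed-v2\n' > "$1/usr/bin/tool.dpkg-new"
    chmod 4755 "$1/usr/bin/tool.dpkg-new"
    mv -f "$1/usr/bin/tool.dpkg-new" "$1/usr/bin/tool"
}

# Edit-in-place upgrade: truncates and rewrites the existing inode, so every
# hard link sees the new content. (An unprivileged writer would also lose the
# setuid bit here; that is not asserted because it depends on who runs this.)
upgrade_in_place() {
    printf '#!/bin/sh\necho fixed-v2\n' > "$1/usr/bin/tool"
}

# Print 1 if the file has the setuid bit set, else 0 (test -u is POSIX).
is_setuid() { if [ -u "$1" ]; then echo 1; else echo 0; fi; }

# Print 1 if both names refer to the same inode, else 0.
same_inode() { if [ "$1" -ef "$2" ]; then echo 1; else echo 0; fi; }

# Detection: list setuid files under root $1 that are not in manifest $2 (one
# root-relative path per line), i.e. the "find -perm -4000 versus what the
# package database knows" comparison one would run against a real system.
rogue_setuid() {
    find "$1" -xdev -type f -perm -4000 | while read -r f; do
        rel=${f#"$1"}
        grep -qxF -- "$rel" "$2" || printf '%s\n' "$rel"
    done
}

# Walk through both scenarios and print what an auditor would see.
demo() {
    r=$(setup_fake_root)
    printf '/usr/bin/tool\n' > "$r/manifest"
    hide_old_binary "$r"
    upgrade_by_rename "$r"
    echo "rename upgrade: real path runs $(sh "$r/usr/bin/tool"), hidden link runs $(sh "$r/tmp/.x/tool")"
    echo "  hidden link setuid=$(is_setuid "$r/tmp/.x/tool"); not in manifest: $(rogue_setuid "$r" "$r/manifest")"
    rm -rf "$r"
    r=$(setup_fake_root)
    hide_old_binary "$r"
    upgrade_in_place "$r"
    echo "in-place upgrade: hidden link runs $(sh "$r/tmp/.x/tool") (same inode as real path: $(same_inode "$r/usr/bin/tool" "$r/tmp/.x/tool"))"
    rm -rf "$r"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh hardlink-demo.sh demo` to see both scenarios; sourcing the file without the argument only defines the functions. The rename path is the one that matters in practice: after the upgrade the hidden name is a separate inode with link count 1, so link-count checks no longer find it and only a comparison against the package database (or a file-integrity baseline such as Tripwire's) does.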