On Mon, Dec 01, 2003 at 09:38:46PM +1300, Carey Evans wrote:
> If the kernel is working properly, then once CAP_SYS_MODULE is
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you are concerned about security, you have to be careful making that
kind of assumption. ;-)
> disabled it is impossible for even a badly-behaved uid 0 user to add
> capabilities back to cap-bound or to load or unload modules. Without
> CAP_SYS_RAWIO, nobody can open /proc/kcore or /dev/mem. Are there any
> other ways to stuff around with the running kernel?
Yes, there are other ways. But at this point, we're far enough along
that the average rootkit-kiddie is likely to try more drastic (and easy)
measures to compromise the system.
Cheers,
-mjg
--
Matthew Gregan |/
/| [EMAIL PROTECTED]
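The thread turns on whether CAP_SYS_MODULE and CAP_SYS_RAWIO have actually been dropped from the capability bounding set. The following is an added example, not code from either poster: it parses the `CapBnd` mask that kernels since 2.6.25 report in `/proc/<pid>/status` (the 2003 discussion refers to the older global `/proc/sys/kernel/cap-bound` sysctl, which this does not read) and reports whether either capability is still available. The status listings are constructed samples; capability numbers are those from `<linux/capability.h>`.

```python
# Added example (not from the original thread): report whether the two
# capabilities the thread discusses are still in a process's bounding set.
# Assumes a kernel that exposes "CapBnd:" in /proc/<pid>/status (2.6.25+).

CAP_SYS_MODULE = 16   # capability bit numbers from <linux/capability.h>
CAP_SYS_RAWIO = 17

# Constructed /proc/<pid>/status excerpt: bits 16 and 17 cleared from CapBnd
# (not captured from a real system).
SAMPLE_STATUS_BOUNDED = """Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001fffffcffff
CapEff:\t000001fffffcffff
CapBnd:\t000001fffffcffff
"""

# Constructed excerpt with a full bounding set, i.e. nothing dropped.
SAMPLE_STATUS_FULL = """Name:\tbash
Uid:\t0\t0\t0\t0
CapBnd:\t000001ffffffffff
"""

def parse_cap_mask(status_text, field="CapBnd"):
    """Return the hex capability mask for `field` from a status listing."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == field:
            return int(value.strip(), 16)
    raise ValueError(f"{field} not present in status text")

def cap_in_mask(mask, cap):
    """True if capability bit `cap` is set in `mask`."""
    return bool(mask & (1 << cap))

def kernel_tamper_caps_present(status_text):
    """Names of the kernel-modifying capabilities still in the bounding set."""
    mask = parse_cap_mask(status_text)
    names = {CAP_SYS_MODULE: "CAP_SYS_MODULE", CAP_SYS_RAWIO: "CAP_SYS_RAWIO"}
    return [name for cap, name in names.items() if cap_in_mask(mask, cap)]

def check_current_process():
    """Run the same check against the calling process on a live Linux box."""
    with open("/proc/self/status") as f:
        return kernel_tamper_caps_present(f.read())

if __name__ == "__main__":
    print(kernel_tamper_caps_present(SAMPLE_STATUS_BOUNDED))  # []
    print(kernel_tamper_caps_present(SAMPLE_STATUS_FULL))
```

An empty list means a later uid 0 process cannot regain module loading or raw memory access through these capabilities; CapBnd is per-process, so the check belongs in the process tree you actually care about (e.g. init's descendants), not just a shell.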