Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily

From: Erik Andersen (andersen@codepoet.org)
Date: Sun Aug 03 2003 - 16:08:22 EST


On Sun Aug 03, 2003 at 08:09:50PM +0200, bert hubert wrote:
> Greetings,
>
> After being gloriously rootkitted with a program coded by HTB author Martin
> Devera (lots of thanks, devik, your work is appreciated, I suggest you read
> up about Oppenheimer when disclaiming that you are 'just a coder'. The item
> to google on is: "ethics sweetness hydrogen bomb Oppenheimer"), I wrote
> a patch to disable /dev/kmem and /dev/mem, which is harmless on servers
> without X.
>
> It blocks attempts by rootkits, such as devik's SucKIT, to hide themselves.

Until the rootkit, already running as root, loads stuff as a
kernel module... Perhaps you should make this enforce that
people have CONFIG_MODULES=n,

 -Erik

--
Erik B. Andersen             http://codepoet-consulting.com/
--This message was written using 73% post-consumer electrons--
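
The point of the reply above, as an added example that is not part of the thread or the patch: closing /dev/mem and /dev/kmem leaves module loading as a second way for root to modify the kernel, so a hardening check has to cover both. The script assumes a kernel `.config` that uses the later mainline option names `CONFIG_DEVMEM`, `CONFIG_DEVKMEM`, `CONFIG_STRICT_DEVMEM` and `CONFIG_MODULE_SIG_FORCE` (not the option the 2003 patch introduced) and treats an absent option as "not built"; the function names and sample config are constructed.

```shell
#!/bin/sh
# Constructed sample: a config with /dev/mem and /dev/kmem disabled, as the
# patch in this thread intends, but with module loading still enabled.
sample_config() {
    cat <<'EOF'
CONFIG_MODULES=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_DEVMEM is not set
# CONFIG_DEVKMEM is not set
EOF
}

# cfg_on FILE OPTION: true when OPTION is =y or =m in FILE.
# Assumption: an option missing from FILE counts as not built.
cfg_on() { grep -Eq "^$2=(y|m)\$" "$1"; }

# audit_kernel_write_paths FILE: prints one line per path, prefixed "OPEN"
# when root can still use it to modify the running kernel.
# Returns 0 if no path is open, 1 if any is open, 2 if FILE is unreadable.
audit_kernel_write_paths() {
    cfg=$1; open=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    if ! cfg_on "$cfg" CONFIG_MODULES; then
        echo "modules: not built, no module loading"
    elif cfg_on "$cfg" CONFIG_MODULE_SIG_FORCE; then
        echo "modules: enabled, only validly signed modules load"
    else
        echo "OPEN modules: root can load unsigned kernel code"; open=1
    fi

    if cfg_on "$cfg" CONFIG_DEVKMEM; then
        echo "OPEN /dev/kmem: kernel virtual memory exposed to root"; open=1
    else
        echo "/dev/kmem: not built"
    fi

    if ! cfg_on "$cfg" CONFIG_DEVMEM; then
        echo "/dev/mem: not built"
    elif cfg_on "$cfg" CONFIG_STRICT_DEVMEM; then
        echo "/dev/mem: built, access to kernel RAM filtered"
    else
        echo "OPEN /dev/mem: physical memory exposed to root"; open=1
    fi
    return "$open"
}
# Usage: sample_config > cfg.txt; audit_kernel_write_paths cfg.txt
```

On the sample config the only finding is the module path, which is the gap the reply describes.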



This archive was generated by hypermail 2b29 : Thu Aug 07 2003 - 22:00:22 EST