On Tue, Apr 21, 2015 at 11:36:54AM -0500, Eric W. Biederman wrote:The point is that Eric's suggestion works even on kernels without kexec(), which is significant because a significant number of security minded people (myself included) explicitly disable kexec in their kernel configuration.
HeHeHe. You mean all I need to do to get around all of the logging servers is
capture CAP_SYS_BOOT? Say like just capture this crazy watchdog program
that doesn't run as root so that it can only reboot the system? HeHeHe
So I can just trigger a clean reboot wait for journald, auditd, and
syslog all to shut down and then do evil things to the machine without
having to worry about erasing forensic evidence?
CAP_SYS_BOOT gives you kexec, and kexec with init=/bin/sh lets you do
anything. You added that in dc009d92435f99498cbc579ce76bf28e837e2c14 and
now the horse is long gone. Don't give CAP_SYS_BOOT to anything you
don't trust with full privileges.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature