Re: ext2 attribute immutable

Kevin M Bealer (kmb203@psu.edu)
Fri, 5 Apr 1996 00:28:07 -0500 (EST)


On Wed, 3 Apr 1996, Zefram wrote:

> >> So, how does one need to modify /proc/1/mem to decrease the secure-level
> >> after getting root access? :)
> >
> >You don't need to. You can just do a ptrace() on init, or create your
> >OWN init process --- by using a careful, controlled fork bomb we can
> >easily create new processes until we are about to wrap pid, then kill
> >init and wait until one of our forks has a pid of 1.
>
> The fork attack shouldn't be possible. On SunOS, for example, when the
> PIDs wrap, they wrap to 101, not 1. Doesn't Linux do something like
> this? If it wraps to 1, this has to change -- conceptually, low PIDs
> are a privileged resource, so access to them must be restricted.
(clip)

Testing this with a bash script, I counted the pid up to 32,750 and then did
'ps' manually until the pid wrapped. The pid did NOT wrap to 100 or 300, it
wrapped to '4'... skipping 1,2,3 which were taken.

So in Linux, it wraps to 1, but seems to skip in-use PIDs (which would
prevent the attack shown above.)

Using ps further, it seems to skip in-use PIDs in every assignment (i.e. not
just on wrap.)

__kmb203@psu.edu_____________________________Debian/GNU__Linux__1.3.77___
To A Quick Young Fox:
Why jog exquisite bulk, fond crazy vamp,
Daft buxom jonquil, zephyr's gawky vice?
Guy fed by work, quiz Jove's xanthic lamp --
Zow! Qualms by deja vu gyp fox-kin thrice.
-- Lazy Dog
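
Added example, not part of the original message and not kernel code: a small C model of the two wrap policies discussed in this thread, a counter that wraps to 1 and skips in-use PIDs (the behaviour reported for Linux 1.3.77) and one that wraps to a reserved floor of 101 (the SunOS behaviour described in the quoted text). The names pid_table, alloc_pid, first_pid_after_wrap and wrap_floor, the PID_MAX value, and the scenario with PIDs 1-3 busy are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 15-bit pid space, consistent with the count of ~32,750 in the post. */
#define PID_MAX 32767

struct pid_table {
    bool in_use[PID_MAX + 1];
    int last;        /* most recently assigned pid */
    int wrap_floor;  /* first pid tried after wrapping past PID_MAX */
};

/* Hand out the next free pid after t->last, skipping busy ones; -1 if full. */
int alloc_pid(struct pid_table *t)
{
    int candidate = t->last;
    for (int tries = 0; tries < PID_MAX; tries++) {
        if (++candidate > PID_MAX)
            candidate = t->wrap_floor;
        if (!t->in_use[candidate]) {
            t->in_use[candidate] = true;
            return t->last = candidate;
        }
    }
    return -1;
}

/* Constructed scenario: pids 1-3 busy, counter at 32750; allocate until wrap. */
int first_pid_after_wrap(int wrap_floor)
{
    static struct pid_table t;
    memset(&t, 0, sizeof t);
    t.in_use[1] = t.in_use[2] = t.in_use[3] = true;
    t.last = 32750;
    t.wrap_floor = wrap_floor;
    int prev = t.last, pid;
    while ((pid = alloc_pid(&t)) > prev)
        prev = pid;
    return pid;
}

int main(void)
{
    printf("wrap floor 1:   first pid after wrap = %d\n", first_pid_after_wrap(1));
    printf("wrap floor 101: first pid after wrap = %d\n", first_pid_after_wrap(101));
    return 0;
}
```

With a floor of 1 the model returns 4, matching the observation above; with a floor of 101 the low PIDs are never handed out again, whether or not they are in use.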