joelja
On Wed, 27 May 1998, Kurt Starsinic wrote:
> David Woodhouse wrote:
> > > >I don't mean that.
> > > >I want something such that no one, even root, can take the machine into promisc
> > > >mode.
> > >
> > > >get the idea?
> > >
> > >
> > > Don't give root access to people you can't trust.
> >
> > That's a fine plan if you can guarantee it. However, if someone _does_ get root
> > access to a box on a sensitive subnet, then it's nice to know they can't start
> > a packet sniffer without recompiling the kernel and rebooting.
>
> This is impossible through software. If a user gains root
> access, and if the NIC has a promiscuous mode which is software
> selectable, then that user can put the NIC into promiscuous mode.
> Proof is left as an Exercise for the Reader.
>
> If root-enabled packet sniffers are a security concern at
> your site, then you'll need to either get a card which doesn't
> have p-mode or which can disable p-mode through hardware (e.g.,
> a jumper), or you'll have to pull out your soldering iron.
>
> Peace,
> * Kurt Starsinic (kstar@isinet.com) ------------------ Technical Specialist *
> | ``And you can believe me, because I never lie, and I'm always right.'' |
> | -- Firesign Theatre |
> Institute for Scientific Information http://www.isinet.com/
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
>
--------------------------------------------------------------------------
Joel Jaeggli joelja@darkwing.uoregon.edu
Academic User Services consult@gladstone.uoregon.edu
PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--------------------------------------------------------------------------
It is clear that the arm of criticism cannot replace the criticism of
arms. Karl Marx -- Introduction to the critique of Hegel's Philosophy of
the right, 1843.