> [...], and that some people still haven't realized that a root
> compromise means *total control* over the systems hard- and
> software..

Um, not quite - though admittedly pretty close.

The main thing cracking root doesn't get you is physical access. For example, if the machine's only disk drive has its write-disable jumper in place, you *can't* write to it, you *can't* trojan its executables, even if you gained control of not only userland root but the kernel.

That's another thing root access doesn't give you - kernel control. It's often a fairly short step, but not always.

> including denial of service, automated compromising of other
> machines, remote eavesdropping,

All true, assuming the kernel is willing to let root do those things. There is no reason the kernel *has* to be willing to put the network interface in promiscuous mode at all - indeed, it'd be fairly easy to build a kernel that doesn't.

And one box I've been considering putting together wouldn't even have a userland to compromise; its raison d'etre (if and when) is going to be a particular form of packet forwarding, wholly in-kernel. No root to crack!

Not that this should render anyone complacent, of course. A root compromise is pretty serious, and on most machines having root *does* give you everything you could want.

der Mouse

mouseat_private
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:27 PDT