On Fri, 21 Jun 2002, Chris Wright wrote:

> ctime can be modified from userspace. the same touch(1) attack using
> sys_utime(2) will update both mtime and ctime.

Yeah, but as I remember it, ctime logs inode changes... so they can change the ctime from userspace with touch all they want, but the kernel will always update the ctime to the current (inode change) time when the operation is complete.

You'll note that you *can't* change ctime with sys_utime(); it takes a pointer to a struct utimbuf, which has no entry for ctime.

I should point out that people are making a bigger issue of this than it really is, in so far as the fact that mtime (which *should* have been ctime... that's what I was thinking anyway, and I wrote that code) is way easier to check than md5 sums, and yet still provides a relatively high level of protection in terms of scriptkiddies... so it's just one more (quicker) entry in the list of things to check.

It's by no means a replacement for the actual md5 summing, which was the core idea of the module.

But I do appreciate Jesse Pollard bringing the mtime error to my attention... I screwed that up.

> security through obscurity is not a valid security scheme.

Yes, yes... I'm aware of the mantra... ;-)

Later,
Paul

--------------------------------------------------------------------
J. Paul Reed    preedat_private || web.sigkill.com/preed
Nothing satisfies more than a post-coital omelet of your own design.
    -- Will Farrell, Saturday Night Live, 5/18/02
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 15:33:29 PDT
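The behaviour discussed in the message above can be observed directly. The following C program is an added example, not code from the original post or from the module under discussion: it backdates a scratch file with utime(2) and compares the resulting mtime and ctime. The scratch path, the struct and the function names are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

/* What one experiment on a scratch file observed (constructed test data). */
struct ts_check {
    time_t requested;   /* timestamp passed to utime() for atime and mtime */
    time_t call_time;   /* wall clock just before utime() was called */
    time_t mtime_after; /* st_mtime reported by stat() afterwards */
    time_t ctime_after; /* st_ctime reported by stat() afterwards */
};

/* Create a scratch file, backdate it with utime(), record what stat() shows.
   Returns 0 on success, -1 if any system call fails. */
int backdate_and_stat(struct ts_check *out)
{
    char path[] = "/tmp/ctime_demo_XXXXXX";   /* hypothetical scratch name */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);

    struct utimbuf tb;             /* only actime and modtime: no ctime field */
    out->requested = 1000000000;   /* arbitrary date in 2001 */
    tb.actime = tb.modtime = out->requested;
    out->call_time = time(NULL);

    struct stat st;
    int ok = utime(path, &tb) == 0 && stat(path, &st) == 0;
    unlink(path);
    if (!ok) return -1;
    out->mtime_after = st.st_mtime;
    out->ctime_after = st.st_ctime;
    return 0;
}

/* Check an integrity scanner can apply: an mtime older than the ctime means
   the mtime was set explicitly (touch, tar or cp -p, or tampering). */
int mtime_was_set_explicitly(const struct ts_check *c)
{
    return c->mtime_after < c->ctime_after;
}

int main(void)
{
    struct ts_check c;
    if (backdate_and_stat(&c) != 0) { perror("backdate_and_stat"); return 1; }
    printf("requested=%ld mtime=%ld ctime=%ld explicit=%d\n", (long)c.requested,
           (long)c.mtime_after, (long)c.ctime_after, mtime_was_set_explicitly(&c));
    return 0;
}
```

An mtime older than the ctime is also what legitimate tools that preserve timestamps leave behind, so this comparison is a cheap first-pass signal alongside the checksum comparison, not a substitute for it.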