Re: RFC: sys_execve security kernel mod

From: J. Paul Reed (preedat_private)
Date: Fri Jun 21 2002 - 15:16:11 PDT

    On Fri, 21 Jun 2002, Chris Wright wrote:
    
    > ctime can be modified from userspace.  the same touch(1) attack using
    > sys_utime(2) will update both mtime and ctime.
    
    Yeah, but as I remember it, ctime logs inode changes... so they can change
    the ctime from userspace with touch all they want, but the kernel will
    always update the ctime to the current (inode change) time when the
    operation is complete.
    
    You'll note that you *can't* change ctime with sys_utime(); it takes a
    pointer to a struct utimebuf, which has no entry for ctime.
    
    I should point out that people are making a bigger issue of this than it
    really is, in so far as the fact that mtime (which *should* have been
    ctime... that's what I was thinking anyway, and I wrote that code) is way
    easier to check than md5 sums, and yet still provides a relatively high
    level of protection in terms of scriptkiddies... so it's just one more
    (quicker) entry in the list of things to check.
    
    It's by no means a replacement for the actual md5 summing, which was the
    core idea of the module.
    
    But I do appreciate Jesse Pollard bringing the mtime error to my
    attention... I screwed that up.
    
    > security through obscurity is not a valid security scheme.
    
    Yes, yes... I'm aware of the mantra... ;-)
    
    Later,
    Paul
        --------------------------------------------------------------------
        J. Paul Reed              preedat_private || web.sigkill.com/preed
        Nothing satisfies more than a post-coital omelet of your own design.
                               -- Will Farrell, Saturday Night Live, 5/18/02
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
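
The ctime behaviour discussed in this message can be checked from userspace. The following is an added example, not code from the thread or from the module under discussion: it backdates a scratch file with utime(2) (struct utimbuf from `<utime.h>`), then compares mtime and ctime. The scratch path, the 60-second slack, and the `looks_backdated` helper are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <utime.h>
#include <sys/stat.h>
#include <time.h>

/* Result of the check, so a caller can assert on it. */
struct backdate_result {
    int mtime_backdated;   /* 1 if utime() set mtime to the requested value */
    int ctime_is_recent;   /* 1 if the kernel stamped ctime at call time */
    int flagged;           /* 1 if the ctime/mtime gap check flags the file */
};

/* Heuristic (assumption of this example): an inode changed more than
 * `slack` seconds after the claimed content modification is worth a look. */
static int looks_backdated(const struct stat *st, time_t slack)
{
    return st->st_ctime - st->st_mtime > slack;
}

/* Create a scratch file, backdate it with utime(2), then stat it. */
int backdate_demo(struct backdate_result *out)
{
    char path[] = "/tmp/ctime_demo_XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    time_t before = time(NULL);
    struct utimbuf old = { .actime = 86400, .modtime = 86400 }; /* 1970-01-02 */
    struct stat st;
    int rc = (utime(path, &old) == 0 && stat(path, &st) == 0) ? 0 : -1;
    unlink(path);
    if (rc != 0) return -1;

    out->mtime_backdated = (st.st_mtime == 86400);
    out->ctime_is_recent = (st.st_ctime >= before - 2);
    out->flagged = looks_backdated(&st, 60);
    return 0;
}

int main(void)
{
    struct backdate_result r;
    if (backdate_demo(&r) != 0) { perror("backdate_demo"); return 1; }
    printf("mtime backdated: %d, ctime recent: %d, flagged: %d\n", r.mtime_backdated, r.ctime_is_recent, r.flagged);
    return 0;
}
```

The gap check also fires on ordinary chmod, chown, or rename activity, so it works as a cheap triage signal ahead of the checksum comparison rather than as a verdict on its own.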
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 15:33:29 PDT