[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] yet another OpenBSD kernel hole ...



On Wed, 19 Nov 2003, jamesb.au@acm.org wrote:

> Because it's a local exploit, it can only happen if a malicious user has
> access to the system anyway.
>
> Aside from that, perhaps a new security feature can be introduced into
> OpenBSD to (hopefully) stop these things quickly even if they are not known
> about in advance.  One possible way is to introduce a feature like
> /etc/shells called /etc/rootbins which lists the programs that may run as
> root.  The scheduler can use an assembler routine that does a quick check
> for programs running with uid=0, and if so, something not in /etc/rootbins
> gets killed and root is notified.  That's pretty nasty because it would hurt
> system performance, but it's a last ditch resort maybe - I have NO idea if
> it would be workable.

Sounds stupid. An exploit should just overwrite /etc/rootbins in that
case.


Cheers,

Dries
--
Dries Schellekens
email: gwyllion@ulyssis.org