On Thu, Dec 07, 2000 at 04:37:11PM +0100, Andi Kleen wrote:
> On Thu, Dec 07, 2000 at 09:35:17AM +0100, Christoph Hellwig wrote:
> > On Thu, Dec 07, 2000 at 05:25:57PM +1100, Timothy Shimmin wrote:
> > > Immutable sounds pretty much what one could achieve using the
> > > standard access modes except for ROOT being disallowed to change
> > > the file (without first setting the attribute).
> > > OOI, how useful is this attribute ?
> >
> > The basic idea of immutable files is that you drop
> > CAP_LINUX_IMMUTABLE for all processes, and attackers won't be able
> > to modify your binaries even if they have root access.
>
> So they just have to write to the block or raw device or directly to the
> hardware
Yes. But
a) it's at least harder for the attacker
b) for an even more secure system you will just disable that too
> (e.g. working IMMUTABLE normally implies non working x server).
No.
> Commonly accessed binaries like the ld.so can also be just modified in core.
Sure. But you probably want to disable access to /dev/kmem, too
(that implies an unusable X-Server, unless you use a sane framebuffer device).
Christoph
--
Of course it doesn't work. We've performed a software upgrade.
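
The check this thread implies, as an added example that is not part of the original message: a small C auditor that parses the `CapBnd` line of `/proc/<pid>/status` (as exposed by current kernels) and reports whether CAP_LINUX_IMMUTABLE or CAP_SYS_RAWIO, the capability that gates /dev/mem, /dev/kmem and port I/O, is still in a process's bounding set. The function names and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define BIT_LINUX_IMMUTABLE 9   /* CAP_LINUX_IMMUTABLE: set/clear the immutable flag */
#define BIT_SYS_RAWIO       17  /* CAP_SYS_RAWIO: /dev/mem, /dev/kmem, ioperm/iopl */

/* Constructed samples of /proc/<pid>/status text (not captured from a real host). */
static const char SAMPLE_HARDENED[] =
    "Name:\tsshd\nCapInh:\t0000000000000000\nCapBnd:\t000001fffffdfdff\n";
static const char SAMPLE_DEFAULT[] =
    "Name:\tbash\nCapBnd:\t000001ffffffffff\n";

/* Parse the CapBnd hex mask; returns 0 on success, -1 if absent or malformed. */
int parse_capbnd(const char *status, unsigned long long *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapBnd:", 7) == 0) {
            char *end;
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            *mask = strtoull(v, &end, 16);
            return end == v ? -1 : 0;
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Findings bitmask: bit 0 = immutable flag can still be cleared,
 * bit 1 = raw memory/port access still permitted; -1 if CapBnd is unreadable. */
int audit_capbnd(const char *status)
{
    unsigned long long mask;
    int findings = 0;
    if (parse_capbnd(status, &mask) != 0) return -1;
    if (mask & (1ULL << BIT_LINUX_IMMUTABLE)) findings |= 1;
    if (mask & (1ULL << BIT_SYS_RAWIO))       findings |= 2;
    return findings;
}

int main(void)
{
    printf("hardened: %d\n", audit_capbnd(SAMPLE_HARDENED));
    printf("default:  %d\n", audit_capbnd(SAMPLE_DEFAULT));
    return 0;
}
```

A result of 0 means both capabilities are gone from the bounding set, so even a root process in that tree cannot regain them.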