[PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily

From: bert hubert (ahu_at_ds9a.nl)
Date: 08/03/03

  • Next message: Werner Almesberger: "Re: TOE brain dump" 
    Date:	Sun, 3 Aug 2003 20:09:50 +0200
To: linux-kernel@vger.kernel.org, akpm@osdl.org

    Greetings,

    After being gloriously rootkitted with a program coded by HTB author Martin
    Devera (lots of thanks, devik, your work is appreciated, I suggest you read
    up about Oppenheimer when disclaiming that you are 'just a coder'. The item
    to google on is: "ethics sweetness hydrogen bomb Oppenheimer"), I wrote
    a patch to disable /dev/kmem and /dev/mem, which is harmless on servers
    without X.

    It blocks attempts by rootkits, such as devik's SucKIT, to hide themselves.

    It is not a final solution but it raises the bar a lot. Please apply.

    By default, nothing is changed, but I'd turn this feature on on servers
    without X. Patch:

    --- linux-2.6.0-test1/drivers/char/Kconfig.orig Mon Jul 14 05:29:27 2003
    +++ linux-2.6.0-test1/drivers/char/Kconfig Sun Aug 3 19:55:37 2003
    @@ -1003,5 +1003,20 @@
               out to lunch past a certain margin. It can reboot the system
               or merely print a warning.
     
    +config MEMORY_ACCESS
    + bool "Allow userspace access to memory"
    + default y
    + help
    + Security paranoid operators may want to disable userspace
    + from accessing raw memory or kernel memory via /dev/mem and
    + /dev/kmem. Some malware hides itself from sight by manipulating
    + the kernel directly via raw memory, disabling this feature
    + gives some protection against rootkits.
    +
    + Answering 'N' generally breaks the X Window System.
    +
    + Answer 'Y' unless you are paranoid about security or don't
    + care about X.
    +
     endmenu
     
    --- linux-2.6.0-test1/drivers/char/mem.c.orig Sun Aug 3 19:22:29 2003
    +++ linux-2.6.0-test1/drivers/char/mem.c Sun Aug 3 19:34:04 2003
    @@ -608,12 +608,14 @@
     static int memory_open(struct inode * inode, struct file * filp)
     {
             switch (minor(inode->i_rdev)) {
    +#if defined(CONFIG_MEMORY_ACCESS)
                     case 1:
                             filp->f_op = &mem_fops;
                             break;
                     case 2:
                             filp->f_op = &kmem_fops;
                             break;
    +#endif
                     case 3:
                             filp->f_op = &null_fops;
                             break;
    @@ -655,8 +657,10 @@
             umode_t mode;
             struct file_operations *fops;
     } devlist[] = { /* list of minor devices */
    +#if defined(CONFIG_MEMORY_ACCESS)
             {1, "mem", S_IRUSR | S_IWUSR | S_IRGRP, &mem_fops},
             {2, "kmem", S_IRUSR | S_IWUSR | S_IRGRP, &kmem_fops},
    +#endif
             {3, "null", S_IRUGO | S_IWUGO, &null_fops},
     #if defined(CONFIG_ISA) || !defined(__mc68000__)
             {4, "port", S_IRUSR | S_IWUSR | S_IRGRP, &port_fops}, 

    -- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
  • Next message: Werner Almesberger: "Re: TOE brain dump"

    Relevant Pages