On Wed, Oct 02, 2002 at 06:53:29PM +0200, Earl wrote:

> Can all processes be observed in Linux, or is a rootkit invisible as a
> process? Is a keylogger invisible as a process?
>
> If Linux is not capable of natively showing all running processes, are
> there pgms available which are capable of this?

Yes, all processes are visible in Linux. However, it's ultimately up to Linux itself to show these to you, regardless of what program you're using to view the list. If the kernel has been modified in such a way that it is not willing to report the existence of a particular process to you, then it doesn't matter what program you're using to view the list. Rootkits do exist that modify the kernel to allow it to hide processes, files, network connections, etc.

> I have heard that physical possession of a Linux computer allows
> anyone to take over as root, etc. It seems to me that this is a huge
> security hole. Can I assume that this is still true in every distro?

Of course. It's true in Windows, Solaris, just about everything else. If I have physical access to a computer, I can reboot it with something like Tom's Root Boot floppy (or any other bootable floppy) and bypass any software security on the system. It's not a flaw in the software at all.

Most distributions (by default) allow "init=/bin/sh" to be passed on the kernel's command line, which will give a root shell without ever prompting for a password. That's easy to fix, using things like LILO (or GRUB) passwords to prevent unauthorized users from passing parameters to the kernel. But of course, in that case, the BIOS needs to be configured to prevent the attacker from rebooting with a floppy disk and bypassing LILO. And nothing's stopping an attacker from pulling out the hard drive, putting it in one of their own machines, and having their way with it.

> Is no one concerned about this problem? Is this an inherent weakness
> of Linux that can not be corrected?

It's an inherent weakness in software. There are attempts to work around it using crypto, such as encrypted filesystems. But they don't change the fact that physical access to a computer basically allows an attacker access to whatever bits he wants.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
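As an added example (not part of the original mail or its author's work), the following shell script illustrates the point above about hidden processes: it cross-checks what ps(1) lists against what the kernel admits to when each PID is probed directly by name. A user-space rootkit (a trojaned ps, or a hooked readdir() on /proc) can drop a PID from the listing, but a process that exists still answers to kill -0 and still has a /proc/<pid> directory when stat()ed by name. A kernel-level rootkit can lie on every one of these channels, which is exactly the limit the mail describes. The 65536 scan cap and the helper names are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original mail. Cross-checks the process
# list that ps(1) reports against what the kernel admits to when asked
# about each PID directly, without ever reading the /proc directory listing.

# pids_missing_from VISIBLE PROBED
# Print each PID in PROBED (space-separated) that does not appear in VISIBLE.
pids_missing_from() {
    visible=" $1 "
    for pid in $2; do
        case "$visible" in
            *" $pid "*) ;;        # known to ps, nothing to report
            *) echo "$pid" ;;     # kernel knows it, ps does not
        esac
    done
}

# probe_pids MAX
# Ask the kernel about every PID from 1 to MAX by name: stat(2) on
# /proc/<pid> and kill(2) with signal 0. kill -0 fails with EPERM for other
# users' processes, so /proc is checked first; a PID that passes either
# probe exists.
probe_pids() {
    max=$1
    i=1
    while [ "$i" -le "$max" ]; do
        if [ -d "/proc/$i" ] || kill -0 "$i" 2>/dev/null; then
            echo "$i"
        fi
        i=$((i + 1))
    done
}

# Upper bound for the brute-force probe: the kernel's pid_max, capped at
# 65536 so the scan stays quick (the cap is an arbitrary choice for this
# example; raise it on hosts with a larger pid_max).
probe_limit() {
    pid_max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    if [ "$pid_max" -gt 65536 ]; then pid_max=65536; fi
    echo "$pid_max"
}

# Stand-alone run: only meaningful where ps(1) and /proc are available.
if command -v ps >/dev/null 2>&1 && [ -d /proc ]; then
    seen=$(ps -eo pid= | tr -s ' \n' ' ')
    probed=$(probe_pids "$(probe_limit)" | tr '\n' ' ')
    hidden=$(pids_missing_from "$seen" "$probed")
    if [ -n "$hidden" ]; then
        echo "PIDs the kernel admits to but ps does not list: $hidden"
        echo "(short-lived processes can race this check; re-run before concluding anything)"
    else
        echo "no PID discrepancy between ps and direct kernel probes"
    fi
fi
```

A discrepancy is a lead, not proof: processes that start or exit between the ps snapshot and the probe loop show up as false positives, so repeat the run. A clean result also proves nothing against a kernel rootkit, since the same modified kernel answers both ps and the direct probes; for that case the only trustworthy view comes from booting known-good media and inspecting the disk offline.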