James Carlson wrote:
> If so, does it sound like a feasible idea to hack the kernel to forbid
> opening the /dev/ppp device to other processes, once pppd is working?
> It sounds plausible, but since I don't understand the trust model
> you're working with, I'm afraid I can't address the broader questions.
> (In particular, pppd needs a substantial amount of privilege in order
> to run the /etc/ppp/ip-{up,down} scripts properly. Given that level
> of privilege, and the trust that it necessarily implies, I think that
> if you have problems in pppd, you're already sunk, no matter how you
> try to limit the scope.)
The trust model is this: We suppose that malware is running.
Suppose it came from a buffer overflow in libPNG which achieved
privilege escalation to root. It is OK for malware to run but
it will not be able to connect to anyone. Thus the attacker
will be blind, he will never know that the malware is
working and it will operate in isolation. Therefore,
nobody will be able to *control* the host or *get* data from
it. Sure, the running malware may delete everything :)
So the host may be compromised but it will be more like the
good old viruses that were transmitted in the boot sector
and didn't have a link to their creator.
Anyway. Thanks for the tips.
jerald
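A userspace complement to the kernel-side idea raised above: enumerate which processes currently hold /dev/ppp open, so that any opener other than the expected pppd can be flagged. This is an added example, not code from either writer or from the pppd project; it assumes a Linux /proc filesystem, takes the device path and the trusted daemon name as parameters, and runs against a constructed fd table so it can be exercised offline.

```python
"""Added example (not from the thread): report which processes hold
/dev/ppp open, so that a second, unexpected opener can be spotted
from user space. Assumes a Linux /proc layout; the device path and
the trusted daemon name are parameters (assumed defaults)."""
import os
from typing import Dict, Iterable, List, Tuple

FdMap = Dict[int, Tuple[str, Iterable[str]]]


def find_openers(fd_map: FdMap, device: str = "/dev/ppp") -> List[Tuple[int, str]]:
    """fd_map maps pid -> (command name, iterable of fd link targets).
    Returns (pid, comm) for every process that has `device` open."""
    openers = []
    for pid, (comm, targets) in sorted(fd_map.items()):
        if any(target == device for target in targets):
            openers.append((pid, comm))
    return openers


def unexpected_openers(fd_map: FdMap, device: str = "/dev/ppp",
                       trusted: Tuple[str, ...] = ("pppd",)) -> List[Tuple[int, str]]:
    """Openers whose command name is not in the trusted set."""
    return [(pid, comm) for pid, comm in find_openers(fd_map, device)
            if comm not in trusted]


def snapshot_proc(proc_root: str = "/proc") -> FdMap:
    """Build an fd_map from a live /proc. Processes whose fd table we cannot
    read (other users' processes when not root, processes that exited during
    the scan) are skipped; a missing /proc yields an empty map."""
    fd_map: FdMap = {}
    if not os.path.isdir(proc_root):
        return fd_map
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            fd_dir = os.path.join(base, "fd")
            targets = []
            for fd in os.listdir(fd_dir):
                try:
                    targets.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    continue  # fd closed between listdir and readlink
        except OSError:
            continue
        fd_map[int(entry)] = (comm, targets)
    return fd_map


# Constructed sample: pppd holding the device, a shell that does not,
# and a second, unexpected process that also has /dev/ppp open.
SAMPLE_FD_MAP: FdMap = {
    1234: ("pppd", ["/dev/ttyS0", "/dev/ppp", "socket:[4321]"]),
    1500: ("bash", ["/dev/pts/0", "/dev/pts/0", "/dev/pts/0"]),
    2048: ("unknown-tool", ["/dev/ppp", "pipe:[99]"]),
}

if __name__ == "__main__":
    for pid, comm in unexpected_openers(SAMPLE_FD_MAP):
        print(f"sample: unexpected opener of /dev/ppp: pid {pid} ({comm})")
    for pid, comm in unexpected_openers(snapshot_proc()):
        print(f"live: unexpected opener of /dev/ppp: pid {pid} ({comm})")
```

Run it as root to see every process's fd table; unprivileged, it only sees your own processes. As the quoted reply points out, this is a detection aid rather than an enforcement boundary: code that already runs as root can stop the monitor or reach the device some other way, which is why the trust model matters more than the check itself.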
-
To unsubscribe from this list: send the line "unsubscribe linux-ppp" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html