* Mohit Kalra (kmohit@in.ibm.com) wrote:
> Hi everyone,
>
> I am not sure if this is the right place to post the question. I did the
> following on my system.
>
> strings /dev/mem > out
>
> Later I opened the file "out" in vim and found out that if I search for
> login, I get the user name and corresponding password in plain text near
> about ten lines where I found login.
> To gain root by buffer overflows is one way of breaking in. But that can
> be patched when it is revealed. If someone does get a root shell using
> buffer overflows and then does the strings /dev/mem, he can get a backdoor
> anytime (unless the password is changed). Is there any workaround for
> this problem or can the kernel be patched to encrypt such pages containing
> passwords?

this is the problem with the traditional all powerful root. once someone
has root on your box, game over. they can trojan any program, they can
read and write to files and memory, they can load kernel modules, etc.
really, the ability to read a password from /dev/mem is low on the list of
worries.

the kernel has some support for POSIX.1e capabilities so access to /dev/mem
is protected by the CAP_SYS_RAWIO capability. one alternative you have is
to simply take that capability away from your machine by either recompiling
your kernel, or setting cap_bset from /proc/sys/kernel/cap-bound.

there are patches for the kernel to allow for more sophisticated security
policies, SELinux[1] being a prime example. if you are interested in
security w.r.t. the linux kernel check out the LSM project[2].

thanks,
-chris

[1] http://www.nsa.gov/selinux
[2] http://lsm.immunix.org and #lsm-dev on opn

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
IRC Channel:   irc.openprojects.net / #kernelnewbies
Web Page:      http://www.kernelnewbies.org/
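
The reply's suggestion of taking CAP_SYS_RAWIO out of the capability bounding set can be checked from the bounding-set mask itself. The script below is an added example, not part of the original thread: it assumes the mask is read as the hex CapBnd field of /proc/<pid>/status rather than from /proc/sys/kernel/cap-bound, the function names are hypothetical, and the sample status text and masks are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check for CAP_SYS_RAWIO in a bounding set.
CAP_SYS_RAWIO=17    # capability number from <linux/capability.h>

# cap_in_mask HEXMASK BIT: succeeds when BIT is set in HEXMASK (no 0x prefix).
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# drop_cap HEXMASK BIT: print HEXMASK with BIT cleared.
drop_cap() {
    printf '0x%08x\n' $(( 0x$1 & ~(1 << $2) ))
}

# capbnd_of STATUS_TEXT: print the CapBnd field of /proc/<pid>/status text.
capbnd_of() {
    printf '%s\n' "$1" | awk '$1 == "CapBnd:" { print $2 }'
}

# rawio_state HEXMASK: print "present" or "dropped" for CAP_SYS_RAWIO.
rawio_state() {
    if cap_in_mask "$1" "$CAP_SYS_RAWIO"; then echo present; else echo dropped; fi
}

# Constructed sample: a status excerpt whose bounding set lacks bit 17.
SAMPLE_STATUS='Name:   demo
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001fffffdffff'

echo "sample bounding set:  CAP_SYS_RAWIO $(rawio_state "$(capbnd_of "$SAMPLE_STATUS")")"
echo "constructed mask fffffeff minus CAP_SYS_RAWIO: $(drop_cap fffffeff "$CAP_SYS_RAWIO")"

# On a live Linux host, report the bounding set inherited from this shell.
if [ -r /proc/self/status ]; then
    live=$(capbnd_of "$(cat /proc/self/status)")
    if [ -n "$live" ]; then
        echo "this process:         CAP_SYS_RAWIO $(rawio_state "$live")"
    fi
fi
```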