Re: Re: Linux kernel scm_send local DoS
From: xbud <xbud () g0thead com>
Date: Fri, 17 Dec 2004 16:18:47 -0500
On Wednesday 15 December 2004 15:48, gadgeteer () elegantinnovations org wrote:
> > Not by disabling the syscall but by replacing it in the manner that a
> > rootkit replaces syscalls. Build a new kernel from the same
> > source/config except for patch. Replace syscalls where there is change.
>
> No. Much easier to simply reboot to new kernel. If service(s) are so
> critical as to not tolerate a reboot yet have a single point of failure
> on this one component then there are greater problems at play.

I'd have to agree with Paul on this one, be it syscall or a binary patch for
other code. It's in kernel mode; if the module/patch crashes the running
image, 'oops', I downed the box. I doubt any reasonable IT procedures would
endure this type of fix on their production systems.
Full-Disclosure - We believe in it.