Giancarlo Razzolini said:
> Theo, I'm using the word rootkit in the sense I've always known it: a
> malicious program installed *after* you have gained root access on a
> machine, whose sole purpose is to maintain the access while at the
> same time hiding the fact that it is doing so:
> http://en.wikipedia.org/wiki/Rootkit
>
> Also, I mentioned in one of the first e-mails that there are much better ways
> to hide a rootkit. There is not a doubt about that. We were only
> discussing whether it is indeed *possible* to have a rootkit using LD_PRELOAD
> on OpenBSD. Just that and nothing else.
Putting something into LD_PRELOAD is nowhere near hiding it, if not the complete opposite.

1. Any competent system administrator will be watching over his environment.

2. The actual assignment should happen somewhere in a fairly limited set of files (~/.profile, ~/.kshrc or several locations in /etc). A basic mtree check defeats such "hiding". In fact, for files in /etc root will even receive a pretty mail message the night the addition happens.

3. echo $LD_PRELOAD

That's not to mention that unless someone logs in as root (which is discouraged in favor of sudo), he isn't affected by root's LD_PRELOAD.

So again: there are not many useful things you can do with this trick. You can do some nasty things, but whoever has access to root will be aware of your actions very soon. Given that you already assume that you have raised your privilege to root, with your LD_PRELOAD trick you are basically limited to the subset of things you can already do for a similar period of time, which means that if you actually spend some time on tampering with LD_PRELOAD, you have just wasted this time.

-- 
Dmitrij D. Czarkoff
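The three checks listed in the reply above (look at the environment, look at the handful of startup files where the assignment can live, compare those files against a baseline) as a runnable script. This is an added example, not code from either poster or from OpenBSD. It assumes a scratch directory of constructed sample files standing in for ~/.profile, ~/.kshrc and /etc/profile, and it uses cksum(1) for the baseline so it runs on any POSIX system; on OpenBSD the same baseline step is `mtree -c -p DIR > spec` followed by `mtree -p DIR -f spec`, and the nightly mail mentioned above is what the daily security(8) run sends for /etc. The preload path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): detect LD_PRELOAD persistence by
# checking the environment, grepping the few startup files where the
# assignment can be placed, and comparing those files with a baseline.
# Every file below is constructed sample data in a scratch directory.

# 1. `echo $LD_PRELOAD` as a function: returns 0 when nothing is preloaded,
#    prints the value and returns 1 otherwise.
env_is_clean() {
    if [ -n "${LD_PRELOAD:-}" ]; then
        echo "LD_PRELOAD is set in this environment: $LD_PRELOAD"
        return 1
    fi
    return 0
}

# 2. Does a file assign LD_PRELOAD (with or without `export`)?  Only
#    assignments count: a line that merely reads the variable, such as
#    `echo $LD_PRELOAD`, is not flagged.
has_ld_preload_assignment() {
    grep -Eq '(^|[[:space:];])(export[[:space:]]+)?LD_PRELOAD=' "$1"
}

# Print every existing file in the argument list that carries an assignment.
scan_startup_files() {
    for f in "$@"; do
        [ -f "$f" ] && has_ld_preload_assignment "$f" && echo "$f"
    done
    return 0
}

# 3. Baseline check, the portable stand-in for an mtree spec: record
#    cksum(1) output once, later print the files whose size or checksum
#    no longer matches the recorded line.
record_baseline() {        # record_baseline BASELINE_FILE FILE...
    out=$1; shift
    cksum "$@" > "$out"
}
changed_since_baseline() { # changed_since_baseline BASELINE_FILE FILE...
    base=$1; shift
    cksum "$@" | while read -r crc size name; do
        grep -Fxq "$crc $size $name" "$base" || echo "$name"
    done
    return 0
}

# --- constructed demonstration -------------------------------------------
SAMPLE_DIR=$(mktemp -d)          # paths from mktemp contain no spaces
STARTUP_FILES="$SAMPLE_DIR/.profile $SAMPLE_DIR/.kshrc $SAMPLE_DIR/etc_profile"
printf 'PATH=/usr/bin:/bin:/usr/sbin:/sbin\nexport PATH\n' > "$SAMPLE_DIR/.profile"
printf 'alias ll="ls -l"\n' > "$SAMPLE_DIR/.kshrc"
printf 'umask 022\n' > "$SAMPLE_DIR/etc_profile"
record_baseline "$SAMPLE_DIR/baseline" $STARTUP_FILES

# Simulate the persistence attempt: append an assignment to ~/.kshrc.
# (/usr/lib/libhidden.so is a placeholder name, not a real library.)
printf 'export LD_PRELOAD=/usr/lib/libhidden.so\n' >> "$SAMPLE_DIR/.kshrc"

echo "files with an LD_PRELOAD assignment:"
scan_startup_files $STARTUP_FILES
echo "files changed since baseline:"
changed_since_baseline "$SAMPLE_DIR/baseline" $STARTUP_FILES
env_is_clean && echo "LD_PRELOAD is not set in the current environment"
```

Both the grep and the baseline flag only ~/.kshrc here; the baseline check is the more robust of the two, since it also catches a loader that is pointed at a different file or an assignment written in a form the regular expression does not anticipate.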