[lug] R00tKIT!! Raah!

Dean Brissinger brissing at kaidok.com
Sun Jun 19 21:57:16 MDT 2005


> Now, here is a question, can the 'apache' user install a rootkit if they
> are not root?

This has already been said in this thread but I thought I'd say it again:
YES.

Not long ago the PHP team announced a vulnerability allowing a remote
attacker to execute code of their choosing on your system.  Using the bug in
the php interpreter the attacker would write a file in /tmp, then call a
program to interpret it, perhaps a Perl script that they'd then use perl to
execute, like what you found.  If the Perl script was able to gain root on
your system you're done.  At a minimum it could destroy all files and
processes that belong to your web user.

I prefer jails for security.  This is a BSD feature.  Solaris 10 also has a
"zones" feature that is effectively the same thing (www.opensolaris.org).
Jails are unique because they not only chroot and prevent getting out of a
file-system space but also are unable to gain rights in the kernel.
Basically your processes and memory spaces are locked in a jail too.  I
mention Solaris btw because it is binary compatible with Linux now.  I
haven't yet but am tempted to try Linux web servers in Solaris zones.  :-)

I'm not aware that Linux has incorporated a complete jail-like security
model yet.  However it is headed that way and there are several projects
working on the problem for Linux.  The suggested alternative is virtual
machines.  They are not as good but do minimize damage to whole servers.
You can look in to UML or XEN for a virtual machine solution.  I don't
recommend any of the Linux jail models for production--just not stable
enough.

I like jails better than virtual machines.  I don't even install 'sh' in a
jail.  No need for device files most of the time either.  They are unusable
for any purpose other than the daemon they serve.  I like to prevent any
script running from a writable directory, then taking away the right to
change permissions from all users in the jail.  Root is an unknown concept
inside such jails.  The highest level user is the web user.  The best part
about Jails is you don't have the overhead of a virtual machine or second
kernel.
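The hardening properties described in this post (no shell installed in the
jail, no device files, nothing executable sitting in a writable directory,
and no way to become root inside the jail) can be checked mechanically
against a jail or chroot root directory. The script below is an added
example, not code from the original post or from FreeBSD; the two sample
jail trees it builds under a temporary directory are constructed for
illustration, and the audit_jail_root / make_sample_jails names are the
example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a jail/chroot root for the
# hardening properties described above. Reports shells that should not be
# installed, device nodes, setuid/setgid files, and executable files inside
# world-writable directories (the write-to-/tmp-then-run pattern).
# Paths are assumed not to contain whitespace (word splitting on find output).

# audit_jail_root ROOT
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_jail_root() {
    root=$1
    found=0

    # A daemon-only jail carries no interpreter shell at all.
    for rel in bin/sh bin/bash bin/csh usr/local/bin/bash; do
        if [ -e "$root/$rel" ]; then
            echo "shell present: /$rel"
            found=1
        fi
    done

    # Device nodes are rarely needed by a single daemon.
    devs=$(find "$root" \( -type c -o -type b \) 2>/dev/null)
    if [ -n "$devs" ]; then
        for d in $devs; do echo "device node present: ${d#$root}"; done
        found=1
    fi

    # Setuid/setgid files are the one way "root" could reappear inside the jail.
    suid=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$suid" ]; then
        for f in $suid; do echo "setuid/setgid file: ${f#$root}"; done
        found=1
    fi

    # Executables under a world-writable directory: such directories should be
    # mounted noexec (or not exist at all) so a dropped script cannot run.
    for dir in $(find "$root" -type d -perm -0002 2>/dev/null); do
        for f in $(find "$dir" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null); do
            echo "executable in writable dir: ${f#$root}"
            found=1
        done
    done

    return $found
}

# make_sample_jails: builds two constructed jail trees under a temp dir and
# prints the base path. "$base/clean" follows the post's rules; "$base/dirty"
# violates them on purpose so the audit has something to report.
make_sample_jails() {
    base=$(mktemp -d)

    # clean: only the daemon binary and a read-only config directory
    mkdir -p "$base/clean/usr/local/sbin" "$base/clean/usr/local/etc"
    printf '#!/bin/fake-daemon\n' > "$base/clean/usr/local/sbin/httpd"
    chmod 0555 "$base/clean/usr/local/sbin/httpd"
    chmod -R go-w "$base/clean"

    # dirty: a shell, a setuid binary, and a world-writable tmp holding a script
    mkdir -p "$base/dirty/bin" "$base/dirty/tmp"
    : > "$base/dirty/bin/sh";          chmod 0755 "$base/dirty/bin/sh"
    : > "$base/dirty/bin/su";          chmod 4755 "$base/dirty/bin/su"
    printf '#!/usr/bin/perl\n' > "$base/dirty/tmp/x.pl"
    chmod 0755 "$base/dirty/tmp/x.pl"
    chmod 1777 "$base/dirty/tmp"

    echo "$base"
}

# Stand-alone demonstration on the constructed trees.
demo_base=$(make_sample_jails)
for name in clean dirty; do
    echo "== $name =="
    audit_jail_root "$demo_base/$name" && echo "(no findings)"
done
rm -rf "$demo_base"
```

Run it against a real jail root instead of the constructed trees with
`audit_jail_root /path/to/jail`; a non-zero exit status means at least one of
the post's rules is not being met there.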