Zoltan Boszormenyi wrote:
> Stuart Sears wrote:
>> Which, although you may have been lucky, is not usually the most
>> sensible approach. (no offence intended)
>> A few points to consider...
>> 1. what if the rootkit is installed using rpm?
>>
>
> It wasn't, it was installed from source. The intruder
> left the source tree in place. He was a bit tricky to
> use chattr +i on /bin/login and some other progs.
> BTW, although rpm complained that it cannot replace
> those, why isn't it prepared for such scenarios?
> RPM is made for Linux, it should certainly know
> about special filesystem flags and handle them.
>

How should rpm handle it? Rpm has no way of knowing why the
immutable flag was set. I believe the proper way is to report the
problem, and let the user decide what to do about it. You could add
a flag to rpm to let it override the immutable flag, but I think
that would be a bad idea.

The way I look at it, if the immutable flag is set, then either you
didn't want the file to be changed without you giving specific
permission by un-setting the flag, or you have other problems you
should be made aware of.

Mikkel
-- 
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
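
The "report the problem and let the user decide" approach from the reply above can be done by hand with lsattr. The script below is an added example, not part of the original thread: the function name flagged_from_lsattr and the sample listing are constructed for illustration, and it assumes the usual "<flags> <path>" lsattr output format.

```shell
#!/bin/sh
# Added example: report files whose ext2/3/4 attributes include
# immutable (i) or append-only (a), reading lsattr output on stdin.
# Real use: lsattr -R /bin /sbin /usr/bin 2>/dev/null | flagged_from_lsattr

# Constructed sample in lsattr format, including the blank line and
# "dir:" header that lsattr -R prints between directories.
SAMPLE_LSATTR='----i--------e-- /bin/login
-------------e-- /bin/ls
-----a-------e-- /var/log/secure
----i--------e-- /usr/local/my tool

/bin/sub:
-------------e-- /bin/sub/file'

flagged_from_lsattr() {
    while IFS= read -r line; do
        flags=${line%% *}   # first field: the attribute string
        path=${line#* }     # remainder: the path (may contain spaces)
        # Attribute strings never contain "/", so this skips blank
        # lines and directory headers.
        case $flags in
            ''|*/*) continue ;;
        esac
        [ "$flags" = "$line" ] && continue   # no path field present
        # Lowercase i and a only; uppercase I and A are other attributes.
        case $flags in
            *i*) printf 'immutable\t%s\n' "$path" ;;
            *a*) printf 'append-only\t%s\n' "$path" ;;
        esac
    done
}

# Run on the constructed sample.
printf '%s\n' "$SAMPLE_LSATTR" | flagged_from_lsattr
```

Each reported file is one to review before running chattr -i on it and letting rpm replace it, since an unexpected flag on a system binary is itself a finding.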