Mikkel L. Ellertson wrote:
Zoltan Boszormenyi wrote:
Stuart Sears wrote:
Which, although you may have been lucky, is not usually the most
sensible approach. (no offence intended)
A few points to consider...
1. what if the rootkit is installed using rpm?
It wasn't, it was installed from source. The intruder
left the source tree in place. He was a bit tricky to
use chattr +i on /bin/login and some other progs.
BTW, although rpm complained that it cannot replace
those, why isn't it prepared for such scenarios?
RPM is made for Linux, it should certainly know
about special filesystem flags and handle them.
How should rpm handle it? Rpm has no way of knowing why the
immutable flag was set. I believe the proper way is to report the
problem, and let the user decide what to do about it. You could add
a flag to rpm to let it override the immutable flag, but I think
that would be a bad idea.
The way I look at it, if the immutable flag is set, then either you
didn't want the file to be changed without you giving specific
permission by un-setting the flag, or you have other problems you
should be made aware of.
Mikkel

How?
1. be able to specify special flags in the specfile and apply them upon
install
2. detect if the filesystem doesn't handle such specials and make note
of it in the rpmdb
3. clear them before uninstalling or upgrading
4. detect if it was modified, report it with rpmv
(skip this check if the rpmdb indicates it, see 2)
At least ext2/3/4 and xfs have such special flags, make use of them.
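The check both sides of the thread are circling around, as an added example that is not code from any of the posters: walk `lsattr -R` output, pick out every file carrying the immutable attribute (`chattr +i`), and report which RPM package owns it, so a tampered `/bin/login` is surfaced for a human decision rather than discovered when `rpm` fails to replace it. The `lsattr` line format, the directory paths scanned and the `rpm -qf` lookup are assumptions about a typical Fedora-style system; the sample `lsattr` text is constructed, not taken from the intruder's machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds files carrying the ext2/3/4
# or xfs immutable attribute (chattr +i) in `lsattr -R` output and reports
# the owning RPM package, so a tampered /bin/login shows up before an
# `rpm -U` or `rpm --replacepkgs` trips over it.

# Print the path of every file whose lsattr attribute field contains the
# lowercase 'i' (immutable) flag. Input is text in `lsattr -R` format:
# an attribute field, a space, then the path (paths may contain spaces).
# Directory headers such as "/bin:" and blank lines are ignored.
find_immutable() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $1 ~ /^[-a-zA-Z]+$/ && index($1, "i") > 0 {
            sub(/^[^ ]+ +/, "")   # drop the attribute field, keep the path
            print
        }'
}

# Look up which package owns a path. Uses `rpm -qf` when rpm is present
# (assumed behaviour: package name on stdout, non-zero exit when the file
# is unowned); otherwise reports that the lookup was not possible.
owner_of() {
    if command -v rpm >/dev/null 2>&1; then
        out=$(rpm -qf "$1" 2>/dev/null) && echo "$out" \
            || echo "not owned by any package"
    else
        echo "rpm not available"
    fi
}

# One line per immutable file: "<path><TAB><owner>".
report_immutable() {
    find_immutable "$1" | while IFS= read -r path; do
        printf '%s\t%s\n' "$path" "$(owner_of "$path")"
    done
}

# Constructed sample in lsattr -R format (not real output from the thread's
# machine): /bin/login and /bin/ls have been made immutable, as the
# intruder in the thread did.
SAMPLE='/bin:
-------------e-- /bin/bash
----i--------e-- /bin/login
----i--------e-- /bin/ls
-------------e-- /bin/cat'

# Live use (needs root; an ext2/3/4 or xfs filesystem is assumed):
#   report_immutable "$(lsattr -R /bin /sbin /usr/bin /usr/sbin 2>/dev/null)"
# For each hit, verify the owning package before deciding whether the flag
# is yours or the intruder's, e.g.  rpm -V "$(rpm -qf /bin/login)"
# and only then  chattr -i /bin/login  so rpm can replace it.
if [ "${1:-}" = "--demo" ]; then
    report_immutable "$SAMPLE"
fi
```

Run with `--demo` to see the report for the constructed sample. The script deliberately does not call `chattr -i` itself: as Mikkel argues above, clearing the flag is the administrator's decision, and on a compromised box `chattr` and `lsattr` themselves may have been replaced, so run them from known-good media.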