Re: ext2 attribute immutable
Mon, 1 Apr 96 22:50 BST


On Fri, 29 Mar 1996 19:52:32 -0800 (PST), Snow Cat
<> said:

> once wrote:
>> ... A non-zero securelev prevents even root from bypassing or
>> removing the immutable (or the append-only) flag on an ext2 file.
>> Not even root is allowed to decrease the securelev again. The only
>> process ever allowed to decrement securelev is init.

> So, how does one need to modify /proc/1/mem to decrease the secure-level
> after getting root access? :)

You don't need to. You can just do a ptrace() on init, or create your
OWN init process --- by using a careful, controlled fork bomb we can
easily create new processes until we are about to wrap pid, then kill
init and wait until one of our forks has a pid of 1.

The securelevel code is now fully implemented, but of course it is
still insecure if there are other vulnerabilities in the security
regime which permit arbitrary access to kernel memory or to the init
process. A complete security mechanism, capable of defeating even a
root attack, has GOT to be more complex than Linux can currently
achieve. There's nothing new about this!

However, one thing which could be done fairly easily would be to (a)
protect init from all attacks, making it immune to ptrace, kill -9
etc; and (b) disable all direct kernel access (such as /dev/mem or
loading new kernel modules) once securelev is sufficiently high.


Stephen Tweedie <>
Department of Computer Science, Edinburgh University, Scotland.