I'm not talking about other users. I'm talking about root
being able to scan the address spaces of all of his processes,
which are sometimes system daemons that handle delicate
information.
> > While an evil superuser could do this in some other way
> > anyway (for example by substituting the original program
> > with a hacked version that logs interesting information),
> > on a normal system, the superuser will not do a thing like
> > that.
>
> Root can do anything. Root can delete user's files, sneak
> up on their back. Hell, I wanna bet he can even pull the
> power cord :-)
If this root is an intruder who hacked a root shell, he can
trigger tripwire if he wants to replace a binary on the
filesystem to enable himself to spy on people. Also,
restarting a process could show up in all sorts of logs.
But by mmapping the process' space he can modify the process
itself - it will not trigger tripwire and it won't show in
any logs at all.
> > Can someone with more in-depth knowledge please shed a light
> > on this?
>
> Blink :-)
Andrej