COMMAND

    kerneld

SYSTEMS AFFECTED

    Linux (RedHat and possibly others)

PROBLEM

    Zygo Blaxell posted the following about kerneld and module security.
    There's a neat trick for a machine running kerneld:

        not_root@machine$ /sbin/ifconfig isofs

    loads '/lib/modules/(kernel version here)/fs/isofs.o'.

    /sbin/ifconfig when  run as  non-root queries  a network interface
    for its configuration.   However, if the  interface is unknown  it
    also  tries  to  load  the  module  that implements that interface
    using the  name of  the interface  as the  token for kerneld (it's
    usually  aliased  to  "3c59x.o"  or  something  appropriate to the
    installed hardware in  /etc/modules.conf).  However,  kerneld will
    happily load a filesystem driver  or anything else in the  list of
    directories  compiled  into  it  as  long  as its name matches the
    "interface-name" parameter.

    Corollary: Any module in /lib/modules can be loaded into kernel
    memory by any user at any time. There are potential
    denial-of-service attacks from autoprobes, device initialization,
    and all kinds of other goo that you wish you didn't have to think
    about here.

SOLUTION

    Here are four alternative fixes:

        Fix 1: Add a keyword to /etc/modules.conf that puts kerneld
        into a mode where nothing that wasn't explicitly listed in
        /etc/modules could be loaded. The defaults are nice and
        convenient, but too dangerous when any user could ask for
        potentially dangerous modules by name. This is probably the
        best solution of the four. Vendors can generate an
        /etc/modules.conf as part of system installation; most of the
        modules are harmless, only device drivers with autoprobes are
        a significant threat, so most of /etc/modules.conf will be
        constant.

        Fix 2: Make whatever system call that ifconfig executes to
        get interface information fail if there is no such module
        installed and the request is not made by root. And close all
        similar problems, e.g. in mount's filesystem parameter. It is
        not an advisable fix; you would never manage to get it right.

        Fix 3:  Don't use  kerneld.  Load modules manually  or compile
        all  modules   directly  into   the  kernel   and  don't   use
        insmod/modprobe/kerneld at all.  This is a short-term solution
        for people under attack.

        Fix 4:  Never install a module you do not intend to use.  This
        sort of defeats  several of the  benefits of modules,  but not
        all  of  them.   If   you  were  using  modules  to   simplify
        configuration  of  many  machines,  you'd  have  to explicitly
        choose  which  module  files  were  installed  on each machine
        based on what is safe for that machine.
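    The following shell script is an added example, not part of the
    original post or of kerneld itself. It emulates the allowlist policy
    of Fix 1 (a request token is honoured only when an administrator
    wrote an alias for it, and "alias NAME off" denies it) and audits a
    module tree for files no alias reaches, which are the candidates Fix 4
    would remove. The modules.conf fragment and the module tree are
    constructed for the demonstration.

```shell
#!/bin/sh
# Added example: allowlist policy check for kerneld-style module requests.
# A request carries only a token (the interface name handed to ifconfig).
# Under the default policy any module file whose name matches the token
# would load; under this check only alias targets written by the
# administrator are loadable.

# Constructed /etc/modules.conf fragment (not from any real system).
MODCONF='alias eth0 3c59x
alias eth1 ne2k-pci
alias isofs off'

# resolve_request TOKEN
# Prints the module the policy allows for TOKEN, or "deny" when the token
# has no alias or is explicitly switched off.
resolve_request() {
    printf '%s\n' "$MODCONF" | awk -v tok="$1" '
        $1 == "alias" && $2 == tok { hit = $3 }
        END { if (hit == "" || hit == "off") print "deny"; else print hit }'
}

# make_demo_tree
# Builds a constructed /lib/modules-style tree in a temp dir and prints
# its path; the caller removes it afterwards.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/net" "$dir/fs"
    : > "$dir/net/3c59x.o"
    : > "$dir/net/ne2k-pci.o"
    : > "$dir/fs/isofs.o"
    : > "$dir/fs/nfs.o"
    printf '%s\n' "$dir"
}

# unlisted_modules MODDIR
# Lists module files under MODDIR that no alias points at, i.e. the set
# any user could pull in by name under the default policy.
unlisted_modules() {
    allowed=" $(printf '%s\n' "$MODCONF" |
        awk '$1 == "alias" && $3 != "off" { print $3 }' | tr '\n' ' ') "
    find "$1" -name '*.o' | while read -r f; do
        m=$(basename "$f" .o)
        case "$allowed" in *" $m "*) ;; *) printf '%s\n' "$m" ;; esac
    done | sort
}

# Demonstration: eth0 resolves to its driver, the isofs trick is denied.
for t in eth0 isofs; do printf '%s -> %s\n' "$t" "$(resolve_request "$t")"; done
```

    Run as a non-root user; the audit only reads file names, so it can be
    pointed at a real /lib/modules/VERSION directory to see which modules
    the current configuration leaves reachable.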