OSEC

From: Nicolas Bock (nbockbuffalo.edu)
Date: Wed Oct 10 2001 - 13:44:25 CDT

    > using the mode +i (immutable) even root can't change diddly on a system.
    > this is not uncommon for attackers to do (either manually or in their
    > rootkit installation scripts) to protect their files.

    My apologies already if this is a stupid question, but how does chattr -i
    prevent root from doing anything to a file? I can see that while the immutable
    attribute is set, root can't do anything, but root can run chattr and delete
    this attribute, right? Doesn't that mean then that an attacker who is able to
    put a file into /bin is also able to execute chattr and delete any immutable
    attributes that the admin might have set to protect his trusted shells and so
    on?

            Just something I was always wondering about....nick
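
The quoted remark that attackers set +i on their own files gives a defender something to look for. The following is an added example, not part of the original message: it parses `lsattr -R` output and reports files carrying the immutable flag that the admin did not set. The sample output, the paths in it and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of `lsattr -R /bin` output (not from the original post).
SAMPLE_LSATTR = """\
--------------e------- /bin/ls
----i---------e------- /bin/bash
----i---------e------- /bin/.hidden_tool
-----------I--e------- /bin/bigdir

/bin/sub:
----i---------e------- /bin/sub/helper name
lsattr: Operation not supported While reading flags on /bin/fifo
"""

# Hypothetical allowlist: files the admin deliberately protected with chattr +i.
EXPECTED_IMMUTABLE = {"/bin/bash"}

# A file line is "<flag field> <absolute path>"; the flag field width varies
# between e2fsprogs versions, so match on its character set, not its length.
LINE_RE = re.compile(r"^([-A-Za-z]+)\s+(/.*)$")


def parse_lsattr(text):
    """Yield (flags, path) per file line; skip blanks, 'dir:' headers, errors."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def unexpected_immutable(text, expected=EXPECTED_IMMUTABLE):
    """Return sorted paths that carry +i but are not on the allowlist."""
    found = []
    for flags, path in parse_lsattr(text):
        # Lowercase 'i' is immutable; uppercase 'I' (indexed directory)
        # is a different attribute and must not be reported.
        if "i" in flags and path not in expected:
            found.append(path)
    return sorted(found)


if __name__ == "__main__":
    for path in unexpected_immutable(SAMPLE_LSATTR):
        print(f"unexpected immutable file: {path}")
```

On a live system the input would come from running `lsattr -R` over the directories of interest, compared against a list recorded when the attributes were set.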