An obscure kernel feature to get more info about dying processes

timetobleed.com

132 points by ice799 16 years ago · 38 comments

Marticus 16 years ago

This is actually quite interesting - I didn't know you could do that, and I will likely employ it in the future, especially with a remote web server or something you can't immediately get to. So as you roll in, you check your email on your phone, and know walking in what you're getting into and likely how to fix it. From a time-optimization viewpoint, this is nigh-invaluable.

Plus this guy has some other very nifty articles.

But I guess (glancing at first few comments) that "haterz gonna hate."

gxti 16 years ago

Fedora's Automated Bug Reporting Tool (abrt) uses this to automatically produce crash reports, which you can sanitize and approve to post in a central location for developers. I imagine that Ubuntu does something similar.

tzs 16 years ago

So what happens if the helper application crashes and tries to dump core? Would it try to run another instance of it to handle that crash, and so on, leading to a "core bomb"?

barrkel 16 years ago

It is nice to know that Linux has this feature, but it essentially amounts to a JIT debugger, and has been in other OSes for a long time. In Windows, it's been there since at least NT 4.

JoeAltmaier 16 years ago

Hook root when a process crashes? How long until an exploit?

  • InclinedPlane 16 years ago

    If you have the ability to modify or create files in /proc you almost certainly already control the system.

    • mmastrac 16 years ago

      Not necessarily. You can trick someone who does have access to write /proc into writing something to /proc for you via symlink or another method.

      Disclosure: I work on the unrEVOked rooting tool for android and we do stuff like this all the time.

    • JoeAltmaier 16 years ago

      You only need to modify the tool that runs as the hook script...which may or may not be protected

    • dododo 16 years ago

      on the other hand, it makes for an interesting rootkit hook.

      • FooBarWidget 16 years ago

        Which is more dangerous than all the other things you can do as root - like inserting an arbitrary kernel module - how?

        • InclinedPlane 16 years ago

          Dangerous: no, but he said interesting, so perhaps. The advantage of using little known features, for rootkits, is that people are less likely to look for them.

        • dododo 16 years ago

          i never said more dangerous nor intended it.

          it's not a very good rootkit by itself, certainly, as typically rootkits will monkey with the kernel to hide processes and network sockets.

          it's interesting because it's probably the simplest rootkit method i can think of (next to setuid binaries). it's less obvious than a setuid. it's not something that anyone sane would use by itself because like i said--it doesn't hide you.

        • milkshakes 16 years ago

          it's not (yet) an obvious place to look.
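The concern raised in the thread above (whether the program the kernel runs as root on every crash, and the directories leading to it, are actually protected, and that a hook nobody looks at is an easy place to hide) can be turned into a routine check. The script below is an added example, not code from the linked post or from any commenter. It assumes the feature being discussed is the `|/path/to/helper` form of /proc/sys/kernel/core_pattern; `table_stat` and the sample directory tree are constructed so the check runs offline, and the live read at the end only runs where that file exists.

```python
import os
import stat
CORE_PATTERN_PATH = "/proc/sys/kernel/core_pattern"  # standard Linux sysctl location

def parse_core_pattern(pattern):
    """Return the helper argv when core_pattern pipes to a program, else None."""
    pattern = pattern.strip()
    if not pattern.startswith("|"):
        return None
    return pattern[1:].split()  # the kernel splits the helper command on whitespace

def audit_core_pattern(pattern, stat_fn=os.stat):
    """Flag a non-root owner or group/world write bit on the helper or any ancestor dir."""
    argv = parse_core_pattern(pattern)
    if argv is None:
        return []  # plain file pattern: nothing is executed as root on a crash
    if not argv or not os.path.isabs(argv[0]):
        return ["helper program missing or not an absolute path: " + " ".join(argv)]
    findings, path = [], os.path.normpath(argv[0])
    while True:
        try:
            st = stat_fn(path)
        except OSError as exc:
            findings.append("cannot stat %s: %s" % (path, exc))
            break
        if st.st_uid != 0:
            findings.append("%s owned by uid %d, not root" % (path, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s is group/world writable (mode %04o)" % (path, stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            break
        path = parent
    return findings

def table_stat(table):
    """Stat function over a constructed {path: (uid, mode)} table, for offline runs."""
    def stat_fn(path):
        if path not in table:
            raise FileNotFoundError(path)
        uid, mode = table[path]
        return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return stat_fn

if __name__ == "__main__":
    # Constructed tree: the helper itself is fine, but /opt is world-writable.
    tree = {"/": (0, 0o40755), "/opt": (0, 0o41777), "/opt/crash-helper": (0, 0o100755)}
    print(audit_core_pattern("|/opt/crash-helper %p %s", table_stat(tree)))
    if os.path.exists(CORE_PATTERN_PATH):  # live check on a Linux host
        print(audit_core_pattern(open(CORE_PATTERN_PATH).read()) or ["helper chain looks protected"])
```

A world-writable ancestor is reported even when it carries the sticky bit, since the helper may not exist yet when the pattern is set; treat such a finding as something to review rather than a confirmed fault.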
