Linux security (was Re: [clug] Witty worm a wake up call)

Martijn van Oosterhout kleptog at
Mon Jun 7 11:52:08 GMT 2004

On Mon, Jun 07, 2004 at 08:38:01PM +1000, Tony and Robyn Lewis wrote:
> 1. how easy is it to keylog in Linux, assuming privileges of the user
> you're trying to log?  I just tried firing up two xterms, and got as far
> as running "cat /dev/pts/2 | tee /dev/pts/2" in one that the other was
> using.  I saw my text in both windows, but <CR> was broken, and any
> commands weren't actually executed.

As already pointed out, X is a really big hole here. If you can connect
to an X server, you can pretty much read/write anything there, trap all
events, etc. These features are used for nifty window manager tricks,
xkill, xev, xmag, xwd, window mapping, etc. All neat, but it is a

For console it's a bit trickier to do in userspace, but with a kernel
module, all bets are off.

> Going further would probably be something like strace, which I just
> did.  Did much better - I could see that it was responding to each
> character, and it even looks like the characters for me entering my sudo
> password.  Maybe all it would take is to modify strace (or use similar
> libraries) and you've got a pretty silent key sniffer.

Last I checked a process could only be ptraced by one other process at
a time and it does strange tricks with the process tree so it would be
pretty obvious if it were happening to a lot of processes. PS would
also show state T which is quite abnormal.

One trick I havn't tried much is a malicous shared library that sets
LD_PRELOAD just before exec and unsets it in the new process. Doesn't
work on static binaries but you could trap parts of the C library that

> 2. how easy would it be to rigorously test to see if you're being
> sniffed?  Could you reasonably expect to see, say, how many processes
> get your keystrokes (e.g. X -> shell -> some app), and then have a good
> indicator as to if you're being sniffed?

I would love to have some kind of process viewer that traced data flows
rather than execution hierachy. So you could trace where stuff is
going. However, the X server would be in the middle of everything
though :)

Rigously checking all outgoing connections would also be a good idea,
but it can be hard to know what to look for.

To do it properly you need to compromise the kernel, then all bets are
off. In normal userspace it would be quite tricky, expecially the
user/root boundary is tricky (most users don't own binaries). Scripts
are another possibility, ala macro virus.

So fix those kernel bugs, check all setuid binaries, don't run network
services as root and don't run stuff as root that you don't have to.
But they've been saying that for 20 years, right?

Have a nice day,
Martijn van Oosterhout   <kleptog at>
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url :

More information about the linux mailing list