On Fri, Mar 09, 2001 at 05:40:03PM -0500, Robert Mognet wrote: > > Anyone know where I can find a kernel patch that restricts users so.. > > 'who' shows only the user himself > > "who" is not a kernel function, it's a system utility.
That doesn't mean a kernel patch can't modify its behavior. Have you ever seen the Knark module in action? It's frightening. All filesystem, process listings, user listings, etc come straight from the kernel. With Knark you can modify any of it. You can hide users, files, processes and so on. You can even modify the behavior of executables without actually changing them (i.e. run 'ls' and suddently your system reboots itself...just as an example). Knark can also completely hide itself from tools like lsmod and rmmod, making it *impossible* to remove or detect (without rebooting to a trusted kernel). Not that this is directly on topic, and it's not what the original poster is looking for. I just wanted to let you know that on some level, everything calls kernel functions, and you can definitely modify their behavior. noah -- _______________________________________________________ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
pgpEB5sZPmZo9.pgp
Description: PGP signature