>The point being debated here is whether or not a hacker could cause bad
>things to happen by changing lib C.
I guess I wasn't clear in my earlier posting: that's not
open to debate. I know for a fact that this has been done in the
past, specifically to get around tripwire.
However it's implemented, you need to be able to remap
accesses to the tripwire database so that they open different
files when they think they are opening the database and libc
for read. You also need to be able to make the backup copies
"invisible" to the tripwire process. The version I've been told
about is apparently implemented in a shared library for Suns.
Presumably it jiggers stat/lstat and open with hardcoded inode
numbers or something like that.
My other observation was that it should be no more
difficult for a skilled programmer to paste it directly into
the kernel, by linking a kernel with a modified system call
jump table. Take a look at init_sysent.c and ask yourself
how hard it would be.
There's a bunch of trivial implementation details that
I'm hand-waving over but if someone wants to do it, they can.
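As an added example (not from this thread, and not tripwire's own code), here is the kind of self-check an integrity tool would want against the shared-library variant described above: it compares what libc's stat() and open() report for a file with what the kernel reports when asked directly through the system call interface. It assumes Linux on x86_64 or aarch64 (the newfstatat and fstat calls, and a glibc struct stat that matches the kernel layout); the function and enum names are my own. As the post points out, this only catches a hook in libc: a modified system call jump table in the kernel would answer both paths consistently.

```c
/* libc-vs-kernel consistency check (added example, not from the original
 * thread). Assumes Linux on x86_64 or aarch64, where glibc's struct stat has
 * the layout that the newfstatat/fstat system calls fill in. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Result codes for the two checks (names are mine). */
enum check_result { CHECK_CONSISTENT = 0, CHECK_MISMATCH = 1, CHECK_ERROR = -1 };

/* Ask the kernel for a path's metadata directly, bypassing the libc wrapper. */
static int raw_stat(const char *path, struct stat *st) {
    return (int)syscall(SYS_newfstatat, AT_FDCWD, path, st, 0);
}

/* Same for an already-open descriptor. */
static int raw_fstat(int fd, struct stat *st) {
    return (int)syscall(SYS_fstat, fd, st);
}

/* Two stat buffers describe the same object if device, inode, size and
 * modification time all agree. */
static int same_object(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino &&
           a->st_size == b->st_size && a->st_mtime == b->st_mtime;
}

/* Check 1: does libc stat() report what the kernel reports for this path?
 * A library hook that rewrites stat/lstat results shows up here. */
int check_stat_consistency(const char *path) {
    struct stat via_libc, via_kernel;
    if (stat(path, &via_libc) != 0) return CHECK_ERROR;
    if (raw_stat(path, &via_kernel) != 0) return CHECK_ERROR;
    return same_object(&via_libc, &via_kernel) ? CHECK_CONSISTENT : CHECK_MISMATCH;
}

/* Check 2: does the descriptor libc open() returns refer to the file the
 * kernel says lives at that path? A hook that redirects open() to a
 * substitute file shows up here. The descriptor is inspected with a raw
 * fstat so that a hooked libc fstat() cannot cover for it. */
int check_open_consistency(const char *path) {
    struct stat via_path, via_fd;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return CHECK_ERROR;
    int rc_path = raw_stat(path, &via_path);
    int rc_fd = raw_fstat(fd, &via_fd);
    close(fd);
    if (rc_path != 0 || rc_fd != 0) return CHECK_ERROR;
    return same_object(&via_path, &via_fd) ? CHECK_CONSISTENT : CHECK_MISMATCH;
}

static const char *verdict(int r) {
    return r == CHECK_CONSISTENT ? "consistent"
         : r == CHECK_MISMATCH   ? "MISMATCH"
                                 : "error";
}

/* Usage: ./libc_check [path]   (defaults to "/" so it runs anywhere) */
int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/";
    int s = check_stat_consistency(path);
    int o = check_open_consistency(path);
    printf("%s: stat %s, open %s\n", path, verdict(s), verdict(o));
    return (s == CHECK_CONSISTENT && o == CHECK_CONSISTENT) ? 0 : 1;
}
```

Run it against the integrity database and against the libc the tool itself is linked with; a MISMATCH on either check means the process's view of the filesystem is not the kernel's. The check is deliberately cheap so it can be repeated before every database read rather than once at startup.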