by JoeAltmaier 5746 days ago
Hook root when a process crashes? How long until an exploit?

If you have the ability to modify or create files in /proc you almost certainly already control the system.
Not necessarily. You can trick someone who does have access to write /proc into writing something to /proc for you via symlink or another method.

Disclosure: I work on the unrEVOked rooting tool for Android and we do stuff like this all the time.

You only need to modify the tool that runs as the hook script...which may or may not be protected
on the other hand, it makes for an interesting rootkit hook.
Which is more dangerous than all the other things you can do as root - like inserting an arbitrary kernel module - how?
Dangerous: no, but he said interesting, so perhaps. The advantage of using little known features, for rootkits, is that people are less likely to look for them.
i never said more dangerous nor intended it.

it's not a very good rootkit by itself, certainly, as typically rootkits will monkey with the kernel to hide processes and network sockets.

it's interesting because it's probably the simplest rootkit method i can think of (next to setuid binaries). it's less obvious than a setuid. it's not something that anyone sane would use by itself because like i said--it doesn't hide you.

it's not (yet) an obvious place to look.
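An audit for the crash hook discussed in this thread, added here as an example and not written by any commenter. It assumes the hook is the Linux `core_pattern` pipe handler (a pattern starting with `|` names a program the kernel runs as root on a crash), which the thread itself does not name; the sample paths and the `SAMPLE` table are constructed.

```python
import os
import stat
from types import SimpleNamespace

CORE_PATTERN = "/proc/sys/kernel/core_pattern"  # assumed location of the hook

def pipe_handler(pattern):
    """Return the handler path if core_pattern pipes to a program, else None."""
    pattern = pattern.strip()
    if not pattern.startswith("|"):
        return None  # plain file-name template, nothing is executed
    fields = pattern[1:].split()
    return fields[0] if fields else None

def audit_path(path, lstat=os.lstat):
    """Check the handler and every parent directory for non-root control."""
    findings = []
    while True:
        try:
            st = lstat(path)
        except OSError:
            findings.append(f"{path}: missing")
        else:
            if st.st_uid != 0:
                findings.append(f"{path}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{path}: group/other writable")
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            return findings
        path = parent

# Constructed sample: a root-owned handler inside a directory owned by uid 1000.
SAMPLE = {
    "/": SimpleNamespace(st_uid=0, st_mode=0o40755),
    "/opt": SimpleNamespace(st_uid=0, st_mode=0o40755),
    "/opt/crash": SimpleNamespace(st_uid=1000, st_mode=0o40775),
    "/opt/crash/handler": SimpleNamespace(st_uid=0, st_mode=0o100755),
}

if __name__ == "__main__":
    with open(CORE_PATTERN) as f:
        handler = pipe_handler(f.read())
    if handler is None:
        print("core_pattern does not pipe to a program")
    else:
        # Resolve symlinks first so every real path component is checked.
        for finding in audit_path(os.path.realpath(handler)) or ["no findings"]:
            print(finding)
```

In the sample the handler file itself looks fine, but its parent directory is controlled by a non-root user, which is the "may or may not be protected" case raised above.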