jcgl 3 hours ago
What makes ss different? In any case, interesting to think of shared libraries (specifically shared libc) as a risk here. Makes sense, but I hadn't thought about it before. That said, I'm having a hard time doing a threat model where you worry about an attacker only setting LD_PRELOAD but not modifying PATH. The latter is more general and can screw you with all programs (doesn't cover shell builtins, but it's not like those would just be one more step).
gus_ 15 minutes ago
ss obtains the connection information via netlink directly from the kernel (besides parsing /proc): https://manpages.debian.org/bookworm/manpages/sock_diag.7.en... https://github.com/vishvananda/netlink/blob/main/inet_diag.g... Not many rootkits tamper with the netlink channel, so in most cases it's a bit more reliable.
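
The cross-check this reply points to, as an added example that is not part of the thread: decode the kernel's `inet_diag_msg` records (layout from sock_diag(7)) and the `/proc/net/tcp` text into the same tuple, then list sockets that only the netlink view contains. The function names and sample records are constructed for illustration; IPv4 and a little-endian host are assumed.

```python
import socket
import struct

# struct inet_diag_msg as documented in sock_diag(7), 72 bytes: family, state,
# timer, retrans, then inet_diag_sockid (sport, dport, src[4], dst[4], if,
# cookie[2]), then expires, rqueue, wqueue, uid, inode.
DIAG_MSG = struct.Struct("=4B2s2s16s16sI8s5I")

def parse_diag_msg(buf):
    """Decode one IPv4 inet_diag_msg into (src, sport, dst, dport, state, inode)."""
    f = DIAG_MSG.unpack_from(buf)
    sport, dport = (int.from_bytes(p, "big") for p in f[4:6])  # ports are __be16
    return (socket.inet_ntoa(f[6][:4]), sport,
            socket.inet_ntoa(f[7][:4]), dport, f[1], f[14])

def parse_proc_line(line):
    """Decode one /proc/net/tcp row into the same tuple (little-endian host assumed)."""
    f = line.split()
    def endpoint(s):
        addr, port = s.split(":")
        # /proc prints the address as a native-endian u32, so reverse the bytes
        return socket.inet_ntoa(bytes.fromhex(addr)[::-1]), int(port, 16)
    return (*endpoint(f[1]), *endpoint(f[2]), int(f[3], 16), int(f[9]))

def missing_from_proc(diag_msgs, proc_text):
    """Sockets the kernel reports over netlink that the /proc text does not list."""
    listed = {parse_proc_line(l) for l in proc_text.splitlines()[1:] if l.strip()}
    return [s for s in map(parse_diag_msg, diag_msgs) if s not in listed]

def make_diag(src, sport, dst, dport, state, inode, uid=0):
    """Build a constructed inet_diag_msg for the sample below (not captured data)."""
    pad = lambda ip: socket.inet_aton(ip) + bytes(12)
    return DIAG_MSG.pack(socket.AF_INET, state, 0, 0, sport.to_bytes(2, "big"),
                         dport.to_bytes(2, "big"), pad(src), pad(dst), 0, bytes(8),
                         0, 0, 0, uid, inode)

# Constructed sample: the kernel view has two sockets, the /proc text shows one.
SAMPLE_DIAG = [
    make_diag("127.0.0.1", 8080, "0.0.0.0", 0, 0x0A, 12345),           # LISTEN
    make_diag("192.0.2.10", 44444, "198.51.100.7", 443, 0x01, 67890),  # ESTABLISHED
]
SAMPLE_PROC = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for sock in missing_from_proc(SAMPLE_DIAG, SAMPLE_PROC):
        print("not in /proc/net/tcp:", sock)
```

On a live host the two snapshots are taken at different instants, so short-lived connections can appear as differences; an entry that persists across repeated runs is the one worth investigating.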