
Re: How to limit it ?



>> >> problem but... maybe someone can write a Linux kernel module (I saw one,
>> >> written by lcamtuf@ids.pl but compilation wasn't successful) that will
>> >A module?! :)))) What for?! Just write your own WRAPPER around the open
>> >syscall and use that instead of the libc's one :))))))). You can do it using
>> >the LD_PRELOAD mechanism.
>> >
>> 
>> int (*real_open)(const char *, int) = NULL;
>> int main()
>> {
>>   void *libc6 = NULL;
>>   libc6 = dlopen("libc.so.6", RTLD_LAZY | RTLD_GLOBAL);
>>   if(!libc6)
>>   {
>>     printf("Aieee\n");
>>     exit(1);
>>   }
>>   real_open = (int (*)(const char *, int))dlsym(libc6, "open");
>> 
>>   int fd = real_open("/etc/passwd", O_RDONLY);
>>   read(fd...
>> }
>You can prevent that easily. Just deny read access on libc.so.6, leaving the
>executable bit set.

I doubt that.  See the following strace.  NB I don't have a spare system to
test this on at the moment.  If you're sure it'll work then try it.  ;)

rjc@lyta:/tmp$strace ls t
execve("/bin/ls", ["ls", "t"], [/* 29 vars */]) = 0
brk(0)                                  = 0x8052920
open("/etc/ld.so.preload", O_RDONLY)    = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=31, ...}) = 0
mmap(NULL, 31, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0x40013000
close(3)                                = 0
munmap(0x40013000, 31)                  = 0
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=19984, ...}) = 0
mmap(NULL, 19984, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40013000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3

>> Of course you could pre-load a library that replaces the dlopen call, but
>> your system probably won't work in such a fashion.
>It would. You could add CAP ability to the dl* family of functions to test
>for the credentials of the user that invokes the library. Much easier and
>cleaner IMO.

That will probably work.  It's a lot of work though, and if they can get a
statically linked program installed then they get access anyway...
Or they can write a program that calls the open() system call directly by
number (I've worked with code that does this with clone(), I'm sure I could
write code for open() in a few hours).

>> Mounting /home, /tmp, and /var/tmp in a noexec fashion is probably a better
>> idea.
>I agree. That's what I do with users I don't really trust. noexec, nosuid,
>nodev. Pity that /tmp has to be executable, but the OpenWall patch makes it
>possible to secure it anyway, besides mode 03777 makes it quite secure.

Why does /tmp have to be mounted with execute permission?

Why mode 03777 not 01777 as everyone else uses?


-- 
Electronic information tampers with your soul.
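
Added example (not part of the original message): a Python check for the mount options discussed above, noexec, nosuid and nodev on /home, /tmp and /var/tmp, plus a decoder for the special bits in modes such as 01777 and 03777. The sample mount table is constructed and the function names are illustrative.

```python
import stat

REQUIRED = {"noexec", "nosuid", "nodev"}      # options named in the thread
PATHS = ["/home", "/tmp", "/var/tmp"]         # user-writable paths named in the thread

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
"""

def parse_mounts(text):
    """Return {mountpoint: set of options}; a later entry for the same mountpoint wins."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts escapes a space in a path as \040
            mounts[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Longest mountpoint that is a whole-component prefix of path ("/" if none)."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best

def missing_options(path, mounts):
    """Return (covering mountpoint, sorted list of required options it lacks)."""
    mp = covering_mount(path, mounts)
    return mp, sorted(REQUIRED - mounts.get(mp, set()))

def special_bits(mode):
    """Name the special bits set in a mode such as 0o1777 or 0o3777."""
    names = [(stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky")]
    return [name for bit, name in names if mode & bit]

if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)   # on a live system: open("/proc/mounts").read()
    for p in PATHS:
        mp, missing = missing_options(p, table)
        print(f"{p}: on {mp}, missing {', '.join(missing) or 'nothing'}")
    for m in (0o1777, 0o3777):
        print(f"{m:05o}: {', '.join(special_bits(m))}")
```

In the sample, /var/tmp has no mount of its own, so it inherits the options of /var and is reported as missing all three.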

