Re: How to limit it?
>> >> problem but... may be can someone write linux kernel module (i saw one,
>> >> written by lcamtuf@ids.pl but compilation wasn't successful ) that will
>> >A module?! :)))) What for?! Just write your own WRAPPER around the open
>> >syscall and use that instead of the libc's one :))))))). You can do it using
>> >the LD_PRELOAD mechanism.
>> >
>>
>> #include <dlfcn.h>
>> #include <fcntl.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <unistd.h>
>>
>> /* libc's own open(), looked up with dlsym() so that an LD_PRELOADed
>>  * wrapper named open() is bypassed entirely */
>> int (*real_open)(const char *, int) = NULL;
>>
>> int main()
>> {
>>     void *libc6 = NULL;
>>     char buf[4096];
>>     int fd;
>>
>>     libc6 = dlopen("libc.so.6", RTLD_LAZY | RTLD_GLOBAL);
>>     if(!libc6)
>>     {
>>         printf("Aieee\n");
>>         exit(1);
>>     }
>>     real_open = (int (*)(const char *, int))dlsym(libc6, "open");
>>
>>     fd = real_open("/etc/passwd", O_RDONLY);
>>     read(fd, buf, sizeof(buf));
>>     return 0;
>> }
>You can prevent that easily. Just deny read access on libc.so.6, leaving the
>executable bit set.
I doubt that. See the following strace. NB I don't have a spare system to
test this on at the moment. If you're sure it'll work then try it. ;)
rjc@lyta:/tmp$strace ls t
execve("/bin/ls", ["ls", "t"], [/* 29 vars */]) = 0
brk(0) = 0x8052920
open("/etc/ld.so.preload", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=31, ...}) = 0
mmap(NULL, 31, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0x40013000
close(3) = 0
munmap(0x40013000, 31) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=19984, ...}) = 0
mmap(NULL, 19984, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40013000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
>> Of course you could pre-load a library that replaces the dlopen call, but
>> your system probably won't work in such a fashion.
>It would. You could add capability to the dl* family of functions to test
>for the credentials of the user that invokes the library. Much easier and
>cleaner IMO.
That will probably work. It's a lot of work though, and if they can get a
statically linked program installed then they get access anyway...
Or they can write a program that calls the open() system call directly by
number (I've worked with code that does this with clone(), I'm sure I could
write code for open() in a few hours).
>> Mounting /home, /tmp, and /var/tmp in a noexec fashion is probably a better
>> idea.
>I agree. That's what I do with users I don't really trust. noexec, nosuid,
>nodev. Pity that /tmp has to be executable, but the OpenWall patch makes it
>possible to secure it anyway, besides mode 03777 makes it quite secure.
Why does /tmp have to be mounted with execute permission?
Why mode 03777 not 01777 as everyone else uses?
--
Electronic information tampers with your soul.
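The LD_PRELOAD wrapper around open() that the thread keeps referring to, written out as an added example (my code, not any poster's): a shim that refuses open() of paths under a deny list and hands everything else to the real openat(2) syscall. It assumes Linux/glibc; the deny list, the path_is_denied() helper and the log line are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed deny list for this example. A prefix ending in '/' covers a
 * directory subtree; any other entry must match a whole path component. */
static const char *denied_prefixes[] = { "/etc/shadow", "/root/", NULL };

/* Return 1 if path falls under a denied prefix, else 0. Symlinks and ".."
 * are resolved with realpath() when the path exists, so "/etc/../etc/shadow"
 * is treated like "/etc/shadow"; a nonexistent path is matched as given. */
int path_is_denied(const char *path)
{
    char resolved[PATH_MAX];
    const char *p = realpath(path, resolved) ? resolved : path;
    for (const char **d = denied_prefixes; *d; d++) {
        size_t n = strlen(*d);
        if (strncmp(p, *d, n) == 0 &&
            ((*d)[n - 1] == '/' || p[n] == '\0' || p[n] == '/'))
            return 1;
    }
    return 0;
}

/* Interposed open(3). Under LD_PRELOAD this definition is resolved before
 * libc's, so dynamically linked programs calling open() land here. The real
 * work goes to the openat(2) syscall directly, so no libdl lookup is needed. */
int open(const char *pathname, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {          /* third argument exists only with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    if (path_is_denied(pathname)) { /* refuse and leave an audit trail */
        fprintf(stderr, "open-shim: uid %u denied open(\"%s\")\n",
                (unsigned)getuid(), pathname);
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_openat, AT_FDCWD, pathname, flags, mode);
}
```

Build with `gcc -shared -fPIC -o open_shim.so open_shim.c` and run a program as `LD_PRELOAD=./open_shim.so prog`; as the thread points out, this governs only dynamically linked programs that go through libc's open(), not ones that dlsym() libc themselves, link statically or issue the syscall by number.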