[1115] in linux-security and linux-alert archive
[linux-security] Re: RESOLV_HOST_CONF
daemon@ATHENA.MIT.EDU (Keith Owens)
Thu Aug 29 19:35:11 1996
Date: Fri, 30 Aug 1996 02:13:46 +1000 (EST)
From: Keith Owens <kaos@audio.apana.org.au>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960827105049.17121B-100000@audio.apana.org.au>
On Tue, 27 Aug 1996, Keith Owens wrote:
> How about the best of both worlds? Kernel detects suid/sgid programs and,
> instead of running them directly, starts a trusted wrapper program. [snip]
> [REW: You don't need the kernel to detect this. [snip]]
Need - no, prefer - yes. Renaming files and adding symlinks is all very
well but it is a manual process and has to be redone whenever you
upgrade. It also will not catch the malicious user who creates their
own suid program through the backdoor you did not know about. Having
the kernel detect suid/sgid and drive the security wrapper automatically
is transparent, offers a single point of control and can lock out
unexpected suid/sgid binaries (anything not permitted is forbidden).
[REW: Agreed. Kernel patch included below. This patch compiles, but is
NOT tested. It is against 2.0.15. I don't know an easy way to get back
to the pathname from that part of the kernel, so the messages don't
say much (could report dev/inode though). The userlevel program that
opens all allowed suid binaries, does the ioctl and NEVER EXITS has
not been written yet. The system "turns on automatically". Once you
explicitly allow a suid program, all others automatically turn
disabled.
Anybody want to finish this up and submit it to Linus once 2.1 gets
started?
--- fs/ioctl.c.orig Fri Jul 5 17:45:33 1996
+++ fs/ioctl.c Thu Aug 29 23:55:56 1996
@@ -48,6 +48,15 @@
put_fs_long(filp->f_inode->i_size - filp->f_pos,
(int *) arg);
return 0;
+ case FIALLOWSUID:
+ {
+ struct suid_allow *tsa;
+ tsa = kmalloc (sizeof (struct suid_allow));
+ if (!tsa) return -ENOMEM;
+ tsa->next = first_sa;
+ tsa->inode = filp->f_inode;
+ return 0;
+ }
}
if (filp->f_op && filp->f_op->ioctl)
return filp->f_op->ioctl(filp->f_inode, filp, cmd, arg);
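Review bot: In the FIALLOWSUID case the new entry is never published: tsa->next is set to first_sa, but first_sa itself is never assigned, so the list stays empty, each call leaks its allocation, and the check in fs/exec.c never switches on. Add first_sa = tsa; before the return. The case also has no suser() check, so any process that can open a file could add it to the list, and kmalloc() is called with a size only, without its priority argument (for example GFP_KERNEL). Nothing here takes a reference on filp->f_inode, so the stored pointer is only meaningful while the caller keeps the file open.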
--- fs/exec.c.orig Thu Aug 29 23:34:51 1996
+++ fs/exec.c Fri Aug 30 00:14:28 1996
@@ -51,6 +51,9 @@
asmlinkage int sys_exit(int exit_code);
asmlinkage int sys_brk(unsigned long);
+struct suid_allow *first_sa;
+
+
/*
* Here are the actual binaries that will be accepted:
* add more with "register_binfmt()" if using modules...
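Review bot: first_sa is introduced as a bare global with no comment. Document at the declaration that a NULL list means the allow-list is not enforced, and that the list is written from the ioctl path in fs/ioctl.c and read on every suid/sgid exec here, so the assumed serialisation between the two is stated. One of the two added blank lines can go.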
@@ -520,6 +523,16 @@
|| (current->files->count > 1)) {
if (!suser())
return -EPERM;
+ }
+ if (first_sa) {
+ struct suid_allow *sa;
+ for (sa = first_sa;sa != NULL;sa = sa->next)
+ if (sa->inode == bprm->inode) break;
+ if (!sa) {
+ printk ("Refusing setuid for uid %d.\n",current->uid);
+ return -EPERM;
+ }
+ printk ("Approving setuid exec for uid %d.\n",current->uid);
}
}
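Review bot: The lookup sa->inode == bprm->inode compares against raw inode pointers saved by the ioctl, and nothing in the patch pins those inodes or removes an entry when the file is closed, so a stale entry could later match whatever inode reuses that memory. Take a reference when the entry is added, or drop the entry on release. Both printk calls log only current->uid; adding the device and inode number (bprm->inode->i_dev, bprm->inode->i_ino) would let a refusal be traced to a file. The approval message fires on every permitted exec and is a candidate for removal.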
--- include/linux/fs.h.orig Thu Aug 29 17:14:29 1996
+++ include/linux/fs.h Fri Aug 30 00:15:31 1996
@@ -116,8 +116,16 @@
#define BMAP_IOCTL 1 /* obsolete - kept for compatibility */
#define FIBMAP _IO(0x00,1) /* bmap access */
#define FIGETBSZ _IO(0x00,2) /* get the block size used for bmap */
+#define FIALLOWSUID _IO(0x00,3) /* Allow SUID on this file */
#ifdef __KERNEL__
+
+struct suid_allow {
+struct suid_allow *next;
+struct inode *inode;
+};
+
+extern struct suid_allow *first_sa;
#include <asm/bitops.h>
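Review bot: The comment on FIALLOWSUID ("Allow SUID on this file") leaves out the side effect that matters: once one entry exists, the exec check refuses every suid/sgid binary that is not on the list. State that in a comment above the define, together with who is expected to issue the ioctl, and add a line above struct suid_allow saying that the inode pointer is only valid while the file stays open.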
-- End of Moderator comment.]