[23010] in bugtraq
Re: Flaws in recent Linux kernels
daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Fri Oct 26 18:23:33 2001
Date: Fri, 26 Oct 2001 12:55:11 +0200 (EEST)
From: Mariusz Woloszyn <emsi@ipartners.pl>
To: Thomas Fischbacher <Thomas.Fischbacher@Physik.Uni-Muenchen.DE>
Cc: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.33.0110251927120.1960-100000@seekar.cip.physik.uni-muenchen.de>
Message-ID: <Pine.LNX.4.04.10110261247330.12025-200000@dzyngiel.ipartners.pl>
On Thu, 25 Oct 2001, Thomas Fischbacher wrote:
> asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
> {
>         struct task_struct *child;
>         struct user * dummy = NULL;
>         int i, ret;
>
>         if(!in_group_p(102))return -EPERM;
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> or with whatever GID that is convenient for you. Then, create the
> corresponding group and add to it all the users that you want to be able
> to use ptrace on your system.
>
> Of course, this will not be in the least bit new to people who ever had a
> closer look at the kernel, but for the average paranoid webmaster
> anticipating future problems here, it might be interesting to know how
> simple it is to get a useful workaround.
>
Better than recompiling the kernel is to write a module like the one I
already posted here (attached again).
Just look at the no_ptrace function:

        if (current->euid == 0) {
                return (orig_ptrace)(request, pid, addr, data);
        } else

and change the 'if (current->euid == 0)' condition to whatever you like.
Then: gcc -c npt.c and insmod ./npt.o.
BTW: Solar Designer reminded me that if your kernel is compiled with SMP
support you HAVE to compile this module with -D__SMP__, as long as you use
the current structure, which is declared differently in that case.
What about adding /proc/sys/ptrace, where '1' would mean anyone can ptrace
and '0' only root? '1' would be the default, '0' only for servers. A similar
solution exists in the kernel to disable ping...
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
[Attachment: npt.c]
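The thread discusses three ways of gating sys_ptrace: the stock kernel (anyone may ptrace), the euid == 0 check in npt.c, and the in_group_p(102) check in the quoted patch, plus a proposed /proc/sys knob to switch between the first two. The following is an added example, not code from the original post nor from npt.c: a userspace model of those checks so the decision logic can be exercised without building a kernel or loading a module. The struct task, make_task(), task_in_group(), ptrace_gate() and POLICY_* names are assumptions made for illustration; task_in_group() follows the 2.4 in_group_p() semantics (effective gid or any supplementary group counts, the real gid does not), and the sample users are constructed.

```c
/*
 * Added example (not from the original post or npt.c): a userspace model
 * of the ptrace gating policies discussed in the thread.  Names below are
 * assumptions for illustration; only the checks mirror the thread.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define DEMO_NGROUPS 32

/* The few task_struct fields the checks look at (modelled, not the real struct). */
struct task {
    uid_t uid, euid;
    gid_t gid, egid;
    size_t ngroups;
    gid_t groups[DEMO_NGROUPS];
};

/* Values of the proposed /proc/sys ptrace knob, plus the group-based variant. */
enum ptrace_policy {
    POLICY_ANYONE = 1,     /* '1': stock behaviour, anyone may ptrace      */
    POLICY_ROOT_ONLY = 0,  /* '0': only euid 0, the check found in npt.c   */
    POLICY_GROUP = 2       /* in_group_p(GID) check from the quoted patch  */
};

static struct task make_task(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                             const gid_t *groups, size_t ngroups)
{
    struct task t = { uid, euid, gid, egid, 0, {0} };
    for (size_t i = 0; i < ngroups && i < DEMO_NGROUPS; i++)
        t.groups[t.ngroups++] = groups[i];
    return t;
}

/* Same semantics as the 2.4 in_group_p(): effective gid or any supplementary
 * group matches; the real (non-effective) gid is not consulted. */
static int task_in_group(const struct task *t, gid_t grp)
{
    if (grp == t->egid)
        return 1;
    for (size_t i = 0; i < t->ngroups; i++)
        if (t->groups[i] == grp)
            return 1;
    return 0;
}

/* The gate at the top of sys_ptrace(): 0 passes the call on to the original
 * handler, -EPERM rejects it before any pid lookup happens. */
static int ptrace_gate(const struct task *cur, enum ptrace_policy policy,
                       gid_t ptrace_gid)
{
    switch (policy) {
    case POLICY_ANYONE:
        return 0;
    case POLICY_ROOT_ONLY:
        return cur->euid == 0 ? 0 : -EPERM;
    case POLICY_GROUP:
        return task_in_group(cur, ptrace_gid) ? 0 : -EPERM;
    }
    return -EPERM;
}

int main(void)
{
    /* Constructed sample callers. */
    const gid_t dbg_groups[] = { 100, 102 };
    const gid_t no_groups[]  = { 100 };
    struct task root     = make_task(0, 0, 0, 0, NULL, 0);
    struct task alice    = make_task(1000, 1000, 1000, 1000, dbg_groups, 2);
    struct task bob      = make_task(1001, 1001, 1001, 1001, no_groups, 1);
    /* bob inside a setuid-root binary: uid stays 1001 but euid becomes 0 */
    struct task bob_suid = make_task(1001, 0, 1001, 1001, no_groups, 1);
    /* egid 102 without a supplementary entry, and real gid 102 only */
    struct task egid102  = make_task(1002, 1002, 102, 102, NULL, 0);
    struct task rgid102  = make_task(1003, 1003, 102, 1003, NULL, 0);

    const gid_t ptrace_gid = 102;
    const struct task *who[] = { &root, &alice, &bob, &bob_suid, &egid102, &rgid102 };
    const char *names[] = { "root", "alice", "bob", "bob(setuid)", "egid102", "rgid102" };
    const enum ptrace_policy pol[] = { POLICY_ANYONE, POLICY_ROOT_ONLY, POLICY_GROUP };
    const char *polnames[] = { "anyone", "root-only", "group 102" };

    for (size_t p = 0; p < 3; p++) {
        printf("%-10s:", polnames[p]);
        for (size_t i = 0; i < 6; i++)
            printf(" %s=%s", names[i],
                   ptrace_gate(who[i], pol[p], ptrace_gid) == 0 ? "ok" : "EPERM");
        printf("\n");
    }
    return 0;
}
```

Two properties of the checks as quoted are worth noticing when running this: the euid == 0 test admits any process whose effective uid is 0, including a setuid-root binary started by an ordinary user, and the in_group_p(102) test as written has no root bypass, so root itself is refused unless it is also a member of the group.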