From: "Kristian Sørensen" <ks@cs.aau.dk>
To: umbrella-devel@lists.sourceforge.net
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks
Date: Sat, 04 Sep 2004 11:06:31 +0200 [thread overview]
Message-ID: <41398597.2040506@cs.aau.dk> (raw)
In-Reply-To: <200409032039.i83Kd1ZR028638@turing-police.cc.vt.edu>
Valdis.Kletnieks@vt.edu wrote:
> On Fri, 03 Sep 2004 22:05:03 +0200, =?UTF-8?B?S3Jpc3RpYW4gU8O4cmVuc2Vu?= said:
>
>
>>Also simple bufferoverflows in suid-root programs may be avoided. The
>>simple way would to set the restriction "no fork", and thus if an
>>attacker tries to fork a (root) shell, this would be denied.
>
>
> All this does is stop fork(). I'm not sure, but most shellcodes I've seen
> don't bother forking, they just execve() a shell....
I was not precise enough - it is not just fork, but the LSM catches
every time a new process is created - so we do have some way of generic
catching creation of processes, and denying so, if prohibited.
> It doesn't stop a buffer overflow that does this:
>
> f1 = open("/bin/bash");
> f2 = open("/tmp/bash", O_CREAT);
> while ((bytes = read(f1,buffer,sizeof(buffer))) > 0)
> write(f2,buffer,bytes);
> fchmod(f2,4775);
> close(f1); close(f2);
You are right! ... as long as a new process is not created, this may do
some damage ... but:
> Papering over *that* one by restricting fchmod just means the exploit needs to
> append a line to /etc/passwd, or create a trojan inetd.conf or crontab entry,
Not mny suid programs would really need to be able to access the /etc
and everything below... E.g. cdrecord (there were a bug a year ago or
something)... it should definitely not have access to the possiblílities
you mention!
> Remember - just papering over the fact that most shellcodes just execve() a
> shell doesn't fix the fundemental problem, which is that the attacker is able
> to run code of his choosing as root.
Good point!
Best, Kristian.
next prev parent reply other threads:[~2004-09-04 9:06 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-03 12:12 Getting full path from dentry in LSM hooks Kristian Sørensen
2004-09-03 12:32 ` Christoph Hellwig
2004-09-03 12:38 ` [Umbrella-devel] " Kristian Sørensen
2004-09-03 13:04 ` Christoph Hellwig
2004-09-03 13:20 ` Kristian Sørensen
2004-09-03 14:01 ` Christoph Hellwig
2004-09-03 19:54 ` Kristian Sørensen
2004-09-04 11:09 ` Christoph Hellwig
2004-09-04 18:52 ` Kristian Sørensen
2004-09-03 15:38 ` Stephen Smalley
2004-09-03 12:43 ` Andrea Arcangeli
2004-09-03 14:14 ` Alan Cox
2004-09-03 20:05 ` [Umbrella-devel] " Kristian Sørensen
2004-09-03 20:39 ` Valdis.Kletnieks
2004-09-04 9:06 ` Kristian Sørensen [this message]
2004-09-04 10:50 ` Emmanuel Fleury
2004-09-07 14:19 ` Kristian Sørensen
2004-09-04 2:41 ` Horst von Brand
2004-09-04 19:01 ` Kristian Sørensen
2004-09-04 19:06 ` Kristian Sørensen
2004-09-04 16:56 ` Alan Cox
2004-09-04 18:47 ` Kristian Sørensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41398597.2040506@cs.aau.dk \
--to=ks@cs.aau.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=umbrella-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.