Who wants to test cracklinux??

Who wants to test cracklinux??

[Marko]

Hello,

I've written a small kernel module & shared object for kernel 2.6 to
enable the following for normal users:

- inb()/outb()... via a wrapper function
- enable direct IO access (like ioperm())
- direct access on physical memory addresses
- installation of user space ISR
- change nice level

The module is primary thought for education, but perhaps also helpful
in software development.
The module is finished now, but because it's my first kernel code
there could be something to improve. If anyone wants to test, just
send me a mail and you'll get the code.

Thanks,

Marko Euth

Re: Who wants to test cracklinux??

[Sam Ravnborg]

On Tue, Mar 28, 2006 at 10:12:23PM +0200, Marko wrote:
> 
> The module is primary thought for education, but perhaps also helpful
> in software development.
> The module is finished now, but because it's my first kernel code
> there could be something to improve. If anyone wants to test, just
> send me a mail and you'll get the code.
Why not post it to lkml?
You may be lucky and get some feedback here then.

	Sam

Re: Who wants to test cracklinux??

[Pavel Machek]

Hi!

> I've written a small kernel module & shared object for kernel 2.6 to
> enable the following for normal users:
> 
> - inb()/outb()... via a wrapper function

ioperm() does that already, no? You mean, you enable it for non-root,
too? That's security hole.

> - enable direct IO access (like ioperm())
> - direct access on physical memory addresses

read/write on /dev/mem. chmod 666 /dev/mem if you want to allow normal
users to access physical memory (security hole, again).

> - installation of user space ISR

That seems nice. Does it work with PCI shared interrupts?

> - change nice level
> 
> The module is primary thought for education, but perhaps also helpful
> in software development.
> The module is finished now, but because it's my first kernel code
> there could be something to improve. If anyone wants to test, just
> send me a mail and you'll get the code.

Please post it to the list.
								Pavel
-- 
Picture of sleeping (Linux) penguin wanted...

Re: Who wants to test cracklinux??

[Måns Rullgård]

Pavel Machek <pavel@suse.cz> writes:

> Hi!
>
>> I've written a small kernel module & shared object for kernel 2.6 to
>> enable the following for normal users:
>> 
>> - inb()/outb()... via a wrapper function
>
> ioperm() does that already, no? You mean, you enable it for non-root,
> too? That's security hole.
>
>> - enable direct IO access (like ioperm())
>> - direct access on physical memory addresses
>
> read/write on /dev/mem. chmod 666 /dev/mem if you want to allow normal
> users to access physical memory (security hole, again).

It's a security risk, but one that you might sometimes take to gain
some performance on a non-critical machine.  I've done this in the
past to be able to play videos smoothly on a slow machine.

>> - installation of user space ISR
>
> That seems nice. Does it work with PCI shared interrupts?

I obviously can't comment on this case, but I've successfully done it
previously, so it's demonstrably possible.  The code is all available
from vidix.sf.net, although it's not updated to the latest ways of
doing things.

-- 
Måns Rullgård
mru@inprovide.com

Re: Who wants to test cracklinux??

[Jan Engelhardt]

>>
>> read/write on /dev/mem. chmod 666 /dev/mem if you want to allow normal
>> users to access physical memory (security hole, again).
>
>It's a security risk, but one that you might sometimes take to gain
>some performance on a non-critical machine.  I've done this in the
>past to be able to play videos smoothly on a slow machine.
>
Actually, not only you. MPlayer's vesa output module (IIRC. if not, 
then it was svga) pokes /dev/mem as well.
(Seeing vidix in your mail makes me assume you know the vesa/mem thing 
already. ;-)


Jan Engelhardt
-- 
| Software Engineer and Linux/Unix Network Administrator
| Alphagate Systems, http://alphagate.hopto.org/
| jengelh's site, http://jengelh.hopto.org/

Re: Who wants to test cracklinux??

[Marko Euth]

[-- Attachment #1: Type: text/plain, Size: 237 bytes --]


Ok, here's the code.

And... of course, I know that it's a security hole.
I've written the module primary for students. They should
learn how Interrupts ... work without crashing the system
every time.

I'm appreciate for every advice!

[-- Attachment #2: cracklinux-0.50.tar.gz --]
[-- Type: application/octet-stream, Size: 19170 bytes --]

Re: Who wants to test cracklinux??

[Ben Ford]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pavel Machek wrote:
> Hi!
>> I've written a small kernel module & shared object for kernel 2.6 to
>> enable the following for normal users:
>>
>> - inb()/outb()... via a wrapper function
> ioperm() does that already, no? You mean, you enable it for non-root,
> too? That's security hole.

My OS development classes have a lab of machines that run entirely as
root just for these reasons.  I think it's valid to allow these
operations as non-root in certain situations.  It is better than
running *everything* as root, no?

- -b

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEMFGSInEozL1f7FIRAif7AJ41yzdVRHpiGU3Mqy8ef3aZ4TGNVACfYyED
xfZzMo2d5RFO80ciQ1YSo68=
=JKdo
-----END PGP SIGNATURE-----

Re: Who wants to test cracklinux??

[Arjan van de Ven]

On Sun, 2006-04-02 at 15:34 -0700, Ben Ford wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Pavel Machek wrote:
> > Hi!
> >> I've written a small kernel module & shared object for kernel 2.6 to
> >> enable the following for normal users:
> >>
> >> - inb()/outb()... via a wrapper function
> > ioperm() does that already, no? You mean, you enable it for non-root,
> > too? That's security hole.
> 
> My OS development classes have a lab of machines that run entirely as
> root just for these reasons.  I think it's valid to allow these
> operations as non-root in certain situations.  It is better than
> running *everything* as root, no?

is there any difference? I mean... if you can outb you for all intents
and purposes are root anyway ;) (like you can overwrite any memory in
the system etc etc)

Re: Who wants to test cracklinux??

[Marko Euth]

On Mon, 03 Apr 2006 00:39:41 +0200
Arjan van de Ven <arjan@infradead.org> wrote:

> On Sun, 2006-04-02 at 15:34 -0700, Ben Ford wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Pavel Machek wrote:
> > > Hi!
> > >> I've written a small kernel module & shared object for kernel 2.6 to
> > >> enable the following for normal users:
> > >>
> > >> - inb()/outb()... via a wrapper function
> > > ioperm() does that already, no? You mean, you enable it for non-root,
> > > too? That's security hole.
> > 
> > My OS development classes have a lab of machines that run entirely as
> > root just for these reasons.  I think it's valid to allow these
> > operations as non-root in certain situations.  It is better than
> > running *everything* as root, no?

Yes, that's exactly what the whole module is meant for.

> 
> is there any difference? I mean... if you can outb you for all intents
> and purposes are root anyway ;) (like you can overwrite any memory in
> the system etc etc)
> 

Don't you think beeing root is a little bit more
easy than doing everything with outb??? ;))

Re: Who wants to test cracklinux??

[Alan Cox]

On Llu, 2006-04-03 at 00:39 +0200, Arjan van de Ven wrote:
> is there any difference? I mean... if you can outb you for all intents
> and purposes are root anyway ;) (like you can overwrite any memory in
> the system etc etc)

There are two clear uses

#1	Its possible to write such a module to allow only some ports to be
accessed, eg to export a PCI device for learning purposes

#2	As root you can make mistakes and mess up a box. Having the ability
to do stuff and having the default as "its allowed" differ. Giving
someone iopl rights is a bit like giving someone sudo. The security
against active attack is unchanged, the security against screwups is
higher


Alan

Re: Who wants to test cracklinux??

[Jan Engelhardt]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 607 bytes --]

>> is there any difference? I mean... if you can outb you for all intents
>> and purposes are root anyway ;) (like you can overwrite any memory in
>> the system etc etc)
>
>There are two clear uses
>
>#1	Its possible to write such a module to allow only some ports to be
>accessed, eg to export a PCI device for learning purposes
>
You can do parts of that in userspace, which is A Good Thing(tm).

Write a SUID wrapper which ioperm's (or denies it) a range request, opens 
/dev/mem or /dev/port and then drops privilegues. Voilà.

(Not sure if outb requires root too, besides ioperm.)


Jan Engelhardt
--