From: "Kristian Sørensen" <ks@cs.aau.dk>
To: umbrella-devel@lists.sourceforge.net
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [Umbrella-devel] Re: Getting full path from dentry in LSM hooks
Date: Sat, 04 Sep 2004 11:06:31 +0200 [thread overview]
Message-ID: <41398597.2040506@cs.aau.dk> (raw)
In-Reply-To: <200409032039.i83Kd1ZR028638@turing-police.cc.vt.edu>
Valdis.Kletnieks@vt.edu wrote:
> On Fri, 03 Sep 2004 22:05:03 +0200, =?UTF-8?B?S3Jpc3RpYW4gU8O4cmVuc2Vu?= said:
>
>
>>Also simple bufferoverflows in suid-root programs may be avoided. The
>>simple way would to set the restriction "no fork", and thus if an
>>attacker tries to fork a (root) shell, this would be denied.
>
>
> All this does is stop fork(). I'm not sure, but most shellcodes I've seen
> don't bother forking, they just execve() a shell....
I was not precise enough - it is not just fork, but the LSM catches
every time a new process is created - so we do have some way of generic
catching creation of processes, and denying so, if prohibited.
> It doesn't stop a buffer overflow that does this:
>
> f1 = open("/bin/bash");
> f2 = open("/tmp/bash", O_CREAT);
> while ((bytes = read(f1,buffer,sizeof(buffer))) > 0)
> write(f2,buffer,bytes);
> fchmod(f2,4775);
> close(f1); close(f2);
You are right! ... as long as a new process is not created, this may do
some damage ... but:
> Papering over *that* one by restricting fchmod just means the exploit needs to
> append a line to /etc/passwd, or create a trojan inetd.conf or crontab entry,
Not mny suid programs would really need to be able to access the /etc
and everything below... E.g. cdrecord (there were a bug a year ago or
something)... it should definitely not have access to the possiblílities
you mention!
> Remember - just papering over the fact that most shellcodes just execve() a
> shell doesn't fix the fundemental problem, which is that the attacker is able
> to run code of his choosing as root.
Good point!
Best, Kristian.
next prev parent reply other threads:[~2004-09-04 9:06 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-03 12:12 Getting full path from dentry in LSM hooks Kristian Sørensen
2004-09-03 12:32 ` Christoph Hellwig
2004-09-03 12:38 ` [Umbrella-devel] " Kristian Sørensen
2004-09-03 13:04 ` Christoph Hellwig
2004-09-03 13:20 ` Kristian Sørensen
2004-09-03 14:01 ` Christoph Hellwig
2004-09-03 19:54 ` Kristian Sørensen
2004-09-04 11:09 ` Christoph Hellwig
2004-09-04 18:52 ` Kristian Sørensen
2004-09-03 15:38 ` Stephen Smalley
2004-09-03 12:43 ` Andrea Arcangeli
2004-09-03 14:14 ` Alan Cox
2004-09-03 20:05 ` [Umbrella-devel] " Kristian Sørensen
2004-09-03 20:39 ` Valdis.Kletnieks
2004-09-04 9:06 ` Kristian Sørensen [this message]
2004-09-04 10:50 ` Emmanuel Fleury
2004-09-07 14:19 ` Kristian Sørensen
2004-09-04 2:41 ` Horst von Brand
2004-09-04 19:01 ` Kristian Sørensen
2004-09-04 19:06 ` Kristian Sørensen
2004-09-04 16:56 ` Alan Cox
2004-09-04 18:47 ` Kristian Sørensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41398597.2040506@cs.aau.dk \
--to=ks@cs.aau.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=umbrella-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox