Determining userland return address (from syscall)

Steve Watt steve at Watt.COM
Tue Jan 4 05:29:04 GMT 2005

In article <41D8859E.4080609 at> you write:
[ snip ]
>The solution I am about to implement is based on a custom setuid 
>syscall, that would allow limited list of processes to obtain root 
>privileges from a limited set of locations (supposedly, the trusted 
>ones, originating in the httpd's .text section).

Unfortunately, the extremely powerful mmap() and munmap() system calls
will allow remapping of text addresses, which kinda blows away your
whole scheme.

>The key point here is ability to trust a call being made from a specific 
>location. I assume that process cannot change its .text section once 
>loaded so this scheme would no be abused by overwriting the location 
>with malicious code. Am I correct here? What do you think of this scheme 

Probably insufficient.  The safest way is still isolated processes,
possibly one (or, worse resource-wise, more) per UID, and those
processes communicate via pipes, unix-domain socket pairs, or similar
controlled IPC.  The parent vfork()s, does appropriate uid/gid/gidset
rearrangement, and execs the "user server" process, which would then
hang around servicing stuff for some time.

There don't seem to be better alternatives for doing this securely
and still keep reasonable *NIX-like behavior.

Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                         Whois: SW32
   Free time?  There's no such thing.  It just comes in varying prices...

More information about the freebsd-hackers mailing list