A few thoughts..
H. S.
security at revolutionsp.com
Wed Mar 30 12:16:03 PST 2005
> On Wed, 2005-Mar-30 11:06:53 -0600, H. S. wrote:
>>As I stated previously, I'm not much of a C programmer, but I can do some
>>coding. I've been thinking into changing the core of the system a bit to
>>return errors if some information is accessed by a normal user.
>
> Wouldn't making /sbin and /usr/sbin mode 750 be enough?
That's the "heart" of my question. A user uploading a dmesg binary to his
homedir and then ./dmesg will overcome these permissions. People suggested
making /home noexec, I'm still considering the implications of that in my
scenario.
>
>> I'd like
>>to know if getuid() would work that deep in the system?
>
> In general, system calls can't be used within the kernel. The uid and
> gid could be determined by directly dereferencing curproc or the
> thread pointer passed around in most kernel internal calls. Note that
> the only checks the (non-MAC) kernel currently does is "root" or
> "not-root" using suser(9) (apart from the checks in kill(2)).
> Restrictions for non-root users are implemented using file
> permissions.
>
>> And how can I register sysctl mibs in the kernel ?
>
> Look at sysctl(3), /sys/sys/sysctl.h and (eg) /sys/kern/subr_msgbuf.c
>
Thanks, I'll have a look, also will have a look at MAC. I think I have a
completely wrong idea of what MAC does.
> --
> Peter Jeremy
>
More information about the freebsd-hackers
mailing list