Date: Tue, 15 Dec 1998 12:03:57 +1300
From: Joe Abley <jabley@clear.co.nz>
To: freebsd-current@FreeBSD.ORG
Cc: jabley@clear.co.nz
Subject: modification to exec in the kernel?
Message-ID: <19981215120357.B11837@clear.co.nz>
Hi,

We want to allow people to upload scripts to provide cgi hosting for our web hosting product. However, we are nervous about allowing people to upload arbitrary binaries, even though they will be run chrooted.

We would also like to provide telnet access - but again, we don't want people to hang around running their own binaries. A controlled set of binaries will be installed for users to play with instead.

Telnet and ftp access is provided within a chrooted filesystem, and the web server will exec scripts with uid set to the user's uid.

How about a kernel option which, when enabled, restricts the use of exec for users in a particular group? With this option set, "execve will always fail for a user in the restricted group if the binary to be run is owned by the user who is running it."

This means that we don't have to worry about users uploading their own binaries any more - they won't be able to run them anyway. In fact, we bill them for the disk space they use, so the more statically-linked exploits they try to upload the better :)

Here is a patch to sys/kern/kern_exec.c which, if the macro RESTRICT_EXEC_GROUP exists, restricts execve in the manner mentioned for the restricted gid RESTRICT_EXEC_GROUP.

Whaddaya think?

Joe

[$Id: kern_exec.c,v 1.88 1998/10/28 13:36:58 dg Exp $]

256,257c256,257
< if ((attr.va_mode & VSUID && p->p_ucred->cr_uid != attr.va_uid ||
< attr.va_mode & VSGID && p->p_ucred->cr_gid != attr.va_gid) &&
---
> if ((attr.va_mode & VSUID && p->p_cred->cr_uid != attr.va_uid ||
> attr.va_mode & VSGID && p->p_cred->cr_gid != attr.va_gid) &&
686a687,698
> 
> #ifdef RESTRICT_EXEC_GROUP
> /*
> * If the invoking user has gid RESTRICT_EXEC_GROUP, check ownership
> * of the file and deny execution if owned by the invoker.
> */
> if ((p->p_ucred->p_rgid == (gid_t) RESTRICT_EXEC_GROUP || \
> p->p_ucred->p_svgid == (gid_t) RESTRICT_EXEC_GROUP) && \
> (p->p_ucred->p_ruid == attr->va_uid || \
> p->p_ucred->p_psvuid == attr->va_uid)) \
> return(ENOEXEC);
> #endif
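Review bot: the 256,257c256,257 hunk looks unrelated to the RESTRICT_EXEC_GROUP feature and should be dropped or explained. It rewrites the existing, unconditional set-id test from `p->p_ucred->cr_uid` / `p->p_ucred->cr_gid` to `p->p_cred->cr_uid` / `p->p_cred->cr_gid`, yet `cr_uid` and `cr_gid` are the ucred members the original line already reaches through `p_ucred`, and the new 686a687,698 hunk itself keeps going through `p->p_ucred`. Unless `p_cred` resolves to the same structure, this either fails to compile or silently changes which credential the set-id check consults, and a patch adding an #ifdef'd option should not touch code outside the #ifdef.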
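Review bot: the group test in the 686a687,698 hunk consults only `p_rgid` and `p_svgid`, so an account that is placed "in a particular group" the usual way, as a supplementary member listed in /etc/group, never matches and is not restricted at all; the check needs to walk the supplementary group list as well. Two smaller points in the same lines: the field names are inconsistent with the first hunk, which reads `cr_uid`/`cr_gid` through `p->p_ucred`, whereas this hunk reads `p_rgid`, `p_svgid`, `p_ruid` and `p_psvuid` through the same pointer (and `p_psvuid` does not even match the `p_svgid` spelling beside it), so each name needs checking against the real credential structures; and `return(ENOEXEC)` reports an exec format error rather than a permission denial, which callers such as execvp(3) take as a cue to retry the file as a shell script, so EACCES or EPERM is the right error for a deliberate refusal. The trailing backslashes on the `if` lines are line continuations that mean nothing outside a macro and can go.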
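To make the proposed policy concrete, here is a user-space model of the decision written for this archive page; it is not the patch's or FreeBSD's code. The `exec_cred` struct, the account values and the group id 1000 are constructed stand-ins for the kernel's credential fields. `patch_check` mirrors the patch's real-or-saved-gid test exactly, while `restrict_exec_check` additionally walks the supplementary group list and returns EACCES instead of ENOEXEC; both of those are departures from the patch, shown so the difference between the two tests is visible on the same inputs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for the credential fields the check consults
 * (constructed for this example; not FreeBSD's struct pcred/ucred). */
struct exec_cred {
    uid_t ruid, svuid;       /* real and saved uid */
    gid_t rgid, svgid;       /* real and saved gid */
    const gid_t *groups;     /* supplementary groups */
    size_t ngroups;
};

/* The membership test as the patch writes it: real or saved gid only. */
static bool in_group_primary_only(const struct exec_cred *c, gid_t g)
{
    return c->rgid == g || c->svgid == g;
}

/* The same test extended over the supplementary group list. */
static bool in_group_any(const struct exec_cred *c, gid_t g)
{
    if (in_group_primary_only(c, g))
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Policy decision shared by both variants: 0 allows the execve, EACCES
 * denies it. file_uid is the owner of the file about to be executed. */
static int decide(bool restricted, const struct exec_cred *c, uid_t file_uid)
{
    if (!restricted)
        return 0;                       /* policy does not apply to this user */
    if (c->ruid == file_uid || c->svuid == file_uid)
        return EACCES;                  /* the invoker owns the file: deny */
    return 0;                           /* system-owned file, e.g. /bin/sh */
}

/* Patch semantics: only the real and saved gid select the policy. */
int patch_check(const struct exec_cred *c, gid_t restricted, uid_t file_uid)
{
    return decide(in_group_primary_only(c, restricted), c, file_uid);
}

/* Extended semantics: supplementary membership selects the policy too. */
int restrict_exec_check(const struct exec_cred *c, gid_t restricted, uid_t file_uid)
{
    return decide(in_group_any(c, restricted), c, file_uid);
}

/* Constructed sample accounts (uids, gids and group name are made up). */
#define RESTRICTED_GID ((gid_t)1000)                      /* the "cgiusers" group */
static const gid_t alice_groups[] = { RESTRICTED_GID };
const struct exec_cred alice = { 1001, 1001, 1001, 1001, alice_groups, 1 };  /* supplementary member */
const struct exec_cred carol = { 1003, 1003, RESTRICTED_GID, RESTRICTED_GID, NULL, 0 }; /* primary gid */
const struct exec_cred bob   = { 1002, 1002, 1002, 1002, NULL, 0 };          /* not in the group */

int main(void)
{
    /* carol: restricted either way, denied on her own file, allowed on root's */
    printf("carol own file  patch=%d ext=%d\n",
           patch_check(&carol, RESTRICTED_GID, 1003),
           restrict_exec_check(&carol, RESTRICTED_GID, 1003));
    printf("carol /bin/sh   patch=%d ext=%d\n",
           patch_check(&carol, RESTRICTED_GID, 0),
           restrict_exec_check(&carol, RESTRICTED_GID, 0));
    /* alice: the patch's test misses supplementary membership, the extended one does not */
    printf("alice own file  patch=%d ext=%d\n",
           patch_check(&alice, RESTRICTED_GID, 1001),
           restrict_exec_check(&alice, RESTRICTED_GID, 1001));
    /* bob: not restricted, so ownership never matters */
    printf("bob own file    patch=%d ext=%d\n",
           patch_check(&bob, RESTRICTED_GID, 1002),
           restrict_exec_check(&bob, RESTRICTED_GID, 1002));
    return 0;
}
```

Running it shows the case the reviewer notes above care about: carol is denied by both variants, but alice is only denied by the variant that looks at supplementary groups.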