From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 06:43:35 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7503D1065670 for ; Sat, 31 Jul 2010 06:43:35 +0000 (UTC) (envelope-from selphie.keller@gmail.com) Received: from mail-pv0-f182.google.com (mail-pv0-f182.google.com [74.125.83.182]) by mx1.freebsd.org (Postfix) with ESMTP id 448D38FC1C for ; Sat, 31 Jul 2010 06:43:35 +0000 (UTC) Received: by pvh1 with SMTP id 1so926225pvh.13 for ; Fri, 30 Jul 2010 23:43:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date :message-id:mime-version:content-type:x-mailer:x-mimeole :thread-index; bh=6JwITWlneAWUumeKpXglwu99Wa4zmjyepUbv9CpAEsE=; b=DzCicRy5Tbrw+2VS5uJDTAcMZfX/QOnf08CcKCIRFKZB+YJKLvZvSvb98Xgnxpub4d YwgXpsWiIBr3jEPK8swjY2zQWrKGCpHd46BIbgxuWp2a07VXWPrUj6bcGEDWRhqCe0GX yOSrsjMHwiEc8IaxZ7IWU+4LCI6QC+Qy4eFpg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:message-id:mime-version:content-type:x-mailer :x-mimeole:thread-index; b=iNbHkuoiTWanV1qcMz6x68v0ADq/oBWIWBgDs9xu/O1SZ8+BFQFAWnzqrBn7xZbfoZ XHgkfyj0Mpvhu9Imt/lORUCkEWgqOU4wfsJw0/fgvF4K82tUz0OnVljqKeL34ktnPxRP Ph6kkM1RYR/qrNlWmBx4qBcKZLi2q5eugVuj0= Received: by 10.114.136.16 with SMTP id j16mr3636939wad.63.1280557121487; Fri, 30 Jul 2010 23:18:41 -0700 (PDT) Received: from 2WIRE304 (c-69-181-16-61.hsd1.ca.comcast.net [69.181.16.61]) by mx.google.com with ESMTPS id d35sm5381290waa.21.2010.07.30.23.18.40 (version=SSLv3 cipher=RC4-MD5); Fri, 30 Jul 2010 23:18:41 -0700 (PDT) From: Selphie Keller To: Date: Fri, 30 Jul 2010 23:18:39 -0700 Message-ID: <235BB726E71747BA980A0EF60F76ED37@2WIRE304> MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook 11 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579 Thread-Index: AcsweDdrsqGp5duwTDyJf1pH2sw1RQ== Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: kernel module for chmod restrictions while in securelevel one or higher X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Jul 2010 06:43:35 -0000 Kernel module for chmod restrictions while in securelevel one or higher: http://gist.github.com/501800 (fbsd 8.x) Was looking at the new recent sendfile/mbuf exploit and it was using a shellcode that calls chmod syscall to make a setuid/setgid binary. However was thinking of ways to block the creation of suid/sgid binaries if the machine is in a securelevel, beyond the normal things like nosuid/noexec mount flags for /tmp. So came up with this quick module to handle it, but the concept of restricting the creation of suid/sgid binaries while in securelevel seems like a good idea to be part of the base. -Estella Mystagic