Date: Mon, 14 Dec 1998 17:31:43 -0600 (CST) From: Kevin Day <toasty@home.dragondata.com> To: jabley@clear.co.nz (Joe Abley) Cc: freebsd-current@FreeBSD.ORG, jabley@clear.co.nz Subject: Re: modification to exec in the kernel? Message-ID: <199812142331.RAA17203@home.dragondata.com> In-Reply-To: <19981215120357.B11837@clear.co.nz> from Joe Abley at "Dec 15, 1998 12: 3:57 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> Hi, > > We want to allow people to upload scripts to provide cgi hosting for our > web hosting product. However, we are nervous about allowing people to > upload arbitrary binaries, even though they will be run chrooted. > > We would also like to provide telnet access - but again, we don't want people > to hang around running their own binaries. A controlled set of binaries > will be installed for users to play with instead. > > Telnet and ftp access is provided within a chrooted filesystem, and the > web server will exec scripts with uid set to the user's uid. > > How about a kernel option which, when enabled, restricts the use of exec > for users in a particular group? > > With this option set, "execve will always fail for a user in the restricted > group if the binary to be run is owned by the user who is running it." > > This means that we don't have to worry about users uploading their own > binaries any more - they won't be able to run them anyway. In fact, we bill > them for the disk space they use, so the more statically-linked exploits > they try to upload the better :) > > Here is a patch to sys/kern/kern_exec.c which, if the macro > RESTRICT_EXEC_GROUP exists, restricts execve in the manner mentioned for > the restricted gid RESTRICT_EXEC_GROUP. > > Whaddaya think? > > > Joe I dunno if this fits your requirements or not, but in the past where this was necessary, i simply put these user's home directories on a volume mounted with 'noexec'. Kevin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199812142331.RAA17203>