From owner-freebsd-current Mon Dec 14 15:31:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA00267 for freebsd-current-outgoing; Mon, 14 Dec 1998 15:31:58 -0800 (PST) (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from home.dragondata.com (home.dragondata.com [204.137.237.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA00252 for ; Mon, 14 Dec 1998 15:31:55 -0800 (PST) (envelope-from toasty@home.dragondata.com)
Received: (from toasty@localhost) by home.dragondata.com (8.8.8/8.8.5) id RAA17203; Mon, 14 Dec 1998 17:31:43 -0600 (CST)
From: Kevin Day
Message-Id: <199812142331.RAA17203@home.dragondata.com>
Subject: Re: modification to exec in the kernel?
In-Reply-To: <19981215120357.B11837@clear.co.nz> from Joe Abley at "Dec 15, 1998 12: 3:57 pm"
To: jabley@clear.co.nz (Joe Abley)
Date: Mon, 14 Dec 1998 17:31:43 -0600 (CST)
Cc: freebsd-current@FreeBSD.ORG, jabley@clear.co.nz
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Hi,
>
> We want to allow people to upload scripts to provide cgi hosting for our
> web hosting product. However, we are nervous about allowing people to
> upload arbitrary binaries, even though they will be run chrooted.
>
> We would also like to provide telnet access - but again, we don't want people
> to hang around running their own binaries. A controlled set of binaries
> will be installed for users to play with instead.
>
> Telnet and ftp access is provided within a chrooted filesystem, and the
> web server will exec scripts with uid set to the user's uid.
>
> How about a kernel option which, when enabled, restricts the use of exec
> for users in a particular group?
>
> With this option set, "execve will always fail for a user in the restricted
> group if the binary to be run is owned by the user who is running it."
>
> This means that we don't have to worry about users uploading their own
> binaries any more - they won't be able to run them anyway. In fact, we bill
> them for the disk space they use, so the more statically-linked exploits
> they try to upload the better :)
>
> Here is a patch to sys/kern/kern_exec.c which, if the macro
> RESTRICT_EXEC_GROUP exists, restricts execve in the manner mentioned for
> the restricted gid RESTRICT_EXEC_GROUP.
>
> Whaddaya think?
>
>
> Joe

I dunno if this fits your requirements or not, but in the past where this was
necessary, I simply put these users' home directories on a volume mounted
with 'noexec'.

Kevin
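Kevin's approach only holds if a user's home really does sit on a volume mounted noexec, which is easy to get wrong when mount points nest. The POSIX sh function below is an added example, not code from either poster; it classifies a path by the longest mount point covering it, using lines in the format printed by FreeBSD's mount(8), and the SAMPLE_MOUNTS table is constructed sample data rather than output from a real host.

```shell
#!/bin/sh
# Classify a path by the mount it lives on, using mount(8)-style lines:
#   <device> on <mountpoint> (<opt1>, <opt2>, ...)
# SAMPLE_MOUNTS is constructed sample data, not output from a real host.
SAMPLE_MOUNTS='/dev/da0s1a on / (ufs, local)
/dev/da0s1e on /usr (ufs, local, soft-updates)
/dev/da0s1f on /home (ufs, local, noexec, nosuid, soft-updates)
procfs on /proc (procfs, local)'

# exec_policy_for PATH [MOUNT_TABLE]
# Prints "noexec" if the longest mount point that is a path-component
# prefix of PATH carries the noexec option, "exec" if it does not, and
# "unknown" if no mount point matches. Always exits 0; read the word.
exec_policy_for() {
    printf '%s\n' "${2:-$SAMPLE_MOUNTS}" | awk -v p="$1" '
    {
        mp = $3
        opts = $0
        sub(/^[^(]*\(/, "", opts)   # drop everything up to the "("
        sub(/\)[ \t]*$/, "", opts)  # drop the closing ")"
        # Match only at a path-component boundary: /home covers
        # /home/joe but not /homestead; "/" covers everything.
        if (mp == "/" || p == mp || substr(p, 1, length(mp) + 1) == mp "/") {
            if (length(mp) > length(best)) { best = mp; bestopts = opts }
        }
    }
    END {
        if (best == "")                     { print "unknown"; exit }
        if (bestopts ~ /(^|, )noexec(,|$)/) { print "noexec" }
        else                                { print "exec" }
    }'
}

# Sample usage: check where a user's home and the system binaries live.
for path in /home/joe/bin/upload /usr/local/bin/perl /homestead; do
    printf '%s: %s\n' "$path" "$(exec_policy_for "$path")"
done
```

On a live host pass the output of `mount` as the second argument instead of relying on the sample table. Keep in mind that noexec stops execve of files on that volume but not a script handed to an interpreter installed elsewhere, so the controlled set of installed binaries still matters.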