Date: Mon, 3 Jan 2005 21:29:00 -0800 From: steve@Watt.COM (Steve Watt) To: myself@rojer.pp.ru Cc: freebsd-hackers@freebsd.org Subject: Re: Determining userland return address (from syscall) Message-ID: <200501040529.j045T0LV050759@wattres.watt.com> In-Reply-To: <41D8859E.4080609@rojer.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
In article <41D8859E.4080609@rojer.pp.ru> you write: [ snip ] >The solution I am about to implement is based on a custom setuid >syscall, that would allow limited list of processes to obtain root >privileges from a limited set of locations (supposedly, the trusted >ones, originating in the httpd's .text section). Unfortunately, the extremely powerful mmap() and munmap() system calls will allow remapping of text addresses, which kinda blows away your whole scheme. >The key point here is ability to trust a call being made from a specific >location. I assume that process cannot change its .text section once >loaded so this scheme would no be abused by overwriting the location >with malicious code. Am I correct here? What do you think of this scheme >overall? Probably insufficient. The safest way is still isolated processes, possibly one (or, worse resource-wise, more) per UID, and those processes communicate via pipes, unix-domain socket pairs, or similar controlled IPC. The parent vfork()s, does appropriate uid/gid/gidset rearrangement, and execs the "user server" process, which would then hang around servicing stuff for some time. There don't seem to be better alternatives for doing this securely and still keep reasonable *NIX-like behavior. -- Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9" Internet: steve @ Watt.COM Whois: SW32 Free time? There's no such thing. It just comes in varying prices...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200501040529.j045T0LV050759>