Date: Wed, 30 Mar 2005 14:15:05 -0600 (CST) From: "H. S." <security@revolutionsp.com> To: freebsd-hackers@freebsd.org Subject: Re: A few thoughts.. Message-ID: <63776.81.84.174.37.1112213705.squirrel@mail.revolutionsp.com> In-Reply-To: <20050330184224.GC71384@cirb503493.alcatel.com.au> References: <61910.81.84.174.37.1112123946.squirrel@mail.revolutionsp.com> <20050329213528.59dab2e2.flynn@energyhq.es.eu.org> <62208.81.84.174.37.1112130745.squirrel@mail.revolutionsp.com> <20050329193558.L33759@eleanor.us1.wmi.uvac.net> <63511.81.84.174.37.1112202327.squirrel@mail.revolutionsp.com> <63519.81.84.174.37.1112202413.squirrel@mail.revolutionsp.com> <20050330184224.GC71384@cirb503493.alcatel.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Wed, 2005-Mar-30 11:06:53 -0600, H. S. wrote: >>As I stated previously, I'm not much of a C programmer, but I can do some >>coding. I've been thinking into changing the core of the system a bit to >>return errors if some information is accessed by a normal user. > > Wouldn't making /sbin and /usr/sbin mode 750 be enough? That's the "heart" of my question. A user uploading a dmesg binary to his homedir and then ./dmesg will overcome these permissions. People suggested making /home noexec, I'm still considering the implications of that in my scenario. > >> I'd like >>to know if getuid() would work that deep in the system? > > In general, system calls can't be used within the kernel. The uid and > gid could be determined by directly dereferencing curproc or the > thread pointer passed around in most kernel internal calls. Note that > the only checks the (non-MAC) kernel currently does is "root" or > "not-root" using suser(9) (apart from the checks in kill(2)). > Restrictions for non-root users are implemented using file > permissions. > >> And how can I register sysctl mibs in the kernel ? > > Look at sysctl(3), /sys/sys/sysctl.h and (eg) /sys/kern/subr_msgbuf.c > Thanks, I'll have a look, also will have a look at MAC. I think I have a completely wrong idea of what MAC does. > -- > Peter Jeremy >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?63776.81.84.174.37.1112213705.squirrel>