Date:      Tue, 04 Jan 2005 15:55:24 +0300
From:      Rojer <myself@rojer.pp.ru>
To:        Steve Watt <steve@Watt.COM>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Determining userland return address (from syscall)
Message-ID:  <41DA923C.8070108@rojer.pp.ru>
In-Reply-To: <200501040529.j045T0LV050759@wattres.watt.com>
References:  <200501040529.j045T0LV050759@wattres.watt.com>


Steve Watt wrote:
> In article <41D8859E.4080609@rojer.pp.ru> you write:
> [ snip ]
> 
>>The solution I am about to implement is based on a custom setuid 
>>syscall, that would allow limited list of processes to obtain root 
>>privileges from a limited set of locations (supposedly, the trusted 
>>ones, originating in the httpd's .text section).
> 
> 
> Unfortunately, the extremely powerful mmap() and munmap() system calls
> will allow remapping of text addresses, which kinda blows away your
> whole scheme.

Yes, but I could check whether the memory region covering the return address
is indeed a shared text segment (e.g. is backed by the file with a given inode),
or whether it is just the same as that of the parent process.
And to my understanding, while able to remap .text, a malicious user would not be
able to remap it read-write from the same file (httpd), as he wouldn't be allowed to
by file permissions.

> 
> 
>>The key point here is ability to trust a call being made from a specific 
>>location. I assume that process cannot change its .text section once 
>>loaded so this scheme would not be abused by overwriting the location 
>>with malicious code. Am I correct here? What do you think of this scheme 
>>overall?
> 
> 
> Probably insufficient.  The safest way is still isolated processes,
> possibly one (or, worse resource-wise, more) per UID, and those
> processes communicate via pipes, unix-domain socket pairs, or similar
> controlled IPC.  The parent vfork()s, does appropriate uid/gid/gidset
> rearrangement, and execs the "user server" process, which would then
> hang around servicing stuff for some time.
> 
> There don't seem to be better alternatives for doing this securely
> and still keep reasonable *NIX-like behavior.
> 
This is no good either... the overhead would bring down our servers right away.

-- 
Deomid Ryabkov aka Rojer
myself@rojer.pp.ru
rojer@sysadmins.ru
ICQ: 8025844
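The file-permission argument above rests on a distinction that is worth seeing in code. The following is an added example, not code from this thread or from FreeBSD, and it uses a constructed temporary file standing in for httpd's text; the file name and the string contents are assumptions. It asks the kernel for a writable mapping of a file the process may only read, first as MAP_SHARED and then as MAP_PRIVATE. The shared request is refused with EACCES, which is the case Rojer has in mind; the private (copy-on-write) request is granted, and the process can overwrite the bytes it sees while the file on disk is left untouched. Any check that reasons about "which file backs this address" therefore has to account for private writable mappings of the same file, not just for whether the caller could open it read-write.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* Constructed stand-in for a few bytes of httpd's .text section (assumption). */
static const char kText[] = "original text bytes";

/* Build a 0444 file we own, reopen it O_RDONLY, unlink it and return the fd.
 * The caller then holds a read-only handle to a file it is not allowed to write,
 * which is the position a user has relative to the httpd binary. */
static int open_readonly_text(void)
{
    char path[] = "/tmp/textseg.XXXXXX";   /* assumed writable scratch location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, kText, sizeof kText) != (ssize_t)sizeof kText ||
        fchmod(fd, 0444) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    fd = open(path, O_RDONLY);
    unlink(path);
    return fd;
}

/* 1: the kernel refused a MAP_SHARED writable mapping of the read-only fd (EACCES),
 * 0: it granted one, -1: setup failure. */
int shared_write_mapping_refused(void)
{
    int fd = open_readonly_text();
    if (fd < 0)
        return -1;
    void *p = mmap(NULL, sizeof kText, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int refused = (p == MAP_FAILED && errno == EACCES);
    if (p != MAP_FAILED)
        munmap(p, sizeof kText);
    close(fd);
    return refused;
}

/* 1: a MAP_PRIVATE writable mapping of the same read-only fd was granted, the
 * process could overwrite the bytes it sees, and the file on disk kept its
 * original content (copy-on-write); 0: otherwise; -1: setup failure. */
int private_write_mapping_allowed(void)
{
    int fd = open_readonly_text();
    if (fd < 0)
        return -1;
    char *p = mmap(NULL, sizeof kText, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        return 0;
    }
    int ok = memcmp(p, kText, sizeof kText) == 0;   /* mapping shows the file */
    memcpy(p, "patched", 7);                         /* scribble into the "text" */
    ok = ok && memcmp(p, "patched", 7) == 0;

    char disk[sizeof kText];
    ok = ok && lseek(fd, 0, SEEK_SET) == 0
            && read(fd, disk, sizeof disk) == (ssize_t)sizeof disk
            && memcmp(disk, kText, sizeof kText) == 0;  /* file unchanged */

    munmap(p, sizeof kText);
    close(fd);
    return ok;
}

int main(void)
{
    printf("MAP_SHARED  PROT_WRITE on read-only fd refused: %d\n",
           shared_write_mapping_refused());
    printf("MAP_PRIVATE PROT_WRITE on read-only fd allowed: %d\n",
           private_write_mapping_allowed());
    return 0;
}
```

Both functions return 1 on Linux and FreeBSD: the shared case fails because the descriptor was not opened O_RDWR, while the private case only needs read access, since writes land in the process's own copy of the pages. A scheme that trusts a return address because "that range is the httpd text segment" must therefore look at the object the kernel actually serves those pages from, not only at the file's permission bits.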

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41DA923C.8070108>