Date: Mon, 20 Jul 1998 17:38:00 +0400
From: Alexandre Snarskii <snar@paranoia.ru>
To: Allen Smith <easmith@beatrice.rutgers.edu>, Warner Losh <imp@village.org>
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID: <19980720173800.17978@nevalink.ru>
In-Reply-To: <9807192209.ZM23527@beatrice.rutgers.edu>; from Allen Smith on Sun, Jul 19, 1998 at 10:09:29PM -0400
References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <imp@village.org> <9807192209.ZM23527@beatrice.rutgers.edu>
On Sun, Jul 19, 1998 at 10:09:29PM -0400, Allen Smith wrote:
> On Jul 19, 7:48pm, Warner Losh (possibly) wrote:
> > I think that most, but not all, of the problems can be fixed by making
> > the stack non-executable for set[gu]id binaries. This will fix the
> > attacks where elevated privs are used to get access. However, I'm not
> > completely sure about this because there are many problems with this
> > idea, not the least of which is that it feels like a band-aid to me.
>
> I'd suggest adding anything executing with an effective uid of root;
> keep in mind servers. I've actually worked on this with the
> libparanoia's libc substitution, at least with the non-assembler ones;
> I'll try to find the time to test soon whether this actually speeds
> things up.

A better approach is (every suid/sgid program) or ( euid == 0 ).
Patch to libparanoia/stentry.c attached. (You have no need to patch any other file: all checks are in stentry.c; the others are just standard files from /usr/src/lib/libc with calls to stentry.c functions added.)
Patched libparanoia available at ftp://ftp.lexa.ru/pub/domestic/snar/libparanoia.1.1.tgz

--
Alexandre Snarskii
the source code is included

Content-Disposition: attachment; filename=libparanoia10

Index: libparanoia/stentry.c diff -c libparanoia/stentry.c:1.3 libparanoia/stentry.c:1.5 *** libparanoia/stentry.c:1.3 Tue Jul 14 21:04:50 1998 --- libparanoia/stentry.c Mon Jul 20 17:19:19 1998 *************** *** 23,34 **** --- 23,41 ---- closelog();\ kill(SIGSEGV,getpid());\ exit(1) ;\ + + static int docheck=-1; /* -1 - still unknown, 0 - do not check, 1 - do check */ void enter_violation() { int i; unsigned bp=getbp(); + if(!docheck) return ; + if(docheck==-1) { + if(issetugid()||(!geteuid())) docheck=1; + else docheck=0; + }; invflag++; if(invflag>1) return; bzero(save,sizeof(save)); *************** *** 59,64 **** --- 66,73 ---- { int i; unsigned bp=getbp(); + if(!docheck) return ; /* at exit_violation docheck is _always_ + initialised, so we can skip checking of -1 */ if(invflag>1) { invflag--; return;
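Review bot: In the first hunk (lines 23-41) the `docheck` verdict is computed once, on the first `enter_violation` call, and never re-evaluated, so a process whose effective uid changes afterwards keeps the verdict from that first checked libc call. A daemon that temporarily drops to an unprivileged euid, makes a wrapped call (caching `docheck=0`), and later returns to euid 0 is never checked again, while one that starts as root and drops privileges keeps checking (harmless, but not what the "or euid == 0" rule says). Either document that limitation in the comment beside `static int docheck=-1;`, or evaluate `issetugid()||(!geteuid())` on every entry (one cheap syscall) rather than caching it. Minor: the `};` closing the initialisation block carries a stray semicolon. Also visible in the unchanged context of this hunk, `kill(SIGSEGV,getpid());` has the arguments of kill(2) reversed (pid first, signal second), so the violation handler never delivers SIGSEGV to the current process and only reaches `exit(1)`; it should read `kill(getpid(),SIGSEGV);`.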
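Review bot: In the second hunk (lines 66-73) the comment's claim that `docheck` is "_always_ initialised" by the time `exit_violation` runs only holds if every `exit_violation` is paired with an earlier `enter_violation`. If a wrapper can reach the exit path first, `docheck` is still -1, `!docheck` is false, and the function falls through to the pre-patch checking logic, which is safe but contradicts the comment; either state that fallback in the comment or reuse the `docheck==-1` initialisation from `enter_violation` here. The early `return` is placed correctly with respect to the reentrancy counter: both `docheck` tests run before `invflag` is touched, so `invflag` stays balanced when checking is off. That ordering is load-bearing and deserves a one-line comment so a later edit does not move the `invflag++` above the check.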