Date: Thu, 31 Mar 2005 04:42:25 +1000
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: "H. S." <security@revolutionsp.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: A few thoughts..
Message-ID: <20050330184224.GC71384@cirb503493.alcatel.com.au>
In-Reply-To: <63519.81.84.174.37.1112202413.squirrel@mail.revolutionsp.com>
References: <61910.81.84.174.37.1112123946.squirrel@mail.revolutionsp.com> <20050329213528.59dab2e2.flynn@energyhq.es.eu.org> <62208.81.84.174.37.1112130745.squirrel@mail.revolutionsp.com> <20050329193558.L33759@eleanor.us1.wmi.uvac.net> <63511.81.84.174.37.1112202327.squirrel@mail.revolutionsp.com> <63519.81.84.174.37.1112202413.squirrel@mail.revolutionsp.com>

On Wed, 2005-Mar-30 11:06:53 -0600, H. S. wrote:
>As I stated previously, I'm not much of a C programmer, but I can do some
>coding. I've been thinking into changing the core of the system a bit to
>return errors if some information is accessed by a normal user.

Wouldn't making /sbin and /usr/sbin mode 750 be enough?

> I'd like
>to know if getuid() would work that deep in the system?

In general, system calls can't be used within the kernel. The uid and
gid could be determined by directly dereferencing curproc or the thread
pointer passed around in most kernel internal calls.

Note that the only checks the (non-MAC) kernel currently does is "root"
or "not-root" using suser(9) (apart from the checks in kill(2)).
Restrictions for non-root users are implemented using file permissions.

> And how can I register sysctl mibs in the kernel ?

Look at sysctl(3), /sys/sys/sysctl.h and (eg) /sys/kern/subr_msgbuf.c

-- 
Peter Jeremy
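
The mode-750 suggestion in the message above can be verified with a small audit script. This is an added example, not part of the original message; the function names `other_perms`, `audit_dirs` and `demo` are hypothetical, and the demo runs on constructed scratch directories rather than the real /sbin and /usr/sbin.

```shell
#!/bin/sh
# Added example: check that directories deny all access to "other" users,
# which is what mode 750 on /sbin and /usr/sbin would enforce.

# Print the three "other" permission characters of a path ("---", "r-x", ...).
# Parses the POSIX `ls -ld` mode string, so it behaves the same on FreeBSD
# and Linux without depending on either system's stat(1) flags.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Audit each directory given as an argument and print one line per directory.
# Returns 0 only if every directory exists and grants nothing to "other".
audit_dirs() {
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "MISSING $d"; rc=1; continue
        fi
        p=$(other_perms "$d")
        if [ "$p" = "---" ]; then
            echo "OK      $d (other: $p)"
        else
            echo "OPEN    $d (other: $p)"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: scratch directories stand in for /sbin and /usr/sbin.
# One is set to 750 (restricted), the other left at 755 (world-accessible).
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/sbin" "$tmp/usr/sbin"
    chmod 750 "$tmp/sbin"
    chmod 755 "$tmp/usr/sbin"
    audit_dirs "$tmp/sbin" "$tmp/usr/sbin"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Run the demo; it reports one OK and one OPEN directory.
demo || :
```

On a real host the same check is `audit_dirs /sbin /usr/sbin`, which exits non-zero if either directory is still accessible to users outside the owning group.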