Re: A few thoughts..

From: H. S. (security_at_revolutionsp.com)
Date: 03/30/05

Next message: Roland Dowdeswell: "Re: A bunch of memory allocation bugs in CGD"

Previous message: zean zean: "Re: the best form to wait the finish of execution of a child..."
In reply to: Peter Jeremy: "Re: A few thoughts.."
Next in thread: Aaron Glenn: "Re: A few thoughts.."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Wed, 30 Mar 2005 14:15:05 -0600 (CST)
To: freebsd-hackers@freebsd.org

> On Wed, 2005-Mar-30 11:06:53 -0600, H. S. wrote:
>>As I stated previously, I'm not much of a C programmer, but I can do some
>>coding. I've been thinking into changing the core of the system a bit to
>>return errors if some information is accessed by a normal user.
>
> Wouldn't making /sbin and /usr/sbin mode 750 be enough?

That's the "heart" of my question. A user uploading a dmesg binary to his
homedir and then ./dmesg will overcome these permissions. People suggested
making /home noexec, I'm still considering the implications of that in my
scenario.
>
>> I'd like
>>to know if getuid() would work that deep in the system?
>
> In general, system calls can't be used within the kernel. The uid and
> gid could be determined by directly dereferencing curproc or the
> thread pointer passed around in most kernel internal calls. Note that
> the only checks the (non-MAC) kernel currently does is "root" or
> "not-root" using suser(9) (apart from the checks in kill(2)).
> Restrictions for non-root users are implemented using file
> permissions.
>

>> And how can I register sysctl mibs in the kernel ?
>
> Look at sysctl(3), /sys/sys/sysctl.h and (eg) /sys/kern/subr_msgbuf.c
>

Thanks, I'll have a look, also will have a look at MAC. I think I have a
completely wrong idea of what MAC does.
> --
> Peter Jeremy
>

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

Next message: Roland Dowdeswell: "Re: A bunch of memory allocation bugs in CGD"

Previous message: zean zean: "Re: the best form to wait the finish of execution of a child..."
In reply to: Peter Jeremy: "Re: A few thoughts.."
Next in thread: Aaron Glenn: "Re: A few thoughts.."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages

Re: Someone please tell Steve Jobs . . .
... The Dock is interface design on drugs. ... and then for newer Mac programs not to support it (e.g. ... The NeXT side of the new Apple didn't take AppleScript too seriously, ... The enormous overhead of users and permissions on OSX wastes ...
(comp.sys.mac.system)
[NEWS] Mac OS X Systemic Insecure File Permissions
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Many applications are installed onto Mac OS X systems with insecure file ... insecure file permissions packaged by different vendors ...
(Securiteam)
Re: Repairing permissions options?
... is amazing since most Mac users recommend it so often. ... "Repairing permissions" is often thrown out there as a magic fix for any ... Apple is primarily a hardware company, they are making lots of money off ...
(comp.sys.mac.system)
Re: XILINX Ethernet MAC (URGENT...)
... Virtex2Pro board using ethernet. ... Ethernet MAC ip core. ... You get the unlocked CoreGen core. ... Starting with EDK 9.2, the ...
(comp.arch.fpga)
Re: Mac 6.0 and Word 2003 compatibility - mail merge
... > the PC such that the Mac will recognize them and perform the same? ... > Are there conventions I can use when coding in the current version ... Sometimes it takes a few responses before the best or complete solution ...
(microsoft.public.mac.office.word)