viry - dotaz & Re: Viry a linux

Pavel Machek pavel na bug.ucw.cz
Úterý Květen 18 10:09:51 CEST 1999 

Hi!

> Dovoluji si ctene ctenare upozornit, ze to bude ponekud delsi a (jak si ty
> zkusenejsi neprekvapuje) obcas ponekud sarkasticke.

:-)

> > Tato posledni veta presne tvrdi to, ze Linux jako takovy neni tak dobre
> > architekturove bezpecny jako NT. U Linuxu staci dira v jednom programu, ktery
> > ma suid bit a mas rootovskou konzolu hned (staci zapis dvou radku do
> 
> Poznamenejme, ze suid nemusi nutne znamenat suid na roota. U NT zase staci
> dira v jedinem "service" bezicim jako SYSTEM. 1:1 :)

Tak, a tady je patch ktery vam umozni mit vyrazne mene "opravdu" suid
programu. Relativne k 2.3.1, ale pujde aplikovat na 2.2.9.

								Pavel

PS: peaku, co si o tom myslis?

Hi!

Next try with capabilities, this time against 2.3.1. Patch is
completely safe and should significantly enhance system security. It
is completely backward compatible: ie. no semantics
change. Capabilities are implemented using elf notes (and this version
parses notes correctly). Software exists for adding capabilities at
runtime, so you don't even require a recompile.

Please apply,
								Pavel

--- /dev/null	Tue Jul 21 02:45:36 1998
+++ linux/Documentation/capabilities.txt	Tue May 11 14:17:39 1999
@@ -0,0 +1,31 @@
+Elf capabilities hack
+=====================
+
+From now on, there's support for capabilities in elf executable. Elf
+executable now may contain "capabilities header", telling which
+capabilities should be dropped on exec. This can not hurt: lowering
+capabilities is not priviledged operation, and executable could do it
+itself at beggining of main.
+
+Doing it in exec() time has certain advantages, through: you can
+easily look and what capabilities are in use by what program and you
+can set capabilities for existing executables without need to
+recompile.
+
+What can elfcap do:
+
+* mask inheritable, permitted and effective sets by arbitrary mask
+
+* set euid back to ruid
+
+Along with existing setuid mechanism, this hack can be used to grant
+subset of capabilities to executables. For example currently ping has
+to be setuid0. With elfcap, ping still will be setuid0, but most of
+its capabilities will be dropped at exec() time, so breaking into ping
+will allow attacker to generate arbitrary packets to network, but
+nothing more.
+
+For more info & utility programs, look at
+http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html.
+
+							pavel na ucw.cz
--- clean/include/linux/elf.h	Thu Jun 25 17:38:14 1998
+++ linux/include/linux/elf.h	Tue May 11 15:58:41 1999
@@ -496,6 +496,27 @@
   Elf32_Word n_type;	/* Content type */
 } Elf64_Nhdr;
 
+/* Capabilities support
+ */
+struct elf_capabilities {
+  Elf32_Word signature;
+  Elf32_Word version;	/* Currently 0; this is so that you can append on the end painlessly */
+  Elf32_Word flags;
+#define ECF_MAKE_EUID_UID 1
+#define ECF_MAKE_EUID_XUID 2
+  Elf32_Word xuid;	/* We want our set 128bit for future expansion */
+  Elf32_Word effective, effective1, effective2, effective3;
+  Elf32_Word permitted, permitted1, permitted2, permitted3;
+  Elf32_Word inheritable, inheritable1, inheritable2, inheritable3;
+  Elf32_Word known, known1, known2, known3;
+};
+
+struct elf_capabilities_note {
+  Elf32_Nhdr nhdr;
+  __u32 note_signature;	/* == "CAPS" */ 
+  struct elf_capabilities cap;
+};
+
 #if ELF_CLASS == ELFCLASS32
 
 extern Elf32_Dyn _DYNAMIC [];
--- clean/fs/binfmt_elf.c	Thu May 13 22:41:36 1999
+++ linux/fs/binfmt_elf.c	Thu May 13 22:32:54 1999
@@ -7,6 +7,7 @@
  * Tools".
  *
  * Copyright 1993, 1994: Eric Youngdale (ericy na cais.com).
+ * Capabilities copyright 1999 Pavel Machek (pavel na ucw.cz).
  */
 
 #include <linux/module.h>
@@ -387,6 +388,26 @@
 	return elf_entry;
 }
 
+static void
+restrict( struct linux_binprm * bprm, struct elf_capabilities *cap )
+{
+	if (cap->signature != 0xca5ab1e)
+		return;
+
+	/* I do not check versions... That is because current version
+           is 0 and I expect all changes to be backward - compabtible */
+	if (cap->flags & ECF_MAKE_EUID_UID) /* You may want to loose owner's uid */
+		bprm->e_uid = current->uid;
+	if ((!bprm->e_uid) && (cap->flags & ECF_MAKE_EUID_XUID))
+		bprm->e_uid = cap->xuid; /* We only honour random uid changes for root */
+	cap_mask( bprm->cap_effective, cap->effective );
+	cap_mask( bprm->cap_permitted, cap->permitted );
+	cap_mask( bprm->cap_inheritable, cap->inheritable );
+
+	printk( KERN_DEBUG "Now: uid = %d, effective = %x, permitted = %x, inheritable = %x\n", bprm->e_uid, bprm->cap_effective, bprm->cap_permitted, bprm->cap_inheritable );
+}
+
+
 /*
  * These are the functions used to load ELF style executables and shared
  * libraries.  There is no binary dependent code anywhere else.
@@ -396,6 +417,7 @@
 #define INTERPRETER_AOUT 1
 #define INTERPRETER_ELF 2
 
+#define roundup(x, y)  ((((x)+((y)-1))/(y))*(y))
 
 static inline int
 do_load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs)
@@ -473,6 +498,22 @@
 	end_data = 0;
 
 	for (i = 0; i < elf_ex.e_phnum; i++) {
+		if (elf_ppnt->p_type == PT_NOTE) {
+			struct elf_capabilities_note note;
+			int offset = elf_ppnt->p_offset;
+			int maxoffset = offset + elf_ppnt->p_filesz;
+
+			while (offset <= (maxoffset - sizeof(note))) {
+				int retval;
+				retval = read_exec(bprm->dentry, offset, (void *) &note,
+						   sizeof(note), 1);
+				if (retval != sizeof(note))
+					goto skip;
+				if (note.note_signature == be32_to_cpu(0x43415053)) /* "CAPS" */
+					restrict(bprm, &note.cap);
+				offset += sizeof(Elf32_Nhdr) + roundup(note.nhdr.n_namesz, 4) + roundup(note.nhdr.n_descsz, 4);
+			}
+		}
 		if (elf_ppnt->p_type == PT_INTERP) {
 			retval = -EINVAL;
 		  	if (elf_interpreter)
@@ -533,6 +574,7 @@
 			interp_ex = *((struct exec *) bprm->buf);
 			interp_elf_ex = *((struct elfhdr *) bprm->buf);
 		}
+	skip:
 		elf_ppnt++;
 	}
 


-- 
I'm really pavel na ucw.cz. Look at http://195.113.31.123/~pavel.          Pavel
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

Další informace o konferenci Linux