Jak vykonat skript suid
Pavel Kankovsky
peak na argo.troja.mff.cuni.cz
Úterý Únor 8 00:16:49 CET 2000
Jen tak mimochodem...pro zajimavost prikladam kus meho programu, jehoz
ucelem je maximalne bezpecne spustit jiny program. Neni to cele,
jeste byla na jinem miste sanace argv[] a envp[]...tedy v pripade envp[]
to spis byla synteza uplne noveho environmentu, ve kterem nebylo nic
z toho stareho.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
------
#define MB (1024*1024)
struct rlim_check { int limit, value; };
struct rlim_check sensible_limits[] = {
{ RLIMIT_CPU, 120 },
{ RLIMIT_FSIZE, 16 * MB },
{ RLIMIT_DATA, 16 * MB },
{ RLIMIT_STACK, 1 * MB },
{ RLIMIT_AS, 16 * MB },
{ RLIMIT_NOFILE, 30 },
{ RLIMIT_NPROC, 50 },
{ -1, -1 }
};
struct sig_check { int signal; struct sigaction value; };
struct sig_check sensible_signals[] = {
{ SIGIO, { SIG_IGN, 0, 0 } },
{ -1, {} }
};
void
sanity_checks()
{
int i, j;
struct rlimit rlim;
for (i = 0; i < 3; ++i) {
if (fcntl(i, F_GETFD, &j) != 0)
exit(EX_TEMPFAIL);
/* no error diag */
}
for (i = 3; i < OPEN_MAX; ++i)
close(i);
for (i = 0; sensible_limits[i].limit >= 0; ++i) {
if (getrlimit(sensible_limits[i].limit, &rlim) != 0) {
perror(PROGNAME_C "getrlimit");
exit(EX_OSERR);
}
if (rlim.rlim_cur != RLIM_INFINITY &&
rlim.rlim_cur < sensible_limits[i].value) {
fprintf(stderr, PROGNAME_C "living environment not kosher");
exit(EX_TEMPFAIL);
}
}
for (i = 0; sensible_signals[i].signal >= 0; ++i) {
if (sigaction(sensible_signals[i].signal,
&sensible_signals[i].value, NULL) != 0) {
perror(PROGNAME_C "sigaction");
exit(EX_OSERR);
}
}
umask(022);
if (chdir("/") != 0) {
perror(PROGNAME_C "chdir");
exit(EX_OSERR);
}
}
Další informace o konferenci Linux