Linux: restricting access to system call?
| pascaldamian2@gmail.com 2007-04-22, 1:20 am |
| Can I block access to certain system calls from non-privileged users?
For example, restricting statfs() so normal users would not be able to
see results of 'df' command.
Regards,
Pascal Damian
| |
| elsiddik 2007-04-22, 7:17 am |
| On Apr 22, 11:52 am, pascaldami...@gmail.com wrote:
> Can I block access to certain system calls from non-privileged users?
> For example, restricting statfs() so normal users would not be able to
> see results of 'df' command.
>
> Regards,
> Pascal Damian
chmod 700 /bin/df ?
zaher el siddik
http://elsiddik.blogspot.com/
| |
| Barry Margolin 2007-04-22, 7:17 pm |
| In article <1177223045.629046.81520@y80g2000hsf.googlegroups.com>,
elsiddik <elsiddik@gmail.com> wrote:
> On Apr 22, 11:52 am, pascaldami...@gmail.com wrote:
>
>
>
> chmod 700 /bin/df ?
The user can simply copy it from another system or recompile it
themselves. There's no security achieved by removing access to
non-setuid programs.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
| |
| Paul Pluzhnikov 2007-04-22, 7:17 pm |
| pascaldamian2@gmail.com writes:
> Can I block access to certain system calls from non-privileged users?
Yes, but not easily.
> For example, restricting statfs() so normal users would not be able to
> see results of 'df' command.
On Linux, you can patch your kernel source to return EACCES from
sys_statfs() unless 0 == current->uid.
You can probably write a kernel module that will do the above patch
at load time.
You can also add a special interposer library that will return
error from statfs64() unless 0 == getuid() [1], and arrange for
that library to be preloaded everywhere via /etc/ld.so.preload.
However this last method is easily bypassed: the user could
statically link his own copy of "df".
Cheers,
[1] better implement your own getuid() via direct syscall.
If you do not, the user can preload his own interposer that answers
0 to getuid(), bypassing your protection using the same trick you
used to implement the protection.
--
In order to understand recursion you must first understand recursion.
Remove /-nsp/ for email.
| |
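Added example, not part of any post in this thread: one way to write the interposer library Paul Pluzhnikov describes, with the uid check from his footnote [1] issued as an inline system call instead of through libc. The file name, build line and helper names (raw_syscall2, kernel_uid, guarded_statfs) are assumptions; it covers x86-64 and AArch64 Linux, and as the post notes it constrains only dynamically linked programs.

```c
/* statfs_guard.c: added example, not code from the thread.
 * Build (assumed): cc -shared -fPIC -o libstatfs_guard.so statfs_guard.c
 * and list the .so in /etc/ld.so.preload. x86-64 and AArch64 Linux only. */
#include <errno.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Two-argument system call issued inline, so no replaceable libc symbol
 * (getuid, syscall) sits in the decision path. Returns the raw kernel
 * result: a negative errno value on failure. */
static long raw_syscall2(long nr, long a, long b)
{
#if defined(__x86_64__)
    long ret;
    __asm__ volatile("syscall" : "=a"(ret) : "a"(nr), "D"(a), "S"(b)
                     : "rcx", "r11", "memory");
    return ret;
#elif defined(__aarch64__)
    register long x8 __asm__("x8") = nr;
    register long x0 __asm__("x0") = a;
    register long x1 __asm__("x1") = b;
    __asm__ volatile("svc 0" : "+r"(x0) : "r"(x8), "r"(x1) : "memory");
    return x0;
#else
#error "raw_syscall2: add the syscall sequence for this architecture"
#endif
}

/* Real uid as the kernel reports it (footnote [1] in the post). */
static uid_t kernel_uid(void)
{
    return (uid_t)raw_syscall2(SYS_getuid, 0, 0);
}

/* Policy from the post: only uid 0 may query filesystem statistics. */
static int guarded_statfs(uid_t uid, const char *path, void *buf)
{
    long r = (uid == 0) ? raw_syscall2(SYS_statfs, (long)path, (long)buf)
                        : -EACCES;
    if (r < 0) {
        errno = (int)-r;
        return -1;
    }
    return 0;
}

/* Exported names resolved ahead of libc's. buf is only passed through, so it
 * is void * and <sys/statfs.h> is not included (one layout on 64-bit Linux). */
int statfs(const char *path, void *buf)   { return guarded_statfs(kernel_uid(), path, buf); }
int statfs64(const char *path, void *buf) { return guarded_statfs(kernel_uid(), path, buf); }
```

With the library preloaded, a dynamically linked df run by a non-root user gets EACCES from statfs() and statfs64().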
| nickf3 2007-04-25, 1:24 pm |
| On Apr 21, 9:52 pm, pascaldami...@gmail.com wrote:
> Can I block access to certain system calls from non-privileged users?
> For example, restricting statfs() so normal users would not be able to
> see results of 'df' command.
>
> Regards,
> Pascal Damian
OpenBSD, for example, provides systrace(1) where you can do
all sorts of cool things. There's also a shell implemented on top
of that: http://www.monkey.org/~jose/software/stsh/
I'd figure Linux would have something similar/close.
--
Nikolai