Can I block access to certain system calls from non-privileged users?
For example, restricting statfs() so normal users would not be able to
see results of 'df' command.

Regards,
Pascal Damian

[ Post a follow-up to this message ]

On Apr 22, 11:52 am, pascaldami...@gmail.com wrote:
> Can I block access to certain system calls from non-privileged users?
> For example, restricting statfs() so normal users would not be able to
> see results of 'df' command.
>
> Regards,
> Pascal Damian



chmod 700 /bin/df ?

zaher el siddik
http://elsiddik.blogspot.com/

[ Post a follow-up to this message ]

In article <1177223045.629046.81520@y80g2000hsf.googlegroups.com>,
elsiddik <elsiddik@gmail.com> wrote:

> On Apr 22, 11:52 am, pascaldami...@gmail.com wrote: 
>
>
>
> chmod 700 /bin/df ?

The user can simply copy it from another system or recompile it
themselves.  There's no security achieved by removing access to
non-setuid programs.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

[ Post a follow-up to this message ]

pascaldamian2@gmail.com writes:

> Can I block access to certain system calls from non-privileged users?

Yes, but not easily.

> For example, restricting statfs() so normal users would not be able to
> see results of 'df' command.

On Linux, you can patch your kernel source to return EACCESS from
sys_statfs() unless 0 == current->uid.

You can probably write a kernel module that will do the above patch
at load time.

You can also add a special interposer library that will return
error from statfs64() unless 0 == getuid() [1], and arrange for
that library to be preloaded everywhere via /etc/ld.so.preload

However this last method is easily bypassed: the user could
statically link his own copy of "df".

Cheers,

[1] better implement your own getuid() via direct syscall.
If you do not, the user can preload his own interposer that answers
0 to getuid(), bypassing your protection using the same trick you
used to implement the protection.
--
In order to understand recursion you must first understand recursion.
Remove /-nsp/ for email.

[ Post a follow-up to this message ]

On Apr 21, 9:52 pm, pascaldami...@gmail.com wrote:
> Can I block access to certain system calls from non-privileged users?
> For example, restricting statfs() so normal users would not be able to
> see results of 'df' command.
>
> Regards,
> Pascal Damian

OpenBSD, for example, provides systrace(1) where you can do
all sort of cool things. There's also a shell implemented on top
of that: http://www.monkey.org/~jose/software/stsh/
I'd figure Linux would have something similar/close.
--
Nikolai

[ Post a follow-up to this message ]