Enforcing systrace on binaries
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Enforcing systrace on binaries
- From: Joachim Blaabjerg <styx_(_at_)_gentoo_(_dot_)_org>
- Date: Wed, 19 Mar 2003 19:58:54 +0100
Hi,

I've just written a little C wrapper to enforce systrace on all my
setuid/setgid files. The general idea is that all setuid/setgid files are
moved to /usr/libexec/suid/ (subject to change) which is root:suid (I added
a new group for the purpose) with permissions 0750. The wrapper is called
swrapper for now, and resides in /bin, owned by root:suid and with 2755
permissions. All setuid/setgid files are replaced by symlinks to the
swrapper binary, thusly:

styx@zaphod styx $ ls -l /sbin/ping
lrwxr-xr-x 1 root wheel 15 Mar 19 17:07 /sbin/ping -> ../bin/swrapper
styx@zaphod styx $ ls -l /bin/swrapper
-rwxr-sr-x 1 root suid 7376 Mar 19 17:47 /bin/swrapper

Upon being called, swrapper checks argv[0] to see what program it should
invoke, checks if the program exists in /usr/libexec/suid/, proceeds to
check if there's a policy for the program in /etc/systrace/, and finally
execve's the program as an argument to `systrace -a` (with arguments and
environment intact, of course).

The whole scheme is fully transparent for users, although it may have a
little overhead. Here's what it looks like for a regular user (beware of
wrapping):

styx@zaphod styx $ ls -l `which ping`
lrwxr-xr-x 1 root wheel 15 Mar 19 17:07 /sbin/ping -> ../bin/swrapper
styx@zaphod styx $ ping suxos.org > /dev/null &
[1] 26572
styx@zaphod styx $ ps axu | grep ping
styx 26572 3.2 0.0 800 384 p1 Sx 7:56PM 0:00.16
/usr/libexec/suid/ping suxos.org
styx 23923 0.0 0.0 896 512 ?? Ss 7:56PM 0:00.02
/bin/systrace -a /usr/libexec/suid/ping suxos.org
styx@zaphod styx $

What are your thoughts on this? I don't find it particularly elegant myself,
but it works the purpose and helps me sleep better at night. I'll gladly
publish the (trivial) code online if there's any interest.

Best Regards,
--
Joachim Blaabjerg
Gentoo Linux Security Developer
GPG key @ http://cvs.gentoo.org/~styx
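
The lookup sequence described in the message above, as an added C sketch. It is not the author's swrapper, whose code the post does not include. The function names, the exit codes and the policy file naming (the target path with '/' replaced by '_') are assumptions; the directories and the `systrace -a` invocation are taken from the post.

```c
/* Added sketch, not the author's swrapper; policy file naming is assumed. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define PATHLEN    1024
#define SUID_DIR   "/usr/libexec/suid"
#define POLICY_DIR "/etc/systrace"
#define SYSTRACE   "/bin/systrace"

/* Map argv[0] to the real binary. Only the last path component is used,
 * so a crafted argv[0] such as "../../tmp/x" cannot leave SUID_DIR. */
int resolve_target(const char *argv0, char *out, size_t outlen)
{
    const char *name;
    if (argv0 == NULL || *argv0 == '\0') return -1;
    name = strrchr(argv0, '/');
    name = name ? name + 1 : argv0;
    if (*name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    if ((size_t)snprintf(out, outlen, "%s/%s", SUID_DIR, name) >= outlen)
        return -1;                      /* truncated path: refuse */
    return 0;
}

/* Build the policy path for an absolute target path (assumed naming). */
int policy_path(const char *target, char *out, size_t outlen)
{
    if ((size_t)snprintf(out, outlen, "%s/%s", POLICY_DIR, target + 1) >= outlen)
        return -1;
    for (char *p = out + strlen(POLICY_DIR) + 1; *p; p++)
        if (*p == '/') *p = '_';
    return 0;
}

int main(int argc, char *argv[], char *envp[])
{
    char target[PATHLEN], policy[PATHLEN], *nargv[argc + 3];
    struct stat st;
    /* stat() uses the effective gid, which is what grants access to SUID_DIR */
    if (resolve_target(argv[0], target, sizeof target) != 0 ||
        policy_path(target, policy, sizeof policy) != 0 ||
        stat(target, &st) != 0 || !S_ISREG(st.st_mode) ||
        stat(policy, &st) != 0 || !S_ISREG(st.st_mode))
        return 126;                     /* no binary or no policy: refuse */
    nargv[0] = SYSTRACE; nargv[1] = "-a"; nargv[2] = target;
    for (int i = 1; i <= argc; i++) nargv[i + 2] = argv[i]; /* args + NULL */
    execve(SYSTRACE, nargv, envp);      /* environment passed through, as in the post */
    return 127;
}
```

The wrapper refuses to run anything when either the binary or its policy is missing, so a symlink added without a matching policy fails closed.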