Re: current->uid

Rogier Wolff (R.E.Wolff@BitWizard.nl)
Sun, 11 Apr 1999 17:22:47 +0200 (MEST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Nick Holloway: "Re: 2.2.x kernels missend odd-sized ICMP packets"
Previous message: kuznet@ms2.inr.ac.ru: "Re: Scheduler, Classifier"

kernel@vdr.qc.ca wrote:
> Hello,
>
> I am student in computer sciences at a university somewhere in
> Quebec Canada. For my final project I have to change the kernel to allow
> root's uid to change dynamicly.

Something like "echo 1234 > /proc/root_uid" ?

And from that moment on, "uid 1234" has root-powers, but not uid 0?

Well, "init" will already be running, and have uid 0. It won't like
its powers taken away.

> This would break some exploits, and might improve security
> slightly. I've been studying the sources for 8 mounth now, and I
> feel this could be done with an interface in /proc.

To set the uid? yes.

> I would like to have some feedbask from some more experienced
> hackers. I know this sounds silly at first, but if tou make system calls
> lie about the uid of super-user processes, and don't touch the file
> system, this can be done relativly painlessly.

There is a macro "suser" in older kernels that did something like

return (current ->uid == 0)

which is now replaced by capabilities stuff. That capabilities stuff
is much better.

Replacing that macro with

return (current->uid == root_uid)

and declaring the root_uid variable isn't more than 15 minutes
work. Getting the proc interface working might take the rest of the
day. I don't think that the "level" of this assignment is valid for a
final project.

But what will all this gain you? A program classically requiring
"root" to run, will now run under "1234", and getting that program to
do "exec /bin/sh" will still give a root-power-shell.

And if you're afraid that current exploits are doing
setreuid (0,0);
exec ("/bin/sh");
or
cp /bin/sh /tmp/.sh
chown 0 /tmp/.sh
chmod 4755 /tmp/.sh

then you should realize that the first needs to be rewritten to:
t = geteuid ();
setreuid (t,t);
exec ("/bin/sh");

and that the second has an extra "chown" that serves no purpose except
to make it fail when your patch is installed. Without the chown, it will
work with and without the patch!.

> I would just like to know why this has never been done, and what

Because it is a stupid idea.

> are the implications of this. Also, would such a patch be considered to
> become official some day or would this just sit in some folder of an

No.

> unknown university hidden getting just a bit dustier every year ?

Yes.

Roger.

-- ** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 ** *-- BitWizard writes Linux device drivers for any device you may have! --* ------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: Nick Holloway: "Re: 2.2.x kernels missend odd-sized ICMP packets"
Previous message: kuznet@ms2.inr.ac.ru: "Re: Scheduler, Classifier"