Date: Fri, 30 Jul 2010 23:18:39 -0700
From: Selphie Keller <selphie.keller@gmail.com>
To: <freebsd-security@freebsd.org>
Subject: kernel module for chmod restrictions while in securelevel one or higher
Message-ID: <235BB726E71747BA980A0EF60F76ED37@2WIRE304>

Kernel module for chmod restrictions while in securelevel one or higher: http://gist.github.com/501800 (fbsd 8.x)

Was looking at the new recent sendfile/mbuf exploit and it was using a shellcode that calls chmod syscall to make a setuid/setgid binary. However was thinking of ways to block the creation of suid/sgid binaries if the machine is in a securelevel, beyond the normal things like nosuid/noexec mount flags for /tmp.

So came up with this quick module to handle it, but the concept of restricting the creation of suid/sgid binaries while in securelevel seems like a good idea to be part of the base.

-Estella Mystagic
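
A userland model of the check described in the message, added here as an illustration; it is not the code from the linked gist and not FreeBSD's own. The names `suid_chmod_policy` and `guarded_chmod`, the rule that only newly gained setuid/setgid bits on regular files are refused, and passing the securelevel in as a parameter (on FreeBSD it is the `kern.securelevel` sysctl) are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PRIV_BITS (S_ISUID | S_ISGID)

/*
 * Policy decision (hypothetical helper): 0 to allow, EPERM to deny.
 * old_mode is the file's current st_mode (type bits included),
 * new_mode is the mode passed to chmod.
 */
int suid_chmod_policy(int securelevel, mode_t old_mode, mode_t new_mode)
{
    /* Bits the request would add that the file does not already have. */
    mode_t gained = (new_mode & PRIV_BITS) & ~(old_mode & PRIV_BITS);

    if (securelevel < 1)        /* restriction applies at securelevel >= 1 */
        return 0;
    if (!S_ISREG(old_mode))     /* assumption: only regular files matter */
        return 0;
    return gained ? EPERM : 0;  /* clearing or keeping bits stays allowed */
}

/*
 * chmod wrapper (hypothetical helper) that applies the policy. It works on
 * one open descriptor (fstat + fchmod) so the file that is checked is the
 * file that is changed, as a kernel hook operating on the vnode would.
 */
int guarded_chmod(const char *path, mode_t new_mode, int securelevel)
{
    struct stat st;
    int fd, err = 0, rc = -1;

    fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;              /* errno set by open */
    if (fstat(fd, &st) < 0)
        err = errno;
    else if ((err = suid_chmod_policy(securelevel, st.st_mode, new_mode)) == 0)
        rc = fchmod(fd, new_mode);
    if (rc < 0 && err == 0)
        err = errno;            /* fchmod failed for its own reason */
    close(fd);
    if (rc < 0)
        errno = err;
    return rc;
}
```
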