From owner-freebsd-hackers Thu Nov 16 1:12:58 2000 Delivered-To: freebsd-hackers@freebsd.org Received: from matrix.42.org (matrix.42.org [194.246.250.200]) by hub.freebsd.org (Postfix) with ESMTP id 883C537B4C5 for ; Thu, 16 Nov 2000 01:12:55 -0800 (PST) Received: (from sec@localhost) by matrix.42.org (8.8.8/8.8.5) id KAA14766 (sender ); Thu, 16 Nov 2000 10:12:51 +0100 (CET) Date: Thu, 16 Nov 2000 10:12:50 +0100 From: Stefan `Sec` Zehl To: Peter Pentchev Cc: freebsd-hackers@freebsd.org Subject: Re: changing a running process's credentials Message-ID: <20001116101250.A14200@matrix.42.org> References: <20001115161316.C309@ringworld.oblivion.bg> <20001115190135.E309@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001115190135.E309@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, Nov 15, 2000 at 06:02:22PM +0100 I-love-doing-this: really X-Modeline: vim:set ts=8 sw=4 smarttab tw=72 si noic notitle: Accept-Languages: de, en X-URL: http://sec.42.org/ Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Wed, Nov 15, 2000 at 06:02:22PM +0100, Peter Pentchev wrote: > On Wed, Nov 15, 2000 at 08:47:22AM -0800, Alfred Perlstein wrote: > > * Peter Pentchev [001115 06:19] wrote: > > > As far as I can see, FreeBSD (nor any other Unix system I'm aware > > > of) does not provide a way to do this (short of writing to > > > /dev/kmem ;). If a new syscall should be implemented to this end, > > > would it be enough to change a struct proc's p_cred member, its > > > pc_ucred and such, or would that raise hell all over the process > > > table? I see the comments mentioning 'possibly shared' > > > credentials - does this mean that I can inadvertently change the > > > credentials of a whole process children/siblings tree? That does > > > not sound too good - how do I go about taking a single process's > > > credentials out - just allocate a new pcred/ucred structure? > > > > Struct ucred is read-only, that would mean that strange things may > > happen, fortunatly at the moment most access control checks are > > only done at file open/socket bind time, so that if your cred > > changes you should still have access to it. > > > > > And yes, I'm quite aware of the security implications of something like > > > that.. let's just say I like playing with fire in a controlled > > > environment :) (famous last words..) > > > > Well there wouldn't be any security implications if done right... > > The security implications I meant have to do with the ability to provide > either a tool or a sysctl to change the uid of any running process > on the system - that would have to include stringent controls on exactly > who and why uses this tool/sysctl. I have some ideas about this, > but they need some more grinding before they're ready to be tossed > at the world for discussion (and dissing ;) A few years ago (Feb-1997 on FreeBSD-2.1.0) i wrote a little proof-of-concept program to show that write access means instant root. It uses stolen parts from the kvm lib and /bin/ps to do it. I ported it to FreeBSD-3.2 a year ago, and it compiles and runs on 4.1 also. I found it really handy when I start to edit a file to which i have no write access. I can promote vi to root, and write the file instead of fiddling around with temp-files ;-) I've put the source at in case anyone wants it. Of course it will only work as root, as write access to /dev/kmem is needed. Do not make /dev/kmem group or even world writable ;-) If this code is usefull for anyone else, i'd be happy to hear about it ;-) CU, Sec -- My biggest problem was when I screwed up the device driver for my eyelids I couldn't open my eyes to debug them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message