Date:      Tue, 18 Jan 2000 12:47:44 +0100 (MET)
From:      "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To:        Nicholas Brawn <ncb@attrition.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: sh?
Message-ID:  <Pine.GSO.4.10.10001181245170.5604-100000@nenya.ms.mff.cuni.cz>
In-Reply-To: <Pine.LNX.4.10.10001181513340.14565-100000@zipperii.zip.com.au>

On Tue, 18 Jan 2000, Nicholas Brawn wrote:

> On Mon, 17 Jan 2000, Omachonu Ogali wrote:
> 
> > That was the purpose for the denying code, to try and stop the attack
> > before it goes through. For instance, 'named' shouldn't be executing sh,
> > so I would add 'named' to the file, see where I'm going?
> > 
> > Omachonu Ogali
> > Intranova Networking Group
> > 
> 
> I thought of doing something similar to this in the kernel last year. On
> execve(), check the calling process name/etc and compare to a database for
> acceptable calling processes. I.e., disallow the calling of execve() from
> certain network services.

A lot of work on this issue has been done in the "Generic Software
Wrappers".

Information about it was posted here in September; I'll quote the head
of the mail:

======================================================================
From: Steve Kiernan <stevek@tislabs.com>
To: freebsd-security@FreeBSD.ORG
Date: Thu, 2 Sep 1999 16:59:21 -0400 (EDT)
Subject: Generic Software Wrappers 1.2.1 now available...


Some time ago there was some discussion of adding security policies to the
FreeBSD kernel.  ("Using capabilities against shell code" August 1998) In
that thread, Robert Watson had referred to the Generic Software Wrappers
Toolkit which we at NAI Labs (formerly TIS Labs) were working on.  We now
have a release available for use.  The current source release contains
support for FreeBSD 2.2.x on Intel x86 and Solaris 2.6 on UltraSPARC, and
preliminary support for FreeBSD 3.x on Intel x86 (not all syscalls are
characterized and the code is not SMP-safe) and Windows NT on Intel x86 
(the implementation is in user-space and not complete). 

The following is an excerpt from the readme file (you can grab a copy of
the Toolkit from ftp://ftp.tislabs.com/pub/wrappers):

...

======================================================================


> 
> The difficulty would be in making a suitable interface for such a
> modification. I also think there must be more elegant ways of
> accomplishing the same thing, such as what Robert Watson has been
> discussing in his recent posts.

The interface used in the GSW is really nice.


			Vlada Mencl
> 
> Cheers,
> Nick
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
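
The check discussed in this thread (deny a shell exec when the calling process is a listed network service), sketched in user space as an added example; it is not code from the thread or from the Generic Software Wrappers toolkit. The policy file format, the shell list and the function names are assumptions, and entries are matched exactly so that `name` does not match a `named` entry.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample policy: one caller name per line, '#' starts a comment.
 * The format is an assumption; the thread only says names go into "the file". */
static const char SAMPLE_POLICY[] =
    "# callers that must never exec a shell\n"
    "named\n"
    "  ftpd  \n"
    "\n"
    "httpd # web server\n";

/* Hypothetical list of shells the policy protects. */
static const char *const SHELLS[] = { "/bin/sh", "/bin/csh", "/bin/tcsh", NULL };

static int is_shell(const char *path) {
    for (size_t i = 0; SHELLS[i]; i++)
        if (strcmp(path, SHELLS[i]) == 0) return 1;
    return 0;
}

/* Return 1 if `caller` appears as a whole entry in the policy text. */
static int caller_denied(const char *policy, const char *caller) {
    size_t want = strlen(caller);
    const char *line = policy;
    while (*line) {
        const char *end = line + strcspn(line, "\n");
        const char *s = line;
        const char *e = line + strcspn(line, "#\n");   /* drop trailing comment */
        while (s < e && (*s == ' ' || *s == '\t')) s++;
        while (e > s && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\r')) e--;
        if (want > 0 && (size_t)(e - s) == want && memcmp(s, caller, want) == 0)
            return 1;
        line = *end ? end + 1 : end;                   /* next line or stop */
    }
    return 0;
}

/* Decision an execve() hook would make: 0 = allow, -1 = deny. */
int check_exec(const char *policy, const char *caller, const char *target) {
    return (is_shell(target) && caller_denied(policy, caller)) ? -1 : 0;
}

int main(void) {
    printf("named -> /bin/sh: %d\n", check_exec(SAMPLE_POLICY, "named", "/bin/sh"));
    printf("sshd  -> /bin/sh: %d\n", check_exec(SAMPLE_POLICY, "sshd", "/bin/sh"));
    return 0;
}
```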