[rsbac] Protecting secoff from malicious root

Rafal Wojtczuk rsbac@rsbac.org
Mon Apr 8 11:18:01 2002


On Mon, Apr 08, 2002 at 10:46:51AM +0200, Amon Ott wrote:
> On Sunday, 3. March 2002 19:47, Rafal Wojtczuk wrote:
> > OK, but we must remember that if an attacker can force a privileged process
> > to run a machine code injected by the attacker (note I avoided the word
> > "shellcode"), the attacker doesn't need to execute anything to take full
> > advantage of the process' privileges.
> 
> Rethought that. To get your code executed, you have to map the memory segment 
> as executable, which results in a MAP_EXEC (EXECUTE on <1.2.0) on target 
> NONE. You could try to deny these requests on server programs. Unfortunately, 
> even init does map such code without corresponding file...
Well, on i386 you can execute code in a memory segment mmapped with PROT_READ
only - this is because the i386 architecture has no exec protection at page
level. i386 is broken, I know :)

> > ioctl(secoffs_terminal_fd, TIOCSTI, ptr_to_char)
> Just fixed it for -pre6, please check it yourself. The ioctl now requires
> WRITE_OPEN on the terminal device.
When -pre6 appears in http://www.rsbac.org/pre/ I'll have a look. Anyway, with
this fix, is root able to open /dev/pts/number read-write? This is needed
for things like wall, write etc.
I would disable TIOCSTI totally for rsbac.

Save yourself,
Nergal
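An added example, not part of this thread or of RSBAC: a small Linux audit program that opens the caller's own controlling terminal read-only and asks the kernel whether TIOCSTI is accepted through that descriptor, which is exactly the open-mode question raised above. The enum, function name and the use of /dev/tty are my own; the EIO case corresponds to the stock kernel's dev.tty.legacy_tiocsti=0 setting (Linux 6.2 and later).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

/* Outcome of asking the kernel to push a byte into a tty's input queue. */
enum tiocsti_probe {
    TIOCSTI_ALLOWED,    /* kernel accepted the injection on this fd  */
    TIOCSTI_DENIED,     /* refused by policy (EPERM, EACCES or EIO)  */
    TIOCSTI_NOT_A_TTY,  /* descriptor is not a terminal (ENOTTY)     */
    TIOCSTI_ERROR       /* any other failure, e.g. EBADF             */
};

/* Issue TIOCSTI with a single newline through fd. The byte only lands in
 * the calling process's own input queue, so the probe is harmless; what
 * matters is whether the call is permitted at all for a descriptor opened
 * with this access mode (here: read-only). */
enum tiocsti_probe probe_tiocsti(int fd)
{
    char ch = '\n';
    if (ioctl(fd, TIOCSTI, &ch) == 0)
        return TIOCSTI_ALLOWED;
    switch (errno) {
    case EPERM:
    case EACCES:
    case EIO:   /* Linux >= 6.2 with dev.tty.legacy_tiocsti=0 */
        return TIOCSTI_DENIED;
    case ENOTTY:
        return TIOCSTI_NOT_A_TTY;
    default:
        return TIOCSTI_ERROR;
    }
}

/* Open our controlling tty without write access and report the verdict. */
int main(void)
{
    int fd = open("/dev/tty", O_RDONLY);
    if (fd < 0) { perror("open /dev/tty"); return 1; }
    switch (probe_tiocsti(fd)) {
    case TIOCSTI_ALLOWED:   puts("TIOCSTI accepted on a read-only tty fd"); break;
    case TIOCSTI_DENIED:    puts("TIOCSTI refused by kernel policy"); break;
    case TIOCSTI_NOT_A_TTY: puts("/dev/tty is not a terminal here"); break;
    default:                perror("ioctl TIOCSTI");
    }
    close(fd); return 0;
}
```

Run it from an interactive shell; on a stock kernel with the legacy sysctl enabled it reports "accepted", which is the behaviour the read-only-open question above is about.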