Protecting against downloads

Marc Unangst mju at mudos.ann-arbor.mi.us
Fri Sep 14 07:51:18 AEST 1990 

epeterso at encore.com (Eric Peterson) writes:
> ** BZZZT! **  Wrong.  People need to be able to read the kernel and
> other binaries.  Changing the permission bits on the standard files is
> not necessarily a healthy idea.

No, you're wrong.  People don't need to be able to read the kernel; in
fact, on every modern Unix system I've seen, the ordinary user CAN'T
read the kernel.  It's usually owned by "root", group "sysinfo" (or
something similar), and permitted 640 or 040.  Programs like ps(1)
that need to read the kernel are SGID sysinfo.  /dev/kmem, /dev/mem,
and /dev/swap are similarly owned by group sysinfo and permitted 640
or 040.  Any programs that have to access these protected files are
SGID sysinfo.

The only executable files that need to be readable by the user are
shell scripts.

(However, note that something like "chmod 711 /usr/bin/*" is a Bad
Idea, since it strips things like SUID and SGID bits.  Try "chmod
go-rw /usr/bin/*" instead.)

> instance, if you gave the command "chroot /usr/$HOME /bin/csh" instead
> of just "/bin/csh" as your shell command, the user would see
> "/usr/$HOME" as "/" and would not have access to /bin or /lib.

Well, ignoring for the moment that "/usr/$HOME" will probably expand
to "/usr/u/loginid" or something similar, this opens up a security
hole big enough to drive a medium-sized planet through.  Consider this:

% cd
% mkdir etc
% cd etc
% cat >passwd
root::0:0::/:/bin/sh
^D
% su root
Password: <return>
# 

The user now has root.  Kids, don't try this at home.  THIS IS WHY
ROOT IS THE ONLY ONE ALLOWED TO EXECUTE chroot(1).

The solution, as I mentioned before, is to remove read permission from
any and all binaries, INCLUDING the kernel.  Make sure the hard drive
and raw hard drive devices are permitted 600.  Make sure /dev/mem,
/dev/kmem, and /dev/swap can't be read by an ordinary user.  Forget
about hacking sz(1) or rz(1), because the user can just upload their
own version, compile it, and use it.

--
Marc Unangst               | "da-DE-DA: I am sorry, the country you have
mju at mudos.ann-arbor.mi.us  | dialed is not in service.  Please check the
...!umich!leebai!mudos!mju | number and try again."  -- Telecom Kuwait

More information about the Comp.unix.sysv386 mailing list