diff options
author | rwatson <rwatson@FreeBSD.org> | 2000-06-05 14:53:55 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2000-06-05 14:53:55 +0000 |
commit | 68239103ca69ad700547a0a80b8af367f735e0d1 (patch) | |
tree | 230cbbf17decee8cffa54408bc4fa0b76b6da98d | |
parent | 051a92f4cd76b6608fa5a85e1d95a4ddfd8be0e7 (diff) | |
download | FreeBSD-src-68239103ca69ad700547a0a80b8af367f735e0d1.zip FreeBSD-src-68239103ca69ad700547a0a80b8af367f735e0d1.tar.gz |
o Introduce kern.suser_permitted, a sysctl that disables the suser_xxx()
returning anything but EPERM.
o suser is enabled by default; once disabled, cannot be reenabled
o To be used in alternative security models where uid0 does not connote
additional privileges
o Should be noted that uid0 still has some additional powers as it
owns many important files and executables, so suffers from the same
fundamental security flaws as securelevels. This is fixed with
MAC integrity protection code (in progress)
o Not safe for consumption unless you are *really* sure you don't want
things like shutdown to work, et al :-)
Obtained from: TrustedBSD Project
-rw-r--r-- | sys/kern/kern_mib.c | 24 | ||||
-rw-r--r-- | sys/kern/kern_prot.c | 2 | ||||
-rw-r--r-- | sys/sys/systm.h | 1 |
3 files changed, 27 insertions, 0 deletions
diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c index 35c70fb..bc480c3 100644 --- a/sys/kern/kern_mib.c +++ b/sys/kern/kern_mib.c @@ -182,6 +182,30 @@ sysctl_kern_securelvl SYSCTL_HANDLER_ARGS SYSCTL_PROC(_kern, KERN_SECURELVL, securelevel, CTLTYPE_INT|CTLFLAG_RW, 0, 0, sysctl_kern_securelvl, "I", "Current secure level"); +int suser_permitted = 1; + +static int +sysctl_kern_suser_permitted SYSCTL_HANDLER_ARGS +{ + int error, flag; + + flag = suser_permitted; + + error = sysctl_handle_int(oidp, &flag, 0, req); + if (error || !req->newptr) + return (error); + if (flag != 0 && flag != 1) + return(EPERM); + if (!suser_permitted) + return(EPERM); + suser_permitted = flag; + return (0); +} + +SYSCTL_PROC(_kern, OID_AUTO, suser_permitted, + CTLTYPE_INT|CTLFLAG_RW, 0, 0, sysctl_kern_suser_permitted, "I", + "processes with uid 0 have privilege"); + char domainname[MAXHOSTNAMELEN]; SYSCTL_STRING(_kern, KERN_NISDOMAINNAME, domainname, CTLFLAG_RW, &domainname, sizeof(domainname), "Name of the current YP/NIS domain"); diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 3be52c8..9194e55 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -950,6 +950,8 @@ suser_xxx(cred, proc, flag) struct proc *proc; int flag; { + if (!suser_permitted) + return (EPERM); if (!cred && !proc) { printf("suser_xxx(): THINK!\n"); return (EPERM); diff --git a/sys/sys/systm.h b/sys/sys/systm.h index 3f900a8..059fd89 100644 --- a/sys/sys/systm.h +++ b/sys/sys/systm.h @@ -47,6 +47,7 @@ #include <sys/callout.h> extern int securelevel; /* system security level (see init(8)) */ +extern int suser_permitted; /* suser_xxx() is permitted to return 0 */ extern int cold; /* nonzero if we are doing a cold boot */ extern const char *panicstr; /* panic message */ |