|
Firewall Wizards
mailing list archives
Re: syscall wrappers (was Re: chroot useful?)
From: George Ross <gdmr () dcs ed ac uk>
Date: Tue, 18 Nov 1997 09:52:06 +0000
... Nicer still would be to integrate
the facility down in the kernel proper, on the far side of the syscall
interface; rather than wrapping the syscalls in libc, actually indirect
them on the far side of the syscall interface so the original
(unwrapped) syscalls aren't available through any calling interface in
the client program. ...
I remember doing this a few years ago to a lab of Sun 3/50 machines running SunOS 4.0.3. The system call vector was
one of the kernel files distributed in source form, so I was able to fix chmod, fchmod and umask (I think that was the
lot) so that they returned EPERM unless the caller's group ID was below a certain threshold. And that, together with
0700-mode home directories, quotas on /tmp and /usr/tmp, and a primitive kind of rlogin wrapper, was enough to bring
the incidence of hacking down from huge to zero -- it was remarkably effective.
Back then, of course, 3/50s were new and exciting (well, sort of...). A couple of years later the University had
installed some much more desirable machines, and our labs weren't nearly such tempting hacker targets.
--
Dr George D M Ross, Department of Computer Science, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: gdmr () dcs ed ac uk Voice: +44 131 650 5147 Fax: +44 131 667 7209
PGP: 1024/B74A4F7D 14 E8 B3 00 20 04 68 F8 95 40 CB 36 A4 D4 FA 90
 By Date 
By Thread
Current thread:
- Re: chroot useful?, (continued)
|
Intro
