From: <da...@us...> - 2003-03-30 18:24:12
Update of /cvsroot/cerber/cerb-ng/examples In directory sc8-pr-cvs1:/tmp/cvs-serv10338 Added Files: apache.cb Log Message: Added policy for apache1.3+mod_ssl. --- NEW FILE: apache.cb --- /* * Policy: apache. * * (c) 2003 Pawel Jakub Dawidek <ni...@ga...> * * $Id: apache.cb,v 1.1 2003/03/30 18:24:09 dawidek Exp $ */ #include <errno.h> #include <fcntl.h> #include <sys/syscall.h> #include <sys/syslog.h> #include "addons.cbh" #define APACHE_PNAME "httpd" #define APACHE_UID GET_UID("nobody") #define APACHE_GID GET_GID("nobody") #define APACHE_INODE GET_INODE("/usr/local/sbin/httpd") #define APACHE_DEV GET_DEV("/usr/local/sbin/httpd") #define APACHE_PORTS 22,443 #define WWW_UID GET_UID("www") beginrules ADD_SYSCALL( SYS_execve, SYS_open, SYS_stat, SYS_chown, SYS_chmod, SYS_unlink, SYS_bind ); if (syscall == SYS_execve && ruid == 0) { if (getinode(arg[0]) == APACHE_INODE && getdev(arg[0]) == APACHE_DEV) { reg[0] = call(); if (reg[0] != 0) { return(reg[0]); } /* everything is correct, removing uid and gid 0 */ setpruid(APACHE_UID); setpeuid(APACHE_UID); setprgid(APACHE_GID); setpegid(APACHE_GID); setpgroups( [ 65534, 65534 ] ); CB_LOG(LOG_INFO, "Removed uid 0."); return(0); } } if (finode == APACHE_INODE && fdev == APACHE_DEV && ruid == APACHE_UID) { if (syscall == SYS_execve) { CB_LOG(LOG_WARNING, "!WARN! 
Attempt to run %s(%s)!", arg[0], realpath(arg[0])); return(EPERM); } if (syscall == SYS_stat) { if (arg[0] == "/usr/local/etc/apache/ssl.key/server.key") { reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)", pname, syscallname, reg[0]); return(reg[0]); } } if (syscall == SYS_chmod) { if (arg[0] @ "/var/run/httpd.mm.*.sem" && arg[1] == 0600) { reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)", pname, syscallname, reg[0]); return(reg[0]); } } if (syscall == SYS_chown) { if (arg[0] @ "/var/run/httpd.mm.*.sem" && arg[1] == WWW_UID && arg[2] == -1) { reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)", pname, syscallname, reg[0]); return(reg[0]); } } if (syscall == SYS_unlink) { if (arg[0] == "/var/run/ssl_scache.db" || arg[0] @ "/var/run/ssl_mutex.*" || arg[0] @ "/var/run/httpd.lock.*" || arg[0] @ "/var/run/httpd.mm.*.sem") { reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)", pname, syscallname, reg[0]); return(reg[0]); } } if (syscall == SYS_bind) { reg[1] = getport(arg[1]); if (ismember(reg[1], [ APACHE_PORTS ])) { reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%u) [ret=%d] (with euid 0)", pname, syscallname, reg[1], reg[0]); return(reg[0]); } } if (syscall == SYS_open) { if (arg[1] == O_RDONLY) { if (arg[0] == "/usr/local/etc/apache/ssl.crt/server.crt" || arg[0] == "/usr/local/etc/apache/ssl.key/server.key") { reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], reg[0]); return(reg[0]); } } if (arg[1] == O_WRONLY) { if (arg[0] @ "/var/run/ssl_mutex.*" || arg[0] @ "/var/run/httpd.lock.*") { reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], reg[0]); return(reg[0]); } } if (arg[1] == (O_CREAT | O_WRONLY)) { if (arg[0] @ "/var/run/ssl_mutex.*") { /* Better be sure and set creation perms to 0600. 
*/ arg[2] = 0600; reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], arg[2], reg[0]); return(reg[0]); } } if (arg[1] == O_RDWR) { if (arg[0] == "/var/run/ssl_scache.db") { reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], reg[0]); return(reg[0]); } } if (arg[1] == (O_CREAT | O_RDWR)) { if (arg[0] == "/var/run/ssl_scache.db") { /* Better be sure and set creation perms to 0600. */ arg[2] = 0600; reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], arg[2], reg[0]); return(reg[0]); } } if (arg[1] == (O_CREAT | O_APPEND | O_WRONLY)) { if (arg[0] == "/var/log/httpd-access.log" || arg[0] == "/var/log/httpd-error.log" || arg[0] == "/var/log/ssl_engine_log" || arg[0] == "/var/log/ssl_request_log") { /* Better be sure and set creation perms to 0600. */ arg[2] = 0600; reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], arg[2], reg[0]); return(reg[0]); } } if (arg[1] == (O_TRUNC | O_CREAT | O_WRONLY)) { if (arg[0] == "/var/run/httpd.pid") { /* Better be sure and set creation perms to 0600. */ arg[2] = 0600; reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], arg[2], reg[0]); return(reg[0]); } } if (arg[1] == (O_EXCL | O_CREAT | O_WRONLY)) { if (arg[0] @ "/var/run/httpd.lock.*") { /* Better be sure and set creation perms to 0600. */ arg[2] = 0600; reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], arg[2], reg[0]); return(reg[0]); } } if (arg[1] == (O_EXCL | O_CREAT | O_RDWR)) { if (arg[0] @ "/var/run/httpd.mm.*.sem") { /* Better be sure and set creation perms to 0600. 
*/ arg[2] = 0600; reg[0] = sucall(); log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)", pname, syscallname, arg[0], arg[1], arg[2], reg[0]); return(reg[0]); } } } CB_PREPARE(); } endrules |
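Review bot: `#define APACHE_PORTS 22,443` lets the httpd process bind(2) port 22 with euid 0 through the `sucall()` path in the SYS_bind branch, and 22 is the SSH port rather than the plain-HTTP port an Apache 1.3 + mod_ssl listener needs; unless binding 22 is intended, this should read `#define APACHE_PORTS 80,443` so the privileged-bind allow-list covers only the web ports. In the root execve branch `setpgroups( [ 65534, 65534 ] );` hard-codes a gid while the rest of the file resolves it through `APACHE_GID`, so `setpgroups( [ APACHE_GID, APACHE_GID ] );` keeps the two in step on a host where "nobody" is not 65534. The `sucall()` branches for SYS_unlink, SYS_chown, SYS_chmod and SYS_open match the raw `arg[0]` against globs such as `"/var/run/httpd.mm.*.sem"`; unless the `@` matcher canonicalizes the path (I cannot tell from this file), a `..` component after the matched prefix could be accepted, so matching on `realpath(arg[0])`, which the execve warning already uses, is worth confirming. The `log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)", ...)` line is repeated verbatim in the stat, chmod, chown and unlink branches; a small macro next to `CB_LOG` would keep the format string in one place.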