Menu
▾
▴
[Cerb-commits] cerb-ng/examples syslogd.cb,NONE,1.1 apache.cb,1.8,1.9 openssh.cb,1.36,1.37
|
From: <da...@us...> - 2003-05-08 16:03:33
|
Update of /cvsroot/cerber/cerb-ng/examples
In directory sc8-pr-cvs1:/tmp/cvs-serv8460
Modified Files:
apache.cb openssh.cb
Added Files:
syslogd.cb
Log Message:
- New policy: syslogd.
Submitted by: Michal Belczyk <di...@bs...>
Corrected by: me
- Don't use setprgid()/setpegid() when using setpgroups().
--- NEW FILE: syslogd.cb ---
/*
* Policy: syslogd.
*
* (c) 2003 Michal Belczyk <di...@bs...>
* (c) 2003 Pawel Jakub Dawidek <ni...@ga...>
*
* $Id: syslogd.cb,v 1.1 2003/05/08 16:03:29 dawidek Exp $
*/
/*
* my syslogd is started like this:
* syslogd -4n -a allowed_loggers -l /usr/jails/some.jail.path -b a.b.c.d
* where a.b.c.d is the main IP; It's quite jail-friendly environment
* --Michal Belczyk
*/
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include "addons.cbh"
#if CERB_VERSION < 2003032101
#error Newer CerbNG required for this policy.
#endif
#define SYSLOGD_PNAME "syslogd"
#define SYSLOGD_UID GET_GID("syslogd")
#if 0
#define SYSLOGD_GID GET_GID("syslogd")
#else
#define SYSLOGD_GID 672
#endif
#define SYSLOGD_INODE GET_INODE("/usr/sbin/syslogd")
#define SYSLOGD_DEV GET_DEV("/usr/sbin/syslogd")
#define SYSLOGD_PID "/var/run/syslog.pid"
#define SYSLOGD_IPS [ "0.0.0.0", "127.0.0.1", "0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0" ]
#define SYSLOGD_PORT 514
#define SYSLOGD_JAILPATH "/path/to/jail"
beginrules
ADD_SYSCALL(
SYS_execve,
SYS_open,
SYS_chmod,
SYS_bind,
SYS_unlink
);
/*
* first of all, if someone with real uid 0 executes syslogd, we will remove
* uid and gid 0 from syslogd process
*/
if (syscall == SYS_execve && ruid == 0) {
if (getinode(arg[0]) == SYSLOGD_INODE &&
getdev(arg[0]) == SYSLOGD_DEV) {
reg[1] = call();
if (reg[1] != 0) {
return reg[1];
}
/* everything is correct, removing uid and gid 0 */
setpruid(SYSLOGD_UID);
setpeuid(SYSLOGD_UID);
setpgroups( [ SYSLOGD_GID, SYSLOGD_GID ] );
CB_LOG(LOG_INFO, "Removed uid 0.");
return 0;
}
}
if (finode == SYSLOGD_INODE && fdev == SYSLOGD_DEV && ruid == SYSLOGD_UID) {
if (syscall == SYS_open) {
reg[0] = 0;
if (arg[1] == (O_WRONLY | O_CREAT | O_TRUNC) &&
arg[0] == SYSLOGD_PID) {
reg[0] = 1;
}
if (arg[0] == "/dev/console") {
if (arg[1] == O_WRONLY ||
arg[1] == (O_WRONLY | O_NONBLOCK) ||
arg[1] == (O_WRONLY | O_APPEND)) {
return sucall();
}
}
if (arg[1] == (O_WRONLY | O_NONBLOCK) && arg[0] @ "/dev/ttyv?") {
reg[0] = 1;
}
if (arg[1] == (O_WRONLY | O_APPEND)) {
if (arg[0] @ "/dev/ttyv?" || arg[0] @ "/var/log/*") {
reg[0] = 1;
}
}
if (arg[1] == O_RDONLY && arg[0] == "/dev/klog") {
reg[0] = 1;
}
if (reg[0]) {
reg[1] = sucall();
CB_LOG(LOG_INFO, "Openning %s (flags=%x) [ret=%d].",
arg[0], arg[1], reg[1]);
return reg[1];
}
}
if (syscall == SYS_unlink) {
if (arg[0] == _PATH_LOG ||
arg[0] == "/usr/jails/some.jail.path" _PATH_LOG) {
reg[0] = euid;
setpeuid(0);
reg[1] = call();
CB_LOG(LOG_INFO, "Removing %s [ret=%d].", arg[0], reg[1]);
setpeuid(reg[0]);
return reg[1];
}
}
if (syscall == SYS_chmod) {
if (arg[1] == 0666 &&
(arg[0] == _PATH_LOG ||
arg[0] == SYSLOGD_JAILPATH _PATH_LOG)) {
reg[0] = euid;
setpeuid(0);
reg[1] = call();
CB_LOG(LOG_INFO, "Changing mode of %s to %o [ret=%d].",
arg[0], arg[1], reg[1]);
setpeuid(reg[0]);
return reg[1];
}
}
if (syscall == SYS_bind &&
(getfamily(arg[1]) == AF_INET || getfamily(arg[1]) == AF_INET6)) {
reg[1] = getport(arg[1]);
reg[2] = getip(arg[1]);
if (reg[1] == SYSLOGD_PORT && ismember(reg[2], SYSLOGD_IPS) >= 0) {
reg[0] = sucall();
CB_LOG(LOG_INFO, "Binding to %s|%u [ret=%d].",
reg[2], reg[1], reg[0]);
return reg[0];
}
}
if (syscall == SYS_bind && getfamily(arg[1]) == AF_UNIX) {
reg[1] = getunpath(arg[1]);
if (reg[1] == _PATH_LOG ||
reg[1] == "/usr/jails/some.jail.path" _PATH_LOG) {
reg[0] = sucall();
CB_LOG(LOG_INFO, "Binding to %s [ret=%d].", reg[1],
reg[0]);
return reg[0];
}
}
} else {
if (syscall == SYS_bind && getfamily(arg[1]) == AF_INET) {
if (!isjailed() || (isjailed() && ismember(getjailip(), SYSLOGD_IPS) >= 0)) {
reg[0] = getport(arg[1]);
if (reg[0] == SYSLOGD_PORT) {
CB_LOG(LOG_INFO, "Port %u is reserved for "
"syslogd(8)!", reg[0]);
return EPERM;
}
}
}
}
endrules
Index: apache.cb
===================================================================
RCS file: /cvsroot/cerber/cerb-ng/examples/apache.cb,v
retrieving revision 1.8
retrieving revision 1.9
diff -C2 -d -r1.8 -r1.9
*** apache.cb 17 Apr 2003 05:41:30 -0000 1.8
--- apache.cb 8 May 2003 16:03:28 -0000 1.9
***************
*** 22,26 ****
--- 22,30 ----
#define APACHE_PNAME "httpd"
#define APACHE_UID GET_UID("nobody")
+ #if 0
#define APACHE_GID GET_GID("nobody")
+ #else
+ #define APACHE_GID 65534
+ #endif
#define APACHE_INODE GET_INODE("/usr/local/sbin/httpd")
#define APACHE_DEV GET_DEV("/usr/local/sbin/httpd")
***************
*** 50,56 ****
setpruid(APACHE_UID);
setpeuid(APACHE_UID);
! setprgid(APACHE_GID);
! setpegid(APACHE_GID);
! setpgroups( [ 65534, 65534 ] );
CB_LOG(LOG_INFO, "Removed uid 0.");
return(0);
--- 54,58 ----
setpruid(APACHE_UID);
setpeuid(APACHE_UID);
! setpgroups( [ APACHE_GID, APACHE_GID ] );
CB_LOG(LOG_INFO, "Removed uid 0.");
return(0);
Index: openssh.cb
===================================================================
RCS file: /cvsroot/cerber/cerb-ng/examples/openssh.cb,v
retrieving revision 1.36
retrieving revision 1.37
diff -C2 -d -r1.36 -r1.37
*** openssh.cb 14 Apr 2003 14:48:08 -0000 1.36
--- openssh.cb 8 May 2003 16:03:28 -0000 1.37
***************
*** 25,29 ****
--- 25,33 ----
#define SSHD_PNAME "sshd"
#define SSHD_UID GET_UID("sshd")
+ #if 0
#define SSHD_GID GET_GID("sshd")
+ #else
+ #define SSHD_GID 22
+ #endif
#define SSHD_INODE GET_INODE("/usr/sbin/sshd")
#define SSHD_DEV GET_DEV("/usr/sbin/sshd")
***************
*** 70,76 ****
setpruid(SSHD_UID);
setpeuid(SSHD_UID);
! setprgid(SSHD_GID);
! setpegid(SSHD_GID);
! setpgroups( [ 22, 22 ] );
CB_LOG(LOG_INFO, "Removed uid 0.");
return 0;
--- 74,78 ----
setpruid(SSHD_UID);
setpeuid(SSHD_UID);
! setpgroups( [ SSHD_GID, SSHD_GID ] );
CB_LOG(LOG_INFO, "Removed uid 0.");
return 0;
|