From: <da...@us...> - 2003-05-08 16:03:33
Update of /cvsroot/cerber/cerb-ng/examples In directory sc8-pr-cvs1:/tmp/cvs-serv8460 Modified Files: apache.cb openssh.cb Added Files: syslogd.cb Log Message: - New policy: syslogd. Submitted by: Michal Belczyk <di...@bs...> Corrected by: me - Don't use setprgid()/setpegid() when using setpgroups(). --- NEW FILE: syslogd.cb --- /* * Policy: syslogd. * * (c) 2003 Michal Belczyk <di...@bs...> * (c) 2003 Pawel Jakub Dawidek <ni...@ga...> * * $Id: syslogd.cb,v 1.1 2003/05/08 16:03:29 dawidek Exp $ */ /* * my syslogd is started like this: * syslogd -4n -a allowed_loggers -l /usr/jails/some.jail.path -b a.b.c.d * where a.b.c.d is the main IP; It's quite jail-friendly environment * --Michal Belczyk */ #include <errno.h> #include <fcntl.h> #include <sys/syscall.h> #include <sys/socket.h> #include <sys/syslog.h> #include "addons.cbh" #if CERB_VERSION < 2003032101 #error Newer CerbNG required for this policy. #endif #define SYSLOGD_PNAME "syslogd" #define SYSLOGD_UID GET_GID("syslogd") #if 0 #define SYSLOGD_GID GET_GID("syslogd") #else #define SYSLOGD_GID 672 #endif #define SYSLOGD_INODE GET_INODE("/usr/sbin/syslogd") #define SYSLOGD_DEV GET_DEV("/usr/sbin/syslogd") #define SYSLOGD_PID "/var/run/syslog.pid" #define SYSLOGD_IPS [ "0.0.0.0", "127.0.0.1", "0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0" ] #define SYSLOGD_PORT 514 #define SYSLOGD_JAILPATH "/path/to/jail" beginrules ADD_SYSCALL( SYS_execve, SYS_open, SYS_chmod, SYS_bind, SYS_unlink ); /* * first of all, if someone with real uid 0 executes syslogd, we will remove * uid and gid 0 from syslogd process */ if (syscall == SYS_execve && ruid == 0) { if (getinode(arg[0]) == SYSLOGD_INODE && getdev(arg[0]) == SYSLOGD_DEV) { reg[1] = call(); if (reg[1] != 0) { return reg[1]; } /* everything is correct, removing uid and gid 0 */ setpruid(SYSLOGD_UID); setpeuid(SYSLOGD_UID); setpgroups( [ SYSLOGD_GID, SYSLOGD_GID ] ); CB_LOG(LOG_INFO, "Removed uid 0."); return 0; } } if (finode == SYSLOGD_INODE && fdev == SYSLOGD_DEV && ruid == 
SYSLOGD_UID) { if (syscall == SYS_open) { reg[0] = 0; if (arg[1] == (O_WRONLY | O_CREAT | O_TRUNC) && arg[0] == SYSLOGD_PID) { reg[0] = 1; } if (arg[0] == "/dev/console") { if (arg[1] == O_WRONLY || arg[1] == (O_WRONLY | O_NONBLOCK) || arg[1] == (O_WRONLY | O_APPEND)) { return sucall(); } } if (arg[1] == (O_WRONLY | O_NONBLOCK) && arg[0] @ "/dev/ttyv?") { reg[0] = 1; } if (arg[1] == (O_WRONLY | O_APPEND)) { if (arg[0] @ "/dev/ttyv?" || arg[0] @ "/var/log/*") { reg[0] = 1; } } if (arg[1] == O_RDONLY && arg[0] == "/dev/klog") { reg[0] = 1; } if (reg[0]) { reg[1] = sucall(); CB_LOG(LOG_INFO, "Openning %s (flags=%x) [ret=%d].", arg[0], arg[1], reg[1]); return reg[1]; } } if (syscall == SYS_unlink) { if (arg[0] == _PATH_LOG || arg[0] == "/usr/jails/some.jail.path" _PATH_LOG) { reg[0] = euid; setpeuid(0); reg[1] = call(); CB_LOG(LOG_INFO, "Removing %s [ret=%d].", arg[0], reg[1]); setpeuid(reg[0]); return reg[1]; } } if (syscall == SYS_chmod) { if (arg[1] == 0666 && (arg[0] == _PATH_LOG || arg[0] == SYSLOGD_JAILPATH _PATH_LOG)) { reg[0] = euid; setpeuid(0); reg[1] = call(); CB_LOG(LOG_INFO, "Changing mode of %s to %o [ret=%d].", arg[0], arg[1], reg[1]); setpeuid(reg[0]); return reg[1]; } } if (syscall == SYS_bind && (getfamily(arg[1]) == AF_INET || getfamily(arg[1]) == AF_INET6)) { reg[1] = getport(arg[1]); reg[2] = getip(arg[1]); if (reg[1] == SYSLOGD_PORT && ismember(reg[2], SYSLOGD_IPS) >= 0) { reg[0] = sucall(); CB_LOG(LOG_INFO, "Binding to %s|%u [ret=%d].", reg[2], reg[1], reg[0]); return reg[0]; } } if (syscall == SYS_bind && getfamily(arg[1]) == AF_UNIX) { reg[1] = getunpath(arg[1]); if (reg[1] == _PATH_LOG || reg[1] == "/usr/jails/some.jail.path" _PATH_LOG) { reg[0] = sucall(); CB_LOG(LOG_INFO, "Binding to %s [ret=%d].", reg[1], reg[0]); return reg[0]; } } } else { if (syscall == SYS_bind && getfamily(arg[1]) == AF_INET) { if (!isjailed() || (isjailed() && ismember(getjailip(), SYSLOGD_IPS) >= 0)) { reg[0] = getport(arg[1]); if (reg[0] == SYSLOGD_PORT) { 
CB_LOG(LOG_INFO, "Port %u is reserved for " "syslogd(8)!", reg[0]); return EPERM; } } } } endrules Index: apache.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/apache.cb,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** apache.cb 17 Apr 2003 05:41:30 -0000 1.8 --- apache.cb 8 May 2003 16:03:28 -0000 1.9 *************** *** 22,26 **** --- 22,30 ---- #define APACHE_PNAME "httpd" #define APACHE_UID GET_UID("nobody") + #if 0 #define APACHE_GID GET_GID("nobody") + #else + #define APACHE_GID 65534 + #endif #define APACHE_INODE GET_INODE("/usr/local/sbin/httpd") #define APACHE_DEV GET_DEV("/usr/local/sbin/httpd") *************** *** 50,56 **** setpruid(APACHE_UID); setpeuid(APACHE_UID); ! setprgid(APACHE_GID); ! setpegid(APACHE_GID); ! setpgroups( [ 65534, 65534 ] ); CB_LOG(LOG_INFO, "Removed uid 0."); return(0); --- 54,58 ---- setpruid(APACHE_UID); setpeuid(APACHE_UID); ! setpgroups( [ APACHE_GID, APACHE_GID ] ); CB_LOG(LOG_INFO, "Removed uid 0."); return(0); Index: openssh.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/openssh.cb,v retrieving revision 1.36 retrieving revision 1.37 diff -C2 -d -r1.36 -r1.37 *** openssh.cb 14 Apr 2003 14:48:08 -0000 1.36 --- openssh.cb 8 May 2003 16:03:28 -0000 1.37 *************** *** 25,29 **** --- 25,33 ---- #define SSHD_PNAME "sshd" #define SSHD_UID GET_UID("sshd") + #if 0 #define SSHD_GID GET_GID("sshd") + #else + #define SSHD_GID 22 + #endif #define SSHD_INODE GET_INODE("/usr/sbin/sshd") #define SSHD_DEV GET_DEV("/usr/sbin/sshd") *************** *** 70,76 **** setpruid(SSHD_UID); setpeuid(SSHD_UID); ! setprgid(SSHD_GID); ! setpegid(SSHD_GID); ! setpgroups( [ 22, 22 ] ); CB_LOG(LOG_INFO, "Removed uid 0."); return 0; --- 74,78 ---- setpruid(SSHD_UID); setpeuid(SSHD_UID); ! setpgroups( [ SSHD_GID, SSHD_GID ] ); CB_LOG(LOG_INFO, "Removed uid 0."); return 0; |
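Review bot: `#define SYSLOGD_UID GET_GID("syslogd")` in the new file's define block looks up a group where a user id is needed, so the setpruid()/setpeuid() calls in the execve rule drop root to whatever uid happens to equal syslogd's gid, and the `ruid == SYSLOGD_UID` gate on every later rule keys on that same wrong uid; apache.cb and openssh.cb both use GET_UID for their *_UID, so this should read `#define SYSLOGD_UID GET_UID("syslogd")`. The unlink rule and the AF_UNIX bind rule also hardcode `"/usr/jails/some.jail.path" _PATH_LOG` while the chmod rule uses `SYSLOGD_JAILPATH _PATH_LOG` (defined as "/path/to/jail"), so an admin who edits SYSLOGD_JAILPATH still cannot unlink or bind the jail's log socket; both literals should become `SYSLOGD_JAILPATH _PATH_LOG`. Finally, the allow rule accepts AF_INET6 binds to SYSLOGD_PORT but the `else` branch only denies AF_INET, so an unrelated process can still claim port 514 over IPv6; the deny condition should cover `getfamily(arg[1]) == AF_INET6` as well, with the same jail-IP check if getjailip() is meaningful for v6 (not visible here, confirm).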
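Review bot: The `#if 0`/`#else` around APACHE_GID in the first apache.cb hunk disables the GET_GID("nobody") lookup and bakes gid 65534 into the policy with no comment saying why, so a reader cannot tell whether the lookup is broken or merely unusable inside the `setpgroups( [ ... ] )` literal, and the number silently goes stale on any host where the nobody group is not 65534. Suggest a comment above the `#if 0`, e.g. `/* GET_GID() is deliberately bypassed here -- TODO: state why; the literal below must match the nobody group in /etc/group on this host. */`. The second hunk replaces setprgid()/setpegid() with `setpgroups( [ APACHE_GID, APACHE_GID ] )`, so that one call now carries the whole group-side privilege drop; whether it also changes the real gid is not visible here, and a one-line comment on the call stating what setpgroups() sets would make the drop path reviewable. The enclosing execve rule begins and ends outside the hunk.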
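Review bot: `#define SSHD_GID 22` in the first openssh.cb hunk replaces a runtime GET_GID("sshd") lookup with a literal that is only correct where the sshd group really is gid 22, and nothing in the hunk ties the two together, so on a host with a different sshd gid the privilege drop lands in the wrong group without any policy-load error. At minimum the `#if 0` block needs a comment such as `/* GET_GID("sshd") is deliberately bypassed here -- TODO: state why; the literal below must match the sshd group in /etc/group on this host. */`, since neither the log message nor the code explains why the lookup is disabled. The `setpgroups( [ SSHD_GID, SSHD_GID ] )` line in the second hunk now does all of the group-side drop on its own; the enclosing execve rule begins and ends outside the hunk.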