From: <da...@us...> - 2002-09-15 12:38:24
Update of /cvsroot/cerber/cerb-ng/examples In directory usw-pr-cvs1:/tmp/cvs-serv31283/examples Modified Files: end.cb openssh.cb passwd.cb ping.cb start.cb Log Message: - Updated example files. - Implemented rest of [gs]etp*() functions and all fd2*() functions. - Changed MCB_DEBUG() and MCB_XDEBUG() macros to work with format strings. - Modfied fcb_desc_getname() function. - Removed old comments. - Arguments for operations functions are now in CB_OPARGS #define. Index: end.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/end.cb,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -C2 -d -r1.1.1.1 -r1.2 *** end.cb 10 Aug 2002 19:17:35 -0000 1.1.1.1 --- end.cb 15 Sep 2002 12:38:20 -0000 1.2 *************** *** 1,4 **** /* ! * Example cerb-ng configuration file on end * * $Id$ --- 1,4 ---- /* ! * Example cerb configuration file on end * * $Id$ *************** *** 7,11 **** /* if sugid wasn't defined earlier, it means that we want to block it */ ? pruid != peuid || prgid != pegid { ! return(EPERM) } /* --- 7,11 ---- /* if sugid wasn't defined earlier, it means that we want to block it */ ? pruid != peuid || prgid != pegid { ! return(EPERM); } /* *************** *** 18,22 **** syscall == kldunload || syscall == reboot { ! return(EPERM) } ! return(call()) --- 18,28 ---- syscall == kldunload || syscall == reboot { ! return(EPERM); } ! if (syscall == execve) { ! /* We want to log all execve() activity. */ ! log "!INFO! Running %s (proc=%s, ruid=%u, rgid=%u, euid=%u, egid=%u)", ! realpath(arg[0]), pname, pruid, prgid, peuid, pegid); ! } ! ! return(call()); Index: openssh.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/openssh.cb,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** openssh.cb 5 Sep 2002 01:13:30 -0000 1.2 --- openssh.cb 15 Sep 2002 12:38:20 -0000 1.3 *************** *** 1,4 **** /* ! 
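Review bot: The `log` statement added to the execve block of end.cb starts as `log "!INFO! Running %s ...` with no opening parenthesis but ends with `pegid);`, so the call is unbalanced; every other `log(` call in this commit is parenthesised, and it should read `log("!INFO! Running %s (proc=%s, ruid=%u, rgid=%u, euid=%u, egid=%u)",`. The same kind of slip recurs later in the commit: a stray `)` in `getdev(reg[0]) == DEV_SSHD) {` (openssh.cb) and in `getinode(arg[0]) != INODE_PWD_MKDB) {` (passwd.cb), and the setgid/setegid branch of openssh.cb is left as `setpeuid 0`, `reg[1] = call`, `return reg[1]` without the parentheses and semicolons used everywhere else. Because these files are shipped as examples of policy that is meant to be loaded, a rule that fails to parse presumably means the policy is not enforced, so they are worth fixing before release.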
* Example cerb-ng configuration file for /usr/sbin/sshd (OpenSSH) * * $Id$ --- 1,4 ---- /* ! * Example cerb configuration file for /usr/sbin/sshd (OpenSSH) * * $Id$ *************** *** 12,16 **** SSHD_GID = GET_GID("sshd") ! SSHDINODE = GET_INODE("/usr/sbin/sshd") /* --- 12,21 ---- SSHD_GID = GET_GID("sshd") ! /* ! * Only inode's number and inode's device made us ! * sure that we're talking about our sshd. ! */ ! INODE_SSHD = 1337 ! DEV_SSHD = 1338 /* *************** *** 19,95 **** */ ? syscall == execve && pruid == 0 { ! reg[0] = realpath(name) ! ? reg[0] == "/usr/sbin/sshd" && inode == SSHDINODE { ! reg[0] = call() if reg[0] != 0 { ! return(reg[0]) } /* everything correct, removing uid and gid 0 */ ! setpeuid(SSHD_UID) ! setpruid(SSHD_UID) ! setpegid(SSHD_GID) ! setprgid(SSHD_GID) ! return(0) } } ! ? pname == PNAME && pinode == SSHDINODE { ? syscall == execve { /* * if sshd have no longer SSHD_UID uid, that means, that setuid() ! * was done already, su sshd can run only shells */ ? pruid != SSHD_UID { ! ? (name == "/bin/sh" && inode == GET_INODE("/bin/sh")) || ! (name == "/bin/tcsh" && inode == GET_INODE("/bin/tcsh")) { ! return(call()) } ! return(EACCESS) } /* * sshd can only run sshd on SIGHUP ! * (it can run also login programm if UseLogin yes, but...) */ ! reg[0] = realpath(name) ? reg[0] == "/usr/sbin/sshd" && ! inode == SSHDINODE { ! return(call()) } ! return(EPERM) } ? syscall == open { ! ? name == "/var/run/sshd.pid" && ! flags == (O_WRONLY | O_CREAT | O_TRUNC) { /* setting effective uid to 0 */ ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! setpeuid(reg[0]) ! return(reg[1]) } ! ? flags == O_RDWR { ! ? name == "/etc/skeykeys" || ! name == "/var/log/lastlog" || ! name == "/var/log/utmp" { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! setpeuid(reg[0]) ! return(reg[1]) } } ! ? name == "/var/log/utmp" && flags == (O_WRONLY | O_CREAT) { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! 
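Review bot: `INODE_SSHD = 1337` and `DEV_SSHD = 1338` replace the old `GET_INODE("/usr/sbin/sshd")` lookup with fixed numbers that look like samples, and the comment above them does not say so. If the values do not match the installed binary, neither the root execve rule that drops to SSHD_UID nor the `pname == PNAME && pinode == INODE_SSHD && pdev == DEV_SSHD` block will match, so as far as the visible rules show sshd would run outside this policy. I would extend the comment to something like `/* Sample values: replace with the inode and device numbers of /usr/sbin/sshd on this host and update them after every sshd upgrade. */`.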
setpeuid(reg[0]) ! return(reg[1]) } ! ? name == "/var/log/wtmp" && flags == (O_WRONLY | O_APPEND) { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! setpeuid(reg[0]) ! return(reg[1]) } /* --- 24,108 ---- */ ? syscall == execve && pruid == 0 { ! reg[0] = realpath(name); ! ? reg[0] == "/usr/sbin/sshd" && getinode(reg[0]) == INODE_SSHD && ! getdev(reg[0]) == DEV_SSHD { ! reg[0] = call(); if reg[0] != 0 { ! return(reg[0]); } /* everything correct, removing uid and gid 0 */ ! setpruid(SSHD_UID); ! setpeuid(SSHD_UID); ! setprgid(SSHD_GID); ! setpegid(SSHD_GID); ! return(0); } } ! ? pname == PNAME && pinode == INODE_SSHD && pdev == DEV_SSHD { ? syscall == execve { /* * if sshd have no longer SSHD_UID uid, that means, that setuid() ! * was done already, so sshd can run only shells */ ? pruid != SSHD_UID { ! ? arg[0] == "/bin/sh" || arg[0] == "/bin/tcsh" || ! arg[0] == "/bin/zsh" { ! return(call()); } ! log("!WARN! Attempt to run invalid shell %s (proc=%s, " ! "ruid=%u, rgid=%u, euid=%u, egid=%u)", ! realpath(arg[0]), pname, pruid, prgid, peuid, pegid); ! return(EACCESS); } /* * sshd can only run sshd on SIGHUP ! * (it can run also login program if UseLogin yes, but...) */ ! reg[0] = realpath(name); ? reg[0] == "/usr/sbin/sshd" && ! getinode(reg[0]) == INODE_SSHD && ! getdev(reg[0]) == DEV_SSHD) { ! return(call()); } ! log("!WARN! Attempt to run %s (proc=%s, ruid=%u, rgid=%u, " ! "euid=%u, egid=%u)", realpath(arg[0]), pname, pruid, prgid, ! peuid, pegid); ! return(EPERM); } ? syscall == open { ! ? arg[0] == "/var/run/sshd.pid" && ! arg[1] == (O_WRONLY | O_CREAT | O_TRUNC) { /* setting effective uid to 0 */ ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } ! ? arg[1] == O_RDWR { ! ? arg[0] == "/etc/skeykeys" || ! arg[0] == "/var/log/lastlog" || ! arg[0] == "/var/log/utmp" { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } } ! ? 
arg[0] == "/var/log/utmp" && arg[1] == (O_WRONLY | O_CREAT) { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } ! ? arg[0] == "/var/log/wtmp" && arg[1] == (O_WRONLY | O_APPEND) { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } /* *************** *** 97,198 **** * chance to read file as normal user */ ! ? flags == O_RDONLY { ! ? name == "/etc/spwd.db" || ! name == "/etc/ssh/ssh_host_dsa_key" || ! name == "/etc/ssh/ssh_host_key" { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! setpeuid(reg[0]) ! return(reg[1]) } } } ? syscall == __sysctl { ! ? operation == write { ! ? name == "kern.proc.args" || ! name == "sysctl.name2oid" { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling __sysctl() */ ! setpeuid(reg[0]) ! return(reg[1]) } } } ! ? syscall == seteuid { ! ? euid >= 1000 || (PERMIT_ROOT_LOGIN == 1 && euid == 0) { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling seteuid() */ if reg[1] != 0 { ! setpeuid(reg[0]) } ! return(reg[1]) ! } ! } ! ? syscall == setegid { ! ? egid >= 1000 || (PERMIT_ROOT_LOGIN == 1 && egid == 0) { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling setegid() */ ! setpeuid(reg[0]) ! return(reg[1]) } } ! ? syscall == setuid { ! ? uid >= 1000 || (PERMIT_ROOT_LOGIN == 1 && uid == 0) { reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling setuid() */ ! if reg[1] != 0 { ! setpeuid(reg[0]) ! } ! return(reg[1]) } } ! ? syscall == setgid { ! ? gid >= 1000 || (PERMIT_ROOT_LOGIN == 1 && gid == 0) { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling setegid() */ ! setpeuid(reg[0]) ! return(reg[1]) ! } } ? syscall == chown { ! ? name ~ "/dev/tty?" { ! ? (nouid >= 1000 || ! (PERMIT_ROOT_LOGIN == 1 && nouid == 0)) && ! (nogid >= 1000 || nogid == -1 || nogid == 4 || ! (PERMIT_ROOT_LOGIN == 1 && nogid == 0)) { ! reg[0] = peuid ! setpeuid(0) ! 
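Review bot: The post-setuid shell check `arg[0] == "/bin/sh" || arg[0] == "/bin/tcsh" || arg[0] == "/bin/zsh"` compares the raw path argument only, while the version it replaces also pinned the inode and the sshd re-exec check in this same hunk resolves the path and checks inode and device. That leaves the shell branch as the weakest identity check in the file; at minimum resolve the path first, `reg[0] = realpath(arg[0]);` followed by `? reg[0] == "/bin/sh" || reg[0] == "/bin/tcsh" || reg[0] == "/bin/zsh" {`, and consider inode/device constants for the shells as is done for sshd. The two `reg[0] = realpath(name);` lines also still use `name` although the rest of the hunk moved to `arg[0]`; whether `name` is still defined is not visible here. The enclosing `syscall == open` block continues past the end of this hunk.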
reg[1] = call() /* calling chown() */ ! setpeuid(reg[0]) ! return(reg[1]) } } } ? syscall == chmod { ! ? name ~ "/dev/tty?" { ! ? mode == OCTAL(0620) || ! mode == OCTAL(0622) || ! mode == OCTAL(0666) { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling chown() */ ! setpeuid(reg[0]) ! return(reg[1]) } } } ? syscall == unlink { ! ? name ~ "/var/run/sshd.pid" { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! setpeuid(reg[0]) ! return(reg[1]) } } --- 110,202 ---- * chance to read file as normal user */ ! ? arg[1] == O_RDONLY { ! ? arg[0] == "/etc/spwd.db" || ! arg[0] == "/etc/ssh/ssh_host_dsa_key" || ! arg[0] == "/etc/ssh/ssh_host_key" { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } } } ? syscall == __sysctl { ! /* this means that process want to change sysctl value */ ! ? arg[4] != 0 { ! reg[0] = getsysctlname(arg[0], arg[1]); ! ? reg[0] == "kern.proc.args" || ! reg[0] == "sysctl.name2oid" { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling __sysctl() */ ! setpeuid(reg[0]); ! return(reg[1]); } } } ! ? syscall == setuid || syscall == seteuid { ! ? arg[0] >= 1000 || (PERMIT_ROOT_LOGIN == 1 && arg[0] == 0) { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling set[e]uid() */ if reg[1] != 0 { ! setpeuid(reg[0]); } ! return(reg[1]); } } ! ? syscall == setgid || syscall == setegid { ! ? arg[0] >= 1000 || (PERMIT_ROOT_LOGIN == 1 && arg[0] == 0) { reg[0] = peuid ! setpeuid 0 ! reg[1] = call /* calling setegid() */ ! setpeuid reg[0] ! return reg[1] } } ! ? syscall == getuid { ! /* Och, process is trying to check his uid:) */ ! pretval0 = 0 ! /* We don't even call getuid() syscall */ ! return(0); } ? syscall == chown { ! ? arg[0] ~ "/dev/tty?" { ! /* we'r getting file owner uid and gid */ ! reg[0] = getouid(arg[0]); ! reg[1] = getogid(arg[0]); ! ? (reg[0] >= 1000 || ! (PERMIT_ROOT_LOGIN == 1 && reg[0] == 0)) && ! 
(reg[1] >= 1000 || reg[1] == -1 || reg[1] == 4 || ! (PERMIT_ROOT_LOGIN == 1 && reg[1] == 0)) { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling chown() */ ! setpeuid(reg[0]); ! return(reg[1]); } } } ? syscall == chmod { ! ? arg[0] ~ "/dev/tty?" { ! ? arg[1] == OCTAL(0620) || ! arg[1] == OCTAL(0622) || ! arg[1] == OCTAL(0666) { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling chown() */ ! setpeuid(reg[0]); ! return(reg[1]); } } } ? syscall == unlink { ! ? arg[0] == "/var/run/sshd.pid" { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } } *************** *** 200,206 **** /* ! * we don't have to wory about rest syscalls, ! * because sshd isn't run as root */ ! return(call()) } --- 204,210 ---- /* ! * We're blockin all rest, because we don't want to remote attacker can ! * use kernels hole (for example in syscalls). */ ! return(EPERM); } Index: passwd.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/passwd.cb,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** passwd.cb 5 Sep 2002 01:13:30 -0000 1.2 --- passwd.cb 15 Sep 2002 12:38:20 -0000 1.3 *************** *** 1,4 **** /* ! * example cerb-ng configuration file for /usr/bin/passwd * * $Id$ --- 1,4 ---- /* ! * example cerb configuration file for /usr/bin/passwd * * $Id$ *************** *** 9,16 **** PNAME = passwd ! PASSWDINODE = GET_INODE("/usr/bin/passwd") ! PWDMKDBINODE = GET_INODE("/usr/sbin/pwd_mkdb") ! ? pname == PNAME && pinode == PASSWDINODE { /* checking process real uid */ ? pruid == 0 { /* if root is calling passwd, checks are not needed */ --- 9,16 ---- PNAME = passwd ! INODE_PASSWD = 666 ! INODE_PWD_MKDB = 31337 ! ? pname == PNAME && pinode == INODE_PASSWD { /* checking process real uid */ ? pruid == 0 { /* if root is calling passwd, checks are not needed */ *************** *** 19,25 **** ? 
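Review bot: The chown rule for `/dev/tty?` now tests `getouid(arg[0])` and `getogid(arg[0])`, which by the comment above them are the file's current owner and group, where the replaced code tested the requested `nouid`/`nogid`; the retained `reg[1] == -1` case only makes sense for a requested gid. As written the uid and gid that sshd asks for are never examined before the call is made with effective uid 0, so the rule no longer limits who a tty can be handed to. If the chown arguments follow the `arg[]` convention used elsewhere in this commit, the condition should test `arg[1]` and `arg[2]` in place of `reg[0]` and `reg[1]`, and the two `getouid`/`getogid` assignments can go. Separately, the new getuid rule sets `pretval0 = 0` without a semicolon and makes the process see uid 0 without calling the syscall; a comment explaining why sshd needs that would help the next reader. The enclosing `pname == PNAME` block opens in the previous hunk.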
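Review bot: `pinode == INODE_PASSWD` identifies passwd by inode number alone, although openssh.cb in this same commit notes that only inode number and device together identify the binary and checks `pdev == DEV_SSHD` as well. Inode numbers are unique per filesystem only, so a binary named passwd with a matching inode on another filesystem would, as far as these rules show, receive the same effective-uid-0 grants; the same applies to `INODE_PWD_MKDB` in the execve check and to `INODE_PING` in ping.cb. I would add a device constant per binary (for example a `DEV_PASSWD` set to the device number of /usr/bin/passwd) and extend the match to `? pname == PNAME && pinode == INODE_PASSWD && pdev == DEV_PASSWD {`. The values 666, 31337 and 88 also read as samples and deserve a comment saying they must be replaced per host.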
syscall == execve { /* we gives access to execute only pwd_mkdb */ ! ? name != "/usr/sbin/pwd_mkdb" || ! inode != PWDMKDBINODE { ! return(EPERM) } --- 19,28 ---- ? syscall == execve { /* we gives access to execute only pwd_mkdb */ ! ? arg[0] != "/usr/sbin/pwd_mkdb" || ! getinode(arg[0]) != INODE_PWD_MKDB) { ! log("!!WARN!! Attempt to run %s (proc=%s, ruid=%u, " ! "rgid=%u, euid=%u, egid=%u)", realpath(arg[0]), ! pname, pruid, prgid, peuid, pegid); ! return(EPERM); } *************** *** 31,88 **** getstr(arg[1],3) != "/etc" || getstr(arg[1],4) != "-u" || ! getstr(arg[1],5) != plogin { ! return(EPERM) } /* now we set effective uid to 0 */ ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling execve() */ ! setpeuid(reg[0]) /* ! * switching back process effective uid, ! * because for pwd_mkdb we got ! * diffrent rules ! */ ! return(reg[1]) } ? syscall == open { ! ? flags == (O_CREAT | O_EXCL | O_RDWR) && mode == OCTAL(0600) { ! reg[0] = realpath(name) ? reg[0] ~ "/etc/pw.??????" { /* setting effective uid to 0 */ ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! setpeuid(reg[0]) ! return(reg[1]) } } ! ? flags == O_RDONLY { /* * passwd want to check old password, * so euid = 0 again */ ! ? name == "/etc/spwd.db" { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! setpeuid(reg[0]) ! return(reg[1]) } } } ? syscall == unlink { ? name ~ "/etc/pw.??????" { ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling open() */ ! setpeuid(reg[0]) ! return(reg[1]) } /* ! * we don't have to wory about rest of syscalls, * because passwd isn't set-uid-root */ ! return(call()) } --- 34,92 ---- getstr(arg[1],3) != "/etc" || getstr(arg[1],4) != "-u" || ! getstr(arg[1],5) != login { ! log("!!WARN!! Wrong arguments (proc=%s, ruid=%u, " ! "rgid=%u, euid=%u, egid=%u)", pname, pruid, prgid, ! peuid, pegid); ! return(EPERM); } /* now we set effective uid to 0 */ ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling execve() */ ! 
setpeuid(reg[0]); ! return(reg[1]); } ? syscall == open { ! /* we got open flags in arg[1] and mode in arg[2] */ ! ? arg[1] == (O_CREAT | O_EXCL | O_RDWR) && arg[2] == OCTAL(0600) { ! reg[0] = realpath(arg[0]); ? reg[0] ~ "/etc/pw.??????" { /* setting effective uid to 0 */ ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } } ! ? arg[1] == O_RDONLY { /* * passwd want to check old password, * so euid = 0 again */ ! ? arg[0] == "/etc/spwd.db" { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } } } ? syscall == unlink { + /* we can remove temporary files */ ? name ~ "/etc/pw.??????" { ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling open() */ ! setpeuid(reg[0]); ! return(reg[1]); } /* ! * we don't have to wory about rest syscalls, * because passwd isn't set-uid-root */ ! return(call()); } Index: ping.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/ping.cb,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** ping.cb 5 Sep 2002 01:13:30 -0000 1.2 --- ping.cb 15 Sep 2002 12:38:20 -0000 1.3 *************** *** 1,24 **** /* ! * example cerb-ng configuration file for /sbin/ping * * $Id$ */ ! /* Note that /sbin/ping should don't have set-uid-root */ PNAME = ping ! PINGINODE = GET_INODE("/sbin/ping") ! ! ? pname == "ping" && pinode == PINGINODE { ? syscall == socket { ! ? domain == AF_INET && type == SOCK_RAW && ! protocol == IPPROTO_ICMP { /* let's change effective uid to 0 */ ! reg[0] = peuid ! setpeuid(0) ! reg[1] = call() /* calling socket() */ ! setpeuid(reg[0]) ! return(reg[1]) } } --- 1,23 ---- /* ! * example cerb configuration file for /sbin/ping * * $Id$ */ ! /* Note that /sbin/ping don't need set-uid-root! */ PNAME = ping + INODE_PING = 88 ! ? pname == "ping" && pinode == INODE_PING { ? syscall == socket { ! ? 
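Review bot: The unlink rule still matches on `name ~ "/etc/pw.??????"` while the open rule in the same hunk was changed to resolve the path first with `reg[0] = realpath(arg[0]);` before matching the same pattern. Since the unlink is then performed with effective uid 0, it should get the same treatment: `reg[0] = realpath(arg[0]);` followed by `? reg[0] ~ "/etc/pw.??????" {`; whether `name` is still defined after the move to `arg[]` is not visible here. The comment on the call in that branch says `/* calling open() */` and should say `/* calling unlink() */`.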
arg[0] == AF_INET && arg[1] == SOCK_RAW && ! arg[2] == IPPROTO_ICMP { /* let's change effective uid to 0 */ ! reg[0] = peuid; ! setpeuid(0); ! reg[1] = call(); /* calling socket() */ ! setpeuid(reg[0]); ! return(reg[1]); } } Index: start.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/start.cb,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** start.cb 5 Sep 2002 01:13:30 -0000 1.2 --- start.cb 15 Sep 2002 12:38:20 -0000 1.3 *************** *** 1,4 **** /* ! * Example cerb-ng configuration file on start * * $Id$ --- 1,4 ---- /* ! * Example cerb configuration file on start * * $Id$ *************** *** 7,21 **** ? syscall == execve { /* ! * first of all we will check arguments and enviroments ! * tests what are made by check(args|envs) function: * - arg/env length (max length is defined with sysctl) * - number of args/envs (max is defined with sysctl) * - chars in args/envs are printable? */ ! ? (reg[0] = check_args) > 0 { ! return(reg[0]) /* something is wrong, don't call execve() */ } ! ? (reg[1] = check_envs) > 0 { ! return(reg[1]) /* something is wrong, don't call execve() */ } --- 7,43 ---- ? syscall == execve { /* ! * First of all we will check arguments and enviroments. ! * Tests that are made by check(args|envs) function: * - arg/env length (max length is defined with sysctl) * - number of args/envs (max is defined with sysctl) * - chars in args/envs are printable? */ ! ? (reg[0] = check_args()) > 0 { ! ? reg[0] == 1 { ! reg[1] = "Argument too long."; ! } ! ? reg[0] == 2 { ! reg[1] = "Too many arguments."; ! } ! ? reg[0] == 3 { ! reg[1] = "Suspicious char in argument."; ! } ! log("!WARN! %s (proc=%s, ruid=%u, rgid=%u, euid=%u, egid=%u)", ! reg[1], pname, pruid, prgid, peuid, pegid); ! return(EPERM); /* something is wrong, don't call execve() */ } ! ? (reg[1] = check_envs()) > 0 { ! ? reg[0] == 1 { ! reg[1] = "Environment too long."; ! } ! ? reg[0] == 2 { ! 
reg[1] = "Too many environments."; ! } ! ? reg[0] == 3 { ! reg[1] = "Suspicious char in environment."; ! } ! log("!WARN! %s (proc=%s, ruid=%u, rgid=%u, euid=%u, egid=%u)", ! reg[1], pname, pruid, prgid, peuid, pegid); ! return(EPERM); /* something is wrong, don't call execve() */ } *************** *** 31,52 **** */ ? pruid >= 1000 { ! rmenv("LD_*") /* ! * removing enviroments ! * that match to LD_* */ ! ? ouid >= 1000 { /* ! * only running own or other ! * users files arn't permited ! */ ! return(EPERM) } } } ! /* we could do this in diffrent way */ ? pruid >= 1000 { ! rmenv("LD_*") ! reg[0] = realpath(name) ! ? reg[0] ~ "/usr/home/*" || reg[0] ~ "/tmp/*" { ! return(EPERM) } } --- 53,83 ---- */ ? pruid >= 1000 { ! rmld("LD_*"); /* ! * removing enviroments that ! * match to LD_* */ ! /* ! * getting owner uid of file specified as ! * first argument of syscall ! */ ! ? getouid(arg[1]) >= 1000 { /* ! * user can only ! * run system binaries ! */ ! log("!WARN! Don't have permission to run %s " ! "(proc=%s, ruid=%u, rgid=%u, euid=%u, " ! "egid=%u)", realpath(arg[0]), pname, pruid, ! prgid, peuid, pegid); ! return(EPERM); } } } ! /* and diffrent way to do ,,noexec'' mechanism */ ? pruid >= 1000 { ! rmld("LD_*"); ! reg[0] = realpath(arg[0]); ! ? reg[0] ~ "/usr/home/*" || reg[0] ~ "/tmp/*" || ! reg[0] ~ "/var/tmp/*" { ! return(EPERM); } } |
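Review bot: In the environment branch the result of `check_envs()` is stored in `reg[1]`, but the three comparisons that pick the message test `reg[0]`, which still holds the `check_args()` result and cannot be greater than 0 at that point. None of the messages is therefore assigned, and `log()` receives the numeric code in `reg[1]` for its `%s` argument instead of "Environment too long." and the like. Mirroring the argument branch fixes it with one change, `? (reg[0] = check_envs()) > 0 {`. The execve block continues past the end of this hunk.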
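Review bot: The ownership test `getouid(arg[1]) >= 1000` looks at the second execve argument, while its own comment says it checks the file given as the first argument and the log call just below resolves `realpath(arg[0])`; in passwd.cb `arg[1]` is read with `getstr()` as the argument vector. If that reading is right the owner check never sees the binary being executed, so it should be `? getouid(arg[0]) >= 1000 {`. The path-based variant at the end of the hunk returns EPERM without a `log(...)` call, unlike the other deny paths added here; adding one would keep denials visible to whoever reviews the logs. The enclosing execve block opens above this hunk.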