patch: http://fredemmott.co.uk/files/rp.patch
This adds a whitelist of programs such as /bin/login and /sbin/agetty which
may be ran as root without the USB device prescent. It also includes my
earlier patch to check the USB device's serial number as well as
vendor/product.
This is not meant for inclusion; I'd appreciate comments on anything I've done
wrong, and suggestions on how to make it distribution neutral (at the moment
it probably only works correctly on slackware) - I'm thinking of adding a
security/root_plug_relax/ directory containing files such as "slackware.h"
"redhat.h" etc.
Thanks for your time,
--
Fred Emmott
(http://www.fredemmott.co.uk)
Fred Emmott wrote:
> patch: http://fredemmott.co.uk/files/rp.patch
>
> This adds a whitelist of programs such as /bin/login and /sbin/agetty which
> may be ran as root without the USB device prescent. It also includes my
> earlier patch to check the USB device's serial number as well as
> vendor/product.
>
> This is not meant for inclusion; I'd appreciate comments on anything I've done
> wrong, and suggestions on how to make it distribution neutral (at the moment
> it probably only works correctly on slackware) - I'm thinking of adding a
> security/root_plug_relax/ directory containing files such as "slackware.h"
> "redhat.h" etc.
>
> Thanks for your time,
>
Not Found
The requested URL /files/rp.patch was not found on this server.
--
~Randy
On Saturday 27 Nov 2004 23:50, you wrote:
[snip]
>
> Not Found
> The requested URL /files/rp.patch was not found on this server.
Sorry, http://fredemmott.co.uk/files/rp.diff - added a symlink for readers of
original message.
--
Fred Emmott
(http://www.fredemmott.co.uk)
* Fred Emmott ([email protected]) wrote:
> patch: http://fredemmott.co.uk/files/rp.patch
>
> This adds a whitelist of programs such as /bin/login and /sbin/agetty which
> may be ran as root without the USB device prescent. It also includes my
> earlier patch to check the USB device's serial number as well as
> vendor/product.
>
> This is not meant for inclusion; I'd appreciate comments on anything I've done
> wrong, and suggestions on how to make it distribution neutral (at the moment
> it probably only works correctly on slackware) - I'm thinking of adding a
> security/root_plug_relax/ directory containing files such as "slackware.h"
> "redhat.h" etc.
There's a couple of problems here. First, the serial number thing
should be done differently. The serial number should be spcecified by
a module parameter, and just store it as u8 and do direct compare (this
will eliminate the unecessary kmalloc, and the subsequent memory leak
you introduced). Second, the relax stuff should not be done via config
parameters. It, of course, undermines the point of the module, but if
you want to do it, make it done via userspace writing to some exposed fs
(e.g.. echo /usr/bin/foo > ..../relax). Finally, do the lookup there,
and then keep your whitelist as inode based, not pathname based.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net