From 0309554711a65c74719da89a23f14dfa4dcbeea1 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Mon, 5 Jun 2000 14:53:55 +0000
Subject: [PATCH] o Introduce kern.suser_permitted, a sysctl that disables the suser_xxx() returning anything but EPERM.
o suser is enabled by default; once disabled, cannot be reenabled
o To be used in alternative security models where uid0 does not connote additional privileges
o Should be noted that uid0 still has some additional powers as it owns many important files and executables, so suffers from the same fundamental security flaws as securelevels. This is fixed with MAC integrity protection code (in progress)
o Not safe for consumption unless you are *really* sure you don't want things like shutdown to work, et al :-)
Obtained from: TrustedBSD Project
---
 sys/kern/kern_mib.c | 24 ++++++++++++++++++++++++
 sys/kern/kern_prot.c | 2 ++
 sys/sys/systm.h | 1 +
 3 files changed, 27 insertions(+)
diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c
index 35c70fb19b1..bc480c32d73 100644
--- a/sys/kern/kern_mib.c
+++ b/sys/kern/kern_mib.c
@@ -182,6 +182,30 @@ sysctl_kern_securelvl SYSCTL_HANDLER_ARGS
 SYSCTL_PROC(_kern, KERN_SECURELVL, securelevel, CTLTYPE_INT|CTLFLAG_RW,
 0, 0, sysctl_kern_securelvl, "I", "Current secure level");
 
+int suser_permitted = 1;
+
+static int
+sysctl_kern_suser_permitted SYSCTL_HANDLER_ARGS
+{
+ int error, flag;
+
+ flag = suser_permitted;
+
+ error = sysctl_handle_int(oidp, &flag, 0, req);
+ if (error || !req->newptr)
+ return (error);
+ if (flag != 0 && flag != 1)
+ return(EPERM);
+ if (!suser_permitted)
+ return(EPERM);
+ suser_permitted = flag;
+ return (0);
+}
+
+SYSCTL_PROC(_kern, OID_AUTO, suser_permitted,
+ CTLTYPE_INT|CTLFLAG_RW, 0, 0, sysctl_kern_suser_permitted, "I",
+ "processes with uid 0 have privilege");
+
 char domainname[MAXHOSTNAMELEN];
 SYSCTL_STRING(_kern, KERN_NISDOMAINNAME, domainname, CTLFLAG_RW,
 &domainname, sizeof(domainname), "Name of the current YP/NIS domain");
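Review bot: The range check `if (flag != 0 && flag != 1)` in sysctl_kern_suser_permitted returns EPERM for a malformed value, which makes a bad value written to the sysctl indistinguishable from the latched-off refusal two lines below; EINVAL is the conventional errno for an out-of-range sysctl value, so `if (flag != 0 && flag != 1) return (EINVAL);`. The one-way semantics are also undocumented at the point where they are enforced; a comment ahead of the `if (!suser_permitted)` test such as `/* One-way switch: once cleared, no caller has privilege to write it again. */` would spare the next reader a trip to systm.h to learn why a write of 1 is refused. The two `return(EPERM);` lines should be spelled `return (EPERM);` to match style(9) and the other returns in the same function.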
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 3be52c888ca..9194e55eb16 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -950,6 +950,8 @@ suser_xxx(cred, proc, flag)
 struct proc *proc;
 int flag;
 {
+ if (!suser_permitted)
+ return (EPERM);
 if (!cred && !proc) {
 printf("suser_xxx(): THINK!\n");
 return (EPERM);
diff --git a/sys/sys/systm.h b/sys/sys/systm.h
index 3f900a8cd25..059fd8929cd 100644
--- a/sys/sys/systm.h
+++ b/sys/sys/systm.h
@@ -47,6 +47,7 @@
 #include
 extern int securelevel; /* system security level (see init(8)) */
+extern int suser_permitted; /* suser_xxx() is permitted to return 0 */
 extern int cold; /* nonzero if we are doing a cold boot */
 extern const char *panicstr; /* panic message */
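Review bot: The new `if (!suser_permitted)` test in suser_xxx() sits ahead of the existing `!cred && !proc` sanity check, so once the latch is cleared a caller that passes neither a cred nor a proc is refused silently and the `suser_xxx(): THINK!` diagnostic for that programming error never prints; placing the two new lines after that block keeps the diagnostic while returning the same EPERM. A one-line comment on the test, e.g. `/* kern.suser_permitted: global one-way privilege latch, see kern_mib.c */`, would tell a reader why a uid-0 caller is refused here before any credential is examined. The latch only covers code paths that consult suser_xxx(); any caller that compares cr_uid against 0 directly would be unaffected, which the commit message acknowledges but nothing in the code marks. The body of suser_xxx() continues past the end of the hunk.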