LJ Archive

Listing 4. Disallowing Execution of suid Programs

for exec "/usr/sbin/in.telnetd" {
  // mark this process: it must not run set-uid programs
  // (the mark is carried over to the processes it spawns,
  // so the login shell behind a telnet session is marked too)
  flags = 1;
  // monitor its attempts to run a set-uid program
  procact = P_SEXEC;
}
// called when a sexec event appears
on sexec {
  // is this a marked process?
  if (flags == 1) {
    // do not grant the set-uid privilege to the new image
    answer = NO;
  }
}

Output Messages

[robo@unicorn robo]$ ls -l /bin/ping
-rwsr-xr-x   1 root    root    18228 Sep 10 22:04 /bin/ping
[robo@unicorn robo]$ ping localhost
PING localhost.localdomain (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.7 ms
--- localhost.localdomain ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.7/0.7 ms
[robo@unicorn robo]$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.14 on an i586
login: robo
PAM_pwdb[1655]: (login) session opened for user robo by (uid=0)
Last login: Sat Jan 22 23:19:13 on tty3
[robo@unicorn robo]$ ping localhost
ping: socket: Operation not permitted
[robo@unicorn robo]$ exit
Connection closed by foreign host.
[robo@unicorn robo]$ ping localhost
PING localhost.localdomain (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.7 ms
--- localhost.localdomain ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.7/0.7 ms
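What the transcript shows: the same user runs the same set-uid-root /bin/ping, and it works from the console but fails inside the telnet session. Note that ping is still executed in the telnet case; it fails at socket() because it did not receive root privileges, which is the effect of answer = NO on the sexec event for a process descended from in.telnetd. The following Python model, written for this page and not taken from Medusa DS9, Constable or the article, reproduces that reasoning: the flag is set when a process execs in.telnetd, is inherited across fork, and causes a set-uid image to run with the caller's own uid. The uid 500, the process chains (init, mingetty/inetd, login, bash), the set of set-uid binaries and the rule that a raw socket needs euid 0 are assumptions made for the illustration.

```python
from dataclasses import dataclass

TELNETD = "/usr/sbin/in.telnetd"
NO_SUID = 1                                    # the value written to 'flags' in Listing 4
SUID_ROOT = {"/bin/ping", "/usr/bin/passwd"}   # assumed set-uid-root images on the box
USER_UID = 500                                 # assumed uid of user 'robo'


@dataclass
class Process:
    image: str
    uid: int
    euid: int
    flags: int = 0


def fork(parent: Process) -> Process:
    """A child starts as a copy of its parent, the Medusa flag included."""
    return Process(parent.image, parent.uid, parent.euid, parent.flags)


def sexec_answer(proc: Process) -> bool:
    """The 'on sexec' handler of Listing 4: NO (False) for a flagged process."""
    return proc.flags != NO_SUID


def exec_image(proc: Process, path: str) -> Process:
    """Replace the process image.  A set-uid-root image gets euid 0 only when
    sexec is answered YES; otherwise it runs with the caller's own uid."""
    if path in SUID_ROOT:
        proc.euid = 0 if sexec_answer(proc) else proc.uid
    proc.image = path
    if path == TELNETD:            # the 'for exec "/usr/sbin/in.telnetd"' clause fires here
        proc.flags = NO_SUID
    return proc


def login_as(proc: Process, uid: int) -> Process:
    """login(1) drops to the user's uid, then execs the shell (assumed flow)."""
    proc.uid = proc.euid = uid
    return exec_image(proc, "/bin/bash")


def run_ping(shell: Process) -> str:
    """ping opens a raw ICMP socket, which we assume requires euid 0."""
    child = exec_image(fork(shell), "/bin/ping")
    return "ok" if child.euid == 0 else "ping: socket: Operation not permitted"


def console_session(uid: int = USER_UID) -> str:
    """init -> mingetty -> login -> bash -> ping (no telnetd in the ancestry)."""
    init = Process("/sbin/init", 0, 0)
    getty = exec_image(fork(init), "/sbin/mingetty")
    login = exec_image(getty, "/bin/login")
    return run_ping(login_as(login, uid))


def telnet_session(uid: int = USER_UID) -> str:
    """init -> inetd -> in.telnetd -> login -> bash -> ping (flag set at telnetd)."""
    init = Process("/sbin/init", 0, 0)
    inetd = exec_image(fork(init), "/usr/sbin/inetd")
    telnetd = exec_image(fork(inetd), TELNETD)
    login = exec_image(fork(telnetd), "/bin/login")
    return run_ping(login_as(login, uid))


if __name__ == "__main__":
    print("console:", console_session())
    print("telnet: ", telnet_session())
```

The model makes the inheritance visible: nothing in the policy names /bin/login or /bin/bash, yet ping run from the telnet shell is affected because every process in that chain is a fork of the one that execd in.telnetd. It also makes the limit of the policy visible: a user who is already root (uid 0) loses nothing from the denied set-uid elevation, so the rule only removes privilege escalation paths, not root's own abilities.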