For information about this patch, see the message I sent in earlier to
the list. This revised patch simply makes use of the new find_lib()
function, and makes the default hard file size (PAM) 100MB (was 40MB).
More to come soon : )
And please, someone inform me of who is currently maintaining msec so
that I may send the patch directly to that person instead of the list.
(unless the list wants to see all the patch information).
NOTE: This is a revised patch, not an incremental update on top of the earlier one.
It applies against vanilla msec-0.18 (mdk rel 1).
custom.sh | 9 +++++----
level4.sh | 4 ++--
level5.sh | 4 ++--
levelsnf.sh | 4 ++--
lib.sh | 24 ++++++++++++++++++++++--
lib.sh.usermode | 24 +++++++++++++++++++++++-
6 files changed, 56 insertions(+), 13 deletions(-)
/* Begin patch */
diff -urN msec-0.18/init-sh/custom.sh msec/init-sh/custom.sh
--- msec-0.18/init-sh/custom.sh Sat Dec 1 23:55:23 2001
+++ msec/init-sh/custom.sh Mon Jan 28 15:38:35 2002
@@ -81,7 +81,8 @@
fi
###
-if [[ -f /lib/libsafe.so.2 ]]; then
+find_lib libsafe.so.2
+if [[ ${FE} == true ]]; then
echo "Do you want to enable the libsafe stack overflow protection ?"
echo "This stack overflow protection work by catching dangerous function call"
echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf"
@@ -90,7 +91,7 @@
echo "destination address, and by substracting the frame address to the destination
buffer one"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
- AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
+ AddRules ${f_lib} /etc/ld.so.preload
fi
fi
@@ -367,7 +368,7 @@
### Pam
clear
-dfsize=40000
+dfsize=100000
echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable
Authentication Modules.)"
echo "By setting a limit on how big user files may get and how many processes a user
may run."
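Review bot: The new default `dfsize=100000` carries no unit, and the only place that states what 100000 means is the patch description ("100MB"); a reader of custom.sh cannot tell whether the value is bytes, KB or blocks. A one-line comment on the assignment would fix that, e.g. `dfsize=100000 # default hard fsize limit; presumably KB (the patch mail equates this with 100MB) - confirm against the limits.conf/ulimit unit in use`. The value is later echoed to the user two hunks below, so documenting the unit here also keeps the prompt honest.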
@@ -381,7 +382,7 @@
echo "Would you like to set a maximum file size a user is allowed ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
- echo "What shall be the maximum file size(default is $(dfsize))"
+ echo "What shall be the maximum file size(default is 100MB)"
echo -n "Size : "
read fsize
if [[ -z ${fsize} ]]; then
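Review bot: The replaced line hard-codes "100MB" in the prompt, so the message will silently drift out of sync the next time `dfsize` is changed; the original intent was clearly to print the variable, and `$(dfsize)` was a command substitution typo rather than a reason to drop the reference. Use a parameter expansion instead: `echo "What shall be the maximum file size(default is ${dfsize})"`. The `read fsize` that follows is only checked for emptiness in the last line of the hunk; whatever handles a non-numeric answer is outside this hunk, so it is worth confirming that the value is validated before it reaches the limit setting.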
diff -urN msec-0.18/init-sh/level4.sh msec/init-sh/level4.sh
--- msec-0.18/init-sh/level4.sh Sun Dec 2 00:03:03 2001
+++ msec/init-sh/level4.sh Mon Jan 28 15:27:54 2002
@@ -106,9 +106,9 @@
AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
AddRules "UMASK_USER=077" /etc/sysconfig/msec
-if [[ -f /lib/libsafe.so.2 ]]; then
+find_lib libsafe.so.2
echo "Enabling stack overflow protection :"
- AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
+ AddRules ${f_lib} /etc/ld.so.preload
fi
# Console timeout
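Review bot: The `if [[ -f /lib/libsafe.so.2 ]]; then` line is replaced by a bare `find_lib libsafe.so.2`, but the matching `fi` four lines later is kept, so this block is now a syntax error (`fi` without `if`) and the level script will fail to parse. The same edit was made identically in level5.sh and levelsnf.sh. Beyond the syntax, nothing tests the result of find_lib here, so when the library is absent `AddRules ${f_lib} /etc/ld.so.preload` would run with an empty (or stale, since find_lib never clears f_lib) value; custom.sh in this same patch guards on `FE`, and these three should do the same: `find_lib libsafe.so.2` followed by `if [[ ${FE} == true ]]; then`, with the existing `fi` then matching again.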
diff -urN msec-0.18/init-sh/level5.sh msec/init-sh/level5.sh
--- msec-0.18/init-sh/level5.sh Sun Dec 2 00:03:03 2001
+++ msec/init-sh/level5.sh Mon Jan 28 15:28:55 2002
@@ -118,9 +118,9 @@
AddRules "UMASK_ROOT=077" /etc/sysconfig/msec
AddRules "UMASK_USER=077" /etc/sysconfig/msec
-if [[ -f /lib/libsafe.so.2 ]]; then
+find_lib libsafe.so.2
echo "Enabling stack overflow protection :"
- AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
+ AddRules ${f_lib} /etc/ld.so.preload
fi
# Console timeout
diff -urN msec-0.18/init-sh/levelsnf.sh msec/init-sh/levelsnf.sh
--- msec-0.18/init-sh/levelsnf.sh Sun Dec 2 00:03:03 2001
+++ msec/init-sh/levelsnf.sh Mon Jan 28 15:29:18 2002
@@ -143,9 +143,9 @@
AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
AddRules "UMASK_USER=077" /etc/sysconfig/msec
-if [[ -f /lib/libsafe.so.2 ]]; then
+find_lib libsafe.so.2
echo "Enabling stack overflow protection :"
- AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
+ AddRules ${f_lib} /etc/ld.so.preload
fi
# Do not boot on a shell
diff -urN msec-0.18/init-sh/lib.sh msec/init-sh/lib.sh
--- msec-0.18/init-sh/lib.sh Thu Jan 17 11:22:55 2002
+++ msec/init-sh/lib.sh Mon Jan 28 15:26:32 2002
@@ -299,7 +299,7 @@
RootSshLogin () {
echo -n "Setting up the root ssh login : "
- if [[ $1 == 4 || $1 == 5 || $1 == snf ]]; then
+ if [[ $1 == 3 || $1 == 4 || $1 == 5 || $1 == snf ]]; then
/bin/sed 's/PermitRootLogin yes/PermitRootLogin no/' <
/etc/ssh/sshd_config > /etc/ssh/sshd_config.new
mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
chmod 0600 /etc/ssh/sshd_config
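Review bot: Adding level 3 to the condition extends the existing sed rewrite unchanged, and that rewrite only has an effect when sshd_config contains an active `PermitRootLogin yes` line; a commented `#PermitRootLogin yes` is also matched but stays a comment, so the daemon keeps its built-in default and root login is not actually disabled for any of the listed levels. A pattern anchored at line start, `s/^PermitRootLogin yes/PermitRootLogin no/`, plus appending `PermitRootLogin no` when no uncommented directive exists would make the setting effective; I am inferring the sshd_config layout here, so confirm against the shipped file. The body of RootSshLogin continues past the end of this hunk.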
@@ -337,6 +337,27 @@
fi
}
+
+# Safer way to find libs to be appended to to ld.so.preload (e.g., libsafe)
+find_lib() {
+ export FE=NULL
+ declare -a spath
+ spath=("/lib/" "/usr/lib/" "/usr/local/lib/")
+ for i in ${spath[@]}
+do
+ if [[ -f ${i}${1} ]]
+ then
+ export f_lib=${i}${1}
+ export FE=true
+ break
+ else
+ export FE=false
+ break
+ fi
+done
+}
+
+
# If we are currently installing our
# system with DrakX, we don't ask anything to the user...
# Instead, DrakX does it and gives us a file with some variables.
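Review bot: The `else ... break` arm inside the loop of the new find_lib makes the function give up after the first directory, so `/usr/lib/` and `/usr/local/lib/` in `spath` are never examined and FE is `false` whenever the library is not exactly in `/lib/`; the search path might as well be a single string as written. The function also never resets `f_lib`, so a value left in the environment by an earlier call survives a failed lookup, and `${spath[@]}` and `${i}${1}` should be quoted. Since the found path is written into /etc/ld.so.preload, which loads the library into every process on the system, the function should only trust directories that are root-owned and not writable by others; a `-O`/permission check on the candidate (or dropping `/usr/local/lib/` from the list) is worth adding before this is relied on. The identical definition is added to lib.sh.usermode in the next file section and needs the same fix.
```shell
# Locate $1 in the fixed list of library directories; exports f_lib (full
# path, empty when not found) and FE (true/false) for the caller to test.
find_lib() {
  local dir
  export FE=false
  export f_lib=
  for dir in /lib/ /usr/lib/ /usr/local/lib/; do
    if [[ -f "${dir}${1}" ]]; then
      export f_lib="${dir}${1}"
      export FE=true
      break
    fi
  done
}
```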
@@ -403,7 +424,6 @@
groupadd -g 33 ntools >& /dev/null
groupadd -g 34 ctools >& /dev/null
groupadd -g 81 audio >& /dev/null
-
usermod -G xgrp xfs
/usr/share/msec/grpuser.sh --clean
diff -urN msec-0.18/init-sh/lib.sh.usermode msec/init-sh/lib.sh.usermode
--- msec-0.18/init-sh/lib.sh.usermode Thu Jan 17 11:22:55 2002
+++ msec/init-sh/lib.sh.usermode Mon Jan 28 15:26:32 2002
@@ -301,6 +301,29 @@
}
+
+# Safer way to find libs to be appended to to ld.so.preload (e.g., libsafe)
+find_lib() {
+ export FE=NULL
+ declare -a spath
+ spath=("/lib/" "/usr/lib/" "/usr/local/lib/")
+ for i in ${spath[@]}
+do
+ if [[ -f ${i}${1} ]]
+ then
+ export f_lib=${i}${1}
+ export FE=true
+ break
+ else
+ export FE=false
+ break
+ fi
+done
+}
+
+
+
+
# If we are currently installing our
# system with DrakX, we don't ask anything to the user...
# Instead, DrakX does it and gives us a file with some variables.
@@ -348,7 +371,6 @@
groupadd -g 33 ntools >& /dev/null
groupadd -g 34 ctools >& /dev/null
groupadd -g 81 audio >& /dev/null
-
usermod -G xgrp xfs
/usr/share/msec/grpuser.sh --clean
/* End Patch */
--
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg