> On Wed, 2005-Mar-30 11:06:53 -0600, H. S. wrote: >>As I stated previously, I'm not much of a C programmer, but I can do some >>coding. I've been thinking into changing the core of the system a bit to >>return errors if some information is accessed by a normal user. > > Wouldn't making /sbin and /usr/sbin mode 750 be enough?
That's the "heart" of my question. A user uploading a dmesg binary to his homedir and then ./dmesg will overcome these permissions. People suggested making /home noexec, I'm still considering the implications of that in my scenario. > >> I'd like >>to know if getuid() would work that deep in the system? > > In general, system calls can't be used within the kernel. The uid and > gid could be determined by directly dereferencing curproc or the > thread pointer passed around in most kernel internal calls. Note that > the only checks the (non-MAC) kernel currently does is "root" or > "not-root" using suser(9) (apart from the checks in kill(2)). > Restrictions for non-root users are implemented using file > permissions. > >> And how can I register sysctl mibs in the kernel ? > > Look at sysctl(3), /sys/sys/sysctl.h and (eg) /sys/kern/subr_msgbuf.c > Thanks, I'll have a look, also will have a look at MAC. I think I have a completely wrong idea of what MAC does. > -- > Peter Jeremy > _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[EMAIL PROTECTED]"
