Linux: restricting access to system call? - Unix


  1. Linux: restricting access to system call?

    Can I block access to certain system calls from non-privileged users?
    For example, restricting statfs() so normal users would not be able to
    see results of 'df' command.

    Regards,
    Pascal Damian


  2. Re: Linux: restricting access to system call?

    On Apr 22, 11:52 am, pascaldami...@gmail.com wrote:
    > Can I block access to certain system calls from non-privileged users?
    > For example, restricting statfs() so normal users would not be able to
    > see results of 'df' command.
    >
    > Regards,
    > Pascal Damian




    chmod 700 /bin/df ?

    zaher el siddik
    http://elsiddik.blogspot.com/


  3. Re: Linux: restricting access to system call?

    In article <1177223045.629046.81520@y80g2000hsf.googlegroups.com>,
    elsiddik wrote:

    > On Apr 22, 11:52 am, pascaldami...@gmail.com wrote:
    > > Can I block access to certain system calls from non-privileged users?
    > > For example, restricting statfs() so normal users would not be able to
    > > see results of 'df' command.
    > >
    > > Regards,
    > > Pascal Damian

    >
    >
    >
    > chmod 700 /bin/df ?


    The user can simply copy it from another system or recompile it
    themselves. There's no security achieved by removing access to
    non-setuid programs.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  4. Re: Linux: restricting access to system call?

    pascaldamian2@gmail.com writes:

    > Can I block access to certain system calls from non-privileged users?


    Yes, but not easily.

    > For example, restricting statfs() so normal users would not be able to
    > see results of 'df' command.


    On Linux, you can patch your kernel source to return EACCES from
    sys_statfs() unless 0 == current->uid.

    You can probably write a kernel module that will do the above patch
    at load time.

    You can also add a special interposer library that will return
    error from statfs64() unless 0 == getuid() [1], and arrange for
    that library to be preloaded everywhere via /etc/ld.so.preload

    However this last method is easily bypassed: the user could
    statically link his own copy of "df".

    Cheers,

    [1] better implement your own getuid() via direct syscall.
    If you do not, the user can preload his own interposer that answers
    0 to getuid(), bypassing your protection using the same trick you
    used to implement the protection.
    --
    In order to understand recursion you must first understand recursion.
    Remove /-nsp/ for email.
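
The preload interposer described in post 4, written out as an added example (not part of the original thread): it reads the real UID with a direct getuid syscall, as footnote [1] advises, and returns EACCES from statfs() and statfs64() for non-root callers. The file name, the helper names and the direct-syscall pass-through are assumptions, as is a 64-bit Linux system with glibc.

```c
/* nostatfs.c (hypothetical name): preload library that hides statfs results
 * from non-root callers. Assumes 64-bit Linux with glibc.
 * Build: gcc -shared -fPIC -o libnostatfs.so nostatfs.c
 * Then list the library's full path in /etc/ld.so.preload. */
#define _GNU_SOURCE
#include <errno.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/vfs.h>
#include <unistd.h>

/* Real UID straight from the kernel. Calling libc's getuid() would let a
 * second preloaded library answer 0 for it (footnote [1] in the post). */
static uid_t real_uid(void)
{
    return (uid_t)syscall(SYS_getuid);
}

/* Policy from the post: only uid 0 may query filesystem statistics. */
static int deny_for_uid(uid_t uid)
{
    return uid != 0;
}

/* Shared body: refuse, or pass through with a direct syscall so the wrapper
 * needs no dlsym(RTLD_NEXT) lookup of the libc symbol. */
static int guarded_statfs(const char *path, void *buf)
{
    if (deny_for_uid(real_uid())) {
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_statfs, path, buf);
}

int statfs(const char *path, struct statfs *buf)
{
    return guarded_statfs(path, buf);
}

#ifndef statfs64   /* some libcs define statfs64 as a macro alias of statfs */
int statfs64(const char *path, struct statfs64 *buf)
{
    return guarded_statfs(path, buf);
}
#endif
```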

  5. Re: Linux: restricting access to system call?

    On Apr 21, 9:52 pm, pascaldami...@gmail.com wrote:
    > Can I block access to certain system calls from non-privileged users?
    > For example, restricting statfs() so normal users would not be able to
    > see results of 'df' command.
    >
    > Regards,
    > Pascal Damian


    OpenBSD, for example, provides systrace(1) where you can do
    all sort of cool things. There's also a shell implemented on top
    of that: http://www.monkey.org/~jose/software/stsh/
    I'd figure Linux would have something similar/close.
    --
    Nikolai

