While I wanted to patch my Xfree,
I realized it would be easier to write a wrapper so I wrote a simple one.
It only works on arguments passed to the executable, no control is done
about environment variables. But its advantage over some other wrappers
is that you just have to compile it one and to maintain a reference table
which is a small file in /etc. This file is indexed by argv[0] (which could
be spoofed so be careful to what you put in!). It contains, for each entry,
the name of the real executable, desired EUID and/or EGID, maximum number of
args, maximum args length, and a log level which determines 5 possible
behaviours:
0 - log nothing, just truncate args.
1 - log only if too long an arg is given
2 - also log if too many args are passed
3 - systematically log any call to the prog
4 - wait a few seconds and quit if any error occurs
An other interesting aspect is that it can block during a fixed amount of
time before exiting, just to slow down automatic scripts. To make these
scripts harder (but not impossible) to use, all signals are ignored during
the pause (except of course, SIGKILL/SIGSTOP).
It really needs more work, but I won't be there till next week-end, and I
wanted to post this now. You could combine it with a message sender I wrote
a few months ago, which will pop up a window on you display with immediate
information about what's happening on your system.
Addresses:
SafeLoad (the wrapper):
http://www-miaif.lip6.fr/willy/pub/safeload/
Xmsg (message handler/sender):
http://www-miaif.lip6.fr/willy/pub/xmsg/
Buffer overflow tests:
http://www-miaif.lip6.fr/willy/security/
That's all for the moment. Please tell me if you make significant
modifications to the wrapper, or if you find security holes in it, because
it's to be suided root, of course, and I hope it won't need itself another
wrapper :-)
Willy
-- +---------------+-------------------------+---------------------------------+ | Willy Tarreau | tarreau@aemiaif.lip6.fr | http://www-miaif.lip6.fr/willy/ | | Magistere d'Informatique Appliquee de l'Ile de France (MIAIF), promo 97 | +---------------------------------------------------------------------------+