[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]
+ i am doing a script that acts like a daemon and kills of a user
+ who tries buffer overflow exploits. unfortunately, it is too dumb. it
+ kills all the setuid processes a user executes. So, my question is how do
+ i make a program differentiate between a normal setuid program ( chfn,
+ passwd ) and a buffer overflow exploit ( pam.sh , sendmail exploit ) ?
That should be a fabulous script, boss. Could you please shed some more
light on how would the script know if a genuine buffer exploit is
happening? Trying to figure out somehow if someone is running something
I think you can do this:
- Club all setuid progs in a common directory.
- Dont mark this directory in '$PATH' so that the user has to explicitely
name whole path for invoking a prog.
- when a user tries to launch some other thing, not in this list (match
the command line, you kill that. You can check gid, egid, too.
This is just a trivial thing, not much secure.