[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

Re: daemons

+ 	i am doing a script that acts like a daemon and kills of a user
+ who tries buffer overflow exploits. unfortunately, it is too dumb. it
+ kills all the setuid processes a user executes. So, my question is how do
+ i make a program differentiate between a normal setuid program ( chfn,
+ passwd ) and a buffer overflow exploit ( pam.sh , sendmail exploit ) ?

That should be a fabulous script, boss. Could you please shed some more 
light on how would the script know if a genuine buffer exploit is 
happening? Trying to figure out somehow if someone is running something
'setuid' eh..?

I think you can do this:

- Club all setuid progs in a common directory.
- Dont mark this directory in '$PATH' so that the user has to explicitely
  name whole path for invoking a prog.
- when a user tries to launch some other thing, not in this list (match
  the command line, you kill that. You can check gid, egid, too.

This is just a trivial thing, not much secure.