Help with an idea for user impersionalisation kernel module

From: Ivan Ristic
Date: Sat Dec 06 2003 - 09:38:41 EST



Hi, I am looking for someone willing to spend some time helping
me determine whether an idea for a kernel module I have is valid
(since I don't have the necessary kernel & i386 knowledge to
determine that for myself). If you don't think the topic is of
interest to the other list recipients please reply to my private
address (BTW, I am not subscribed to the list so if you are responding
please include me in the list of recipients). Here is the idea:

I would like to develop a kernel module that would allow a process
to become a different user and then safely go back to be the original
user again. This would be very useful in a virtual hosting environments.
I believe that in the long run each user will have a complete virtual
server so shared virtual hosting security won't be an issue as such,
but this idea still seems interesting to play with in the short run.
The idea is not mine but of Scott Deming (he is doing a similar thing
on FreeBSD, see http://makefile.com/dp/node/view/1).

Becoming a different user is not a problem, I know that. However,
going back is another matter. Untrusted code could initiate the
transition to the original user and continue to run with its
privileges. I have an idea on how to prevent this:

1. A new system call will be introduced.

2. A first call to it would change the uid into something else,
remember the user space address from which the call was made,
and return control to an entry point in the user space where
the code to be executed as a different user resides.

3. The second call by the same process would revert back
to the original user but return to the address in the user space
from which the first system call was made. This would ensure that
only trusted code is executed by the original user.

What bothers me is this: can the untrusted user modify the process
code so that when the control is returned back something else is
executed (eg the code inserted by the attacker)?

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/