ideas for kernel 2.1

james diekens (mack@wile.thetech.org)
Sat, 15 Jun 96 11:06:31 PDT


Ideas for 2.1
=============

this has been rolling around in my head for several days.
so I better post this so I can forget about it.

*** Warning only the truly security PARANOIDs will like this ***

Forcing registration with a "machine assigned" magic cookie
in each binary before it could access superuser functions in the
kernel. With ever increasing security risks both system dependent
and independent. For example rogue Java scripts and programs,
viruses and the like specific to Linux (not that I have ever
seen such an animal).

The kernel would require a machine dependent magic cookie to be
registered before programs would be allowed access to suser
functions. The following are examples of programs that would
require modifications to run in this secure environment,
i.e. fdformat, fdisk, setserial, etc. Once compiled, the binaries
would be stored in a secure place (a non-loaded floppy disk).

example of changes to the suid programs (fdformat, fdisk, setserial, etc.):

    #include "/fd/magiccookie.h"

    int main()
    {
        /* register the machine's cookie before any suser call */
        registermagiccookie(sysCOOKIE);
        /* ... rest of the program continues as normal ... */
    }

changes to the kernel...

- if (!suser()) return -EACCES;
+ if (!suser() && !cookieregistered()) return -EACCES;
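Review bot: the condition on the + line returns -EACCES only when both tests fail, so a superuser process that never registered a cookie still passes, and a non-superuser process that has registered one passes too. The text above asks for the cookie to be registered before suser functions can be used, which needs both tests to succeed: if (!suser() || !cookieregistered()) return -EACCES;. It would also help to document what cookieregistered() checks, since it takes no argument here and has to be answering for the calling process.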

and a function to verify magic cookies

okay, with that said I am now forgetting about such paranoid nonsense,
unless someone likes the idea and encourages me, hehehe

james

--
mack@wile.thetech.org (james diekens)
The Tech BBS  +1 408 279 7199  San Jose, CA
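
The registration and check described in the post, modelled in user space as an added example (not code from the post or from the kernel). struct task, the cookie value, the cookie length and register_magic_cookie() are assumptions made for illustration; the post's suser() and cookieregistered() take no argument because they read the current process.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define COOKIE_LEN 16
/* Constructed sample value standing in for the per-machine cookie. */
static const unsigned char machine_cookie[COOKIE_LEN] = "constructed-001";

/* Hypothetical per-process state; the post's suser() reads the current task. */
struct task { int euid; int cookie_registered; };

/* Compare every byte so timing does not reveal the first mismatch. */
static int cookie_equal(const unsigned char *a, const unsigned char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < COOKIE_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Model of registermagiccookie(): mark the task only on an exact match. */
int register_magic_cookie(struct task *t, const unsigned char *c, size_t len)
{
    t->cookie_registered = (c != NULL && len == COOKIE_LEN &&
                            cookie_equal(c, machine_cookie));
    return t->cookie_registered ? 0 : -EACCES;
}

static int suser(const struct task *t) { return t->euid == 0; }
static int cookieregistered(const struct task *t) { return t->cookie_registered; }

/* The condition exactly as written in the post. */
int check_as_posted(const struct task *t)
{
    return (!suser(t) && !cookieregistered(t)) ? -EACCES : 0;
}

/* Variant that denies unless the task is superuser AND has registered. */
int check_both_required(const struct task *t)
{
    return (!suser(t) || !cookieregistered(t)) ? -EACCES : 0;
}

int main(void)
{
    struct task root = { 0, 0 };   /* superuser, never registered */
    printf("as posted: %d, both required: %d\n",
           check_as_posted(&root), check_both_required(&root));
    return 0;
}
```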