Aiee :)
Hello!
I was developing something using SOCK_RAW, so I had
to do it with root user.
Meanwhile I wanted to look into kernel internals (just a
little bit), so I though about an old kernel patch
(appeared on `phrack ezine') that deals with socket raw
creation.
So sraw.o is my LKM result for 2.2.X kernel.
I won't include the tarball here since I dunno if you're
interested in it, but I'll include the README so you
can get an idea about this kernel module.
I apologize about my bad english.
bye bye
-- gg sullivan
P.S.
If you find it interesting, please drop me a line so I can
put it online (not before monday however), or I can send you
privatly.
I'm wondering if this could be put as part of the next kernel release.
If so, I'll write Config diff et all stuff.
--
Lorenzo Cavallaro `Gigi Sullivan' <[EMAIL PROTECTED]>
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
/*
* $sfcs-mark$
* $filename: README$
* $description: Manage SOCK_RAW/SOCK_PACKET creation.$
* $authors: Lorenzo Cavallaro 'Gigi Sullivan'$
* $copyright: Copyright (C) 1999 by Lorenzo Cavallaro$
* $license: This source file is under LGPL$
* $creation time: Thu Feb 10 03:06:37 CET 2000$
* $last modification time: Sat Feb 26 22:26:43 CET 2000$
* $revision: 2$
*/
Hello everybody!
This is just an example about how flexible and powerfull loadable
kernel modules (lkm) could be.
Unfortunatly I'm not a kernel hacker (sigh!) since I'm still learning
the kernel internals, so don't flame me for any errors you might find
in this little lkm, please.
Indeed (and however), if you find some errors or you have suggestions,
let me know. Thx ! :)
By default only the superuser, or someone who have CAP_NET_RAW capability
on, can open/create SOCK_RAW socket type.
If you want your users to run command like `ping', `traceroute'
(wich use SOCK_RAW socket type), you have to make those binaries
suid root.
This might be a security issue.
Solution:
- Give them root access (Uhm ... naaaaaa :))
- insmod sraw.o
By using sraw.o, you'll be able to:
- Allow/Deny SOCK_RAW socket type creation by a user.
You can achieve this by setting up a new group and by
adding that user to this new group.
- Log every attempt to create a SOCK_RAW socket type,
both succesfull and unsuccesfull creation
(read allow/deny).
- SOCK_RAW (AF_INET|PF_PACKET) and SOCK_PACKET (backward
compatibility)
creation groups are also tunable via /proc under
/proc/sys/sraw dir.
I wanted to put all that stuff under /proc/sys/net/ipv4 tree,
but
I had to modify some kernel sources/headers.
Since this is however a test module, I won't do it right now.
(Well, I'm not so sure about all sysctl stuff, so if I'm wrong
please point me out the right way, thx :))
Feel free to contact me at <[EMAIL PROTECTED]>
Uh BTW this is alpha code.
DISCLAIMER
I'm not responsible for any damage caused by this module.
However, if something goes wrong, let me know please, so
I can investigate about it.
I apologize for my bad english!
bye bye
-- gg sullivan
