LinuxQuestions.org
Old 10-16-2010, 11:22 AM   #1
sulekha
Member
 
Registered: Dec 2004
Location: India
Distribution: ubuntu 10.04 , centos 5.5 , Debian lenny, Freenas
Posts: 324

Rep: Reputation: 36
How to prevent the execution of malicious commands?


Hi all,

How do I prevent the execution of the following commands, or how do I set a policy
or rule that prevents the execution of the following malicious commands?

dd if=/dev/zero of=/dev/sda
rm -rf /
 
Old 10-16-2010, 01:15 PM   #2
Guillermo Reisch
LQ Newbie
 
Registered: Mar 2010
Location: Montevideo
Distribution: Debian, Ubuntu, knoppix
Posts: 7

Rep: Reputation: 1
Linux already supports the prevention of that

You need to be root (or root level) to do " rm -rf / "
because: ls -la /
drwxr-xr-x 26 root root 4096 ago 21 19:04 .
only root (or sudoers) have r(Read)w(Write)x(eXecute) access to "/"
Check who is in the sudoers group; a good password for root will prevent that malicious code

about: "dd if=/dev/zero of=/dev/sda"

ls -l /dev/sd*
brw-rw---- 1 root disk 8, 0 oct 16 14:53 /dev/sda
brw-rw---- 1 root disk 8, 1 oct 16 14:53 /dev/sda1
brw-rw---- 1 root disk 8, 2 oct 16 14:53 /dev/sda2
brw-rw---- 1 root disk 8, 3 oct 16 14:59 /dev/sda3
Only root (or sudoers) or people in the "disk" group can kill your disk
So check who is in group "disk" and remove malicious users from that group

Regards, Guille
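As an added example (not part of Guillermo's post or any LQ project code), the following POSIX shell script carries out the DAC checks he describes: it lists every user who is in the "disk" group or in a sudo/wheel group, and it flags a device node whose mode string gives the "other" class write access. The group data it runs on is a constructed /etc/group sample with hypothetical user names; the usage comments show how to feed it the live /etc/group and the output of ls -l /dev/sda instead.

```shell
#!/bin/sh
# Added DAC audit example (not from the thread). It runs on a constructed
# /etc/group sample so it works offline; see the usage comments for live data.

# Constructed sample of /etc/group content (hypothetical users, not real data).
SAMPLE_GROUP='root:x:0:
disk:x:6:alice,bob
sudo:x:27:alice
wheel:x:10:
users:x:100:alice,bob,carol'

# members_of GROUP [GROUP_FILE_CONTENT]
# Prints the comma-separated member field of GROUP (empty if it has no members).
members_of() {
    printf '%s\n' "${2:-$SAMPLE_GROUP}" |
        awk -F: -v g="$1" '$1 == g { print $4 }'
}

# privileged_users [GROUP_FILE_CONTENT]
# Union of the users in disk, sudo and wheel: anyone who can write the raw
# disk or become root. One name per line, sorted and deduplicated.
# Live usage: privileged_users "$(cat /etc/group)"
privileged_users() {
    for g in disk sudo wheel; do
        members_of "$g" "$1" | tr ',' '\n'
    done | grep -v '^$' | sort -u
}

# device_writable_by_others MODE
# MODE is the first field of `ls -l`, e.g. "brw-rw----". Returns 0 (true) when
# the "other" class has the write bit, meaning any local user could overwrite
# the device, and 1 otherwise.
# Live usage: device_writable_by_others "$(ls -l /dev/sda | awk '{print $1}')"
device_writable_by_others() {
    case "$1" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report on the constructed sample.
echo "Users who can write the raw disk or become root:"
privileged_users
for mode in 'brw-rw----' 'brw-rw-rw-'; do
    if device_writable_by_others "$mode"; then
        echo "$mode: world-writable device, tighten with chmod o-w"
    else
        echo "$mode: ok"
    fi
done
```

On the sample the report names alice and bob, and flags only the second mode string; on a real system the same functions show at a glance whether the membership of "disk" and "sudo" matches what the administrator intends.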
 
Old 10-16-2010, 01:40 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955
Quote:
Originally Posted by sulekha View Post
how to prevent the execution of the following commands or how to set a policy or rule that prevents the execution of
Like in some of your previous threads you've posted nothing to show you've tried anything. Please make an effort next time. As said before, running 'rm -rf' or 'dd if=/dev/zero of=/dev/sda' as an unprivileged user will result in a long stream of errors, since the user is not allowed to delete files owned by others. Also note that moving these binaries to a custom location, changing access permissions or replacing these binaries with scripts are kludges that in general require more maintenance than would be worth the effort (standards, updates). Asking for a policy or a rule requires knowing what MAC one uses (and you have given no information at all). GRSecurity has RBAC, there's SELinux and there's TOMOYO, to name just a few.


With GRSecurity, given a first rule of
Code:
/ {
    / r
}
, this AFAIK should already keep '/bin/rm' from recursing into root and deleting anything. The 'dd' rule might look something like

Code:
/bin/dd {
    /dev/zero r
    /dev/sda r
}
Applying it to a specific user you could "bind" it to a role:
Code:
role unpriv u
subject / {
    / r
    /bin/dd rx
    /dev/zero r
    /dev/sda r
}
In addition GRSecurity includes Trusted Path Execution (TPE) meaning an unprivileged user introducing foreign binaries in the system (compiled elsewhere) will find he can not execute them when TPE is enabled. For more see http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System.


Using TOMOYO, which has a path-based view of the system, a rule of
Code:
<kernel> /sbin/mingetty /bin/login /bin/bash /bin/rm
use_profile 3
allow_read /
allow_read/write /home
should deny a user writing to / (no "allow_write" rule) but allow it to read and write in /home. A rule for your 'dd' question then might look something like:
Code:
<kernel> /sbin/mingetty /bin/login /bin/bash /bin/dd
use_profile 3
allow_read /
allow_read /dev
allow_read /dev/sda
For more see http://tomoyo.sourceforge.jp/2.3/.


SELinux works on top of the "common" (discretionary) access rights. So if a binary is owned by root user and group with octal access mode 0500 then SELinux will not allow a user with a different context to execute the binary. The following rule
Code:
module deny 1.0.0;

require {
  type unconfined_t;
  type fixed_disk_device_t;
}

# /dev/sda is a block device node, so its object class is blk_file rather than file
allow unconfined_t fixed_disk_device_t:blk_file read;
will allow unprivileged users ("unconfined" context) to read files in /dev. Since there's no "write" rule, writing to a device is denied. With SELinux you do not apply rules to a resource directly but to roles and contexts, so this looks a bit different than the others. For more see http://fedoraproject.org/wiki/Docs/D...e/Introduction, http://mdious.fedorapeople.org/drafts/html/index.html and Dan Walsh's excellent web log at http://danwalsh.livejournal.com/.


* If anyone spots any errors in the rules above please tell me.
 
2 members found this post helpful.
Old 10-16-2010, 06:15 PM   #4
zhaozhou
LQ Newbie
 
Registered: Oct 2009
Location: Sweden
Distribution: Gentoo
Posts: 23

Rep: Reputation: 1
Just a note, you should be fine using the DAC which Linux has built-in. No need for advanced access control lists such as unSpawn is suggesting, however, I would recommend you try them out.
They're great.
 
  

