LinuxQuestions.org
Old 11-18-2003, 07:22 AM   #1
gearoid
Member
 
Registered: Nov 2003
Location: Ireland
Distribution: Red Hat 9
Posts: 49

Rep: Reputation: 15
Customizing Bash


hey,

right, I have a little query.... I want to write a security feature that will monitor all calls and commands made during a bash session on the terminal on my local machine. To do this I was thinking of altering the source code for bash, so whenever I or someone else types on the command line and tries to execute any command, that command is checked to see if it is allowed. My thinking behind this is that any system calls could then be intercepted and checked to ensure that they are allowed before being executed in Kernel Space.

As an aside, nothing has to be logged as such, but only just to ensure no unwanted (only predefined and allowed) system calls are allowed to execute.

However...... I am new to Linux and am not sure if this is even possible. Can the Bash script be modified in this way to catch system calls before they are executed? And how would the bash script know what a system call was, without having to delve into Kernel code to look out for trap calls? Is this approach stupid or would a Kernel based approach be better??

Any help, suggestions, or "what are you, stupid??!!" comments would be greatly appreciated...

yours in hope,
Gearoid
 
Old 11-18-2003, 09:28 AM   #2
jim mcnamara
Member
 
Registered: May 2002
Posts: 964

Rep: Reputation: 36
It might be simpler if you restricted root access to yourself, granted privileged access to one group of users, and put all of the other users in other groups. That is the original design concept for unix anyway.

Maybe if you defined what your problem is, we could give you a simple solution. Re-writing bash is NOT a simple solution. It sounds like a basic sysadmin problem to me.
 
Old 11-18-2003, 09:46 AM   #3
gearoid
What I am trying to do though is to create a type of bash terminal "sandbox", from which user commands and program invocations will be screened and protected. The customised shell will check the command (which may have embedded system calls) and execute it if allowed. So any applications allowed to be launched from this shell will then be spawned / forked from this shell and will always interact with the shell before trying to access the Kernel and make OS / system calls....

Yeah, that brings me to another point though.... This sounds really awkward, but if a program (say a web browser) was then launched from this shell, could subsequent system calls from this app also be monitored through the tailored shell?

It is really just a curious question into if this can be done and how, as opposed to actually doing it for a sys admin fix to be totally functional.

Does this make any sense or am I going about this totally ass-ways?
 
Old 11-19-2003, 04:10 AM   #4
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
The standard security provided by Linux will be sufficient, I would imagine. It won't check what system calls a program is going to make, but with properly set read/write permissions, any nasties will be rendered ineffective... i.e. a program that attempts to read the shadow password file will be unable to, as will any attempts to change any system files. In light of this, is there any need for the system you are describing?
Outline a hypothetical situation and how your proposed system would counter it, and I'll try and outline how standard Unix security would deal with the same situation.
 
Old 11-19-2003, 04:30 AM   #5
gearoid
I know this sounds like unnecessary overkill given the inbuilt security already in Linux / Unix, but it is something I need to look into as part of my masters thesis. So, a hypothetical situation...

Say a web browser accesses some web page and code is passed back through to my local machine and attempts to run some unwanted program. Or say some user downloads some program from the web thinking it does one thing, and when it runs it starts to do something else (calling system calls to disrupt the O/S, etc.). Well, for each user (and maybe each / some applications) there will be an "allowed list". This will have to be checked each time a user or application (whether knowingly or unknowingly) tries to perform a system call or some other predefined action.

I was wondering though could programs be run and have each step of their execution checked from within a shell. Could a shell be implemented or modified in such a way. I'm not asking anyone to tell me how, just wondering if it is possible to begin with.

This is for a project so it doesn't have to be totally functional, it's just one approach I am investigating. The problem is I'm not sure if it is possible or even any way practical.
 
Old 11-19-2003, 04:41 AM   #6
nowonmai
I'm sure what you're describing would be possible... GDB intercepts calls in this way.
Standard security would nullify the threats you describe above. If permissions are set properly, no program will be able to 'disrupt the O/S' or do anything else unwanted. Everything vulnerable should be protected by having write/execute (and sometimes read) privileges restricted to the root user.
 
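The mechanism nowonmai is pointing at in #6 is ptrace(2): gdb and strace are both built on it, and with PTRACE_SYSCALL the tracer is woken at every system call entry of the child before the kernel runs it, which is exactly the per-call "allowed list" check #5 asks about. Below is an added example of such a gate, written for this page; it is not code from the thread or from any project. It is Linux-only (the x86-64 and aarch64 register layouts are covered), the allow-list, the two child workloads and the chroot("/") probe are constructed for the demo, and killing the child on a refused call stands in for whatever a real sandbox's policy would do.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__aarch64__)
#include <elf.h>                      /* NT_PRSTATUS for PTRACE_GETREGSET */
#endif

/* What the gate observed while supervising one child. */
struct gate_result {
    int  allowed;    /* syscall entries that passed the allow-list */
    long denied;     /* syscall number that was refused, or -1 */
    int  killed;     /* 1 if the gate killed the child */
    int  exit_code;  /* child's exit status if it finished normally, else -1 */
};

/* Syscall number at a syscall-entry stop; the register is architecture-specific. */
static long current_syscall(pid_t pid)
{
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1)
        return -1;
    return (long)regs.orig_rax;       /* rax is clobbered at entry; orig_rax keeps the number */
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return -1;
    return (long)regs.regs[8];        /* x8 carries the syscall number */
#else
#error "add the syscall-number register for this architecture"
#endif
}

static int on_allow_list(long nr, const long *allow, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allow[i] == nr)
            return 1;
    return 0;
}

/* Fork, run `work` under ptrace, and stop it at every syscall entry. */
struct gate_result run_gated(void (*work)(void), const long *allow, size_t n_allow)
{
    struct gate_result r = { 0, -1, 0, -1 };
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return r;
    if (pid == 0) {                   /* child: ask to be traced, then hand control over */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1)
            _exit(127);
        raise(SIGSTOP);
        work();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) == -1)
        return r;
    if (!WIFSTOPPED(status)) {        /* child never reached the SIGSTOP (ptrace refused) */
        if (WIFEXITED(status))
            r.exit_code = WEXITSTATUS(status);
        return r;
    }
    /* TRACESYSGOOD tags syscall stops with SIGTRAP|0x80; EXITKILL reaps the child if we die. */
    ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL);
    int in_syscall = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, 0) == -1 || waitpid(pid, &status, 0) == -1)
            break;
        if (WIFEXITED(status)) { r.exit_code = WEXITSTATUS(status); break; }
        if (WIFSIGNALED(status)) break;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            in_syscall = !in_syscall; /* stops alternate: entry, exit, entry, ... */
            if (!in_syscall)
                continue;
            long nr = current_syscall(pid);
            if (on_allow_list(nr, allow, n_allow)) { r.allowed++; continue; }
            r.denied = nr;            /* refused: kill before the kernel executes it */
            r.killed = 1;
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            break;
        }
        /* any other stop (a real signal) is resumed by the next PTRACE_SYSCALL with the signal suppressed */
    }
    return r;
}

/* Constructed demo inputs (assumptions, not from the thread): a tiny allow-list and two workloads. */
static const long demo_allow[] = { SYS_getpid, SYS_exit_group };
static void benign_work(void)  { syscall(SYS_getpid); }   /* run_gated then calls _exit(0) */
static void hostile_work(void) { syscall(SYS_getpid); syscall(SYS_chroot, "/"); syscall(SYS_getpid); }

int benign_exit_code(void) { return run_gated(benign_work, demo_allow, 2).exit_code; }
int hostile_denied_chroot(void)
{
    struct gate_result r = run_gated(hostile_work, demo_allow, 2);
    return r.killed == 1 && r.denied == SYS_chroot && r.allowed == 1;
}

int main(void)
{
    struct gate_result r = run_gated(hostile_work, demo_allow, 2);
    printf("allowed=%d denied=%ld killed=%d exit=%d\n", r.allowed, r.denied, r.killed, r.exit_code);
    return 0;
}
```

Build with cc -o gate gate.c and run it: the hostile child is stopped at its chroot entry and killed, the benign one exits 0. Three caveats a practitioner would raise against using this as the "tailored shell" of #3: every traced syscall costs two extra context switches, so gating a browser this way is slow; a process can have only one tracer, so a gated program cannot also be debugged; and inspecting pointer arguments (paths, buffers) from the tracer is racy, because another thread of the tracee can rewrite them between the check and the kernel's use. The kernel-side version of the same allow-list is seccomp-bpf, which applies the filter inside the kernel without a tracer process.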
Old 11-19-2003, 04:45 AM   #7
gearoid
ok cool, thanks. I'm gonna have my work cut out trying to understand and re-engineer the bash code though....
 
Old 11-19-2003, 05:42 AM   #8
nowonmai
I'm in Ireland too... if there's any help I can give you, email or PM me.
 
Old 11-19-2003, 05:46 AM   #9
gearoid
aw, sweet deal, thanks for that!!!
 
Old 11-19-2003, 07:29 AM   #10
worldmagic
Member
 
Registered: Oct 2003
Location: Europe/Sweden
Distribution: RedHat
Posts: 78

Rep: Reputation: 15
Most programs use libc... well, all do. Maybe one could add a security "layer" on top of libc? Then replace the old libc with your "secured" libc.
 
Old 11-19-2003, 07:33 AM   #11
worldmagic
You could look at how libtrash works. It preloads its signatures before libc and overrides calls to "unlink". The library moves files to a trash directory instead of unlinking them (removing them)... and this without any change to "rm -rf /". Check this link: http://www.m-arriaga.net/software/libtrash/
 
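What worldmagic describes in #10 and #11 is symbol interposition: a shared object named in LD_PRELOAD is searched before libc, so its definition of unlink() is the one a dynamically linked program binds to. The following is an added example of that technique written for this page; it is not libtrash's code. The trash directory under /tmp, the naming scheme for moved files, and the self-check function are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption for this demo: one fixed trash directory under /tmp. */
#define TRASH_DIR "/tmp/trash-demo"

/* Destination for `path` inside TRASH_DIR: its basename, with ".N" appended
   when a file of that name is already in the trash. Returns 0 on success. */
int trash_path(const char *path, char *out, size_t outlen)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (*base == '\0') { errno = EINVAL; return -1; }
    if (snprintf(out, outlen, "%s/%s", TRASH_DIR, base) >= (int)outlen) { errno = ENAMETOOLONG; return -1; }
    for (unsigned n = 1; access(out, F_OK) == 0; n++)
        if (snprintf(out, outlen, "%s/%s.%u", TRASH_DIR, base, n) >= (int)outlen) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* libtrash's idea: move the file aside instead of destroying it. Same return
   convention as unlink(2). rename() fails with EXDEV if the trash directory is
   on another filesystem; the real libtrash copies in that case, this demo does not. */
int trash_file(const char *path)
{
    char dest[PATH_MAX];
    if (mkdir(TRASH_DIR, 0700) == -1 && errno != EEXIST)
        return -1;
    if (trash_path(path, dest, sizeof dest) == -1)
        return -1;
    return rename(path, dest);
}

/* Interposed libc entry points. A dynamically linked program started with
   LD_PRELOAD pointing at this object resolves unlink/unlinkat here, not in libc. */
int unlink(const char *path)
{
    return trash_file(path);
}

int unlinkat(int dirfd, const char *path, int flags)
{
    /* Only plain files named by an absolute path or relative to the cwd are
       diverted; directory removal and fd-relative paths go straight to the kernel. */
    if (!(flags & AT_REMOVEDIR) && (dirfd == AT_FDCWD || path[0] == '/'))
        return trash_file(path);
    return (int)syscall(SYS_unlinkat, dirfd, path, flags);
}

/* Self-check: create a temp file, "delete" it through the interposed unlink,
   and confirm it survived in the trash. Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/trash-demo-XXXXXX";   /* constructed input */
    char expect[PATH_MAX];
    int fd = mkstemp(path);
    if (fd == -1)
        return 0;
    close(fd);
    if (trash_path(path, expect, sizeof expect) == -1)
        return 0;
    if (unlink(path) == -1)                   /* binds to the interposer above, even in this binary */
        return 0;
    int moved = access(path, F_OK) == -1 && access(expect, F_OK) == 0;
    syscall(SYS_unlinkat, AT_FDCWD, expect, 0); /* really remove the trash copy */
    return moved;
}

int main(void)
{
    printf("%s\n", demo_roundtrip() ? "file moved into " TRASH_DIR : "interposition failed");
    return 0;
}
```

Build it as a shared object with gcc -shared -fPIC -o libtrashdemo.so trashdemo.c and run LD_PRELOAD=$PWD/libtrashdemo.so rm somefile; coreutils rm removes through unlinkat(), which is why both entry points are interposed. Two caveats for the "security layer on top of libc" idea in #10: the dynamic loader ignores LD_PRELOAD for set-user-ID programs, and a statically linked binary, or any program that issues the system call itself (as the pass-through line in unlinkat does), never touches the interposer. That makes this a safety net against mistakes, not a boundary against a hostile program; a check the program cannot opt out of has to sit in the kernel, as with the gdb-style tracing mentioned in #6 or seccomp.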