Add new group_writable option to sysctl

Enabled by default, this check determines whether to deny execution based on a
file/directory being writable by the group.
commit 1ac064ad6d46a87d8f0faa23afee4e960ef9a598 1 parent a9239a7
@cormander authored
Showing with 14 additions and 1 deletion.
  1. +1 −0  README
  2. +1 −1  core.c
  3. +1 −0  module.h
  4. +11 −0 sysctl.c
1  README
@@ -103,6 +103,7 @@ values in this proc directory:
softmode - log what would be denied but don't actually deny. default off
strict - enforce some TPE features even on trusted users. default on
check_file - check file owner/mode in addition to directory. default on
+group_writable - check if the file/directory is group writable. default on
kill - kill the offending process and its parent when it gets denied
execution from TPE, unless it's root. default off
log - whether to log denied execs to the ring buffer. default on
2  core.c
@@ -137,7 +137,7 @@ int log_denied_exec(const struct file *file, const char *method, const char *rea
// get down to business and check that this file is allowed to be executed
#define UID_IS_TRUSTED(uid) (uid == 0 || in_group_p(tpe_trusted_gid))
-#define INODE_IS_WRITABLE(inode) ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))
+#define INODE_IS_WRITABLE(inode) ((inode->i_mode & S_IWOTH) || (tpe_group_writable && inode->i_mode & S_IWGRP))
#define INODE_IS_TRUSTED(inode) \
(inode->i_uid == 0 || \
(tpe_admin_gid && inode->i_gid == tpe_admin_gid) || \
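Review bot: The rewritten INODE_IS_WRITABLE still uses its macro parameter unparenthesized (`inode->i_mode`) and the new right-hand operand `tpe_group_writable && inode->i_mode & S_IWGRP` mixes `&&` and `&` without grouping, which is correct under C precedence but is easy to misread as `(tpe_group_writable && inode->i_mode) & S_IWGRP`; I would write `#define INODE_IS_WRITABLE(inode) (((inode)->i_mode & S_IWOTH) || (tpe_group_writable && ((inode)->i_mode & S_IWGRP)))`. Since the macro's result now depends on a sysctl rather than on the inode alone, a one-line comment above the define such as `/* world-writable, or group-writable when the group_writable sysctl is on */` would tell the next reader why a group-writable file can pass this check. The INODE_IS_TRUSTED definition continues outside the hunk.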
1  module.h
@@ -93,6 +93,7 @@ extern int tpe_admin_gid;
extern int tpe_dmz_gid;
extern int tpe_strict;
extern int tpe_check_file;
+extern int tpe_group_writable;
extern int tpe_paranoid;
extern char tpe_hardcoded_path[];
extern int tpe_kill;
11 sysctl.c
@@ -7,6 +7,7 @@ int tpe_admin_gid = 0;
int tpe_dmz_gid = 0;
int tpe_strict = 1;
int tpe_check_file = 1;
+int tpe_group_writable = 1;
int tpe_paranoid = 0;
char tpe_hardcoded_path[TPE_HARDCODED_PATH_LEN] = "";
int tpe_kill = 0;
@@ -126,6 +127,16 @@ static ctl_table tpe_table[] = {
.proc_handler = &proc_dointvec,
},
{
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33)
+ .ctl_name = CTL_UNNUMBERED,
+#endif
+ .procname = "group_writable",
+ .data = &tpe_group_writable,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
+ {
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33)
.ctl_name = CTL_UNNUMBERED,
#endif
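Review bot: The `#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33)` line of the new `group_writable` entry appears to carry leading whitespace that its matching `#endif` and the existing entry's `#if` just below do not; that is legal but breaks the table's alignment, so the directive should start at column 0 like the others. The entry otherwise follows the neighbouring entries (`.mode = 0644`, `&proc_dointvec`), so any nonzero value written through sysctl enables the check, which matches how core.c's INODE_IS_WRITABLE tests `tpe_group_writable`; the default in the first hunk would benefit from a short comment, e.g. `int tpe_group_writable = 1; /* sysctl group_writable: treat group-writable files/dirs as writable */`. The `tpe_table` array continues outside the hunk.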