a simple kernel patch

/ns/wz/sys/data/20020813013714.htm

Author: e4gle
Email: e4gle@whitecell.org
Homepage: http://www.whitecell.org


Without further ado: it is actually a very simple thing. The /tmp directory is where Linux keeps temporary files, and every user can access it. It is also often a rather sensitive directory, since some dangerous operations and malicious attacks use it as their carrier. So I wrote a very simple kernel patch to monitor, or to forbid, creating files or links in the /tmp directory. The patch itself could not be simpler; the key point is the entry point. It supports the ext2 and ext3 filesystems:

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
logtmplink_patch-2.4.x.patch
tmp link log for ext2 patch:
//this simple kernel patch watches insecure file creation in /tmp for ext2
//for linux kernel version 2.4.x
//by e4gle <e4gle@whitecell.org>

--- fs/ext2/namei.c Sat Apr 13 11:55:21 2002
+++ ../linux-2.4/fs/ext2/namei.c Mon Jun 11 22:15:27 2001
@@ -169,10 +169,7 @@

if (inode->i_nlink >= EXT2_LINK_MAX)
return -EMLINK;
+//e4gle add
+ if (strcmp(dentry->d_parent->d_name.name,"tmp")==0)
+ printk(KERN_INFO "TMPLOG Created file :/%s/%s %o %o %o %d\n",dentry->d_parent->d_name.name,dentry->d_name,inode->i_mode,inode->i_mode,inode->i_mode,inode->i_uid);
+//end add
-
inode->i_ctime = CURRENT_TIME;
ext2_inc_count(inode);
atomic_inc(&inode->i_count);
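Review bot: the `+ printk(...)` line passes `dentry->d_name` (a `struct qstr`) to a `%s` conversion; it must be `dentry->d_name.name`, as the `strcmp` line above it already does for the parent, otherwise the kernel dereferences a bogus pointer when it logs. The same line prints `inode->i_mode` three times where one `%o` is enough, and `inode->i_uid` is a `uid_t`, so `%u` matches its type better than `%d`. Two further points: this hunk sits in `ext2_link()`, so the message "Created file" actually records a hard link being created in a directory whose last path component is named `tmp` (`/var/tmp` or `/home/x/tmp` match just as well, while the message always prints the entry as if it were under the root), and the header `@@ -169,10 +169,7 @@` gives the counts the wrong way round for a body with seven old lines and ten new lines (the `---`/`+++` lines also put the 2001-dated file on the `+++` side), so `patch` will reject the hunk as written; regenerating it with `diff -u old new` fixes both.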
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
tmp link log for ext3 patch:
//this simple kernel patch watches insecure file creation in /tmp for ext3
//for linux kernel version 2.4.x
//by e4gle <e4gle@whitecell.org>

--- fs/ext3/namei.c Sat Apr 13 12:21:45 2002
+++ ./n.c Sat Apr 13 12:21:18 2002
@@ -958,10 +958,6 @@

if (inode->i_nlink >= EXT3_LINK_MAX)
return -EMLINK;
-//e4gle add
- if (strcmp(dentry->d_parent->d_name.name,"tmp")==0)
- printk(KERN_INFO "TMPLOG Created file :/%s/%s %o %o %o %d\n",dentry->d_parent->d_name.name,dentry->d_name,inode->i_mode,inode->i_mode,inode->i_mode,inode->i_uid);
-//end add

handle = ext3_journal_start(dir, EXT3_DATA_TRANS_BLOCKS);
if (IS_ERR(handle))
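Review bot: this hunk runs in the wrong direction for what its heading says: the four `e4gle add` lines are marked `-` and `+++ ./n.c` is the newer file, so applied as-is it removes the logging from `ext3_link()` rather than adding it; apply it with `patch -R` or regenerate it so the new lines carry `+`. The `printk` line repeats the ext2 hunk's defects, `%s` fed with `dentry->d_name` (a `struct qstr`, which needs `.name`) and `inode->i_mode` printed three times. Placing the check before `ext3_journal_start()` is the right spot, since no journal handle exists yet and nothing has to be undone on the early exit.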
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
notmplink_patch-2.4.16.patch
no tmp link for ext2 patch:
//this simple kernel patch denies file creation in /tmp for ext2
//for linux kernel version 2.4.x
//by e4gle <e4gle@whitecell.org>

--- fs/ext2/namei.c Sat Apr 13 11:55:21 2002
+++ ../linux-2.4.16/fs/ext2/namei.c Mon Jun 11 22:15:27 2001
@@ -169,10 +169,7 @@

if (inode->i_nlink >= EXT2_LINK_MAX)
return -EMLINK;
+//e4gle add
+ if (strcmp(dentry->d_parent->d_name.name,"tmp")==0)
+ printk(KERN_INFO "LNKLOG Link Attempt creation in /tmp/%s %s.\n",dentry->d_name.name,symname);
+ return -EPERM;
+//end add
+
inode->i_ctime = CURRENT_TIME;
ext2_inc_count(inode);
atomic_inc(&inode->i_count);
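Review bot: the added `return -EPERM;` is not inside the `if`; without braces around the `printk` and the `return`, every hard link on every ext2 filesystem fails with EPERM, not only links into `tmp`. Wrap both statements in `{ ... }`. The `printk` also references `symname`, which is not a variable of `ext2_link()` (it belongs to the symlink path), so the file will not compile; the name of the existing entry being linked is available through the `old_dentry` argument as `old_dentry->d_name.name`. As in the logging hunk, the `strcmp` on `d_parent->d_name.name` matches any directory named `tmp`, and the header `@@ -169,10 +169,7 @@` does not describe a body with six `+` lines and no `-` lines, so regenerate the hunk with `diff -u`.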
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
no tmp link for ext3 patch:
//this simple kernel patch denies file creation in /tmp for ext3
//for linux kernel version 2.4.x
//by e4gle <e4gle@whitecell.org>

--- fs/ext3/namei.c Sat Apr 13 12:21:45 2002
+++ ./n.c Sat Apr 13 12:21:18 2002
@@ -958,10 +958,6 @@

if (inode->i_nlink >= EXT3_LINK_MAX)
return -EMLINK;
+//e4gle add
+ if (strcmp(dentry->d_parent->d_name.name,"tmp")==0)
+ printk(KERN_INFO "TMPLOG Created file :/%s/%s %o %o %o %d\n",dentry->d_parent->d_name.name,dentry->d_name,inode->i_mode,inode->i_mode,inode->i_mode,inode->i_uid);
+//end add

handle = ext3_journal_start(dir, EXT3_DATA_TRANS_BLOCKS);
if (IS_ERR(handle))
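Review bot: this hunk does not deny anything: it is the same code as the ext3 logging hunk (tag `TMPLOG`, no `return -EPERM;`), so under the "no tmp link for ext3" heading the link is still created after being logged. To match the ext2 version it needs a `return -EPERM;` inside the `if` block (before `ext3_journal_start()`, which is fine because no handle exists yet) and the `LNKLOG` message. The `%s`/`dentry->d_name` mismatch and the triple `i_mode` carry over from the earlier hunk, and the header `@@ -958,10 +958,6 @@` again has the counts reversed for a body that adds four lines and removes none.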

The monitoring log is recorded in /var/log/messages.
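Since the patch only emits printk lines, the useful part on the defender's side is reading them back out of /var/log/messages. The following parser is an added example, not part of the original post or of the patch: it handles the two message formats the patch prints (the `TMPLOG Created file :/%s/%s %o %o %o %d` line from the logging patches and the `LNKLOG Link Attempt creation in /tmp/%s %s.` line from the deny patch), counts logged and denied links per uid, and flags entries whose mode is world-writable. The syslog prefix (`Mon DD HH:MM:SS host kernel:`) is assumed to be what klogd/syslogd adds, the sample lines are constructed, and the `%s` fields are assumed to carry the entry name (i.e. the `dentry->d_name.name` string the patch evidently intends to print).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed syslog framing written by klogd/syslogd: "Mon DD HH:MM:SS host kernel: <body>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<body>.*)$"
)
# Body of "TMPLOG Created file :/%s/%s %o %o %o %d" (the patch prints i_mode three times)
TMPLOG_RE = re.compile(
    r"^TMPLOG Created file :/(?P<parent>[^/ ]+)/(?P<name>\S+) "
    r"(?P<mode>[0-7]+) [0-7]+ [0-7]+ (?P<uid>\d+)$"
)
# Body of "LNKLOG Link Attempt creation in /tmp/%s %s."
LNKLOG_RE = re.compile(
    r"^LNKLOG Link Attempt creation in /tmp/(?P<name>\S+) (?P<target>.+)\.$"
)

# Constructed sample of /var/log/messages; none of these lines come from the page.
SAMPLE_LOG = """\
Aug 13 01:37:14 host kernel: TMPLOG Created file :/tmp/report.lnk 100644 100644 100644 500
Aug 13 01:37:20 host kernel: LNKLOG Link Attempt creation in /tmp/notes /home/alice/notes.txt.
Aug 13 01:37:21 host kernel: eth0: link up
Aug 13 01:38:02 host kernel: TMPLOG Created file :/tmp/shared.db 100666 100666 100666 0
Aug 13 01:38:05 host kernel: TMPLOG Created file :/tmp/cache.bin 100600 100600 100600 500
Aug 13 01:38:09 host kernel: LNKLOG Link Attempt creation in /tmp/build.log /var/log/build.log.
"""


@dataclass
class TmpEvent:
    ts: str
    kind: str                     # "TMPLOG" (link logged) or "LNKLOG" (link denied)
    name: str                     # entry name inside /tmp
    uid: Optional[int] = None     # owner uid of the linked inode (TMPLOG only)
    mode: Optional[int] = None    # i_mode parsed from its octal form (TMPLOG only)
    target: Optional[str] = None  # second %s of the LNKLOG line


def parse_line(line: str) -> Optional[TmpEvent]:
    """Return a TmpEvent for a TMPLOG/LNKLOG kernel line, None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    body = m.group("body")
    t = TMPLOG_RE.match(body)
    if t:
        return TmpEvent(m.group("ts"), "TMPLOG", t.group("name"),
                        uid=int(t.group("uid")), mode=int(t.group("mode"), 8))
    l = LNKLOG_RE.match(body)
    if l:
        return TmpEvent(m.group("ts"), "LNKLOG", l.group("name"),
                        target=l.group("target"))
    return None


def parse_log(text: str) -> list:
    """Parse every line of a messages file, silently skipping unrelated kernel output."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def summarize(events) -> dict:
    """Counts per kind and per uid, plus entries created world-writable (mode & 0o002)."""
    by_uid = Counter(e.uid for e in events if e.uid is not None)
    world_writable = sorted(e.name for e in events
                            if e.mode is not None and e.mode & 0o002)
    return {
        "logged": sum(1 for e in events if e.kind == "TMPLOG"),
        "denied": sum(1 for e in events if e.kind == "LNKLOG"),
        "by_uid": dict(by_uid),
        "world_writable": world_writable,
    }


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev)
    print(summarize(parse_log(SAMPLE_LOG)))
```

Replace `SAMPLE_LOG` with the contents of /var/log/messages to run it on a real host; because the patch compares only the parent's last path component, a `TMPLOG` line can also come from a hard link into any other directory named `tmp`, which is why the parser keeps the `parent` group rather than assuming the root /tmp.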