How to implement a http(apache)-access-only system

[lovecrea...@gmail.com]

I encountered such an requirement of implementing a system that:

1. system accounts including root can't directly access file or data
on this system;
2. only specific application, ie. http server (apache) can access file
on this system; (so apache linux user ie. www-data should be allowed
on it)
3. apache passes web user accounts (not linux system account ie. root)
to this system; and this system will present the apache application
with the files (in format of linux file system hierarchy) related to
the specified web users;

And I have some queries about it:

Is there conceptual wrong in this requirement?
Can it be done in way of linux kernel file system, ie. ext2, ext3?
How to program this kind of customized file system?

Thank you for your time.

[Edwin van den Oetelaar]

lovecrea...@gmai1.c0m wrote:
> I encountered such an requirement of implementing a system that:
>
> 1. system accounts including root can't directly access file or data
> on this system;

That would be strange.
You could use a userspace application that does encrypting/decrypting of files on disk.
This way, the root user can read the *file* but not decrypt its *contents* (data). Deleting the file
is still possible.

> 2. only specific application, ie. http server (apache) can access file
> on this system; (so apache linux user ie. www-data should be allowed
> on it)

If you do your encryption/decryption/authentication inside the application that would work.

> 3. apache passes web user accounts (not linux system account ie. root)
> to this system; and this system will present the apache application
> with the files (in format of linux file system hierarchy) related to
> the specified web users;
>

Does not compute, but take a look at FUSE, maybe filesystems in UserSpace help you.

>
> And I have some queries about it:
>
> Is there conceptual wrong in this requirement?

I think so. Instead of making the whole system more secure it introduces a lot of complexity that
can break in unexpected ways. If you use normal setup with *sane* security setup it would be easier
to setup and maintain.

> Can it be done in way of linux kernel file system, ie. ext2, ext3?
> How to program this kind of customized file system?
>
> Thank you for your time.

Where / Why is this strange setup required? Is the rest of the system as secure? SSH/Certificates etc?

Regards,
Edwin

[Dagon]

>lovecrea...@gmai1.c0m wrote:
>> 1. system accounts including root can't directly access file or data
>> on this system;

Edwin van den Oetelaar <newsg...@oetelaar.com> wrote:
>That would be strange.

Agreed. Securing against root is somewhere between very difficult and
impossible, depending on exact OS you're using. Even with hardware encryption
support, a clever root user can find ways to get the keys.

Move such sensitive data to a system you can secure for real by not making
root available to people with lower priveleges.

>You could use a userspace application that does encrypting/decrypting of
>files on disk.
>This way, the root user can read the *file* but not decrypt its
>*contents* (data). Deleting the file
>is still possible.

Root can still get the keys or data out of memory, and/or patch the
application to alter the data at runtime. Among other things.

>> 2. only specific application, ie. http server (apache) can access file
>> on this system; (so apache linux user ie. www-data should be allowed
>> on it)

>If you do your encryption/decryption/authentication inside the
>application that would work.

Nope. Root has control over the application.

>> Is there conceptual wrong in this requirement?

>I think so.

>Where / Why is this strange setup required? Is the rest of the system as
>secure? SSH/Certificates etc?

Agreed. This set of requirements is broken. Don't secure a system against
root, instead move the system to a secure one with different root access.
Having your webserver(s) be on different physical host(s) than your data
storage and security system(s) is fairly reasonable. Having them on the same
box and secure from root abuse is nigh impossible.

If you do what you're asking, you're guaranteed to get it wrong, and be no
more secure than if you just ignored the requirement to start with. Actually,
you'll be less secure because there's a class of threats you think you're
protected against when you're not.
--
Mark Rafn da...@dagon.net <http://www.dagon.net/>

[lovecrea...@gmail.com]

On Nov 10, 6:26 pm, Edwin van den Oetelaar <newsgro...@oetelaar.com>
wrote:

> lovecreatesbea...@gmai1.c0m wrote:
> > I encountered such an requirement of implementing a system that:
>
> > 1. system accounts including root can't directly access file or data
> > on this system;
>
> That would be strange.
> You could use a userspace application that does encrypting/decrypting of files on disk.
> This way, the root user can read the *file* but not decrypt its *contents* (data). Deleting the file
> is still possible.
>

Thank you.

I proposed ccrypt for it but it was not adopted.

> > 2. only specific application, ie. http server (apache) can access file
> > on this system; (so apache linux user ie. www-data should be allowed
> > on it)
>
> If you do your encryption/decryption/authentication inside the application that would work.
>
> > 3. apache passes web user accounts (not linux system account ie. root)
> > to this system; and this system will present the apache application
> > with the files (in format of linux file system hierarchy) related to
> > the specified web users;
>
> Does not compute, but take a look at FUSE, maybe filesystems in UserSpace help you.
>

Fuse faq 1.5[1] states a situation that users including root can't
access filesystems mounted by other users. I tried fuse example
hello.c. Other problem is that I don't figure out

how to make files in fuse persistent to physical media? or
how to map (mount?) fuse with a existing file system? or
how to format a fuse file system to physical media (we can format ext3
but not fuse)?

> > And I have some queries about it:
>
> > Is there conceptual wrong in this requirement?
>
> I think so. Instead of making the whole system more secure it introduces a lot of complexity that
> can break in unexpected ways. If you use normal setup with *sane* security setup it would be easier
> to setup and maintain.
>
> > Can it be done in way of linux kernel file system, ie. ext2, ext3?
> > How to program this kind of customized file system?
>

> Where / Why is this strange setup required? Is the rest of the system as secure? SSH/Certificates etc?

I am supervised by an amateurish supervisor and I myself am not
professional enough to convey all the plans and ideas to correct
solutions on linux with C quickly enough. It seems that I / We are
doing some fake projects.

[1] http://sourceforge.net/apps/mediawiki/fuse/index.php?title=FAQ#Why_don.27t_other_users_have_access_to_the_mounted_filesystem.3F

[Wanna-Be Sys Admin]

lovecrea...@gmai1.c0m wrote:

Easily enough done, except the one aspect where you want a non
privileged user access to things and to deny root. Why not just set it
up to work how you want and accept that root can still do what root
should be able to do? If you can't trust root user, host the
application on your own server and lock root down (you'll likely find
more issues with trying to keep the system secure and sane with
thinking the Apache user can be controlled, to not have to worry so
much about root).
--
Not really a wanna-be, but I don't know everything.

[David Schwartz]

On Nov 9, 7:47 pm, "lovecreatesbea...@gmai1.c0m"
<lovecreatesbea...@gmail.com> wrote:

> 1. system accounts including root can't directly access file or data
> on this system;

[snip]

> Is there conceptual wrong in this requirement?
> Can it be done in way of linux kernel file system, ie. ext2, ext3?
> How to program this kind of customized file system?

Linux is not the right operating system for meeting requirements like
these. Linux is fundamentally built around a "root can do anything"
model.

However, I think this sounds like a nonsensical set of requirements.
What would the rationale for requirement 1 be? To prevent root from
deliberately causing problems? But he'll just do things indirectly, so
stopping him from doing things directly makes little sense. To prevent
him from accidentally accessing file or data? What does "directly"
even mean in this context?

DS

[Rainer Weikusat]

David Schwartz <dav...@webmaster.com> writes:
> On Nov 9, 7:47�pm, "lovecreatesbea...@gmai1.c0m"
> <lovecreatesbea...@gmail.com> wrote:
>
>> 1. system accounts including root can't directly access file or data
>> on this system;
> [snip]
>> Is there conceptual wrong in this requirement?
>> Can it be done in way of linux kernel file system, ie. ext2, ext3?
>> How to program this kind of customized file system?
>
> Linux is not the right operating system for meeting requirements like
> these. Linux is fundamentally built around a "root can do anything"
> model.

This is not correct. The traditional UNIX(*) security model includes
the notion of a superuser which has unrestricted access to
everything. Insofar particular privileged operations are supposed to
be made available to otherwise unprivileged users, this policy
descision is supposed to be implemented in application code. This is a
simple and unlimitedly flexible model which has been proven to be
sufficient for many real-world applications. It, howevers, suffers
from two important drawbacks:

- the TCB (trusted computing base) is extended to application
code, which is a very ill fit for 'the hack on it until it
works, although nobody knows how or why, and then move one
to the next problem' common development paradigm.

- it is simple. People who desire 'security' are likely to
have a bureaucratic mindset and 'simplictly' is inherently
un-bureaucratic.

Therefore, the 'Linux' security model is built around an ever growing
set of 'capabilites', ie particular tasks someone considers to be
'special' for some more-or-less random reason and which can be revoked
and granted to entities scheduled by the kernel ('threads' and
single-threaded processes) by using the corresponding system calls
according to a fairly elaborate model[*]. Details are documented in
capabilities(7), an online copy is available here:

http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html

According to the documentation, it should be possible to meet the file
access requirement in this way. Another option would be to use
mandatory access control, ie SELinux (AppArmor loses another big set
of points because of people who try to play games with Wikipedia).

[*] So far, the most notable achievement of this 'new and
improved design' have been 'new and moderately interesting
ways to accomplish privilege escalation'.

[lovecrea...@gmail.com]

On Nov 11, 9:44 am, "lovecreatesbea...@gmai1.c0m"

> [1]http://sourceforge.net/apps/mediawiki/fuse/index.php?title=FAQ#Why_do...

I add some code in vfs. For example, it allows apache to access /var/
www but prevents root user from accessing /var/www/index.html by vi.
My supervisor prefers this kind of solution. But I am a little upset
on rough change like this.

--- a\linux-2.6.30.4\fs\open.c 2009-07-31 06:34:48.000000000 +-0800
+++ b\linux-2.6.30.4\fs\open.c 2009-11-13 14:34:45.000000000 +-0800
@@ -1026,12 +1026,20 @@
EXPORT_SYMBOL(fd_install);

long do_sys_open(int dfd, const char __user *filename, int flags, int
mode)
{
char *tmp = getname(filename);
int fd = PTR_ERR(tmp);
+ char *s1 = "/var/www";
+ char *s2 = "apache2";
+
+ if (strstr(filename, s1) && strcmp(s2, current->comm)){
+ printk("%s:%d, %s, %s\n", __FILE__, __LINE__,
+ current->comm, filename);
+ return fd;
+ }

if (!IS_ERR(tmp)) {
fd = get_unused_fd_flags(flags);
if (fd >= 0) {
struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
if (IS_ERR(f)) {

[Rainer Weikusat]

"lovecrea...@gmai1.c0m" <lovecrea...@gmail.com> writes:

[...]

> I add some code in vfs. For example, it allows apache to access /var/
> www but prevents root user from accessing /var/www/index.html by vi.
> My supervisor prefers this kind of solution. But I am a little upset
> on rough change like this.
>
>
> --- a\linux-2.6.30.4\fs\open.c 2009-07-31 06:34:48.000000000 +-0800
> +++ b\linux-2.6.30.4\fs\open.c 2009-11-13 14:34:45.000000000 +-0800
> @@ -1026,12 +1026,20 @@
> EXPORT_SYMBOL(fd_install);
>
> long do_sys_open(int dfd, const char __user *filename, int flags, int
> mode)
> {
> char *tmp = getname(filename);
> int fd = PTR_ERR(tmp);
> + char *s1 = "/var/www";
> + char *s2 = "apache2";
> +
> + if (strstr(filename, s1) && strcmp(s2, current->comm)){
> + printk("%s:%d, %s, %s\n", __FILE__, __LINE__,
> + current->comm, filename);
> + return fd;
> + }

The most glaring problem with this is that this will (probably, I
haven't tested it) allow access to any process whose corresponding
binary is named apache2. Try

cd /bin
ln ed apache2
./apache2 /var/www/index.html

as root for a demonstration (assuming /bin/ed exists, of course).

You really should be using the existing facilities for extended access
control, such as capabilities or one of the MAC-frameworks instead of
trying to 'roll your own' in a that crude fashion.

[Gordon Burditt]

>> I add some code in vfs. For example, it allows apache to access /var/
>> www but prevents root user from accessing /var/www/index.html by vi.

So what prevents root from using su to apache? What prevents root
from replacing apache with vi (while the real apache is still running)?
What prevents root from taking that code out of the kernel?

[Rainer Weikusat]

gordon...@burditt.org (Gordon Burditt) writes:
>>> I add some code in vfs. For example, it allows apache to access /var/
>>> www but prevents root user from accessing /var/www/index.html by vi.
>
> So what prevents root from using su to apache?

You are overestmating the techical sophistication of this change:

current->comm is a member of the struct task_struct defined in
current->include/linux/sched.h and documented as quoted below:

char comm[TASK_COMM_LEN]; /* executable name excluding path

[Wanna-Be Sys Admin]

lovecrea...@gmai1.c0m wrote:

What good does that do? The root user can use any alternative binary or
command to do whatever they want anyway, not to mention to install or
download the binary and replace the one you've modified. Sure, a root
owned process might not be able to access, read or modify a file using
a binary that says "if you're uid 0, then end the process", but that
doesn't mean a thing. That is not a solution by any stretch.

[David Schwartz]

On Nov 13, 2:49 am, Rainer Weikusat <rweiku...@mssgmbh.com> wrote:

> >  long do_sys_open(int dfd, const char __user *filename, int flags, int
> > mode)
> >  {
> >    char *tmp = getname(filename);
> >    int fd = PTR_ERR(tmp);
> > +  char *s1 = "/var/www";
> > +  char *s2 = "apache2";
> > +
> > +  if (strstr(filename, s1) && strcmp(s2, current->comm)){
> > +          printk("%s:%d, %s, %s\n", __FILE__, __LINE__,
> > +                                          current->comm, filename);
> > +          return fd;
> > +  }

> The most glaring problem with this is that this will (probably, I
> haven't tested it) allow access to any process whose corresponding
> binary is named apache2. Try
>
> cd /bin
> ln ed apache2
> ./apache2 /var/www/index.html
>
> as root for a demonstration (assuming /bin/ed exists, of course).

And, of course, 'root' can open the files indirectly by grabbing hooks
to them from the 'proc' filesystem when Apache opens them. The 'root'
user could even write a program to scan the 'proc' filesystem for
Apache open files and copy out each file as 'Apache' opens it using
its '/proc/<pid>/fd/<num>' name which won't match your 'strstr' test.

That code is, frankly, sheer idiocy.

That's not even a sensible way if the intent is to prevent 'root' from
accessing it by accident and is sure as heck isn't sensible if the
intent is to prevent 'root' from doing so maliciously.

DS

[Wanna-Be Sys Admin]

David Schwartz wrote:

Agreed, I just don't understand the point of any of this goal. Why not
just host on your own system, where only you are root and add all of
the appropriate hoops to jump through if you want to make it more
difficult to get root, if you're concerned someone else might get root.
Why have root not have read/write normally, if you can trust it can be
fine to sit there on its own, unused (for all intents and purposes).
Then, who cares? If you can't trust root, you shouldn't use the
system. If you can, what's the issue? You'll need super user access
on a system to try and get around all of these things anyway, to try
and make it work how you want, and for what? I just don't understand?
Are you just trying to prevent root user from making a mistake?

[Golden California Girls]

Wanna-Be Sys Admin wrote:
> Agreed, I just don't understand the point of any of this goal. Why not
> just host on your own system, where only you are root and add all of
> the appropriate hoops to jump through if you want to make it more
> difficult to get root, if you're concerned someone else might get root.
> Why have root not have read/write normally, if you can trust it can be
> fine to sit there on its own, unused (for all intents and purposes).
> Then, who cares? If you can't trust root, you shouldn't use the
> system. If you can, what's the issue? You'll need super user access
> on a system to try and get around all of these things anyway, to try
> and make it work how you want, and for what? I just don't understand?
> Are you just trying to prevent root user from making a mistake?

Likely some government requirement that anyone who can access the data be a
citizen of their country and their company has outsourced the admin of their
boxes to elsewhere. Called shooting your foot off.

[lovecrea...@gmail.com]

On Nov 13, 6:49 pm, Rainer Weikusat <rweiku...@mssgmbh.com> wrote:
>
> The most glaring problem with this is that this will (probably, I
> haven't tested it) allow access to any process whose corresponding
> binary is named apache2. Try
>
> cd /bin
> ln ed apache2
> ./apache2 /var/www/index.html
>
> as root for a demonstration (assuming /bin/ed exists, of course).
>
> You really should be using the existing facilities for extended access
> control, such as capabilities or one of the MAC-frameworks instead of

> trying to 'roll your own' in a that crude fashion.- Hide quoted text -
>

Thank you.

I didn't get the full pathname of filename in the previous code. It
doesn't handle this situation:

# cd /var
# vi www/index.html

Did you also mean this point? My new code:

(I rebuilt the source and reinstalled the kernel successfully on
debian hosted on VMWare. After I increased memory from 1536M to 2048M
in VMWare and reboot, I got: Kernel panic: no init found. Try passing
init= option to kernel. Dunno why.)

--- a\linux-2.6.26\fs\open.c 2008-07-14 05:51:30.000000000 +-0800
+++ b\linux-2.6.26\fs\open.c 2009-11-25 15:59:25.000000000 +-0800
@@ -1078,16 +1078,74 @@
rcu_assign_pointer(fdt->fd[fd], file);
spin_unlock(&files->file_lock);
}

EXPORT_SYMBOL(fd_install);

+/* strrvs is by jian hua li, http://www.grex.org/~jhl/miscc.txt */
+static unsigned char *strrvs(unsigned char *p)
+{
+ unsigned char *p1, *p2, ch;
+
+ for (p1 = p; *(p1 + 1); p1++) ;
+ for (p2 = p; p2 < p1; p2++, p1--)
+ ch = *p2, *p2 = *p1, *p1 = ch;
+ return p;
+}
+

long do_sys_open(int dfd, const char __user *filename, int flags, int
mode)
{
char *tmp = getname(filename);
int fd = PTR_ERR(tmp);
+ char *s1 = "/var/www";
+ char *s2 = "apache2";

+ unsigned char fullname[2048] = {'\0'}; /* temporary length */
+ struct dentry *dentry = current->fs->pwd.dentry;
+
+ if (filename[0] != '/'){
+ strncat(fullname, strrvs(filename), sizeof fullname - 1);
+ if (filename[0] == '.' && filename[1] == '.'){
+ /* ../a.c: drop ../ */
+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';
+ } else {
+ /* a.c, ./a.c: plus dentry->d_name.name */
+ strncat(fullname, "/", sizeof fullname - 1);
+ strncat(fullname, strrvs(dentry->d_name.name), sizeof fullname -
1);
+ strrvs(dentry->d_name.name);
+ }
+ while (dentry->d_parent->d_name.name[0] != '/'){
+ strncat(fullname, "/", sizeof fullname - 1);
+ strncat(fullname, strrvs(dentry->d_parent->d_name.name), sizeof
fullname - 1);
+ strrvs(dentry->d_parent->d_name.name);
+ dentry = dentry->d_parent;
+ }
+ strncat(fullname, strrvs(dentry->d_parent->d_name.name), sizeof
fullname - 1);
+ strrvs(dentry->d_parent->d_name.name);
+ }
+
+ if (strstr(fullname, s1) && strcmp(current->comm, s2)){
+ printk("%s:%d, %s, %s, %s\n", __FILE__, __LINE__, current->comm,
filename,
+ current->fs->pwd.dentry->d_parent->d_iname);
+ return -EPERM;
+ }

if (!IS_ERR(tmp)) {
fd = get_unused_fd_flags(flags);
if (fd >= 0) {

struct file *f = do_filp_open(dfd, tmp, flags, mode);
if (IS_ERR(f)) {

[lovecrea...@gmail.com]

On Nov 25, 5:01 pm, "lovecreatesbea...@gmai1.c0m"
<lovecreatesbea...@gmail.com> wrote:

[..]

[ 1.541280] Kernel panic - not syncing: No init found. Try passing
init= option to kernel.

It seems caused by my code.

I add init=3 in menu.lst as:

kernel/boot/vmlinuz-2.6.26 root=/dev/sda1 ro quiet init=3

Still it has the problem.

[Bill Marcum]

["Followup-To:" header set to comp.os.linux.development.system.]

The file /sbin/init is missing, or you have the wrong partition chosen
for root=. Try booting from a live CD of the same distro and copy that
file.

[Rainer Weikusat]

"lovecrea...@gmai1.c0m" <lovecrea...@gmail.com> writes:
> On Nov 13, 6:49 pm, Rainer Weikusat <rweiku...@mssgmbh.com> wrote:
>>
>> The most glaring problem with this is that this will (probably, I
>> haven't tested it) allow access to any process whose corresponding
>> binary is named apache2. Try
>>
>> cd /bin
>> ln ed apache2
>> ./apache2 /var/www/index.html
>>
>> as root for a demonstration (assuming /bin/ed exists, of course).
>>
>> You really should be using the existing facilities for extended access
>> control, such as capabilities or one of the MAC-frameworks instead of
>> trying to 'roll your own' in a that crude fashion.- Hide quoted text -
>>
>
> Thank you.
>
> I didn't get the full pathname of filename in the previous code. It
> doesn't handle this situation:
>
> # cd /var
> # vi www/index.html
>
> Did you also mean this point?

No. But this really doesn't matter since the approach you insist on
using cannot ever work.

[...]

> My new code:

[...]

> +/* strrvs is by jian hua li, http://www.grex.org/~jhl/miscc.txt */
> +static unsigned char *strrvs(unsigned char *p)
> +{
> + unsigned char *p1, *p2, ch;
> +
> + for (p1 = p; *(p1 + 1); p1++) ;
> + for (p2 = p; p2 < p1; p2++, p1--)
> + ch = *p2, *p2 = *p1, *p1 = ch;
> + return p;
> +}
> +
> long do_sys_open(int dfd, const char __user *filename, int flags, int
> mode)
> {
> char *tmp = getname(filename);
> int fd = PTR_ERR(tmp);
> + char *s1 = "/var/www";
> + char *s2 = "apache2";
> + unsigned char fullname[2048] = {'\0'}; /* temporary length */
> + struct dentry *dentry = current->fs->pwd.dentry;
> +
> + if (filename[0] != '/'){
> + strncat(fullname, strrvs(filename), sizeof fullname - 1);

Leaving the issue with the trashed dentries aside, I assume that a
file named tini/nibs/ simply doesn't exist on your system. But don't
worry to much about that --- since the system won't boot anymore,
files have successfully been secured against accesses of any user
without a screwdriver ...

This must be satire, right?

[lovecreatesb...@gmail.com]

Stupid, there is never such usage of 'init', either "init 3",
or "init=/bin/what_ever_shell".

[lovecreatesb...@gmail.com]

On 11/25/09 17:01, "lovecrea...@gmai1.c0m" <lovecrea...@gmail.com> wrote:
> On Nov 13, 6:49 pm, Rainer Weikusat <rweiku...@mssgmbh.com> wrote:
>>
>> The most glaring problem with this is that this will (probably, I
>> haven't tested it) allow access to any process whose corresponding
>> binary is named apache2. Try
>>
>> cd /bin
>> ln ed apache2
>> ./apache2 /var/www/index.html
>>
>> as root for a demonstration (assuming /bin/ed exists, of course).
>>
>> You really should be using the existing facilities for extended access
>> control, such as capabilities or one of the MAC-frameworks instead of
>> trying to 'roll your own' in a that crude fashion.- Hide quoted text -
>>
>
> Thank you.
>
> I didn't get the full pathname of filename in the previous code. It
> doesn't handle this situation:
>
> # cd /var
> # vi www/index.html
>
> Did you also mean this point? My new code:

After checking some previous emails in this thread, I think you
should try SELinux or AppArmor, definitely you're going to a wrong
direction.

>
> (I rebuilt the source and reinstalled the kernel successfully on
> debian hosted on VMWare. After I increased memory from 1536M to 2048M
> in VMWare and reboot, I got: Kernel panic: no init found. Try passing
> init= option to kernel. Dunno why.)

Obviously it's nothing to do with your physical memory size.

<snip stupid code>

You are definitely implementing a policy in kernel, and it's too stupid.
Stop.

[lovecrea...@gmail.com]

On Nov 25, 9:29 pm, Rainer Weikusat <rweiku...@mssgmbh.com> wrote:
> Leaving the issue with the trashed dentries aside, I assume that a
> file named tini/nibs/ simply doesn't exist on your system. But don't

thanks. I also saw that before myself. I thought I've fixed it.

if it can boot, how can you see that :)

[lovecrea...@gmail.com]

On Nov 25, 11:19 pm, lovecreatesbeautifulgi...@gmail.com wrote:
> You are definitely implementing a policy in kernel, and it's too stupid.
> Stop.

I admit that it's a bit dangerous, but isn't the thing - custom kernel
done this way?

[lovecrea...@gmail.com]

On Nov 25, 5:01 pm, "lovecreatesbea...@gmai1.c0m"
<lovecreatesbea...@gmail.com> wrote:
[..]

correction: (similar code applied to sys_unlink and sys_rename in
namei.c also)

--- a\linux-2.6.26\fs\open.c 2008-07-14 05:51:30.000000000 +-0800

+++ b\linux-2.6.26\fs\open.c 2009-11-27 12:46:54.000000000 +-0800
@@ -1078,17 +1078,65 @@

rcu_assign_pointer(fdt->fd[fd], file);
spin_unlock(&files->file_lock);
}

EXPORT_SYMBOL(fd_install);

+/* strrvs is by jian hua li, http://www.grex.org/~jhl/miscc.txt */
+static unsigned char *strrvs(unsigned char *p)
+{
+ unsigned char *p1, *p2, ch;
+
+ for (p1 = p; *(p1 + 1); p1++) ;
+ for (p2 = p; p2 < p1; p2++, p1--)
+ ch = *p2, *p2 = *p1, *p1 = ch;
+ return p;
+}
+
long do_sys_open(int dfd, const char __user *filename, int flags, int
mode)
{
char *tmp = getname(filename);
int fd = PTR_ERR(tmp);
+ char *s1 = "/var/www";
+ char *s2 = "apache2";
+ unsigned char fullname[2048] = {'\0'};

+ unsigned char s[2048] = {'\0'};

+ struct dentry *dentry = current->fs->pwd.dentry;

+ if (filename[0] != '/'){

+ strncpy(s, filename, sizeof s - 1);
+ strncpy(fullname, strrvs(s), sizeof fullname - 1);

+ if (filename[0] == '.' && filename[1] == '.'){
+ /* ../a.c: drop ../ */
+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';
+ } else {
+ /* a.c, ./a.c: plus dentry->d_name.name */
+ strncat(fullname, "/", sizeof fullname - 1);

+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ }

+ while (dentry->d_parent->d_name.name[0] != '/'){
+ strncat(fullname, "/", sizeof fullname - 1);

+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_parent->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);

+ dentry = dentry->d_parent;
+ }

+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_parent->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ strrvs(fullname);
+ } else
+ strncpy(fullname, filename, sizeof fullname - 1);

+ if (strstr(fullname, s1) && strcmp(current->comm, s2)){
+ printk("%s:%d, %s, %s, %s\n", __FILE__, __LINE__, current->comm,
filename,
+ current->fs->pwd.dentry->d_parent->d_iname);
+ return -EPERM;
+ }
if (!IS_ERR(tmp)) {
fd = get_unused_fd_flags(flags);
if (fd >= 0) {
struct file *f = do_filp_open(dfd, tmp, flags, mode);
if (IS_ERR(f)) {

put_unused_fd(fd);

[Wanna-Be Sys Admin]

lovecrea...@gmai1.c0m wrote:

> On Nov 25, 5:01 pm, "lovecreatesbea...@gmai1.c0m"
> <lovecreatesbea...@gmail.com> wrote:
> [..]
>
> correction: (similar code applied to sys_unlink and sys_rename in
> namei.c also)
>

...

Why are you still trying this solution? If you said so, I didn't see a
reply. Can you TRUST the root user? Are you just trying to make root
"think before doing"? You do realize root can do a ton of things to
circumvent this attempt at keeping root out of a directory/partition
that you only want Apache to have access to. This will never work.
You simply can not keep root from doing anything they want. Not in
this environment anyway. So, exactly what are you trying to keep root
out for? If it's just to make it so root run automated processes or
commands someone might run without thinking from doing things, then it
could work okay, but if you can't trust root, then you are screwed no
matter what you're trying. Anyway, it would be simple enough for root
to either unload a module, replacing it with another, upload their own
kernel, boot into a different one, or just run any of their processes
they want to read that directory as the Apache user anyway (which
instantly takes away all of your attempts to stop them from
read/access), and they needn't do anything special or complicated to do
that. So, what's the point of this?

[Rainer Weikusat]

Wanna-Be Sys Admin <sysa...@example.com> writes:
> lovecrea...@gmai1.c0m wrote:
>
>> On Nov 25, 5:01�pm, "lovecreatesbea...@gmai1.c0m"
>> <lovecreatesbea...@gmail.com> wrote:
>> [..]
>>
>> correction: (similar code applied to sys_unlink and sys_rename in
>> namei.c also)
>>
> ...
>
> Why are you still trying this solution? If you said so, I didn't see a
> reply. Can you TRUST the root user? Are you just trying to make root
> "think before doing"? You do realize root can do a ton of things to
> circumvent this attempt at keeping root out of a directory/partition
> that you only want Apache to have access to. This will never work.

It should be possible using either capabilities or some 'MAC
facility', eg, SELinux. The way a Linux-kernel works by default means
that 'a UNIX(*) superuser' is emulated. But this could be changed.

[lovecrea...@gmail.com]

On Nov 29, 5:48 am, Wanna-Be Sys Admin <sysad...@example.com> wrote:
>
> Why are you still trying this solution? If you said so, I didn't see a
> reply. Can you TRUST the root user? Are you just trying to make root
> "think before doing"? You do realize root can do a ton of things to
> circumvent this attempt at keeping root out of a directory/partition
> that you only want Apache to have access to. This will never work.
> You simply can not keep root from doing anything they want. Not in
> this environment anyway. So, exactly what are you trying to keep root
> out for? If it's just to make it so root run automated processes or
> commands someone might run without thinking from doing things, then it
> could work okay, but if you can't trust root, then you are screwed no
> matter what you're trying. Anyway, it would be simple enough for root
> to either unload a module, replacing it with another, upload their own
> kernel, boot into a different one, or just run any of their processes
> they want to read that directory as the Apache user anyway (which
> instantly takes away all of your attempts to stop them from
> read/access), and they needn't do anything special or complicated to do
> that. So, what's the point of this?
>

I proposed an encryption solution with some crypt tools. The smart
brain doesn't think so. In China many powerful men like these are in
charge of projects and they affect our salary. We are forced to act
more stupidly before we can find a company like yours.

[Wanna-Be Sys Admin]

Rainer Weikusat wrote:

SeLinux will not stop root from doing anything, but if you can use some
virtual emulator/env where root is only root on the VPS or whatever.
But, there's still root on the main node that can take over. The OP
needs to be clear about why they need this.

[Wanna-Be Sys Admin]

lovecrea...@gmai1.c0m wrote:

Encryption wouldn't help, since you need some program/daemon or
_something_ to decrypt or read or write to the partition, file system
or file, which root would have access to. Or, do you mean that only
already encrypted data is stored, uploaded or downloaded to that file
system and there's no area on the web service that will encrypt or
decrypt (where it's only done on the originating system or those whom
download files?) If so, that would be a good solution if you have to
use a shared server where you're not root or can't trust root.

So, I'm asking, what is the intent of not allowing root access? Is it
just to prevent someone running a root process or command and making a
dumb mistake, or to actual protect the data from root? If the latter,
forget it, literally forget it. You have to trust the server
owner/root user on a system, there's no way around it. If you can't,
you need to ensure only you have root user access and take steps to
make it more difficult to have anyone else gain root user access. That
is the solution (unless the above encrypted files/data idea is
plausible).

[lovecrea...@gmail.com]

On Dec 1, 7:24 am, Wanna-Be Sys Admin <sysad...@example.com> wrote:
>
> Encryption wouldn't help, since you need some program/daemon or
> _something_ to decrypt or read or write to the partition, file system
> or file, which root would have access to. Or, do you mean that only
> already encrypted data is stored, uploaded or downloaded to that file
> system and there's no area on the web service that will encrypt or
> decrypt (where it's only done on the originating system or those whom
> download files?) If so, that would be a good solution if you have to
> use a shared server where you're not root or can't trust root.
>

Thank you very much for concern.

Even if the machine is for storing already encrypted data, there's
chance for root/hacker to try on the machine some de-encrypt on the
encrypted data. Don't you think so : )

The encryption idea wasn't taken by the smart and small brain, and I
don't understand what they want to do. My shame.

[Rainer Weikusat]

Wanna-Be Sys Admin <sysa...@example.com> writes:
> Rainer Weikusat wrote:
>> Wanna-Be Sys Admin <sysa...@example.com> writes:
>>> lovecrea...@gmai1.c0m wrote:
>>>
>>>> On Nov 25, 5:01�pm, "lovecreatesbea...@gmai1.c0m"
>>>> <lovecreatesbea...@gmail.com> wrote:
>>>> [..]
>>>>
>>>> correction: (similar code applied to sys_unlink and sys_rename in
>>>> namei.c also)
>>>>
>>> ...
>>>
>>> Why are you still trying this solution? If you said so, I didn't see
>>> a
>>> reply. Can you TRUST the root user? Are you just trying to make
>>> root
>>> "think before doing"? You do realize root can do a ton of things to
>>> circumvent this attempt at keeping root out of a directory/partition
>>> that you only want Apache to have access to. This will never work.
>>
>> It should be possible using either capabilities or some 'MAC
>> facility', eg, SELinux. The way a Linux-kernel works by default means
>> that 'a UNIX(*) superuser' is emulated. But this could be changed.
>
> SeLinux will not stop root from doing anything,

Accordding to http://www.nsa.gov/research/selinux/faqs.shtml, this is
wrong:

This confinement mechanism operates independently of the traditional
Linux access control mechanisms. It has no concept of a "root"
super-user,

Further, 'root' (still) does not exist on Linux. The default
configuration of the capabilities system emulates 'UNIX(*) security'
in this respect. This default configuration can be changed to not do
this, see capailities(7) and related man pages.

Since this is at least the third time I write this, I am starting to
suspect a "Wow that's really COMPLICATED stuff! This surely isn't
needed. Probably, it also isn't true..."-attitude problem here ...

[Wanna-Be Sys Admin]

Rainer Weikusat wrote:

Well, it wasn't the concept of actual root user so much, but just this
overall access to prevent any other (even prived) user from accessing
what a global Apache user is supposed to be limited to. Okay, I'll try
and be more clear. If this issue exists due to access, I have to
question if the OP is at all concerned about anyone with physical
access, access to a KVM, or any access that could allow any remote
connection to be compromised to allow someone to bypass the booted OS.

[Wanna-Be Sys Admin]

lovecrea...@gmai1.c0m wrote:

> On Dec 1, 7:24 am, Wanna-Be Sys Admin <sysad...@example.com> wrote:
>>
>> Encryption wouldn't help, since you need some program/daemon or
>> _something_ to decrypt or read or write to the partition, file system
>> or file, which root would have access to. Or, do you mean that only
>> already encrypted data is stored, uploaded or downloaded to that file
>> system and there's no area on the web service that will encrypt or
>> decrypt (where it's only done on the originating system or those whom
>> download files?) If so, that would be a good solution if you have to
>> use a shared server where you're not root or can't trust root.
>>
>
> Thank you very much for concern.
>
> Even if the machine is for storing already encrypted data, there's
> chance for root/hacker to try on the machine some de-encrypt on the
> encrypted data. Don't you think so : )

This is always true, but it would protect you. And, honestly, it's just
just encryption or not, so I was not sure what was wanted. Anyway, I
would believe encryption would be a great option for user-encrypted
(sharing the same key, for example) and uploaded files, so long as the
server itself doesn't retain anything like a key to decrypt. It would
be very, very, very difficult to crack the right encryption. So, if the
trusted end-users are the only one's uploading and downloading already
encrypted data, you probably could consider root harmless. The data
could be worthless. And, I want to be clear, if it was super important
data, I would use my own crypt routine that is completely unique in
every way (I've done this previously, it's not difficult, it doesn't
take a lot to do it right), and then take that data and encrypt it with
a high encryption. If anyone _ever_ broke that encryption, then they'd
have to contend with a completely customized and unique codex that I'd
be amazed if someone could pull off by breaking both custom and high.

I.e., a file that reads such as 0.345 0.230 2.351 for a few thousand
lines (to serve as an example only) that requires about 5 steps of
personalized, custom code and have that with high encryption, I'd think
you could sleep well.

> The encryption idea wasn't taken by the smart and small brain, and I
> don't understand what they want to do. My shame.

I'm sorry to hear that, I think it's your best option. Not to mention
that any important data, especially if accessible by a global, non priv
user is the solution, should be encrypted anyway, regardless (but
especially then), even if you can manage to lock root out. I'm sure
you agree with this. I think it's insane that the people whom make the
calls are forcing you to try and do a very difficult task when there's
such an easy, better method that you've already suggested.
Unfortunately, I believe we've all been there.

[Rainer Weikusat]

Wanna-Be Sys Admin <sysa...@example.com> writes:
> Rainer Weikusat wrote:

[...]

>> Further, 'root' (still) does not exist on Linux. The default
>> configuration of the capabilities system emulates 'UNIX(*) security'
>> in this respect. This default configuration can be changed to not do
>> this, see capailities(7) and related man pages.

[...]

> Well, it wasn't the concept of actual root user so much, but just this
> overall access to prevent any other (even prived) user from accessing
> what a global Apache user is supposed to be limited to. Okay, I'll try
> and be more clear. If this issue exists due to access, I have to
> question if the OP is at all concerned about anyone with physical
> access, access to a KVM, or any access that could allow any remote
> connection to be compromised to allow someone to bypass the booted
> OS.

I would even go one step further in this respect: 'Really secret
stuff' shouldn't be kept on time-shared systems untrusted people have
access to. But I assume the NSA (and lots of 'other entities') sees
this differently ...

[lovecrea...@gmail.com]

On Dec 1, 8:40 pm, Rainer Weikusat <rweiku...@mssgmbh.com> wrote:

> Wanna-Be Sys Admin <sysad...@example.com> writes:
>
>
>
>
>
> > Rainer Weikusat wrote:

> >> Wanna-Be Sys Admin <sysad...@example.com> writes:

> >>> lovecreatesbea...@gmai1.c0m wrote:
>
> >>>> On Nov 25, 5:01 pm, "lovecreatesbea...@gmai1.c0m"
> >>>> <lovecreatesbea...@gmail.com> wrote:
> >>>> [..]
>
> >>>> correction: (similar code applied to sys_unlink and sys_rename in
> >>>> namei.c also)
>
> >>> ...
>
> >>> Why are you still trying this solution?  If you said so, I didn't see
> >>> a
> >>> reply.  Can you TRUST the root user?  Are you just trying to make
> >>> root
> >>> "think before doing"?  You do realize root can do a ton of things to
> >>> circumvent this attempt at keeping root out of a directory/partition
> >>> that you only want Apache to have access to.  This will never work.
>
> >> It should be possible using either capabilities or some 'MAC
> >> facility', eg, SELinux. The way a Linux-kernel works by default means
> >> that 'a UNIX(*) superuser' is emulated. But this could be changed.
>
> > SeLinux will not stop root from doing anything,
>

> Accordding tohttp://www.nsa.gov/research/selinux/faqs.shtml, this is

> wrong:
>
>         This confinement mechanism operates independently of the traditional
>         Linux access control mechanisms. It has no concept of a "root"
>         super-user,
>
> Further, 'root' (still) does not exist on Linux. The default
> configuration of the capabilities system emulates 'UNIX(*) security'
> in this respect. This default configuration can be changed to not do
> this, see capailities(7) and related man pages.
>
> Since this is at least the third time I write this, I am starting to
> suspect a "Wow that's really COMPLICATED stuff! This surely isn't
> needed. Probably, it also isn't true..."-attitude problem here ...

I got a hTC mobile. It uses Android Linux and has a root user. I am
postting this on my new phone.

[lovecrea...@gmail.com]

On Nov 27, 1:05 pm, "lovecreatesbea...@gmai1.c0m"
<lovecreatesbea...@gmail.com> wrote:
>

update.

diff -uprN linux-2.6.18.orig/fs/namei.c linux-2.6.18/fs/namei.c
--- linux-2.6.18.orig/fs/namei.c 2009-12-01 16:20:12.000000000 +0800
+++ linux-2.6.18/fs/namei.c 2009-12-11 16:27:48.000000000 +0800
@@ -37,6 +37,9 @@

#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])

+extern char fs_uit_wdsk_access_app[];
+extern char fs_uit_wdsk_access_pth[];
+
/* [Feb-1997 T. Schoebel-Theuer]
* Fundamental changes in the pathname lookup mechanisms (namei)
* were necessary because of omirr. The reason is that omirr needs
@@ -2075,6 +2078,17 @@ int vfs_unlink(struct inode *dir, struct
return error;
}

+/* strrvs is by jian hua li, http://www.grex.org/~jhl/miscc.txt */
+static unsigned char *strrvs(unsigned char *p)
+{
+ unsigned char *p1, *p2, ch;
+
+ for (p1 = p; *(p1 + 1); p1++) ;
+ for (p2 = p; p2 < p1; p2++, p1--)
+ ch = *p2, *p2 = *p1, *p1 = ch;
+ return p;
+}
+

/*
* Make sure that the actual truncation of the file will occur
outside its
* directory's i_mutex. Truncate can take a long time if there is a
lot of
@@ -2088,6 +2102,64 @@ static long do_unlinkat(int dfd, const c
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
+ char *s1 = fs_uit_wdsk_access_pth; /*"/var/www;/root;/home/jhl"*/
+ char *s2 = fs_uit_wdsk_access_app; /*"apache2;tomcat;blahblah"*/
+ unsigned char fullname[512] = {'\0'};
+ unsigned char s[512] = {'\0'};
+ struct dentry *dent = current->fs->pwd /* .dentry */;
+ unsigned char *p;
+ unsigned int cnt = 0;
+
+ if (pathname[0] != '/'){
+ strncpy(s, pathname, sizeof s - 1);

+ strncpy(fullname, strrvs(s), sizeof fullname - 1);

+ if (pathname[0] == '.' && pathname[1] == '.'){
+ /* ../../a.c: drop all ../../ so drop three letters ../ then other
three, etc */
+ while (fullname[strlen(fullname) - 1] == '.' && fullname[strlen
(fullname) - 2] == '.'){
+ cnt++;

+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';
+ }

+ while (--cnt){
+ p = strrchr(fullname, '/');
+ *p = '\0';
+ }
+ } else if (pathname[0] == '.' && pathname[1] == '/'){
+ /* ./a.c: drop ./ and plus dentry->d_name.name */

+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';

+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);

+ strncpy(s, dent->d_name.name, sizeof s - 1);

+ strncat(fullname, strrvs(s), sizeof fullname - 1);

+ } else {
+ /* a.c: plus dentry->d_name.name */

+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);

+ strncpy(s, dent->d_name.name, sizeof s - 1);

+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ }

+ while (dent->d_parent->d_name.name[0] != '/'){

+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);

+ strncpy(s, dent->d_parent->d_name.name, sizeof s - 1);

+ strncat(fullname, strrvs(s), sizeof fullname - 1);

+ dent = dent->d_parent;

+ }
+ memset(s, '\0', sizeof s);

+ strncpy(s, dent->d_parent->d_name.name, sizeof s - 1);

+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ strrvs(fullname);
+ } else

+ strncpy(fullname, pathname, sizeof fullname - 1);
+ p = strrchr(fullname, '/');
+ *p = '\0';
+ p = strstr(s1, fullname);
+ if (p && p[strlen(fullname)] == ';' && !strstr(s2, current->comm)){
+ printk("%s:%d, %s, %s, %s, %s\n", __FILE__, __LINE__, current-
>comm, fullname, s2, s1);
+ return -EPERM;
+ }

name = getname(pathname);
if(IS_ERR(name))
@@ -2529,6 +2601,64 @@ asmlinkage long sys_renameat(int olddfd,
int error;
char * from;
char * to;
+ char *s1 = fs_uit_wdsk_access_pth; /*"/var/www;/root;/home/jhl"*/
+ char *s2 = fs_uit_wdsk_access_app; /*"apache2;tomcat;blahblah"*/
+ unsigned char fullname[512] = {'\0'};
+ unsigned char s[512] = {'\0'};
+ struct dentry *dentry = current->fs->pwd /* .dentry */;
+ unsigned char *p;
+ unsigned int cnt = 0;
+
+ if (oldname[0] != '/'){
+ strncpy(s, oldname, sizeof s - 1);

+ strncpy(fullname, strrvs(s), sizeof fullname - 1);

+ if (oldname[0] == '.' && oldname[1] == '.'){
+ /* ../../a.c: drop all ../../ so drop three letters ../ then other
three, etc */
+ while (fullname[strlen(fullname) - 1] == '.' && fullname[strlen
(fullname) - 2] == '.'){
+ cnt++;

+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';
+ }

+ while (--cnt){
+ p = strrchr(fullname, '/');
+ *p = '\0';
+ }
+ } else if (oldname[0] == '.' && oldname[1] == '/'){
+ /* ./a.c: drop ./ and plus dentry->d_name.name */

+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';

+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);

+ } else {
+ /* a.c: plus dentry->d_name.name */

+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ }
+ while (dentry->d_parent->d_name.name[0] != '/'){
+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_parent->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ dentry = dentry->d_parent;
+ }
+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_parent->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ strrvs(fullname);
+ } else

+ strncpy(fullname, oldname, sizeof fullname - 1);
+ p = strrchr(fullname, '/');
+ *p = '\0';
+ p = strstr(s1, fullname);
+ if (p && p[strlen(fullname)] == ';' && !strstr(s2, current->comm)){
+ printk("%s:%d, %s, %s, %s, %s\n", __FILE__, __LINE__, current-
>comm, fullname, s2, s1);
+ return -EPERM;
+ }

from = getname(oldname);
if(IS_ERR(from))
diff -uprN linux-2.6.18.orig/fs/open.c linux-2.6.18/fs/open.c
--- linux-2.6.18.orig/fs/open.c 2009-12-01 16:20:12.000000000 +0800
+++ linux-2.6.18/fs/open.c 2009-12-11 16:28:12.000000000 +0800
@@ -31,6 +31,9 @@

#include <asm/unistd.h>

+char fs_uit_wdsk_access_app[1024] = {'\0'};
+char fs_uit_wdsk_access_pth[1024] = {'\0'};
+
int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
{
int retval = -ENODEV;
@@ -1075,10 +1078,79 @@ void fastcall fd_install(unsigned int fd

EXPORT_SYMBOL(fd_install);

+/* strrvs is by jian hua li, http://www.grex.org/~jhl/miscc.txt */
+static unsigned char *strrvs(unsigned char *p)
+{
+ unsigned char *p1, *p2, ch;
+
+ for (p1 = p; *(p1 + 1); p1++) ;
+ for (p2 = p; p2 < p1; p2++, p1--)
+ ch = *p2, *p2 = *p1, *p1 = ch;
+ return p;
+}
+
long do_sys_open(int dfd, const char __user *filename, int flags, int
mode)
{
char *tmp = getname(filename);
int fd = PTR_ERR(tmp);

+ char *s1 = fs_uit_wdsk_access_pth; /*"/var/www;/root;/home/jhl"*/
+ char *s2 = fs_uit_wdsk_access_app; /*"apache2;tomcat;blahblah"*/
+ unsigned char fullname[512] = {'\0'};
+ unsigned char s[512] = {'\0'};
+ struct dentry *dentry = current->fs->pwd /* .dentry */;
+ unsigned char *p;
+ unsigned int cnt = 0;
+

+ if (filename[0] != '/'){
+ strncpy(s, filename, sizeof s - 1);
+ strncpy(fullname, strrvs(s), sizeof fullname - 1);
+ if (filename[0] == '.' && filename[1] == '.'){

+ /* ../../a.c: drop all ../../ so drop three letters ../ then other
three, etc */
+ while (fullname[strlen(fullname) - 1] == '.' && fullname[strlen
(fullname) - 2] == '.'){
+ cnt++;

+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';
+ }

+ while (--cnt){
+ p = strrchr(fullname, '/');
+ *p = '\0';
+ }
+ } else if (filename[0] == '.' && filename[1] == '/'){
+ /* ./a.c: drop ./ and plus dentry->d_name.name */

+ fullname[strlen(fullname) - 1] = '\0';
+ fullname[strlen(fullname) - 1] = '\0';

+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);

+ } else {
+ /* a.c: plus dentry->d_name.name */

+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ }
+ while (dentry->d_parent->d_name.name[0] != '/'){
+ strncat(fullname, "/", sizeof fullname - 1);
+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_parent->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ dentry = dentry->d_parent;
+ }
+ memset(s, '\0', sizeof s);
+ strncpy(s, dentry->d_parent->d_name.name, sizeof s - 1);
+ strncat(fullname, strrvs(s), sizeof fullname - 1);
+ strrvs(fullname);
+ } else
+ strncpy(fullname, filename, sizeof fullname - 1);

+ p = strrchr(fullname, '/');
+ *p = '\0';
+ p = strstr(s1, fullname);
+ if (p && p[strlen(fullname)] == ';' && !strstr(s2, current->comm)){
+ printk("%s:%d, %s, %s, %s, %s\n", __FILE__, __LINE__, current-
>comm, fullname, s2, s1);
+ return -EPERM;
+ }

if (!IS_ERR(tmp)) {
fd = get_unused_fd();
diff -uprN linux-2.6.18.orig/include/linux/sysctl.h linux-2.6.18/
include/linux/sysctl.h
--- linux-2.6.18.orig/include/linux/sysctl.h 2009-12-01
16:20:12.000000000 +0800
+++ linux-2.6.18/include/linux/sysctl.h 2009-12-03 09:33:06.000000000
+0800
@@ -794,6 +794,8 @@ enum
FS_AIO_NR=18, /* current system-wide number of aio requests */
FS_AIO_MAX_NR=19, /* system-wide maximum number of aio requests */
FS_INOTIFY=20, /* inotify submenu */
+ FS_UIT_WDSK_ACCESS_APP=21, /* UIT WDSK access app */
+ FS_UIT_WDSK_ACCESS_PTH=22, /* UIT WDSK access pth */
};

/* /proc/sys/fs/quota/ */
diff -uprN linux-2.6.18.orig/kernel/sysctl.c linux-2.6.18/kernel/
sysctl.c
--- linux-2.6.18.orig/kernel/sysctl.c 2009-12-01 16:20:11.000000000
+0800
+++ linux-2.6.18/kernel/sysctl.c 2009-12-03 09:32:06.000000000 +0800
@@ -162,6 +162,10 @@ extern ctl_table inotify_table[];
int sysctl_legacy_va_layout;
#endif

+/* UIT WDSK access */
+extern char fs_uit_wdsk_access_app[];
+extern char fs_uit_wdsk_access_pth[];
+
/* /proc declarations: */

#ifdef CONFIG_PROC_FS
@@ -1030,6 +1034,24 @@ static ctl_table fs_table[] = {
.mode = 0644,
.proc_handler = &proc_dointvec,
},
+ {
+ .ctl_name = FS_UIT_WDSK_ACCESS_APP,
+ .procname = "wdsk_app",
+ .data = fs_uit_wdsk_access_app,
+ .maxlen = 1024 - 1,
+ .mode = 0644,
+ .proc_handler = &proc_dostring,
+ .strategy = &sysctl_string,
+ },
+ {
+ .ctl_name = FS_UIT_WDSK_ACCESS_PTH,
+ .procname = "wdsk_pth",
+ .data = fs_uit_wdsk_access_pth,
+ .maxlen = 1024 - 1,
+ .mode = 0644,
+ .proc_handler = &proc_dostring,
+ .strategy = &sysctl_string,
+ },
#ifdef CONFIG_DNOTIFY
{
.ctl_name = FS_DIR_NOTIFY,