OSEC

From: Knut Eckstein (knutacm.org)
Date: Sun Jan 20 2002 - 14:40:44 CST

    Hello all,

    during the last weeks I ported tct-1.09 to HP-UX 10.20.

    You can download the patch from

    http://www.isd.uni-stuttgart.de/~knut.eckstein/tct-hp.html

    You will also find there a summary of the tests I ran
    in order to verify the correct functioning of the port.

    A big thank you goes to Andreas Thuemmel who wrote two
    utility programs that are helpful when testing unrm on
    large files. You can also download them from the URL above.

    Further thanks go to Brian Carrier and Wietse Venema for answering
    questions that occurred during the port.

    During the tests I found two interesting problems. Maybe
    a HP-UX expert out there can point me to a solution:

    1. The pcat program in TCT uses ptrace(READDATA) to copy the TEXT,
    DATA and STACK segment of a process. It returns with EIO when trying
    to read the STACK area of the init process (PID==1). Therefore pcat
    will only return the TEXT and DATA segment of that particular process.
    I observed similar behaviour with "/bin/sh" and
    "/usr/dt/bin/dtrc". The initial ptrace(ATTACH) works fine as do the
    read operations on the TEXT and DATA segments. I know that OpenBSD and
    Linux flat out refuse a ptrace(ATTACH) to the init process for
    security reasons, but this seems to be a slightly different issue
    here. I also looked at the pst_vm_status.pst_flags and the
    pst_vm_status.pst_permission bits returned for each segment by
    pstat_getprocvm, but I can't see any differences between these
    "troublemaking" processes and others.

    2. When deleting a file that is still opened by a process, HP-UX does
    delete the directory entry but does not decrement the refcount to zero
    in the on-disk inode. Therefore, ils cannot report such a file, as
    it looks like a normal file on disk. Why does this behaviour differ
    from other Unix implementations? As far as I know, all other platforms
    that TCT is available for do not exhibit this behaviour.

    Further plans:

    - port tctutils
    - include support for HP-UX 11.00
    - look at acl(5) implementation and how to incorporate that
       information into TCT

    As this is a freetime project, I won't say anything about a schedule :-)

    Have fun (and send feedback/bug reports),

    Knut

    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com