HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
exit(0);
}
}
Solution B
/opt/ids/response/privB
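A setuid-root program with mode 4550, owned by root:ids. Mode 4550 sets the setuid bit and grants read and execute permission to the owner (root) and to members of group ids only; all other users have no access.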
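Code for privB program
Note: the listing reads argv[1], argv[11], argv[17] and argv[24] without first checking argc, and it parses the process ID with atoi(3C), which returns 0 for non-numeric input. Because any member of group ids can run this setuid-root program directly, a production version should verify argc and reject any process ID that is not positive before calling kill(2).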
#include <stdlib.h> /* atoi(3C) */
#include <unistd.h> /* setresuid(2) */
#include <signal.h> /* kill(2) */
/* This program is assumed to be a setuid-root program */
int main(int argc, char **argv)
{
int pid;
/* Turn off root privilege but save euid */
if( setresuid(-1, getuid(), geteuid()) == -1)
{
perror(“setresuid”);
exit(1);
}
/* Determine if a file modification alert */
if (atoi(argv[1]) == 2)
{
/* Determine if the target of the attack is /etc/passwd */
if (strcmp(argv[17],”/etc/passwd”) == 0)
{
/* Obtain process ID */
pid = atoi(argv[11]);
if (pid < 0)
{
fprintf(stderr,”Unknown process modified /etc/passwd n”,pid);
exit(1);
}
fprintf(stderr,”Process %d running %s modified
/etc/passwd n”,pid,argv[24]);
/* Turn on root privilege */
if( setresuid(-1, 0, -1) == -1)
{
perror(“setresuid”);
exit(1);
}
/* Kill offending process */
if (kill((pid_t)pid,SIGKILL) == -1)