Breaking Systems For Fun And Profit
Image by LoggaWiggler @ Pixabay

One in a Million

A lot of people love going to the casino. Many of those wish they could experience that thrill at work as well. As your friendly neighborhood systems admin you probably want to help them out. In this case that will take a couple of steps:

Enabling Systemtap on your system

The thrill of the casino requires Systemtap to be available on your system:

1
2
yum install systemtap kernel-devel-$(uname -r)
debuginfo-install kernel-$(uname -r)

If you do not want a compiler, debuginfo packages, and other development crap on your productions machines you can compile systemtap modules on one system, then deploy them to other systems and run them with the staprun command from systemtap-runtime

Creating the module

Create the following file as /root/one_in_a_million.stp:

1
2
3
4
5
#!/usr/bin/stap -g
probe kernel.function("may_open").return {
  chance = randint(1000000);
  if (euid() && !$return && chance >= 999999) $return = -13
}

Feel free to lower the 999999 number to make the module more fun.

Run the module

Either make the file you just created executable, or run the following command:

1
stap -vg /root/one_in_a_million.stp

What it does

One in a million file accesses that would normal succeed will now get a permission denied error.

Why it works

Systemtap allows probes to be attached in many, many places, both in the kernel and in userspace. When running in Guru mode (-g) variables can be altered as well from within those probes.

In our script we attach to the exit of the kernel may_open function. If that call would normally return success we now return error -13 (Permission Denied) based on a chance of 0.0001%.

TL;DR