[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <eou39g$a8r$1@taverner.cs.berkeley.edu>
Date: Sat, 20 Jan 2007 21:58:08 +0000 (UTC)
From: daw@...berkeley.edu (David Wagner)
To: linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Undo some of the pseudo-security madness
Samium Gromoff wrote:
>This patch removes the dropping of ADDR_NO_RANDOMIZE upon execution of setuid
>binaries.
>
>Why? The answer consists of two parts:
>
>Firstly, there are valid applications which need an unadulterated memory map.
>Some of those which do their memory management, like lisp systems (like SBCL).
>They try to achieve this by setting ADDR_NO_RANDOMIZE and reexecuting
>themselves.
>
>Secondly, there also are valid reasons to want those applications to be setuid
>root. Like poking hardware.
This has the unfortunate side-effect of making it easier for local
attackers to mount privilege escalation attacks against setuid binaries
-- even those setuid binaries that don't need unadulterated memory maps.
There's a cleaner solution to the problem case you mentioned. Rather than
re-exec()ing itself, the application could be split into two executables:
the first is a tiny setuid-root wrapper which sets ADDR_NO_RANDOMIZE and
then executes the second program; the second is not setuid-anything and does
all the real work. Such a decomposition is often better for security
for other reasons, too (such as the fact that the wrapper can drop all
unneeded privileges before exec()ing the second executable).
Why would you need an entire lisp system to be setuid root? That sounds
like a really bad idea. I fail to see why that is a relevant example.
Perhaps the fact that such a lisp system breaks if you have security features
enabled should tell you something.
It may be possible to defeat address space randomization in some cases,
but that doesn't mean address space randomization is worthless.
It sounds like there is a tradeoff between security and backwards
compatibility. I don't claim to know how to choose between those tradeoffs,
but I think one ought to at least be aware of the pros and cons on both
sides.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists