lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 13 Dec 2007 17:24:48 +0100
From:	Martin Pitt <martin.pitt@...ntu.com>
To:	linux-kernel@...r.kernel.org
Cc:	Ben Collins <ben.collins@...ntu.com>
Subject: Providing an ELF flag for disabling LD_PRELOAD/ptrace()

Hi kernel developers,

one thing that has bothered me for a long time already is the
complete lack of a security boundary between processes of the same
user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
default for all users, and especially for developers this is a good
thing.

However, a lot of programs that we have deal with passwords and other
secrets which deserve some protection, like passwords you type into
ssh, screensavers, seahorse, etc.

This problem has become more pressing with the advent of PolicyKit,
where even fewer processes have the in-built privilege separation
between root and users.

This concerns a scenario where you might have a rogue trojan in your
session (e. g. a malicious firefox plugin or an autostart shell
script). Admittedly, if an attacker gets that far he has almost won
the machine and can easily get more privileges with some social
engineering and spoofing, but I feel it is worth the small effort to
at least not allow reading passwords from other processes' memory
without making any noise at all. This would also greatly reduce the
potential of a local trojan spreading itself over existing ssh
connections to other hosts (provided that the ssh executable is
protected like that, which it should be anyway because it deals with
passwords).

What I want is the behaviour of suid/sgid executables (which do
something like an atomic prctl(PR_SET_DUMPABLE, 0) to disable vectors
like ptrace(), LD_PRELOAD, etc. However, making binaries setugid just
for that is less than ideal, since it requires a lot of code patching
(to reset the group) and packaging changes (to maintain the
sgid setting), as well as confusing security scanners, etc.

So I wonder whether we can define a flag in the ELF header which
triggers the same behaviour? Can we define an e_flags bit for that?

Thanks in advance for any comment or idea,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ