| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Jun 2010 05:29:53 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Kees Cook <kees.cook@...onical.com> Cc: linux-kernel@...r.kernel.org, Randy Dunlap <rdunlap@...otime.net>, Andrew Morton <akpm@...ux-foundation.org>, Jiri Kosina <jkosina@...e.cz>, Dave Young <hidave.darkstar@...il.com>, Martin Schwidefsky <schwidefsky@...ibm.com>, Roland McGrath <roland@...hat.com>, Oleg Nesterov <oleg@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, David Howells <dhowells@...hat.com>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, linux-doc@...r.kernel.org Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope Kees Cook <kees.cook@...onical.com> writes: > As Linux grows in popularity, it will become a larger target for > malware. One particularly troubling weakness of the Linux process > interfaces is that a single user is able to examine the memory and > running state of any of their processes. For example, if one application > (e.g. Pidgin) was compromised, it would be possible for an attacker to > attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, > etc) to extract additional credentials and continue to expand the scope > of their attack without resorting to user-assisted phishing. > > This is not a theoretical problem. SSH session hijacking > (http://www.storm.net.nz/projects/7) and arbitrary code injection > (http://c-skills.blogspot.com/2007/05/injectso.html) attacks already > exist and remain possible if PTRACE is allowed to operate as before. > PTRACE is not commonly used by non-developers and non-admins, so system > builders should be allowed the option to disable this debugging system. > > For a solution, some applications use prctl(PR_SET_DUMPABLE, ...) to > specifically disallow such PTRACE attachment (e.g. ssh-agent), but many > do not. A more general solution is to only allow PTRACE directly from a > parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still > work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID" > still work as root). > > This patch is based on the patch in grsecurity. It includes a sysctl > to enable the behavior via /proc/sys/kernel/ptrace_scope. This could > be expanded in the future to further restrict PTRACE to, for example, > only CAP_SYS_PTRACE (scope 2) or only init (scope 3). This is ineffective. As an attacker after I gain access to a users system on ubuntu I can wait around until a package gets an update, and then run sudo and gain the power to do whatever I want. Either that or I can inject something nasty into the suid pulse-audio. I tell you what. If you really want something effective, help Serge and I finish getting the cross namespace issues fixed for the user namespace. When complete, it will possible for an unprivileged process to create a new one, and since kernel capabilities along with everything else will be local to it, running pidgin, or firefox, or another network facing potentially buggy application in such a namespace will ensure that even if the process is compromised it won't have privileges to ptrace another process or do much else on the system. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists