lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <m1hbl1eta6.fsf@fess.ebiederm.org>
Date:	Thu, 17 Jun 2010 05:29:53 -0700
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Kees Cook <kees.cook@...onical.com>
Cc:	linux-kernel@...r.kernel.org, Randy Dunlap <rdunlap@...otime.net>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Jiri Kosina <jkosina@...e.cz>,
	Dave Young <hidave.darkstar@...il.com>,
	Martin Schwidefsky <schwidefsky@...ibm.com>,
	Roland McGrath <roland@...hat.com>,
	Oleg Nesterov <oleg@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	David Howells <dhowells@...hat.com>,
	Ingo Molnar <mingo@...e.hu>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	linux-doc@...r.kernel.org
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope

Kees Cook <kees.cook@...onical.com> writes:

> As Linux grows in popularity, it will become a larger target for
> malware. One particularly troubling weakness of the Linux process
> interfaces is that a single user is able to examine the memory and
> running state of any of their processes. For example, if one application
> (e.g. Pidgin) was compromised, it would be possible for an attacker to
> attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
> etc) to extract additional credentials and continue to expand the scope
> of their attack without resorting to user-assisted phishing.
>
> This is not a theoretical problem. SSH session hijacking
> (http://www.storm.net.nz/projects/7) and arbitrary code injection
> (http://c-skills.blogspot.com/2007/05/injectso.html) attacks already
> exist and remain possible if PTRACE is allowed to operate as before.
> PTRACE is not commonly used by non-developers and non-admins, so system
> builders should be allowed the option to disable this debugging system.
>
> For a solution, some applications use prctl(PR_SET_DUMPABLE, ...) to
> specifically disallow such PTRACE attachment (e.g. ssh-agent), but many
> do not. A more general solution is to only allow PTRACE directly from a
> parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still
> work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID"
> still work as root).
>
> This patch is based on the patch in grsecurity. It includes a sysctl
> to enable the behavior via /proc/sys/kernel/ptrace_scope.  This could
> be expanded in the future to further restrict PTRACE to, for example,
> only CAP_SYS_PTRACE (scope 2) or only init (scope 3).

This is ineffective.  As an attacker after I gain access to a users
system on ubuntu I can wait around until a package gets an update,
and then run sudo and gain the power to do whatever I want.

Either that or I can inject something nasty into the suid pulse-audio.

I tell you what.  If you really want something effective, help Serge
and I finish getting the cross namespace issues fixed for the user
namespace.  When complete, it will possible for an unprivileged process
to create a new one, and since kernel capabilities along with everything
else will be local to it, running pidgin, or firefox, or another network
facing potentially buggy application in such a namespace will ensure that
even if the process is compromised it won't have privileges to ptrace another
process or do much else on the system.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ