Colin Watson [2008-04-27 13:19 +0100]: > > Can't you do something against ptrace in the binary itself and only > > for critical sections? > > You can (use prctl() to disable PR_SET_DUMPABLE), but it's only checked > on ptrace_attach so that would be racy. That's what the current Ubuntu version of libpolkit does (patch attached FYI). So far my feeling is that this is good enough for PolicyKit and the applications that use it. It prevents passwords from accidentally leaking to core dumps and programs which randomly ptrace() other processes from silently abusing gained PK privileges. In the end I did not worry too much about the startup race condition. If there is already a Trojan in the user's session, it is trivial to circumvent PR_SET_DUMPABLE, of course (by running the target application through gdb right from the start). But it is easy to call the PK dialog (or gksu/kdesu) with some crafted application name/reason as well, i. e. do some social engineering/phishing. So, having a standard group which sensitive applications could sgid to would be handy and fix the race on startup, but I consider it low-priority as long as we still have the 'fake UI' problem. A truly good solution for this is the "press Ctrl+Alt+Del before entering your password" schema, but even Windows abandonded it again, for usability reasons I guess. Thanks, Martin -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Attachment:
signature.asc
Description: Digital signature