
Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()



On Fri, Dec 7, 2007 at 2:18 PM, Martin Pitt <mpitt@debian.org> wrote:
> Hi all,
>
>  one thing that has bothered me for a long time already is the
>  complete lack of a security boundary between processes of the same
>  user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
>  default for all users, and especially for developers this is a good
>  thing.
[snip]
>  One easy solution that comes to my mind is to install those affected
>  programs setgid, and drop the additional group immediately after
>  program start with setgid(getgid()). For this we should introduce a
>  new static group into base-passwd, like "noptrace", to not abuse
>  existing groups and not confuse auditing tools.

What happens if a malicious whatever uses LD_PRELOAD to change the
exec* family of functions to check for this bit, and if set, make a
copy of the executable in question, without setgid, to execute? Same
applies for ptrace - it can alter the path to be executed on the fly
to point to a traceable (or even binary-patched) version.


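The startup sequence Martin proposes (run setgid, drop the group at once) together with a check for the case the reply describes, a plain copy of the binary started without the bit. This is an added example in C, not code from the thread; the group name "noptrace" and the function names are assumptions.

```c
/* Added example, not from the thread. The group name "noptrace" and the
 * function names are assumptions. Call drop_noptrace_group() first thing
 * in main(), before any input is read. */
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

enum { NOPTRACE_DROPPED = 1, NOPTRACE_NOT_SETGID = 0, NOPTRACE_FAILED = -1 };

/* 1: started with the extra group and dropped it; 0: not started setgid
 * at all; -1: the drop did not take. */
int drop_noptrace_group(void)
{
    gid_t rgid = getgid();
    gid_t egid = getegid();

    /* No set-id transition happened at exec. Either the binary was never
     * installed setgid, or an exec() wrapper ran a copy of it without the
     * bit (the objection above): the process is ordinary, and same-user
     * ptrace()/LD_PRELOAD apply to it as usual. */
    if (rgid == egid)
        return NOPTRACE_NOT_SETGID;

    /* On Linux the set-id exec already cleared the dumpable flag, which is
     * what keeps a same-uid tracer out, and put the loader in secure mode,
     * which restricts LD_PRELOAD. With the default suid_dumpable=0 the
     * process stays non-dumpable after setgid(). Note that setgid() alone
     * leaves the saved set-gid in place; setregid(rgid, rgid) clears it. */
    if (setgid(rgid) != 0 || getegid() != rgid)
        return NOPTRACE_FAILED;
    return NOPTRACE_DROPPED;
}

/* True if the current effective gid is the named group: confirms the
 * package was installed with the intended group, not some other one. */
int egid_is_group(const char *name)
{
    struct group *g = getgrnam(name);
    return g != NULL && g->gr_gid == getegid();
}

int main(void)
{
    int expected = egid_is_group("noptrace");   /* check before dropping */
    int rc = drop_noptrace_group();

    if (rc != NOPTRACE_DROPPED || !expected)
        fprintf(stderr, "warning: not started setgid noptrace (rc=%d); "
                        "same-user ptrace/LD_PRELOAD are not blocked\n", rc);
    return rc == NOPTRACE_FAILED ? 1 : 0;
}
```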