Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()
On Fri, Dec 7, 2007 at 2:18 PM, Martin Pitt <mpitt@debian.org> wrote:
> Hi all,
>
> one thing that has bothered me for a long time already is the
> complete lack of a security boundary between processes of the same
> user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
> default for all users, and especially for developers this is a good
> thing.
[snip]
> One easy solution that comes to my mind is to install those affected
> programs setgid, and drop the additional group immediately after
> program start with setgid(getgid()). For this we should introduce a
> new static group into base-passwd, like "noptrace", to not abuse
> existing groups and not confuse auditing tools.
What happens if a malicious whatever uses LD_PRELOAD to change the
exec* family of functions to check for this bit, and if set, make a
copy of the executable in question, without setgid, to execute? Same
applies for ptrace - it can alter the path to be executed on the fly
to point to a traceable (or even binary-patched) version.
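As an added illustration of the mechanism being debated (this is example code written for this page, not code from Martin Pitt or from any Debian package): the program below checks whether the dynamic loader started it in secure-execution mode, which is what makes glibc ignore LD_PRELOAD for set-id binaries, and then drops the helper group the way the proposal suggests. It assumes Linux with glibc; the function names are hypothetical, and the "noptrace" group from the quoted proposal is not required for the program to run. It goes one step beyond the quoted setgid(getgid()) by calling setresgid(3) so that the saved set-group-id is cleared as well, since for an unprivileged process plain setgid(2) only changes the effective gid and leaves the saved gid available to be regained later.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/prctl.h>
#include <sys/types.h>

/* True when the kernel passed AT_SECURE=1 to the loader, i.e. the binary
   was run with an effective uid/gid different from the real one (set-id
   bit).  In that mode glibc ignores LD_PRELOAD, LD_LIBRARY_PATH and the
   other environment variables that would let the caller inject code. */
int started_in_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Drop the group gained through the sgid bit.  The quoted proposal uses
   setgid(getgid()); setresgid() additionally resets the saved gid so the
   program cannot switch back to the helper group later.  Returns 0 on
   success, -1 on failure (hypothetical helper, not a Debian API). */
int drop_sgid_group(void)
{
    gid_t real = getgid();
    gid_t rgid, egid, sgid;

    if (setresgid(real, real, real) != 0) {
        perror("setresgid");
        return -1;
    }
    /* Defensive check: verify that all three gids now equal the real one. */
    if (getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    return (rgid == real && egid == real && sgid == real) ? 0 : -1;
}

/* The kernel clears the "dumpable" flag on exec of a set-id binary, and a
   non-dumpable process refuses PTRACE_ATTACH from an unprivileged user,
   which is the ptrace() side of the protection the proposal relies on. */
int dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    printf("secure-execution mode (AT_SECURE): %d\n", started_in_secure_mode());
    printf("dumpable before dropping group:    %d\n", dumpable());
    if (drop_sgid_group() != 0)
        return 1;
    printf("dumpable after dropping group:     %d\n", dumpable());
    printf("real gid=%u effective gid=%u\n",
           (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

Run as an ordinary (non-sgid) binary, AT_SECURE is 0 and dumpable is 1; only once the file is owned by a helper group and marked sgid does AT_SECURE become 1 and dumpable 0, which is the state the proposal depends on. The reply's objection stands regardless of how carefully the group is dropped: any of these checks run inside the process, so a wrapper that hands execution to a different, non-sgid copy of the file is never observed by them.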