
Bug#1113774: Disabling -fcf-protection in sudo for bookworm



El 03/09/2025 a las 13:11, Marc Haber escribió:
> What I don't understand is why those people running those rather exotic
> machines don't just run another privilege escalation tool like runas or
> compile their own sudo package.

I am using a self-built version of "sudo" for that particular machine
with the fix applied, but it'd probably be nice for all other people that
need/want/like to use these machines if it all worked out of the box,
as most people using an x86 machine would expect.

El 03/09/2025 a las 13:20, Marc Haber escribió:
> So you're saying this compiled option could be disabled in sudo for i386
> without any loss of security regardless on what CPU the program runs and
> regardless whether it runs under a 32bit or a 64bit kernel, right?

Yes. IMHO two things could be done:

  - Apply only for x86-64, as upstream is doing now.

  - Specify "-fcf-protection=return" instead of just "-fcf-protection".
    That disables IBT (unsupported anyway) but keeps shadow stacks enabled
    for both 32-bit and 64-bit (as mentioned, it would only protect users on
    amd64, but unlike IBT it will not hurt compatibility on i386).

> Why isn't -fcf-protection a no-op in the toolchain on i386 then?

I am not sure because I am not a toolchain developer, but I assume it's
not the task of the toolchain to check whether the flags are going to have an
effect on your target or not.

As I already said, you could compile with -msse2 even if your CPU does not
support SSE2 either.

>> Note the kernel .config flag for one is "CONFIG_X86_USER_SHADOW_STACK"
>> vs "CONFIG_X86_KERNEL_IBT", as one works only in user mode, and the other
>> only in kernel mode.
> 
> Both settings are =Y in the x86_64 kernel in Debian unstable.

My point was that the name actually indicates whether they are supported
in user mode (_USER_) and kernel (_KERNEL_). IBT is, as indicated
by the config name, kernel-only.

You don't have to trust me on that - a couple of minutes earlier I sent a
program demonstrating that enabling IBT for user programs results in no
security protection whatsoever, not even on amd64:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#96

The test was actually conducted by someone who told me they know you, as my
main AMD 8745H desktop only supports shadow stack. Feel free to ask that
person directly.

Have a nice day,
Marcos
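An added example, not part of this bug thread, of the check a packager can run on the resulting binary: GCC records `-fcf-protection` as a `GNU_PROPERTY_X86_FEATURE_1_AND` entry in the `.note.gnu.property` note, so the IBT and SHSTK bits there show what the build actually asked for (`-fcf-protection=return` should set SHSTK only; plain `-fcf-protection` sets both). The descriptors below are constructed inline; the constants are the x86 psABI values and the parser assumes a little-endian host.

```c
/* Parse the descriptor of a .note.gnu.property note (the bytes after the
 * "GNU\0" name) and return the X86_FEATURE_1_AND bitmask, or 0 if absent.
 * Properties are aligned to 8 bytes in ELF64 objects and 4 bytes in ELF32
 * (i386) objects, so the caller passes the alignment. Constructed example,
 * not code from the bug report. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK 0x2u

uint32_t cet_features(const uint8_t *desc, size_t len, size_t align) {
    size_t off = 0;
    while (off + 8 <= len) {
        uint32_t pr_type, pr_datasz;
        memcpy(&pr_type, desc + off, 4);      /* little-endian host assumed */
        memcpy(&pr_datasz, desc + off + 4, 4);
        off += 8;
        if (pr_datasz > len - off) break;     /* truncated property: stop */
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4) {
            uint32_t bits;
            memcpy(&bits, desc + off, 4);
            return bits;
        }
        off += (pr_datasz + align - 1) & ~(align - 1); /* skip to next entry */
    }
    return 0;
}

/* Constructed descriptors: an ELF64 object built with -fcf-protection (IBT|SHSTK,
 * padded to 8) and an ELF32 object built with -fcf-protection=return (SHSTK). */
static const uint8_t NOTE_FULL64[] = {
    0x02, 0x00, 0x00, 0xc0, 0x04, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t NOTE_RETURN32[] = {
    0x02, 0x00, 0x00, 0xc0, 0x04, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00 };

int main(void) {
    uint32_t f64 = cet_features(NOTE_FULL64, sizeof NOTE_FULL64, 8);
    uint32_t f32 = cet_features(NOTE_RETURN32, sizeof NOTE_RETURN32, 4);
    printf("amd64 full:   IBT=%u SHSTK=%u\n", f64 & 1u, (f64 >> 1) & 1u);
    printf("i386 return:  IBT=%u SHSTK=%u\n", f32 & 1u, (f32 >> 1) & 1u);
    return 0;
}
```

On a real object, `readelf -n` prints the same note and its decoded feature bits.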