[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()

Steve Langasek <vorlon@debian.org> writes:

> There are no extra privileges; noptrace is intended to be a group that owns
> no files other than the sgid binaries, can write to none of them, contains
> no users, is unable to ptrace any other processes that it couldn't already,
> and doesn't grant privileges to kill any processes that the user couldn't
> already kill.  It's an extra group membership, but where do you see extra
> privileges here?

The key word is "intended" -- I can easily envision situations in
which group-noptrace-writable files exist, either due to
inconsistent uid/gid mappings across filesystem boundaries or due to
executables accidentally winding up mode 2755.  To be sure, both are
corner cases and arguably operator error, and exploiting them requires
additional bugs, but why take the chance?

Furthermore, it would be nice to be able to create a protected
executable for personal use without having special privileges, or to
be able to mount a filesystem nosuid without losing process

Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
http://www.mit.edu/~amu/ | http://stuff.mit.edu/cgi/finger/?amu@monk.mit.edu

Reply to: