Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()

To: debian-devel@lists.debian.org, Martin Pitt <mpitt@debian.org>
Subject: Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()
From: Thomas Viehmann <tv@beamnet.de>
Date: Mon, 10 Dec 2007 20:01:57 +0100
Message-id: <[🔎] 475D8D25.6070709@beamnet.de>
In-reply-to: <[🔎] 20071207181811.GA2720@piware.de>
References: <[🔎] 20071207181811.GA2720@piware.de>

Hi Martin,

Martin Pitt wrote:
> One easy solution that comes to my mind is to install those affected
> programs setgid, and drop the additional group immediately after
> program start with setgid(getgid()). For this we should introduce a
> new static group into base-passwd, like "noptrace", to not abuse
> existing groups and not confuse auditing tools.

excuse my ignorance, but is this the hack it sounds like? If so, I would
not be exactly thrilled to see this sprinkled across the distribution
unless it solves a severe problem and there are no alternatives of
"doing things right", which I am not sure is the care here.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/

Reply to:

References:
- Using sgid binaries to defend against LD_PRELOAD/ptrace()
  - From: Martin Pitt <mpitt@debian.org>

Prev by Date: Re: -Wl,--as-needed considered possibly harmful
Next by Date: Re: -Wl,--as-needed considered possibly harmful
Previous by thread: Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()
Next by thread: Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()
Index(es):
- Date
- Thread