Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()
On Sun, Apr 27, 2008 at 10:52:38AM +0200, Josselin Mouette wrote:
> On Friday, 07 December 2007 at 19:18 +0100, Martin Pitt wrote:
> > one thing that has bothered me for a long time already is the
> > complete lack of a security boundary between processes of the same
> > user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
> > default for all users, and especially for developers this is a good
> > thing.
> > However, a lot of programs that we have deal with passwords and other
> > secrets which deserve some protection, like passwords you type into
> > ssh, screensavers, seahorse, etc.
> > One easy solution that comes to my mind is to install those affected
> > programs setgid, and drop the additional group immediately after
> > program start with setgid(getgid()). For this we should introduce a
> > new static group into base-passwd, like "noptrace", to not abuse
> > existing groups and not confuse auditing tools.
> Given that it seems unlikely that we obtain another solution, should we
> start right now with that stuff?
> Colin, as base-passwd maintainer, do you have anything against creating
> such a group?
I think it was my suggestion to Martin in the first place, so no, I
don't have any objection. :-) I haven't been following the thread,
though - has there been general consensus on this?
Colin Watson [email@example.com]
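
The group drop proposed in the thread, as an added example that is not part of the original messages or of any Debian package. It assumes Linux with glibc, and it swaps setgid(getgid()) for setresgid(): when called without privilege, setgid() changes only the effective GID, so the saved set-group-ID would still hold the extra group. The function names are hypothetical.

```c
#define _GNU_SOURCE             /* setresgid(), getresgid() */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the effective or saved GID still differs from the real GID,
 * 0 if all three match, -1 on error. */
int holds_extra_group(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    return (e != r || s != r) ? 1 : 0;
}

/* Drop the group gained from the setgid bit (e.g. the proposed "noptrace").
 * Call this first thing in main(). Returns 0 on success, -1 on failure. */
int drop_sgid_group(void)
{
    gid_t rgid = getgid();
    /* Set real, effective and saved GID in one call so the extra
     * group cannot be regained later through the saved GID. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Verify instead of trusting the return value alone. */
    return holds_extra_group() == 0 ? 0 : -1;
}

/* Linux clears the dumpable flag when a setgid binary is executed (with the
 * default fs.suid_dumpable=0); a non-dumpable process cannot be attached to
 * with ptrace() by an unprivileged process of the same user. */
int is_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    int before = is_dumpable();
    if (drop_sgid_group() != 0) {
        perror("drop_sgid_group");
        return 1;               /* never continue with the extra group */
    }
    printf("dumpable before drop: %d, after drop: %d\n", before, is_dumpable());
    return 0;
}
```

Built and installed setgid to a dedicated group, the program should print 0 for both values; run without the setgid bit it prints 1, which shows the protection comes from the setgid exec itself and not from the drop.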