
Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()

Colin Watson [2008-04-27 13:19 +0100]:
> > Can't you do something against ptrace in the binary itself and only
> > for critical sections?
> You can (use prctl() to disable PR_SET_DUMPABLE), but it's only checked
> on ptrace_attach so that would be racy.

That's what the current Ubuntu version of libpolkit does (patch
attached FYI). So far my feeling is that this is good enough for
PolicyKit and the applications that use it. It prevents passwords from
accidentally leaking to core dumps and programs which randomly
ptrace() other processes from silently abusing gained PK privileges.

In the end I did not worry too much about the startup race condition.
If there is already a Trojan in the user's session, it is trivial to
circumvent PR_SET_DUMPABLE, of course (by running the target
application through gdb right from the start). But it is easy to call
the PK dialog (or gksu/kdesu) with some crafted application
name/reason as well, i.e. do some social engineering/phishing.

So, having a standard group which sensitive applications could sgid to
would be handy and fix the race on startup, but I consider it
low-priority as long as we still have the 'fake UI' problem. A truly
good solution for this is the "press Ctrl+Alt+Del before entering your
password" schema, but even Windows abandoned it again, for usability
reasons I guess.


Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
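The prctl(PR_SET_DUMPABLE) approach discussed above, written out as an added example (it is not the libpolkit patch from the mail and not code by either poster). The function names `sensitive_section_begin`, `sensitive_section_end`, `handle_secret` and `run_protected`, and the sample password, are this example's own. While the flag is cleared, a same-uid process cannot ptrace_attach() to this one and no core dump is written; the caveat from the thread applies unchanged: the kernel only consults the flag at attach time, so a tracer that was already attached before the call keeps its access.

```c
// Added example, not from the mailing-list thread or libpolkit: wrap a
// sensitive section in prctl(PR_SET_DUMPABLE, 0) so that, while a secret
// is in memory, the process is neither ptrace()-attachable by its own
// uid nor core-dumpable. Names below are this example's own.
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Current dumpable flag: 1 = normal, 0 = not dumpable / not attachable. */
int is_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Enter the protected section. 0 on success, -1 with errno on failure.
 * Only future ptrace_attach() calls are refused; an already-attached
 * tracer is not detached (the race the thread describes). */
int sensitive_section_begin(void) {
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Leave the protected section and restore normal behaviour. */
int sensitive_section_end(void) {
    return prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
}

/* Best-effort wipe through a volatile pointer so the compiler keeps it. */
static void wipe(volatile char *buf, size_t len) {
    while (len--) *buf++ = 0;
}

/* Stand-in for real password handling: returns the length, then wipes
 * the buffer so the secret does not outlive the protected section. */
size_t handle_secret(char *secret, size_t cap) {
    size_t n = strnlen(secret, cap);
    wipe(secret, cap);
    return n;
}

/* Full flow on a constructed sample secret; returns 0 when every step
 * behaved as expected (flag was 0 inside, restored to 1 afterwards). */
int run_protected(void) {
    char secret[64] = "hunter2";            /* constructed sample password */
    if (sensitive_section_begin() != 0) return -1;
    int dumpable_inside = is_dumpable();    /* expected: 0 */
    size_t len = handle_secret(secret, sizeof secret);
    if (sensitive_section_end() != 0) return -1;
    if (dumpable_inside != 0 || len != 7 || secret[0] != '\0') return -1;
    return is_dumpable() == 1 ? 0 : -1;
}

int main(void) {
    printf("dumpable before: %d\n", is_dumpable());
    int rc = run_protected();
    printf("protected flow: %s, dumpable after: %d\n",
           rc == 0 ? "ok" : "failed", is_dumpable());
    return rc == 0 ? 0 : 1;
}
```

Note that the flag is per process, not per thread, so every thread of the application is covered while the section is open, and that clearing it also makes the process's /proc/<pid> entries root-owned until it is set back.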
