[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()

On Fri, Dec 7, 2007 at 2:18 PM, Martin Pitt <mpitt@debian.org> wrote:
> Hi all,
>  one thing that has bothered me for a long time already is the
>  complete lack of a security boundary between processes of the same
>  user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
>  default for all users, and especially for developers this is a good
>  thing.
>  One easy solution that comes to my mind is to install those affected
>  programs setgid, and drop the additional group immediately after
>  program start with setgid(getgid()). For this we should introduce a
>  new static group into base-passwd, like "noptrace", to not abuse
>  existing groups and not confuse auditing tools.

What happens if a malicious whatever uses LD_PRELOAD to change the
exec* family of functions to check for this bit, and if set, make a
copy of the executable in question, without setgid, to execute? Same
applies for ptrace - it can alter the path to be executed on the fly
to point to a traceable (or even binary-patched) version.

Reply to: