[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()

On Sun, Apr 27, 2008 at 06:22:38PM +0200, Florian Weimer wrote:
> * Josselin Mouette:

> > Given that it seems unlikely that we obtain another solution, should we
> > start right now with that stuff? 

> I think it's a bit foolish to abuse SGID bits to take away permissions.
> This kind of restriction is essentially a configuration option, and
> applying it to the wrong program may break tools like fakeroot.  This
> information should not be stored under /usr.

> There has to be a cleaner solution, such as a sysctl that, when enabled,
> restricts ptrace to root.

... which will then be disabled on any system where a user needs to debug
any application, leaving everything vulnerable to ptrace attacks as before.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Reply to: