
Bug#712740: the default is fine



On Wed, Jun 19, 2013 at 10:44:39AM -0700, Kees Cook wrote:
> This is what /etc/sysctl.d/ is for: changing defaults.
>
> There are, in fact, real protections with this change. Namely, the delay of
> attack expansion. Take the case of a server being attacked. If there are
> ssh connections left open from that machine, without the ptrace
> restrictions, an attacker can trivially jump down the existing connections,
> expanding the scope of the attack. With the restrictions, they must
> construct a trap for the user to fall into (.bashrc, etc) and wait for
> re-establishment of connections before credential theft can occur. The same
> is true for various desktop scenarios. Full user access is game-over from a
> technical perspective, but there are real-world situations where this
> restriction is an improvement.

Currently, the security benefit seems too minor to be worth the
problems it causes (as a default).  However:

> Debugging applications, by default, will not be able to attach to existing
> running processes, that is certainly a down-side to the restriction.
> However, running processes under a debugger is still possible, and doing
> live debugging as root is still possible. The root user using "strace -p"
> is a very common sysadmin workflow, and it's affected by this restriction.
> Ubuntu carries patches to gdb, strace, and ltrace that contain more helpful
> error messages, so maybe Debian could carry those as well.

Right, that's the sort of thing I would want in place before making
this the default.  It would be better still if you could get those
changes into the upstream versions.

> Unfortunately, many upstreams have repeatedly refused to use the "dumpable"
> flag like ssh-agent does (e.g. gpg), so it won't work as a general
> solution. Blocking sibling ptracing also improves container security.

What were the reasons given for that?

> This is a good default, and if specific system owners don't want it
> enabled, they can choose to turn it off in /etc/sysctl.d/, just like other
> things.

Of course, but they have to know about it first.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus
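Added example, not part of the bug thread or of any Debian package: Kees's quoted message describes two separate controls, the Yama `ptrace_scope` sysctl that distributions set through `/etc/sysctl.d/`, and the per-process "dumpable" flag that ssh-agent clears so that same-user ptrace is refused regardless of the sysctl. The program below shows both from the defender's side: it reads the current `ptrace_scope` value (reporting -1 when Yama is not built into the running kernel, which is an assumption about the environment) and then clears its own dumpable flag with `prctl(2)`. Function names and the return-value conventions are my own choices.

```c
/* Added illustration (Linux-only); not code from the bug report or from
 * ssh-agent itself. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Read kernel.yama.ptrace_scope from /proc. Returns the scope (0-3), or -1
 * when the file is absent, i.e. the kernel was built without Yama. */
int read_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f == NULL)
        return -1;
    int scope = -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Clear this process's dumpable flag. Once it is 0, /proc/<pid> is owned by
 * root and PTRACE_ATTACH from another process of the same uid fails unless
 * that process holds CAP_SYS_PTRACE; no sysctl change is needed. Returns the
 * flag as read back with PR_GET_DUMPABLE (expected 0), or -1 on error. */
int make_non_dumpable(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(void) {
    int scope = read_ptrace_scope();
    if (scope < 0)
        printf("Yama not available: ptrace_scope has no effect here\n");
    else
        printf("kernel.yama.ptrace_scope = %d\n", scope);

    /* Before clearing the flag a same-uid user could attach with
     * "gdb -p" or "strace -p" under ptrace_scope=0. */
    int dumpable = make_non_dumpable();
    printf("dumpable flag after prctl: %d (pid %d)\n", dumpable, getpid());
    return dumpable == 0 ? 0 : 1;
}
```

The system-wide setting Kees refers to is a one-line file such as `/etc/sysctl.d/10-ptrace.conf` containing `kernel.yama.ptrace_scope = 1` (file name chosen here for illustration); clearing the dumpable flag is the per-program alternative he says upstreams like gpg have declined to adopt, and it has the side effect that the process also produces no core dump, which is usually what a secret-holding daemon wants anyway.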

