[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: basically security of linux

On Friday 2009 January 16 14:45:44 Michael Loftis wrote:
>--On January 16, 2009 7:29:13 PM +0100 Johannes Wiedersich
><johannes@physik.blm.tu-muenchen.de> wrote:
>> Boyd Stephen Smith Jr. wrote:
>>> What about hardlinking the suid-root binaries to a hidden location,
>>> waiting  for a security hole to be found/fixed, and then running the old
>>> binary to  exploit the hole?
>This is why compromised systems can't be trusted ever again.

No need to compromise the system in the default partition layout.  See below.

>Taht said, 
>there are utilities and methods for finding rogue SUID binaries.  Tripwire
>comes to mind, there are many others too.

Yes, I know, but there could ways to mitigate the attack vector in the core 
system so that (this feature of) tripwire isn't needed.

>> IIRC, a hard link is the same file called two different names. If
>> dpkg/apt change the file in one location (security update), the other
>> one will be changed as well [1]...
>That only holds true of edit-in-place.  Something that most packaging
>systems do not do, the reason being is that with the way modern
>systems/kernels execute code, this would modify running code (They
>generally mmap the code, readonly, into the processes address space).

Hrm, I didn't know you could patch running programs like this.  I assumed that 
the kernels actively prevented this through COW or other methods.

>FreeBSD atleast IIRC prevents this, Text File Busy/Text File In Use error.

>However, you can't create a hard link on a file you don't own,

Not true.  You can create a hard link to any file as long as the new link is 
in directory to which you can write.

>you can't do 
>it across drives,

Right, but the default partitioning puts /sbin /usr/sbin etc. on the same 
filesystem as /home and /tmp, exposing the system to these attacks.

>and I don't think your hardlinked copy retains SUID 
>bits....The last bit I could be wrong though.

Yes, it does.  Permission bits are part of the file data (inodes), not part of 
the directory data (dirents) so the permissions/owner/group is the same on 
all (hard) links to a single file.

Transcript from my system:
$ sudo /bin/sh -c 'echo test > file'
root's password:
$ ln file my_file
$ ls -l *file
-rw-r--r-- 2 root root 5 2009-01-16 14:54 file
-rw-r--r-- 2 root root 5 2009-01-16 14:54 my_file
$ ls -ld .
drwxr-xr-x 99 bss users 5168 2009-01-16 14:54 .
$ sudo /bin/sh -c 'echo test > file'
$ ls -l *file
-rw-r--r-- 2 root root 0 2009-01-16 14:54 file
-rw-r--r-- 2 root root 0 2009-01-16 14:54 my_file
$ sudo chmod 7777 file
$ ls -l *file
-rwsrwsrwt 2 root root 0 2009-01-16 15:03 file
-rwsrwsrwt 2 root root 0 2009-01-16 15:03 my_file
Boyd Stephen Smith Jr.                     ,= ,-_-. =. 
bss@iguanasuicide.net                     ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-' 
http://iguanasuicide.net/                      \_/     

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: