On Friday 2009 January 16 14:45:44 Michael Loftis wrote: >--On January 16, 2009 7:29:13 PM +0100 Johannes Wiedersich ><johannes@physik.blm.tu-muenchen.de> wrote: >> Boyd Stephen Smith Jr. wrote: >>> What about hardlinking the suid-root binaries to a hidden location, >>> waiting for a security hole to be found/fixed, and then running the old >>> binary to exploit the hole? > >This is why compromised systems can't be trusted ever again. No need to compromise the system in the default partition layout. See below. >Taht said, >there are utilities and methods for finding rogue SUID binaries. Tripwire >comes to mind, there are many others too. Yes, I know, but there could ways to mitigate the attack vector in the core system so that (this feature of) tripwire isn't needed. >> IIRC, a hard link is the same file called two different names. If >> dpkg/apt change the file in one location (security update), the other >> one will be changed as well [1]... > >That only holds true of edit-in-place. Something that most packaging >systems do not do, the reason being is that with the way modern >systems/kernels execute code, this would modify running code (They >generally mmap the code, readonly, into the processes address space). Hrm, I didn't know you could patch running programs like this. I assumed that the kernels actively prevented this through COW or other methods. >FreeBSD atleast IIRC prevents this, Text File Busy/Text File In Use error. >However, you can't create a hard link on a file you don't own, Not true. You can create a hard link to any file as long as the new link is in directory to which you can write. >you can't do >it across drives, Right, but the default partitioning puts /sbin /usr/sbin etc. on the same filesystem as /home and /tmp, exposing the system to these attacks. >and I don't think your hardlinked copy retains SUID >bits....The last bit I could be wrong though. Yes, it does. Permission bits are part of the file data (inodes), not part of the directory data (dirents) so the permissions/owner/group is the same on all (hard) links to a single file. Transcript from my system: $ sudo /bin/sh -c 'echo test > file' root's password: $ ln file my_file $ ls -l *file -rw-r--r-- 2 root root 5 2009-01-16 14:54 file -rw-r--r-- 2 root root 5 2009-01-16 14:54 my_file $ ls -ld . drwxr-xr-x 99 bss users 5168 2009-01-16 14:54 . $ sudo /bin/sh -c 'echo test > file' $ ls -l *file -rw-r--r-- 2 root root 0 2009-01-16 14:54 file -rw-r--r-- 2 root root 0 2009-01-16 14:54 my_file $ sudo chmod 7777 file $ ls -l *file -rwsrwsrwt 2 root root 0 2009-01-16 15:03 file -rwsrwsrwt 2 root root 0 2009-01-16 15:03 my_file -- Boyd Stephen Smith Jr. ,= ,-_-. =. bss@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/
Attachment:
signature.asc
Description: This is a digitally signed message part.