From: Kees Cook <kees.cook@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: linux-kernel@vger.kernel.org, Randy Dunlap <rdunlap@xenotime.net>,
Andrew Morton <akpm@linux-foundation.org>,
Jiri Kosina <jkosina@suse.cz>,
Dave Young <hidave.darkstar@gmail.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Roland McGrath <roland@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
David Howells <dhowells@redhat.com>, Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
linux-doc@vger.kernel.org,
Linux Containers <containers@lists.osdl.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
Date: Thu, 17 Jun 2010 14:14:41 -0700
Message-ID: <20100617211440.GZ24749@outflux.net>
In-Reply-To: <m1typ175ip.fsf@fess.ebiederm.org>
On Thu, Jun 17, 2010 at 01:45:02PM -0700, Eric W. Biederman wrote:
> Kees Cook <kees.cook@canonical.com> writes:
> > On Thu, Jun 17, 2010 at 05:29:53AM -0700, Eric W. Biederman wrote:
> >> Kees Cook <kees.cook@canonical.com> writes:
> >> > running state of any of their processes. For example, if one application
> >> > (e.g. Pidgin) was compromised, it would be possible for an attacker to
> >> > attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
> >> > etc) to extract additional credentials and continue to expand the scope
> >> > of their attack without resorting to user-assisted phishing.
> >>
> >> This is ineffective. As an attacker, after I gain access to a user's
> >> system on Ubuntu I can wait around until a package gets an update,
> >> and then run sudo and gain the power to do whatever I want.
> >
> > It doesn't stop phishing, correct. But it does stop immediate expansion of
> > an attack using already-existing credentials.
>
> sudo last I checked caches your password for a couple of seconds.
> So if you can probe the system to see when those couple of seconds
> are.
Sure, that's a downside of sudo, which is why privilege elevation has been
tending to move towards PolicyKit, FWIW.
> The archives of the containers list.
> https://lists.linux-foundation.org/pipermail/containers/ or just
> looking.
I'll go dig around.
> Things like /proc/sys/ will by default stay in the same user_namespace
> and root in other user namespaces will only get world permissions when
> accessing files.
Excellent. I'll move my questions about this to the containers mailing
list.
-Kees
--
Kees Cook
Ubuntu Security Team