linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: Willy Tarreau <w@1wt.eu>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
	Oleg Nesterov <oleg@redhat.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	Michal Hocko <mhocko@kernel.org>, Jann Horn <jann@thejh.net>,
	Kees Cook <keescook@chromium.org>,
	Andy Lutomirski <luto@amacapital.net>
Subject: Re: [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file
Date: Thu, 17 Nov 2016 21:47:07 +0100	[thread overview]
Message-ID: <20161117204707.GB10421@1wt.eu> (raw)
In-Reply-To: <87inrmavax.fsf_-_@xmission.com>

On Thu, Nov 17, 2016 at 11:08:22AM -0600, Eric W. Biederman wrote:
> 
> It is the reasonable expectation that if an executable file is not
> readable there will be no way for a user without special privileges to
> read the file.  This is enforced in ptrace_attach but if we are
> already attached there is no enforcement if a readonly executable
> is exec'd.

I'm really scared by this Eric. At least you want to make it a hardening
option that can be disabled at run time, otherwise it can easily break a
lot of userspace :

admin@aloha:~$ ll /bin/bash /bin/coreutils /bin/ls /usr/bin/telnet
-r-xr-x--x 1 root adm 549272 Oct 28 16:25 /bin/bash
-rwx--x--x 1 root adm 765624 Oct 28 16:27 /bin/coreutils
lrwxrwxrwx 1 root root 9 Oct 28 16:27 /bin/ls -> coreutils
-r-xr-x--x 1 root adm  70344 Oct 28 16:34 /usr/bin/telnet

And I've not invented it, I've being taught to do this more than 20
years ago and been doing this since on any slightly hardened server
just because in pratice it's efficient at stopping quite a bunch of
rootkits which require to copy and modify your executables. Sure
they could get the contents using ptrace, but using cp is much more
common than ptrace in scripts and that works. This has prooven quite
efficient in field at stopping some rootkits several times over the
last two decades and I know I'm not the only one to do it. In fact
I *never* install an executable with read permissions for users if
there's no need for random users to copy it. Does it mean that
nobody should be able to see why their favorite utility doesn't
work anymore ? Not in my opinion, at least not by default.

So here I fear that we'll break strace at many places where strace
precisely matters to debug things.

However I'd love to have this feature controlled by a sysctl (to
enforce it by default where possible).

Thanks,
Willy

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

  reply	other threads:[~2016-11-17 20:47 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-17 16:39 [REVIEW][PATCH] mm: Add a user_ns owner to mm_struct and fix ptrace_may_access Eric W. Biederman
2016-10-17 17:25 ` Jann Horn
2016-10-17 17:33   ` Eric W. Biederman
2016-10-18 13:50 ` Michal Hocko
2016-10-18 13:57   ` Jann Horn
2016-10-18 14:56   ` Eric W. Biederman
2016-10-18 15:05     ` Jann Horn
2016-10-18 15:35       ` Eric W. Biederman
2016-10-18 19:12         ` Jann Horn
2016-10-18 21:07           ` Eric W. Biederman
2016-10-18 21:15             ` [REVIEW][PATCH] exec: Don't exec files the userns root can not read Eric W. Biederman
2016-10-19  6:13               ` Amir Goldstein
2016-10-19 13:33                 ` Eric W. Biederman
2016-10-19 17:04                   ` Eric W. Biederman
2016-10-19 15:30               ` Andy Lutomirski
2016-10-19 16:52                 ` Eric W. Biederman
2016-10-19 17:29                   ` Jann Horn
2016-10-19 17:32                     ` Andy Lutomirski
2016-10-19 17:55                       ` Eric W. Biederman
2016-10-19 18:38                         ` Andy Lutomirski
2016-10-19 21:26                           ` Eric W. Biederman
2016-10-19 23:17                             ` Andy Lutomirski
2016-11-17 17:02                               ` [REVIEW][PATCH 0/3] Fixing ptrace vs exec vs userns interactions Eric W. Biederman
2016-11-17 17:05                                 ` [REVIEW][PATCH 1/3] ptrace: Capture the ptracer's creds not PT_PTRACE_CAP Eric W. Biederman
2016-11-17 23:14                                   ` Kees Cook
2016-11-18 18:56                                     ` Eric W. Biederman
2016-11-17 23:27                                   ` Andy Lutomirski
2016-11-17 23:44                                     ` Eric W. Biederman
2016-11-17 17:08                                 ` [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file Eric W. Biederman
2016-11-17 20:47                                   ` Willy Tarreau [this message]
2016-11-17 21:07                                     ` Kees Cook
2016-11-17 21:32                                       ` Willy Tarreau
2016-11-17 21:51                                         ` Eric W. Biederman
2016-11-17 22:50                                           ` [REVIEW][PATCH 2/3] ptrace: Don't allow accessing an undumpable mm Eric W. Biederman
2016-11-17 23:17                                             ` Kees Cook
2016-11-17 23:28                                       ` [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file Andy Lutomirski
2016-11-17 23:29                                   ` Andy Lutomirski
2016-11-17 23:55                                     ` Eric W. Biederman
2016-11-18  0:10                                       ` Andy Lutomirski
2016-11-18  0:35                                         ` Eric W. Biederman
2016-11-17 17:10                                 ` [REVIEW][PATCH 3/3] exec: Ensure mm->user_ns contains the execed files Eric W. Biederman
2016-11-19  7:17                                 ` [REVIEW][PATCH 0/3] Fixing ptrace vs exec vs userns interactions Willy Tarreau
2016-11-19  9:28                                   ` Willy Tarreau
2016-11-19  9:33                                     ` Willy Tarreau
2016-11-19 18:44                                     ` Eric W. Biederman
2016-11-19 18:35                                   ` Eric W. Biederman
2016-11-19 18:37                                     ` Eric W. Biederman
2016-10-19 18:36                   ` [REVIEW][PATCH] exec: Don't exec files the userns root can not read Andy Lutomirski
2016-10-18 18:06     ` [REVIEW][PATCH] mm: Add a user_ns owner to mm_struct and fix ptrace_may_access Michal Hocko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161117204707.GB10421@1wt.eu \
    --to=w@1wt.eu \
    --cc=containers@lists.linux-foundation.org \
    --cc=ebiederm@xmission.com \
    --cc=jann@thejh.net \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=luto@amacapital.net \
    --cc=mhocko@kernel.org \
    --cc=oleg@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).