public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <kees.cook@canonical.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: linux-kernel@vger.kernel.org, Randy Dunlap <rdunlap@xenotime.net>,
	Andrew Morton <akpm@linux-foundation.org>,
	Jiri Kosina <jkosina@suse.cz>,
	Dave Young <hidave.darkstar@gmail.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Roland McGrath <roland@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
	David Howells <dhowells@redhat.com>, Ingo Molnar <mingo@elte.hu>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	linux-doc@vger.kernel.org,
	Linux Containers <containers@lists.osdl.org>,
	"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
Date: Thu, 17 Jun 2010 14:14:41 -0700	[thread overview]
Message-ID: <20100617211440.GZ24749@outflux.net> (raw)
In-Reply-To: <m1typ175ip.fsf@fess.ebiederm.org>

On Thu, Jun 17, 2010 at 01:45:02PM -0700, Eric W. Biederman wrote:
> Kees Cook <kees.cook@canonical.com> writes:
> > On Thu, Jun 17, 2010 at 05:29:53AM -0700, Eric W. Biederman wrote:
> >> Kees Cook <kees.cook@canonical.com> writes:
> >> > running state of any of their processes. For example, if one application
> >> > (e.g. Pidgin) was compromised, it would be possible for an attacker to
> >> > attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
> >> > etc) to extract additional credentials and continue to expand the scope
> >> > of their attack without resorting to user-assisted phishing.
> >> 
> >> This is ineffective.  As an attacker after I gain access to a users
> >> system on ubuntu I can wait around until a package gets an update,
> >> and then run sudo and gain the power to do whatever I want.
> >
> > I doesn't stop phishing, correct.  But it does stop immediate expansion of
> > an attack using already-existing credentials.
> 
> sudo last I checked caches your password for a couple of seconds.
> So if you can probe the system to see when those couple of seconds
> are.

Sure, that's a downside of sudo, which is why privilege elevation has been
tending to move towards PolicyKit, FWIW.

> The archives of the containers list.
> https://lists.linux-foundation.org/pipermail/containers/ or just
> looking.

I'll go dig around.

>   Things like /proc/sys/ will be default stay in the same user_namespace
>   and root in other user namespaces will only get world permissions when
>   accessing files.

Excellent.  I'll move my questions about this to the containers mailing
list.

-Kees

-- 
Kees Cook
Ubuntu Security Team

  reply	other threads:[~2010-06-17 21:16 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-06-16 22:18 [PATCH] ptrace: allow restriction of ptrace scope Kees Cook
2010-06-16 23:01 ` Alan Cox
2010-06-16 23:22   ` Kees Cook
2010-06-17 13:45     ` James Morris
2010-06-17 17:04       ` Kees Cook
2010-06-17 20:53         ` Alan Cox
2010-06-17 21:06           ` Randy Dunlap
2010-06-17 21:16             ` Kees Cook
2010-06-17 22:18               ` Alan Cox
2010-06-17 22:25                 ` Kees Cook
2010-06-17 22:34                   ` Alan Cox
2010-06-17 21:18             ` Alan Cox
2010-06-17 21:51               ` Kees Cook
2010-06-17 22:30                 ` Alan Cox
2010-06-17 23:03                   ` James Morris
2010-06-18  3:10                   ` Casey Schaufler
2010-06-18 10:54                     ` Theodore Tso
2010-06-18 13:50                       ` Eric W. Biederman
2010-06-18 14:29                         ` Serge E. Hallyn
2010-06-19  2:23                         ` Casey Schaufler
2010-06-19  2:49                           ` Eric W. Biederman
2010-06-21  0:52                       ` James Morris
2010-06-21  2:16                         ` Valdis.Kletnieks
2010-06-18 17:58                   ` Kees Cook
2010-06-19  2:15                 ` Tetsuo Handa
2010-06-19  3:19                 ` Frank Ch. Eigler
2010-06-16 23:10 ` Roland McGrath
2010-06-16 23:39   ` Kees Cook
2010-06-17  0:11     ` Roland McGrath
2010-06-17  0:46       ` Kees Cook
2010-06-18 12:36       ` Serge E. Hallyn
2010-06-17 12:29 ` Eric W. Biederman
2010-06-17 16:59   ` Kees Cook
2010-06-17 20:45     ` Eric W. Biederman
2010-06-17 21:14       ` Kees Cook [this message]
2010-06-17 22:50       ` Serge E. Hallyn
2010-06-17 23:11         ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100617211440.GZ24749@outflux.net \
    --to=kees.cook@canonical.com \
    --cc=a.p.zijlstra@chello.nl \
    --cc=akpm@linux-foundation.org \
    --cc=containers@lists.osdl.org \
    --cc=dhowells@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=hidave.darkstar@gmail.com \
    --cc=hpa@zytor.com \
    --cc=jkosina@suse.cz \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=oleg@redhat.com \
    --cc=rdunlap@xenotime.net \
    --cc=roland@redhat.com \
    --cc=schwidefsky@de.ibm.com \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox