From: Vasiliy Kulikov <segoon@openwall.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Greg KH <greg@kroah.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Eric Paris <eparis@parisplace.org>,
kernel-hardening@lists.openwall.com, Valdis.Kletnieks@vt.edu,
linux-kernel@vger.kernel.org,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-security-module@vger.kernel.org
Subject: Re: [kernel-hardening] Re: [PATCH] proc: restrict access to /proc/interrupts
Date: Tue, 8 Nov 2011 21:41:54 +0400 [thread overview]
Message-ID: <20111108174154.GA21436@albatros> (raw)
In-Reply-To: <20111108132326.214bcaf8@lxorguk.ukuu.org.uk>
On Tue, Nov 08, 2011 at 13:23 +0000, Alan Cox wrote:
> > /proc/{interrupts,stat} are 0444, which may be used by local attacker to
> > learn statistical information about user's keystrokes, including the
> > passwords.
>
> So the distro can chmod it 0400
Sorry, but I miss the logic. Why do you think it's better to leave the
known unsecure defaults and rely on distros fix the permissions? Why
not restrict it to the secure defaults and leave the decision who to
trust (i.e. all users, only current user, nobody) to distros? The
decision has to be done either way, but in the 1st case the harm of lack
of chmod is much more significant.
> > /dev/pts/* and /dev/tty* leak the same timing information in inode's
> > atime and mtime.
>
> That one is trickier. I don't think it is a real leak because the last
> update timing info is in seconds granularity so is pretty useless for
> that.
No, I see the precise counters:
S=''; while :; do N=`stat -L /dev/pts/3 | sed -n 5p`; [ "$N" != "$S" ] && echo "$N"; S=$N; done
Access: 2011-11-08 21:25:41.219869215 +0400
Access: 2011-11-08 21:25:41.249869259 +0400
Access: 2011-11-08 21:25:41.289869313 +0400
Access: 2011-11-08 21:25:41.329869368 +0400
Access: 2011-11-08 21:25:41.369869433 +0400
Access: 2011-11-08 21:25:41.399869479 +0400
Access: 2011-11-08 21:25:41.439869532 +0400
Access: 2011-11-08 21:25:41.479869591 +0400
Access: 2011-11-08 21:25:41.519869655 +0400
Access: 2011-11-08 21:25:41.549869697 +0400
> The atime/mtime behaviour is however required ABI and used by
> applications so can't simply go away.
Sure, we cannot remove atime/mtime from struct stat for ttys, but we can
leave these fields zero (or equal to any const sane date) if we know
that the tty owner and the process belong to different security domains
(euid check or smth. like may_ptrace()). The quesion here is: are there
users of checking time counters of _foreign_ ttys? If no, leaving these
counters blank will not break anything.
> > Do we want to restrict permissions of interrupts/stat and remove atime
> > and mtime from ttys and relax these permissions when revoke() is introduced?
>
> revoke makes no difference I can see to either of these, they appear to
> be a completely unrelated discussion.
/proc/$PID/* will certainly benefit from revoke() - all ptrace check
could be made at open time, not on every read()/write() invocation.
/proc/* will benefit from revoke() if the permission logic is
implemented as Linus wants to see it - as dynamically re-chown'ed files,
which invalidate old fds on re'chown.
tty issue is indeed unrelated, sorry for the confusion.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
next prev parent reply other threads:[~2011-11-08 17:44 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-07 17:45 [PATCH] proc: restrict access to /proc/interrupts Vasiliy Kulikov
2011-11-07 18:06 ` Valdis.Kletnieks
2011-11-07 19:01 ` Vasiliy Kulikov
2011-11-07 19:18 ` H. Peter Anvin
2011-11-07 19:29 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-07 19:48 ` Eric Paris
2011-11-07 19:50 ` H. Peter Anvin
2011-11-07 20:11 ` Vasiliy Kulikov
2011-11-07 20:47 ` H. Peter Anvin
2011-11-07 21:23 ` Linus Torvalds
2011-11-07 21:35 ` H. Peter Anvin
2011-11-07 23:07 ` Linus Torvalds
2011-11-07 23:21 ` Alan Cox
2011-11-07 23:27 ` Greg KH
2011-11-07 23:40 ` Theodore Tso
2011-11-07 23:45 ` Alan Cox
2011-11-07 23:45 ` Greg KH
2011-11-08 20:07 ` Ted Ts'o
2011-11-09 16:14 ` Greg KH
2011-11-08 9:11 ` Vasiliy Kulikov
2011-11-08 13:23 ` Alan Cox
2011-11-08 17:41 ` Vasiliy Kulikov [this message]
2011-11-08 17:06 ` John Stoffel
2011-11-07 19:54 ` Vasiliy Kulikov
2011-11-07 20:10 ` Valdis.Kletnieks
2011-11-07 20:19 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111108174154.GA21436@albatros \
--to=segoon@openwall.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=eparis@parisplace.org \
--cc=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox