From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <kees.cook@canonical.com>
Cc: linux-kernel@vger.kernel.org, Randy Dunlap <rdunlap@xenotime.net>,
Andrew Morton <akpm@linux-foundation.org>,
Jiri Kosina <jkosina@suse.cz>,
Dave Young <hidave.darkstar@gmail.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Roland McGrath <roland@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
David Howells <dhowells@redhat.com>, Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
linux-doc@vger.kernel.org
Subject: Re: [PATCH] ptrace: allow restriction of ptrace scope
Date: Thu, 17 Jun 2010 05:29:53 -0700 [thread overview]
Message-ID: <m1hbl1eta6.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20100616221833.GM24749@outflux.net> (Kees Cook's message of "Wed\, 16 Jun 2010 15\:18\:33 -0700")
Kees Cook <kees.cook@canonical.com> writes:
> As Linux grows in popularity, it will become a larger target for
> malware. One particularly troubling weakness of the Linux process
> interfaces is that a single user is able to examine the memory and
> running state of any of their processes. For example, if one application
> (e.g. Pidgin) was compromised, it would be possible for an attacker to
> attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
> etc) to extract additional credentials and continue to expand the scope
> of their attack without resorting to user-assisted phishing.
>
> This is not a theoretical problem. SSH session hijacking
> (http://www.storm.net.nz/projects/7) and arbitrary code injection
> (http://c-skills.blogspot.com/2007/05/injectso.html) attacks already
> exist and remain possible if PTRACE is allowed to operate as before.
> PTRACE is not commonly used by non-developers and non-admins, so system
> builders should be allowed the option to disable this debugging system.
>
> For a solution, some applications use prctl(PR_SET_DUMPABLE, ...) to
> specifically disallow such PTRACE attachment (e.g. ssh-agent), but many
> do not. A more general solution is to only allow PTRACE directly from a
> parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still
> work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID"
> still work as root).
>
> This patch is based on the patch in grsecurity. It includes a sysctl
> to enable the behavior via /proc/sys/kernel/ptrace_scope. This could
> be expanded in the future to further restrict PTRACE to, for example,
> only CAP_SYS_PTRACE (scope 2) or only init (scope 3).
This is ineffective. As an attacker after I gain access to a users
system on ubuntu I can wait around until a package gets an update,
and then run sudo and gain the power to do whatever I want.
Either that or I can inject something nasty into the suid pulse-audio.
I tell you what. If you really want something effective, help Serge
and I finish getting the cross namespace issues fixed for the user
namespace. When complete, it will possible for an unprivileged process
to create a new one, and since kernel capabilities along with everything
else will be local to it, running pidgin, or firefox, or another network
facing potentially buggy application in such a namespace will ensure that
even if the process is compromised it won't have privileges to ptrace another
process or do much else on the system.
Eric
next prev parent reply other threads:[~2010-06-17 12:30 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-16 22:18 [PATCH] ptrace: allow restriction of ptrace scope Kees Cook
2010-06-16 23:01 ` Alan Cox
2010-06-16 23:22 ` Kees Cook
2010-06-17 13:45 ` James Morris
2010-06-17 17:04 ` Kees Cook
2010-06-17 20:53 ` Alan Cox
2010-06-17 21:06 ` Randy Dunlap
2010-06-17 21:16 ` Kees Cook
2010-06-17 22:18 ` Alan Cox
2010-06-17 22:25 ` Kees Cook
2010-06-17 22:34 ` Alan Cox
2010-06-17 21:18 ` Alan Cox
2010-06-17 21:51 ` Kees Cook
2010-06-17 22:30 ` Alan Cox
2010-06-17 23:03 ` James Morris
2010-06-18 3:10 ` Casey Schaufler
2010-06-18 10:54 ` Theodore Tso
2010-06-18 13:50 ` Eric W. Biederman
2010-06-18 14:29 ` Serge E. Hallyn
2010-06-19 2:23 ` Casey Schaufler
2010-06-19 2:49 ` Eric W. Biederman
2010-06-21 0:52 ` James Morris
2010-06-21 2:16 ` Valdis.Kletnieks
2010-06-18 17:58 ` Kees Cook
2010-06-19 2:15 ` Tetsuo Handa
2010-06-19 3:19 ` Frank Ch. Eigler
2010-06-16 23:10 ` Roland McGrath
2010-06-16 23:39 ` Kees Cook
2010-06-17 0:11 ` Roland McGrath
2010-06-17 0:46 ` Kees Cook
2010-06-18 12:36 ` Serge E. Hallyn
2010-06-17 12:29 ` Eric W. Biederman [this message]
2010-06-17 16:59 ` Kees Cook
2010-06-17 20:45 ` Eric W. Biederman
2010-06-17 21:14 ` Kees Cook
2010-06-17 22:50 ` Serge E. Hallyn
2010-06-17 23:11 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1hbl1eta6.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=hidave.darkstar@gmail.com \
--cc=hpa@zytor.com \
--cc=jkosina@suse.cz \
--cc=kees.cook@canonical.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=roland@redhat.com \
--cc=schwidefsky@de.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox