On Fri, Dec 7, 2007 at 2:18 PM, Martin Pitt <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> one thing that has bothered me for a long time already is the
> complete lack of a security boundary between processes of the same
> user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
> default for all users, and especially for developers this is a good
> thing.

[snip]

> One easy solution that comes to my mind is to install those affected
> programs setgid, and drop the additional group immediately after
> program start with setgid(getgid()). For this we should introduce a
> new static group into base-passwd, like "noptrace", to not abuse
> existing groups and not confuse auditing tools.
What happens if a malicious whatever uses LD_PRELOAD to change the exec*
family of functions to check for this bit, and if set, make a copy of the
executable in question, without setgid, to execute? Same applies for
ptrace - it can alter the path to be executed on the fly to point to a
traceable (or even binary-patched) version.
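The group-drop step from the quoted proposal, written out as an added example that is not part of this thread and not code from base-passwd or any Debian package. It assumes Linux and glibc (for setresgid/getresgid and prctl). The helper names are made up here. It deviates from the literal setgid(getgid()) in one place, explained in the comments: setresgid() is used so the saved set-group-ID is cleared as well.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/prctl.h>

/* Returns 1 when the binary was started with an extra effective group,
 * i.e. the setgid bit on the file took effect, 0 otherwise. */
int started_setgid(void)
{
    return getgid() != getegid();
}

/* Drop the extra group right after program start.
 * The proposal uses setgid(getgid()); for an unprivileged process that
 * only changes the effective gid and leaves the saved set-group-ID at the
 * elevated group, so the process could regain it with another setgid()
 * call. setresgid() sets real, effective and saved gid in one step.
 * Returns 0 on success, -1 on failure (errno set by setresgid). */
int drop_setgid_group(void)
{
    gid_t real = getgid();
    return setresgid(real, real, real);
}

/* Returns 1 when real, effective and saved gids all agree, meaning no
 * residual group privilege is left in the process. */
int group_fully_dropped(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return 0;
    return r == e && e == s;
}

/* Returns 1 when the kernel has marked this process non-dumpable.
 * A setgid exec clears the dumpable flag, which is what makes the
 * process refuse ptrace attachment from the same unprivileged user and
 * makes the dynamic loader ignore LD_PRELOAD. Dropping the group with
 * setresgid() does not set the flag back; only an explicit
 * prctl(PR_SET_DUMPABLE, 1) would. */
int is_non_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE) == 0;
}

int main(void)
{
    printf("started setgid: %d, non-dumpable: %d\n",
           started_setgid(), is_non_dumpable());

    if (drop_setgid_group() != 0) {
        perror("setresgid");
        return 1;
    }

    printf("after drop: fully dropped: %d, non-dumpable: %d\n",
           group_fully_dropped(), is_non_dumpable());
    /* Real work of the program would start here, with ordinary group
     * membership but still non-dumpable. */
    return 0;
}
```

To see the non-dumpable flag take effect the binary has to be installed with the setgid bit and a group the calling user is not a member of (the proposed "noptrace" group); run without the bit, both checks report the ordinary state. The flag depends on the kernel's handling of the exec itself, so, as the reply points out, it protects only the program image that was actually executed with the bit set.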