Hi kernel developers,
one thing that has bothered me for a long time already is the
complete lack of a security boundary between processes of the same
user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
default for all users, and especially for developers this is a good
thing.
However, a lot of programs that we have deal with passwords and other
secrets which deserve some protection, like passwords you type into
ssh, screensavers, seahorse, etc.
This problem has become more pressing with the advent of PolicyKit,
where even fewer processes have the in-built privilege separation
between root and users.
This concerns a scenario where you might have a rogue trojan in your
session (e. g. a malicious firefox plugin or an autostart shell
script). Admittedly, if an attacker gets that far he has almost won
the machine and can easily get more privileges with some social
engineering and spoofing, but I feel it is worth the small effort to
at least not allow reading passwords from other processes' memory
without making any noise at all. This would also greatly reduce the
potential of a local trojan spreading itself over existing ssh
connections to other hosts (provided that the ssh executable is
protected like that, which it should be anyway because it deals with
passwords).
What I want is the behaviour of suid/sgid executables (which do
something like an atomic prctl(PR_SET_DUMPABLE, 0) to disable vectors
like ptrace(), LD_PRELOAD, etc. However, making binaries setugid just
for that is less than ideal, since it requires a lot of code patching
(to reset the group) and packaging changes (to maintain the
sgid setting), as well as confusing security scanners, etc.
So I wonder whether we can define a flag in the ELF header which
triggers the same behaviour? Can we define an e_flags bit for that?
Thanks in advance for any comment or idea,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
O> one thing that has bothered me for a long time already is the
> complete lack of a security boundary between processes of the same
> user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
> default for all users, and especially for developers this is a good
> thing.
This is the normal Unix model.
> What I want is the behaviour of suid/sgid executables (which do
> something like an atomic prctl(PR_SET_DUMPABLE, 0) to disable vectors
> like ptrace(), LD_PRELOAD, etc. However, making binaries setugid just
> for that is less than ideal, since it requires a lot of code patching
> (to reset the group) and packaging changes (to maintain the
> sgid setting), as well as confusing security scanners, etc.
This is an SELinux problem. In fact this kind of compartmentalisation is
exactly what SELinux is designed to provide.
> So I wonder whether we can define a flag in the ELF header which
> triggers the same behaviour? Can we define an e_flags bit for that?
If it were just ptrace it would be trivial, but its naiive to think that
is the case. Constraining things while not entirely compartmentalising is
a good thing, and policykit is the right path, but the security
components that are needed seem to already exist in SELinux and little ELF
binary header hacks don't do the job properly.
Alan