Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759403AbXFURqV (ORCPT ); Thu, 21 Jun 2007 13:46:21 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756432AbXFURqO (ORCPT ); Thu, 21 Jun 2007 13:46:14 -0400 Received: from faui03.informatik.uni-erlangen.de ([131.188.30.103]:55881 "EHLO faui03.informatik.uni-erlangen.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755978AbXFURqN (ORCPT ); Thu, 21 Jun 2007 13:46:13 -0400 Date: Thu, 21 Jun 2007 19:46:13 +0200 From: Alexander Wuerstlein To: Arjan van de Ven Cc: linux-kernel@vger.kernel.org, arw@arw.name Subject: Re: [PATCH] Check files' signatures before doing suid/sgid [2/4] Message-ID: <20070621174612.GG9741@cip.informatik.uni-erlangen.de> References: <11824417551424-git-send-email-arw@arw.name> <1182446251.2704.0.camel@laptopd505.fenrus.org> <20070621172557.GE9741@cip.informatik.uni-erlangen.de> <1182446983.2704.4.camel@laptopd505.fenrus.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1182446983.2704.4.camel@laptopd505.fenrus.org> X-Echelon-Scan: plutonium bomb dirty irak allah satan bush victory c4 cocaine saddam wtc holy war believe god cia nsa X-Echelon-Result: Terrorist User-Agent: Mutt/1.5.15 (2007-05-02) Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1996 Lines: 46 On 070621 19:33, Arjan van de Ven wrote: > On Thu, 2007-06-21 at 19:25 +0200, Alexander Wuerstlein wrote: > > On 070621 19:21, Arjan van de Ven wrote: > > > On Thu, 2007-06-21 at 18:02 +0200, Alexander Wuerstlein wrote: > > > > Modified task_struct to hold a 'signed flag' which is set on exec(), inherited > > > > on fork() and checked during exec before giving the new process suid/sgid > > > > privileges. > > > > > > > > > > > > > > > > do you also check the signature of glibc and every other shared library > > > that the app uses (or dlopens)? if not.. the entire exercise is rather > > > pointless... > > > > We do check that, that is patch [3/4]. > > > > Of course we can only check mmap-ed files, if there is no file like with JIT > > compilers we are out of luck. > > or if the process uses read() not mmap(). If a process uses read() it needs some executable and writable memory. We do check for this in mprotect(). There is a problem with the i386-architecture, because it allows execution of any readable page (except with newer processors). But beyond that ugliness of i386, it should not be possible to execute anything without us noticing it (hopefully). Scripting languages are of course problematic. In the suid-case you could just call anyone insane who wants to use a suid-shellscript. But in other cases one might want signed binaries for, we do have a problem. With java or shell one would need an interpreter/vm which is signed and reasonably trustworthy itself and checks the signature of the shellscript or classfile it executes. The (probably not all too complicated) writing of such an interpreter is left as an exercise to the reader ;) Ciao, Alexander Wuerstlein. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/