Providing an ELF flag for disabling LD_PRELOAD/ptrace() - Kernel

This is a discussion on Providing an ELF flag for disabling LD_PRELOAD/ptrace() - Kernel ; Hi kernel developers, one thing that has bothered me for a long time already is the complete lack of a security boundary between processes of the same user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by default for ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Providing an ELF flag for disabling LD_PRELOAD/ptrace()

  1. Providing an ELF flag for disabling LD_PRELOAD/ptrace()

    Hi kernel developers,

    one thing that has bothered me for a long time already is the
    complete lack of a security boundary between processes of the same
    user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
    default for all users, and especially for developers this is a good
    thing.

    However, a lot of programs that we have deal with passwords and other
    secrets which deserve some protection, like passwords you type into
    ssh, screensavers, seahorse, etc.

    This problem has become more pressing with the advent of PolicyKit,
    where even fewer processes have the in-built privilege separation
    between root and users.

    This concerns a scenario where you might have a rogue trojan in your
    session (e. g. a malicious firefox plugin or an autostart shell
    script). Admittedly, if an attacker gets that far he has almost won
    the machine and can easily get more privileges with some social
    engineering and spoofing, but I feel it is worth the small effort to
    at least not allow reading passwords from other processes' memory
    without making any noise at all. This would also greatly reduce the
    potential of a local trojan spreading itself over existing ssh
    connections to other hosts (provided that the ssh executable is
    protected like that, which it should be anyway because it deals with
    passwords).

    What I want is the behaviour of suid/sgid executables (which do
    something like an atomic prctl(PR_SET_DUMPABLE, 0) to disable vectors
    like ptrace(), LD_PRELOAD, etc. However, making binaries setugid just
    for that is less than ideal, since it requires a lot of code patching
    (to reset the group) and packaging changes (to maintain the
    sgid setting), as well as confusing security scanners, etc.

    So I wonder whether we can define a flag in the ELF header which
    triggers the same behaviour? Can we define an e_flags bit for that?

    Thanks in advance for any comment or idea,

    Martin

    --
    Martin Pitt http://www.piware.de
    Ubuntu Developer http://www.ubuntu.com
    Debian Developer http://www.debian.org

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFHYVzQDecnbV4Fd/IRAsjNAJ9zPD3FZK/IUzPy6JJpRiprdrGsfwCgnS+9
    7zjxVmXY9CZBv7ehNGHSvO0=
    =crjf
    -----END PGP SIGNATURE-----


  2. Re: Providing an ELF flag for disabling LD_PRELOAD/ptrace()

    O> one thing that has bothered me for a long time already is the
    > complete lack of a security boundary between processes of the same
    > user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
    > default for all users, and especially for developers this is a good
    > thing.


    This is the normal Unix model.

    > What I want is the behaviour of suid/sgid executables (which do
    > something like an atomic prctl(PR_SET_DUMPABLE, 0) to disable vectors
    > like ptrace(), LD_PRELOAD, etc. However, making binaries setugid just
    > for that is less than ideal, since it requires a lot of code patching
    > (to reset the group) and packaging changes (to maintain the
    > sgid setting), as well as confusing security scanners, etc.


    This is an SELinux problem. In fact this kind of compartmentalisation is
    exactly what SELinux is designed to provide.

    > So I wonder whether we can define a flag in the ELF header which
    > triggers the same behaviour? Can we define an e_flags bit for that?


    If it were just ptrace it would be trivial, but its naiive to think that
    is the case. Constraining things while not entirely compartmentalising is
    a good thing, and policykit is the right path, but the security
    components that are needed seem to already exist in SELinux and little ELF
    binary header hacks don't do the job properly.

    Alan
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

+ Reply to Thread