Providing an ELF flag for disabling LD_PRELOAD/ptrace()

From: Martin Pitt
Date: Thu Dec 13 2007 - 11:47:50 EST

Next message: Kok, Auke: "Re: [RFC] net: napi fix"
Previous message: Takashi Iwai: "Re: [patch 13/18] alsa: nopage"
Next in thread: Alan Cox: "Re: Providing an ELF flag for disabling LD_PRELOAD/ptrace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi kernel developers,

one thing that has bothered me for a long time already is the
complete lack of a security boundary between processes of the same
user. Things like LD_PRELOAD and ptrace() (IOW, gdb) are enabled by
default for all users, and especially for developers this is a good
thing.

However, a lot of programs that we have deal with passwords and other
secrets which deserve some protection, like passwords you type into
ssh, screensavers, seahorse, etc.

This problem has become more pressing with the advent of PolicyKit,
where even fewer processes have the in-built privilege separation
between root and users.

This concerns a scenario where you might have a rogue trojan in your
session (e. g. a malicious firefox plugin or an autostart shell
script). Admittedly, if an attacker gets that far he has almost won
the machine and can easily get more privileges with some social
engineering and spoofing, but I feel it is worth the small effort to
at least not allow reading passwords from other processes' memory
without making any noise at all. This would also greatly reduce the
potential of a local trojan spreading itself over existing ssh
connections to other hosts (provided that the ssh executable is
protected like that, which it should be anyway because it deals with
passwords).

What I want is the behaviour of suid/sgid executables (which do
something like an atomic prctl(PR_SET_DUMPABLE, 0) to disable vectors
like ptrace(), LD_PRELOAD, etc. However, making binaries setugid just
for that is less than ideal, since it requires a lot of code patching
(to reset the group) and packaging changes (to maintain the
sgid setting), as well as confusing security scanners, etc.

So I wonder whether we can define a flag in the ELF header which
triggers the same behaviour? Can we define an e_flags bit for that?

Thanks in advance for any comment or idea,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

Attachment: signature.asc
Description: Digital signature

Next message: Kok, Auke: "Re: [RFC] net: napi fix"
Previous message: Takashi Iwai: "Re: [patch 13/18] alsa: nopage"
Next in thread: Alan Cox: "Re: Providing an ELF flag for disabling LD_PRELOAD/ptrace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]