[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: trust [was Re: Open Xlock as root]

Pavel Kankovsky writes:
>On Thu, 16 Dec 1999, Michael K. Johnson wrote:
>> In order to be safe from this particular form of abuse, it is at least
>> necessary that untrusted users be unable to add the executable bit to
>> any file, or make the executable bit meaningless in areas that the user
>> can write.  That is most often done by mounting /home, /tmp, /var/tmp,
>> etc. with the noexec option.
>...and that is often a completely useless contermeasure thanks to a crowd
>of interpreters (from sh to python) and other programs (e.g. Linux dynamic
>linker) allowing the users to circumvent this restriction. :)

Yeah, I knew I was missing things.  That's why I said "at least".  :-)

As has also been pointed out, if you don't trust users with console
access, you better have everything well locked down so that they do not
walk away with it.

Furthermore, even if you compile everything static (try that with PAM
now that Andrew removed my static PAM code!) and remove the dynamic
linker from the system, EVERY possible buffer overflow on the system
(not just in set{u,g}id programs) becomes a potential security hole,
because users not allowed to make executables would just
export SOMEVARIABLE=reallyreallylongstringwithcustombufferoverflow
and do what they want.  It would be a relatively simple attack to set
up a vlock-like trojan in this case -- only a few system calls would
be needed, and it would fit within a reasonable buffer overflow

The moral?  Don't give console access to folks who you don't trust
at least minimally.  Alternatively, prepare for an unending fight
that will probably involve custom kernel hacking...

There are compartment patches that, combined with proper use of
capabilities, might make it possible to limit such attacks.  But
that's probably some way off from general availability.

My real point is that given physical access, trusted paths rarely
are.  :-)


"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development     http://people.redhat.com/johnsonm/lad/

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []