Bugtraq mailing list archives

Re: Tracing by uid u after root does setuid(u)


From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Wed, 13 Jan 1999 15:11:40 -0500


The possibility of attacks after setuid() has to be addressed by
any program that controls sensitive information.

For example, many years ago I fixed my version of the UNIX login
and other programs [1] so that they would not dump core. This is to
avoid dumping core with stdio buffers containing shadow password
file information.

The use of ptrace hooks on once-privileged processes was discussed
in my Murphy USENIX paper [2]. At the time I could not offer a
fool-proof solution. If process tracing attacks can be stopped by
making executable files unreadable, then I have learned useful new
information from this list for which I am grateful.

Regarding the MMDF/Bellovin/Spafford gate program to chdir() through
a protected directory: it is my understanding that the gate program
is set-gid, and that it creates a user-owned file in a world-writable
submission subdirectory.

If the gate program can be kept simple enough that it can retain
set-gid privilege, then it should be immune to process tracing
attack regardless of executable file permissions.  And with set-gid
privilege retained by the submission program, the world-writable
submission subdirectory can be avoided entirely.

        Wietse

[1], [2]: See ftp://ftp.win.tue.nl/pub/security/index.html.


