On Thursday 12 September 2013 09:23:13 Colin Walters wrote:
> On Thu, 2013-09-12 at 10:01 +0300, Oron Peled wrote:
> > * From pid you can find the real executable (/proc/pid/cmd).
>
> And this is the step that's worthless:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=533493
Thanks, that was a very good read.
However, there may be still way out for some cases...
* First, let's talk about the primary mentioned attack vector --
LD_PRELOAD/ptrace attacks:
- These should be ignored by suid/sgid binaries on modern Linux systems
(sans kernel bugs).
- So if we can sgid all these binaries to a specific group -- this threat
is mitigated.
- Actually, with this, the service can simply talk to clients running
in this "firewalld-control" group.
- Obviously, SELinux (which was mentioned in the URL) is a better solution
along the same lines (labeling), but I think it wouldn't be easy to
upstream a solution that can only work with SELinux.
* But thinking more about attack vectors, I got a more depressing picture:
- Assume a valid UI controller get subverted *during* run-time.
- Examples: a buffer overrun, dlopen() malicious plugin, loading other
dynamic code (e.g: via embedded python interpreter), etc.
- This looks pretty hopeless to me in any case (be it SELinux or what's-not)
As the same trusted process instantly becomes a "bad-guy".
- This isn't very different than a hypothetical security hole in ssh that
would
enable attacker to steal my private key.
- *BUT*, since typical GUI programs are far bigger than ssh (including the
whole UI library stacks), the risks for buffer overruns are not marginal.
- This means that any privileged service controlled by GUI client (e.g:
NetworkManager) is still only as secure as it's controller (e.g:
nm-applet).
- It's true that this is somewhat better than the old suid-root GUI wrappers
that could do *anything* to your system. But still, we have no idea how
to protect system-wide services *if* they need GUI control.
- Or am I missing something here?
--
Oron Peled Voice: +972-4-8228492
o...@actcom.co.il http://users.actcom.co.il/~oron
"Your fair use of this book is restricted"
"You may only read this book once"
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
