Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]

From: Alexander Wuerstlein
Date: Thu Jun 21 2007 - 13:46:22 EST

Next message: H. Peter Anvin: "Re: Adding subroot information to /proc/mounts, or obtaining thatthrough other means"
Previous message: Lennart Sorensen: "Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3"
In reply to: Arjan van de Ven: "Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]"
Next in thread: Arjan van de Ven: "Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 070621 19:33, Arjan van de Ven <arjan@xxxxxxxxxxxxx> wrote:
> On Thu, 2007-06-21 at 19:25 +0200, Alexander Wuerstlein wrote:
> > On 070621 19:21, Arjan van de Ven <arjan@xxxxxxxxxxxxx> wrote:
> > > On Thu, 2007-06-21 at 18:02 +0200, Alexander Wuerstlein wrote:
> > > > Modified task_struct to hold a 'signed flag' which is set on exec(), inherited
> > > > on fork() and checked during exec before giving the new process suid/sgid
> > > > privileges.
> > > >
> > >
> > >
> > >
> > > do you also check the signature of glibc and every other shared library
> > > that the app uses (or dlopens)? if not.. the entire exercise is rather
> > > pointless...
> >
> > We do check that, that is patch [3/4].
> >
> > Of course we can only check mmap-ed files, if there is no file like with JIT
> > compilers we are out of luck.
>
> or if the process uses read() not mmap().

If a process uses read() it needs some executable and writable memory. We do
check for this in mprotect(). There is a problem with the i386-architecture,
because it allows execution of any readable page (except with newer
processors). But beyond that ugliness of i386, it should not be possible to
execute anything without us noticing it (hopefully).

Scripting languages are of course problematic. In the suid-case you could just
call anyone insane who wants to use a suid-shellscript. But in other cases one
might want signed binaries for, we do have a problem. With java or shell one
would need an interpreter/vm which is signed and reasonably trustworthy itself
and checks the signature of the shellscript or classfile it executes. The
(probably not all too complicated) writing of such an interpreter is left as an
exercise to the reader ;)

Ciao,

Alexander Wuerstlein.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: H. Peter Anvin: "Re: Adding subroot information to /proc/mounts, or obtaining thatthrough other means"
Previous message: Lennart Sorensen: "Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3"
In reply to: Arjan van de Ven: "Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]"
Next in thread: Arjan van de Ven: "Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]