Re: RFC: disablenetwork facility. (v4)

From: Eric W. Biederman
Date: Tue Dec 29 2009 - 16:29:43 EST


Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> writes:

>> > Execute != read. The executable file may contain secrets which must not
>> > be available to the user running the setuid program. If you fail the
>> > setuid, the user will be able to ptrace() and then the secret is
>> > revealed.
>> >
>> > It's amazing how many security holes appear from what seems like a very
>> > simple request.
>>
>> Do we have a security hole in nosuid mount option?
>> Can someone write a patch to fix it?
>
> If a setuid app can read a key when its erroneously not set setuid then
> the user can read it too.
>
> Anything you can do with ptrace you can do yourself !

Now that I think about it this is really something completely separate
from setuid. This is about being able to read the text segment with
ptrace when you on have execute permissions on the file.

I just skimmed through fs/exec.c and we set the undumpable process
flag in that case so ptrace should not work in that case.

So short of a bug in the implementation we have no security hole.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/