Re: using capabilities to allow debug of suid-root programs

mukesh agrawal (agrawal@ais.org)
Sat, 17 Apr 1999 13:48:37 -0400


At 1:17 AM -0400 4/17/99, peeterj@ca.ibm.com wrote:
>Hi Andrew,
>
>I was looking into the use of linux capabilities to allow debugging of
>setuid root programs by allowing cap_sys_ptrace.
>
>I have built and installed libcap on a machine running 2.2, but now that I
>have done so I am not exactly sure how to go about allowing selective
>ptrace. The first place I looked into was the faq, but the link
>(ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt) seems to be
>dead. Do you know of an updated url?
>
>The reason that I want to do this is because Linux seems to not allow
>debugging of a suid root program even after dropping all root authorities
>(even after calling ALL of set[ug]id, sete[ug]id, and setre[ug]id to not
>root group and id). However, we need to allow our programmers to debug and
>don't neccessarily want to start passing out the root password all over the
>place.
>
>By cc to any kernel developers, is this ptrace behaviour a linux bug, and
>if not what is the rational (is more needed then dropping the root
>uid/gid?).

The process may have acquired resources by virtue of being suid. Consider
an executable called demo

exec("/bin/demo")
open("/etc/passwd")
/* drop root privileges using setXid/seteXid/setreXid */

then you launch the tracing process

exec("/bin/cracker")
ptrace(PTRACE_ATTACH, /bin/demo's pid)

cracker can then manipulate the passwd file however it would like.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/