
Removing setuid

Posted Nov 23, 2010 23:57 UTC (Tue) by cjwatson (subscriber, #7322)
In reply to: Removing setuid by talex
Parent article: Ghosts of Unix past, part 4: High-maintenance designs

It would be nice to have a replacement for the somewhat niche use of set-id to prevent a process being ptraced. ssh-agent (at least in Debian - I don't recall the upstream setup right now) is setgid to a single-purpose group, and drops that privilege on startup, purely to prevent an attacker ptracing the agent and extracting cleartext keys. It helps to have this in the filesystem so that there's no vulnerable window at startup.

(Yes, if the compromise is long-term then the attacker can just install a keylogger and wait, but sometimes attackers only have a short window of opportunity and it doesn't hurt to make them work harder.)
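As an added example (not code from the comment above or from ssh-agent itself), the C program below shows the mechanism being relied on: once a process's "dumpable" flag is clear, a PTRACE_ATTACH from another process of the same uid is refused. The kernel clears that flag on a set-id exec; here the child clears it itself with prctl(PR_SET_DUMPABLE, 0), the userland alternative, which is precisely what leaves the startup window the comment mentions. It assumes Linux with Yama ptrace_scope at most 1 (parents may trace their children) and a tracer without CAP_SYS_PTRACE, which would bypass the check.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a same-uid child, optionally clearing its "dumpable" flag by hand (the
 * kernel does this implicitly when a set-id binary is exec'd, which is why the
 * prctl route leaves the startup window the comment mentions), then try to
 * PTRACE_ATTACH it from the parent.  Returns 0 on success, else the errno. */
int attach_outcome(int nondumpable)
{
    int ready[2], result = 0;
    if (pipe(ready) == -1)
        return errno;
    pid_t child = fork();
    if (child == -1)
        return errno;
    if (child == 0) {
        close(ready[0]);
        if (nondumpable)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        (void)!write(ready[1], "r", 1);     /* tell the parent the flag is set */
        close(ready[1]);
        pause();
        _exit(0);
    }
    close(ready[1]);
    char c;
    (void)!read(ready[0], &c, 1);           /* wait until the child is ready */
    close(ready[0]);
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == -1)
        result = errno;                     /* EPERM: dumpable clear, no CAP_SYS_PTRACE */
    else
        waitpid(child, NULL, 0);            /* consume the attach stop */
    kill(child, SIGKILL);                   /* probe done; clean up the child */
    waitpid(child, NULL, 0);
    return result;
}

int main(void)
{
    int d = attach_outcome(0), n = attach_outcome(1);
    printf("dumpable child:     %s\nnon-dumpable child: %s\n",
           d ? strerror(d) : "attach ok", n ? strerror(n) : "attach ok");
    return 0;
}
```

Run as an unprivileged user the first attach succeeds and the second fails with "Operation not permitted"; run with CAP_SYS_PTRACE both succeed, which is why the set-id trick only defends against a same-uid attacker.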


Removing setuid

Posted Nov 25, 2010 18:13 UTC (Thu) by talex (subscriber, #19139)

That's an interesting example.

As you say, the current situation isn't great anyway. I wonder how Capsicum deals with tracing? I assume that you'd need to have a process descriptor to ptrace a process, so by default you'd only be able to trace your children.

If a process wanted to trace something else, it would have to ask a service (e.g. your session manager) for a handle to the target. The session manager could refuse to hand over the handle to the ssh-agent process (or some stricter policy, like always confirming with the user).

Removing setuid

Posted Nov 26, 2010 14:35 UTC (Fri) by Yorick (subscriber, #19241)

For a capability-based system, I would imagine tracing the user's own processes to be a question for his powerbox. I don't remember if the Capsicum papers discuss the design of a powerbox to go with the rest of the system.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds