[PATCH] UBUNTU: SAUCE: ptrace: restrict ptrace scope to children
Scott James Remnant
scott at ubuntu.com
Thu May 13 08:13:27 UTC 2010
On Wed, 2010-05-12 at 15:22 -0700, Kees Cook wrote:
> As Linux grows in popularity, it will become a growing target for
> malware. One particularly troubling weakness of the Linux process
> interfaces is that a single user is able to examine the memory and
> running state of any of their processes. For example, if one application
> (e.g. Empathy) was compromised, it would be possible for an attacker to
> attach to other processes (e.g. Firefox) to extract additional credentials
> and continue to expand the scope of their attack.
>
This is completely possible anyway, even with your patch. I would do
the following:
- send SIGSTOP to the compositor to disable screen updates
- send command to firefox to save browser state and exit
(or SIGKILL)
- fork/exec firefox again (will reappear on the screen as it was
before)
- firefox is now your child, ptrace
- send SIGCONT to the compositor to resume screen updates
Firefox is now being ptraced, but the user never knows what happens.
So your patch adds inconvenience for no additional security, thus I
object to this.
Scott
--
Scott James Remnant
scott at ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20100513/33726f5a/attachment.sig>
More information about the kernel-team
mailing list