From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: ptrace_scope now set to 0 by default Date: Sun, 12 Apr 2015 15:49:55 +0200 Message-ID: <87zj6dtq0s.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:35046) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YhIGv-0001lq-6I for guix-devel@gnu.org; Sun, 12 Apr 2015 09:50:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YhIGr-0000JT-QQ for guix-devel@gnu.org; Sun, 12 Apr 2015 09:50:00 -0400 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:39085) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YhIGr-0000JK-MQ for guix-devel@gnu.org; Sun, 12 Apr 2015 09:49:57 -0400 Received: from reverse-83.fdn.fr ([80.67.176.83]:45383 helo=pluto) by fencepost.gnu.org with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1YhIGr-0004om-6O for guix-devel@gnu.org; Sun, 12 Apr 2015 09:49:57 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: Guix-devel While debugging an elfutils build failure, I discovered a Linux restriction that I had been papering over using sudo for some time. Starting from Linux 3.4 or so, the default policy is to disallow users to attach (with PTRACE_ATTACH) to their own processes. Only CAP_SYS_PTRACE processes (i.e., root) or the target process=E2=80=99 parent= s can attach. This is =E2=80=9Cfor security reasons=E2=80=9D, as noted in Linux=E2=80=99s= Yama.txt: ptrace_scope: As Linux grows in popularity, it will become a larger target for malware. One particularly troubling weakness of the Linux process interfaces is that a single user is able to examine the memory and running state of any of their processes. For example, if one application (e.g. Pidgin) was compromised, it would be possible for an attacker to attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, etc) to extract additional credentials and continue to expand the scope of their attack without resorting to user-assisted phishing. This is not a theoretical problem. SSH session hijacking (http://www.storm.net.nz/projects/7) and arbitrary code injection (http://c-skills.blogspot.com/2007/05/injectso.html) attacks already exist and remain possible if ptrace is allowed to operate as before. Since ptrace is not commonly used by non-developers and non-admins, system builders should be allowed the option to disable this debugging system. For a solution, some applications use prctl(PR_SET_DUMPABLE, ...) to specifically disallow such ptrace attachment (e.g. ssh-agent), but many do not. A more general solution is to only allow ptrace directly from a parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=3DPID", and "strace -p PID" still work as root). But this sounds a little bit silly: it imposes a serious restriction on what users can do (they can no longer attach gdb and such to their own processes!) while providing dubious security improvements. First, we=E2=80=99re talking about attackers who have a user shell anyway, = so one could argue that PTRACE_ATTACH is just one option among many, many others the attacker could use. Second, the =E2=80=9Cright fix=E2=80=9D is = known: security-sensitive applications such as agent can explicitly ask not be to attachable. There seem to be quite a few people on the intertubes who question this security policy along these lines. See for instance: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D712740 https://bugzilla.redhat.com/show_bug.cgi?id=3D1210966 So commit b158f1d restores the original PTRACE_ATTACH behavior by default. If you think this is wrong, let=E2=80=99s discuss it! :-) Thanks, Ludo=E2=80=99.