From: Tavis Ormandy <taviso@sdf.lonestar.org>
To: "Reynolds, Brandon" <brandon.reynolds@lmco.com>
Cc: pottmi@gmail.com, gdb@sourceware.org
Subject: Re: unable to attach to setuid program that as reverted it privilege
Date: Mon, 14 Apr 2008 16:45:00 -0000
Message-ID: <20080414134616.GA17924@sdf.lonestar.org>
In-Reply-To: <7ADDA4869AFB444695CDD37859452D5773AED1@emss04m21.us.lmco.com>
On Mon, Apr 14, 2008 at 09:32:34AM -0400, Reynolds, Brandon wrote:
> > This is documented as allowing core files to be created for setuid
> > programs. What I am using it for is to allow gdb run as a non-root
> > user to connect to setuid programs that have _permanently_ given up
> > their root privilege. Without suid_dumpable enabled, gdb will fail
> > with a EPERM error even tho the target program is no longer running as
> > root and can not reacquire root privilege ( a good default behavior ).
>
Consider the suid root ping program: it acquires a SOCK_RAW socket, and
then drops privileges. If you were allowed to attach to it after it has
dropped privileges, you could wait for it to get the socket, then
PTRACE_ATTACH and PTRACE_POKE in your own code, which now has a raw
socket that it can use for any purpose it likes.
Obviously, this cannot be permitted (I'm sure some operating systems get
it wrong though :-)).
Thanks, Tavis.
--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
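On Linux the refusal Tavis describes is the "dumpable" check in ptrace: when a setuid binary changes its credentials, the kernel resets the process's dumpable flag to the value of the suid_dumpable sysctl (0 by default, i.e. not dumpable), and an unprivileged PTRACE_ATTACH to a non-dumpable process is rejected with EPERM regardless of whether the uids now match. The program below is an added example, not code from this thread or from gdb; it reproduces that check without needing root by clearing the flag with prctl(PR_SET_DUMPABLE, 0) in a forked child (the same per-process state a setuid drop leaves behind) and then attempting to attach from the parent. Assumptions: a Linux host, the helper name try_attach is the example's own, a tracer with CAP_SYS_PTRACE (root) will pass the check anyway, and a Yama ptrace_scope of 2 or higher makes the dumpable case fail with EPERM too.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Fork a target child, optionally clear its dumpable flag, then try to
 * PTRACE_ATTACH to it from the parent.
 *
 * PR_SET_DUMPABLE=0 is the same state the kernel puts a process in when a
 * setuid binary changes credentials (default taken from the suid_dumpable
 * sysctl), so this stands in for "ping has dropped to the invoking user"
 * without the example itself having to run as root.  (Example helper; the
 * name try_attach is this example's own.)
 *
 * Returns 0 if the attach succeeded, otherwise the errno from ptrace(2).
 */
static int try_attach(int make_nondumpable)
{
    int ready[2];
    if (pipe(ready) != 0)
        return errno;

    pid_t pid = fork();
    if (pid < 0)
        return errno;

    if (pid == 0) {                       /* target process */
        close(ready[0]);
        if (make_nondumpable && prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
            _exit(1);
        char mark = 'r';                  /* tell the parent set-up is done */
        if (write(ready[1], &mark, 1) != 1)
            _exit(1);
        close(ready[1]);
        for (;;)
            pause();                      /* sit here until killed */
    }

    close(ready[1]);
    char got;
    int result;
    if (read(ready[0], &got, 1) != 1) {
        result = EIO;                     /* child died before signalling */
    } else if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        result = errno;                   /* EPERM when the kernel refuses */
    } else {
        int status;
        waitpid(pid, &status, 0);         /* a successful attach stops the tracee */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        result = 0;
    }
    close(ready[0]);

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    if (geteuid() == 0)
        puts("note: running as root, CAP_SYS_PTRACE overrides the dumpable check");

    int e = try_attach(0);
    printf("dumpable target:     attach %s\n", e ? strerror(e) : "succeeded");
    e = try_attach(1);
    printf("non-dumpable target: attach %s\n", e ? strerror(e) : "succeeded");
    return 0;
}
```

On a stock system with Yama ptrace_scope=1 the first attach succeeds (the target is a descendant of the tracer) and the second fails with "Operation not permitted", which is exactly what gdb reports when it is pointed at a process that has dropped privileges. Setting suid_dumpable=1 only changes what happens to real setuid programs; the prctl in this example forces the flag regardless of the sysctl, so the second case stays refused either way.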
Thread overview: 14+ messages
2008-04-14 13:46 Reynolds, Brandon
2008-04-14 16:32 ` Michael Potter
2008-04-14 16:45 ` Tavis Ormandy [this message]
2008-04-15 1:02 ` Reynolds, Brandon
2008-04-15 1:24 ` Michael Potter
-- strict thread matches above, loose matches on Subject: below --
2008-01-22 20:00 Michael Potter
2008-01-22 20:09 ` Daniel Jacobowitz
2008-01-22 20:24 ` Michael Potter
2008-01-23 17:52 ` Mark Kettenis
2008-01-23 18:48 ` Michael Potter
2008-01-23 20:26 ` Michael Potter
2008-01-23 20:42 ` Andreas Schwab
2008-01-24 5:05 ` Michael Potter
2008-01-24 9:18 ` Andreas Schwab