From: Tavis Ormandy
To: "Reynolds, Brandon"
Cc: pottmi@gmail.com, gdb@sourceware.org
Date: Mon, 14 Apr 2008 16:45:00 -0000
Subject: Re: unable to attach to setuid program that as reverted it privilege
Message-ID: <20080414134616.GA17924@sdf.lonestar.org>
In-Reply-To: <7ADDA4869AFB444695CDD37859452D5773AED1@emss04m21.us.lmco.com>
User-Agent: Mutt/1.5.17 (2007-11-01)
Mailing-List: contact gdb-help@sourceware.org; run by ezmlm
X-SW-Source: 2008-04/txt/msg00115.txt.bz2

On Mon, Apr 14, 2008 at 09:32:34AM -0400, Reynolds, Brandon wrote:
> > This is documented as allowing core files to be created for setuid
> > programs. What I am using it for is to allow gdb run as a non-root
> > user to connect to setuid programs that have _permanently_ given up
> > their root privilege. Without suid_dumpable enabled, gdb will fail
> > with an EPERM error even though the target program is no longer running as
> > root and cannot reacquire root privilege (a good default behavior).
>

Consider the suid root ping program: it acquires a SOCK_RAW socket, and then
drops privileges. If you were allowed to attach to it after it has dropped
privileges, you could wait for it to get the socket, then PTRACE_ATTACH and
PTRACE_POKE in your own code, which now has a raw socket that it can use for
any purpose it likes. Obviously, this cannot be permitted (I'm sure some
operating systems get it wrong though :-)).

Thanks, Tavis.

-- 
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
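An added example, not part of the thread, showing the kernel-side mechanism behind the EPERM that gdb reports: on Linux, a setuid executable that changes its effective uid has its per-process "dumpable" flag reset to the fs.suid_dumpable value, and ptrace attach (like core dumping) is refused for a non-dumpable process. The function names are my own; it assumes Linux and, to observe the flag actually clearing, must be installed setuid root and run by an unprivileged user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Report this process's dumpable flag: 0 = not dumpable (PTRACE_ATTACH
 * by an unprivileged user is refused), 1 = dumpable, 2 = suid-safe
 * core dumps only. Returns -errno if prctl() fails. */
int process_is_dumpable(void)
{
    int d = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return d < 0 ? -errno : d;
}

/* Read the system-wide fs.suid_dumpable setting the thread discusses.
 * Returns the value (0, 1 or 2) or -errno if /proc is unavailable. */
int read_suid_dumpable(void)
{
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    int v;
    if (!f) return -errno;
    if (fscanf(f, "%d", &v) != 1) v = -EIO;
    fclose(f);
    return v;
}

/* Drop privileges permanently (real, effective and saved ids), the way
 * ping does after acquiring its raw socket, then verify there is no way
 * back to uid 0. Returns 0 on success, -errno on failure. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setresgid(gid, gid, gid) < 0) return -errno;
    if (setresuid(uid, uid, uid) < 0) return -errno;
    /* For a non-root invoker, regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) return -EPERM;
    return 0;
}

int main(void)
{
    printf("fs.suid_dumpable = %d\n", read_suid_dumpable());
    printf("dumpable before privilege drop: %d\n", process_is_dumpable());
    if (drop_privileges_permanently() == 0)
        printf("dumpable after privilege drop:  %d\n", process_is_dumpable());
    return 0;
}
```

Run as a plain user the flag stays 1 throughout; run as a setuid-root binary by a non-root user with fs.suid_dumpable = 0, the second line prints 0, which is exactly the state in which an unprivileged gdb gets EPERM on attach.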