From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 10259 invoked by alias); 3 Apr 2002 15:32:29 -0000
Mailing-List: contact gdb-help@sources.redhat.com; run by ezmlm
Precedence: bulk
List-Subscribe:
List-Archive:
List-Post:
List-Help:
Sender: gdb-owner@sources.redhat.com
Received: (qmail 10252 invoked from network); 3 Apr 2002 15:32:28 -0000
Received: from unknown (HELO xcncgw.mariani.ws) (208.176.14.66) by sources.redhat.com with SMTP; 3 Apr 2002 15:32:28 -0000
Received: from mariani.ws (IDENT:gianni@bulli.mariani.ws [216.98.238.112]) by xcncgw.mariani.ws (8.11.6/8.11.6) with ESMTP id g33GWFs15003; Wed, 3 Apr 2002 08:32:15 -0800
Message-ID: <3CAB208A.5060805@mariani.ws>
Date: Wed, 03 Apr 2002 07:32:00 -0000
From: Gianni Mariani
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020204
X-Accept-Language: en-us
MIME-Version: 1.0
To: Kris Warkentin
CC: gdb@sources.redhat.com
Subject: Re: gdb and suid binaries - security?
References: <097201c1db23$feef79d0$b6010c0a@catdog>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-SW-Source: 2002-04/txt/msg00015.txt.bz2

To attach to a process, the kernel requires you have appropriate permissions.

Starting program: /bin/su
/bin/su: Operation not permitted.

This is the same with strace:

strace `which su`
execve("/bin/su", ["/bin/su"], [/* 60 vars */]) = 0
strace: exec: Operation not permitted

It's basically a hole that's been closed by the OS.

Kris Warkentin wrote:

>Is it true that if gdb is debugging a suid binary then any calls they make
>from the debugger are executed as that user? Couldn't one then execute
>arbitrary instructions as root if you debugged something like su? Or even
>worse, just call setuid(0) and let the program run to completion.
>
>Oddly enough I've noticed that this actually fails on both FreeBSD and Linux
>but it almost seems to be some mechanism outside of gdb. Does anyone know
>how this works?
>
>cheers,
>
>Kris
>
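The "mechanism outside of gdb" that the reply points at is a kernel-side permission check on ptrace(2). On Linux the kernel clears a process's "dumpable" flag when it executes a set-uid binary, and an unprivileged tracer is then refused PTRACE_ATTACH with EPERM. The program below is an added illustration of that check, written for this page and not part of the gdb thread or of gdb itself; it reproduces the state of a set-uid process by having a child clear its own dumpable flag with prctl(PR_SET_DUMPABLE, 0) instead of executing a real set-uid binary, so it needs no privileges to run. It assumes a Linux host; a tracer running as root with CAP_SYS_PTRACE (or a kernel with Yama ptrace_scope set to deny all attaches) will see different outcomes, which is why the result is reported rather than assumed.

```c
/* Added example (not from the gdb mailing list): demonstrate the Linux
 * ptrace permission check that stops an unprivileged debugger from
 * attaching to a process that is in "set-uid" (non-dumpable) state. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork an idle child. If child_dumpable is 0 the child clears its
 * dumpable flag first, which is the state the kernel puts a process in
 * after it execs a set-uid binary. The parent then tries PTRACE_ATTACH.
 * Returns 1 if the attach was refused with EPERM, 0 if it succeeded,
 * -1 on any unexpected failure. */
int attach_outcome(int child_dumpable)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        close(pipefd[0]);
        if (!child_dumpable)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); /* mimic post-exec set-uid state */
        char ready = 'r';                        /* signal the parent we are set up */
        if (write(pipefd[1], &ready, 1) != 1)
            _exit(1);
        close(pipefd[1]);
        for (;;)
            pause();                             /* idle until the parent kills us */
    }

    close(pipefd[1]);
    char buf;
    if (read(pipefd[0], &buf, 1) != 1) {
        close(pipefd[0]);
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    close(pipefd[0]);

    int result;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0) {
        int status;
        waitpid(pid, &status, 0);                /* wait for the attach stop */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        result = 0;
    } else {
        result = (errno == EPERM) ? 1 : -1;
    }

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    static const char *names[] = { "attach succeeded", "attach denied (EPERM)", "unexpected error" };
    int d = attach_outcome(1);
    int n = attach_outcome(0);
    printf("euid=%u\n", (unsigned)geteuid());
    printf("dumpable child:     %s\n", names[d < 0 ? 2 : d]);
    printf("non-dumpable child: %s\n", names[n < 0 ? 2 : n]);
    return 0;
}
```

Run as an ordinary user, the first attach succeeds and the second is refused, which is the same EPERM that gdb and strace report above when pointed at /bin/su. The same flag governs core dumps, so a process that has been made non-dumpable this way is also protected from having its memory (and any secrets in it) written to disk on a crash; defenders who wrap privileged daemons in a debugger-resistant state rely on exactly this check.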