Mirror of the gdb mailing list
* gdb and suid binaries - security?
From: Kris Warkentin @ 2002-04-03  7:26 UTC
  To: gdb

Is it true that if gdb is debugging a suid binary then any calls they make
from the debugger are executed as that user?  Couldn't one then execute
arbitrary instructions as root if you debugged something like su?  Or even
worse, just call setuid(0) and let the program run to completion.

Oddly enough I've noticed that this actually fails on both FreeBSD and Linux
but it almost seems to be some mechanism outside of gdb.  Does anyone know
how this works?

cheers,

Kris


* Re: gdb and suid binaries - security?
From: Michael Elizabeth Chastain @ 2002-04-03  7:52 UTC
  To: gdb, kewarken

This is a well known case.  The kernel does a permission check at the
time that the parent starts tracing the child (or Process A attaches to
Process B).  In the Linux kernel, this check is in "ptrace_attach"
in file kernel/ptrace.c.

> Oddly enough I've noticed that this actually fails on both FreeBSD
> and Linux but it almost seems to be some mechanism outside of gdb.
> Does anyone know how this works?

gdb is an unprivileged process.  It just calls ptrace() a lot, or it
reads and writes /proc a lot.  It's the kernel's job to deny gdb from
attaching to privileged processes, just as it's the kernel's job to deny
"cat > /etc/passwd" for unprivileged users.

Michael C
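
The attach-time check described in the reply above can be observed from user space. The following is an added example, not part of the thread or of gdb: it asks the Linux kernel to attach to a PID and reports the kernel's answer. The function name `try_attach` and the forked test child are made up for this illustration.

```c
/* Added example: ask the kernel whether this process may trace a PID. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if the kernel allowed the attach (the target is detached again
 * straight away), otherwise the errno from ptrace(): EPERM means the
 * kernel's permission check refused, ESRCH means no such process.
 * try_attach is a hypothetical helper name, not a gdb or libc function. */
int try_attach(pid_t pid)
{
    int status;

    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        return errno;
    waitpid(pid, &status, 0);               /* wait for the attach stop */
    ptrace(PTRACE_DETACH, pid, NULL, NULL); /* let the target run again */
    return 0;
}

int main(int argc, char **argv)
{
    pid_t target, child = -1;

    if (argc > 1) {
        target = (pid_t)atol(argv[1]);      /* PID given on the command line */
    } else {
        child = fork();                     /* no PID given: use our own child */
        if (child < 0) { perror("fork"); return 1; }
        if (child == 0) { pause(); _exit(0); }
        target = child;
    }
    int err = try_attach(target);
    printf("attach to pid %ld: %s\n", (long)target,
           err ? strerror(err) : "allowed by the kernel");
    if (child > 0) { kill(child, SIGKILL); waitpid(child, NULL, 0); }
    return 0;
}
```

Run without arguments it attaches to its own child; run as an unprivileged user with the PID of another user's process, it prints the kernel's refusal (EPERM).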

