Re: GNOME privilege library



On Thu, 2005-01-13 at 19:33 +0100, Xavier Bestel wrote:
> On Thursday, 13 January 2005 at 13:06 -0500, Sean Middleditch wrote:
> > On Thu, 2005-01-13 at 18:55 +0100, Xavier Bestel wrote:
> > > On Thursday, 13 January 2005 at 12:48 -0500, Sean Middleditch wrote:
> > > > No.  In order to start any of these with privileges, you need a
> > > > privileged helper program - i.e., setuid.  LD_PRELOAD is disabled for
> > > > setuid binaries.
> > > 
> > > What I meant is, ~/Downloads/random-trojan can start
> > > LD_PRELOAD=/tmp/trojan-crafted-lib.so /usr/bin/gnome-procman
> > > and then executes itself with procman's name.
> > 
> > And how would that in any way let the trojan invoke the backends with
> > privileges?  The setuid helper would be responsible for determining that
> > its parent (who launched it) is allowed to execute the target backend,
> > perhaps using the information in /proc (on Linux).
> 
> Yes, that means you want to forbid applications that don't use only
> system libraries (i.e. from /usr/lib or /lib), so:
> - no custom libs from LD_LIBRARY_PATH
> - no custom theme engine
> - the application isn't allowed to load custom plugins
> 
> which all makes sense (no running of user code), but it is very
> inconvenient. Maybe it's better to just be sure that the suid helper is
> safe to be called by anyone.

Yes, it's still possible for arbitrary code to get access to the
backends.  Limiting which binaries can execute which backend isn't a
brick wall - it's just a deterrent.  That deterrent *can* be made more
powerful - disable all use of LD_PRELOAD, only let apps load
plugins/theme-engines if they are owned by root and/or installed
in /usr, and so on.  Those measures are useless if the framework doesn't
let you take advantage of them, though.

It's still useful to require the backends to be registered, though,
since you then at least remove the possibility of trojans injecting
arbitrary code that runs with privileges.

I'll make this clear - I do not claim that any measure I listed will on
its own halt security breaches.  They simply provide means that,
combined with additional security measures in the lower-level OS itself,
can greatly enhance security. 

> 
> 	Xav
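An added illustration (not code from this thread or from any GNOME project) of the checks Sean describes a setuid helper performing on the process that launched it: resolve the parent's executable through /proc, require it to be a registered front-end that is root-owned and installed under /usr, and refuse if the parent's environment carries LD_PRELOAD or LD_LIBRARY_PATH. The registry paths are hypothetical, and the code is Linux-specific because it relies on /proc. As the reply says, this is a deterrent rather than a brick wall: it inspects the caller's metadata at one instant and proves nothing about which code that process is actually running, so it belongs alongside lower-level OS controls, not in place of them.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical registry of front-ends allowed to reach a backend through
 * the helper.  A real helper would read this from a root-owned file. */
static const char *const ALLOWED_CALLERS[] = {
    "/usr/bin/gnome-procman",
    "/usr/bin/gnome-system-tools",
};
#define N_ALLOWED (sizeof ALLOWED_CALLERS / sizeof ALLOWED_CALLERS[0])

/* "Owned by root and installed in /usr": regular file, uid 0, not writable
 * by group or others, under /usr or /lib.  Takes the stat() result as a
 * parameter so the policy can be exercised without real files. */
int is_trusted_file(const char *path, const struct stat *st)
{
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != 0) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return strncmp(path, "/usr/", 5) == 0 || strncmp(path, "/lib/", 5) == 0;
}

/* Exact match of a resolved executable path against the registry. */
int exe_is_registered(const char *exe)
{
    size_t i;
    for (i = 0; i < N_ALLOWED; i++)
        if (strcmp(exe, ALLOWED_CALLERS[i]) == 0) return 1;
    return 0;
}

/* Scan a NUL-separated environment block (the layout of /proc/PID/environ)
 * for loader variables that would pull user-controlled code into the caller.
 * Lengths are bounded so a truncated final entry is never read past. */
int environ_has_loader_vars(const char *env, size_t len)
{
    size_t off = 0;
    while (off < len) {
        const char *var = env + off;
        const char *end = memchr(var, '\0', len - off);
        size_t vlen = end ? (size_t)(end - var) : len - off;
        if ((vlen >= 11 && memcmp(var, "LD_PRELOAD=", 11) == 0) ||
            (vlen >= 16 && memcmp(var, "LD_LIBRARY_PATH=", 16) == 0))
            return 1;
        off += vlen + 1;
    }
    return 0;
}

/* Resolve /proc/PID/exe to the binary the caller runs (Linux only).
 * Returns the path length, or -1 if /proc is unavailable or unreadable. */
ssize_t resolve_exe(pid_t pid, char *buf, size_t len)
{
    char link[64];
    ssize_t n;
    snprintf(link, sizeof link, "/proc/%ld/exe", (long)pid);
    n = readlink(link, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Read /proc/PID/environ (needs the privilege a setuid helper has when the
 * caller is another user).  Returns bytes read or -1. */
ssize_t read_environ(pid_t pid, char *buf, size_t len)
{
    char path[64];
    int fd;
    ssize_t n;
    snprintf(path, sizeof path, "/proc/%ld/environ", (long)pid);
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    n = read(fd, buf, len);
    close(fd);
    return n;
}

/* Decision for the process that launched the helper: registered binary,
 * trusted on disk, no loader variables.  A snapshot of metadata, not proof
 * of what that process is executing: a deterrent, as the reply says. */
int caller_allowed(pid_t pid)
{
    char exe[4096];
    char env[8192];
    struct stat st;
    ssize_t n;

    if (resolve_exe(pid, exe, sizeof exe) < 0) return 0;
    if (!exe_is_registered(exe)) return 0;
    if (stat(exe, &st) < 0 || !is_trusted_file(exe, &st)) return 0;
    n = read_environ(pid, env, sizeof env);
    if (n < 0 || environ_has_loader_vars(env, (size_t)n)) return 0;
    return 1;
}

int main(void)
{
    pid_t parent = getppid();
    printf("caller pid %ld: %s\n", (long)parent,
           caller_allowed(parent) ? "allowed" : "denied");
    return 0;
}
```

Run from a shell, it reports the verdict for the shell itself (denied, since a shell is not in the registry). The policy functions take their inputs as parameters rather than touching the filesystem directly, so the rules can be exercised on constructed metadata and environment blocks without /proc.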