1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
Joshua Brindle wrote: |
5 |
|
6 |
>> Dan Margolis wrote: |
7 |
>> |
8 |
> |
9 |
>>>> Joshua Brindle wrote: |
10 |
>>>> |
11 |
>>>> |
12 |
>>>> |
13 |
>> |
14 |
>>>>>> This isn't a weakness at all, presumably the attacker had root |
15 |
and could |
16 |
>>>>>> have put these files anywhere, he just chose /dev/shm. |
17 |
>>>>>> |
18 |
>> |
19 |
>>>> |
20 |
>>>> |
21 |
>>>> According to Eric, it was a valid user. |
22 |
>>>> |
23 |
>>>> |
24 |
>>>> |
25 |
> |
26 |
>> doesn't matter, for the rootkit to have done anything to the system it |
27 |
>> would have to be running the escalated privleges. If it was running with |
28 |
>> the users privs then who cares? |
29 |
|
30 |
|
31 |
True, but the point of TPE (or any other restrictions) is to be a |
32 |
stopgap to prevent other exploits. If he was running an ancient kernel |
33 |
with a ptrace vulnerability, granted, he should upgrade, but on the |
34 |
other hand, preventing the execution of rootkits *can* prevent a |
35 |
successful exploit. |
36 |
|
37 |
|
38 |
>> This is not a comment about grsec. This is merely a comment about the |
39 |
>> security model behind trusted path. |
40 |
|
41 |
|
42 |
Fair enough. I would agree that it's not terribly useful in most |
43 |
situations. |
44 |
|
45 |
|
46 |
>> wrong, anything you can read you can execute. trusted path is a broken |
47 |
>> model, ld.so is just one example of how to get around it. |
48 |
|
49 |
|
50 |
It's entirely possible to set up a restricted system which only allows |
51 |
certain kinds of access, and limit that access to the execution of |
52 |
specific programs, even if this involves whitelisting if necessary. TPE |
53 |
(the way GRSec does it, at least) allows one to whitelist a directory, |
54 |
which is (or should be) effective. If you can tell me how it's not, I'd |
55 |
appreciate it (not that I use such measures on any of my own machines, |
56 |
but I am curious). |
57 |
|
58 |
|
59 |
>> It isn't a bug in the documentation. |
60 |
|
61 |
|
62 |
It is either a bug in the documentation to be incomplete when |
63 |
recommending noexec, or, as you say, perhaps a bug in the documentation |
64 |
to recommend noexec at all. Either way, it's internally inconsistent, |
65 |
which means it's a bug (i.e. there's no reason to recommend |
66 |
nosuid/noexec for only some partitions it can be used on, whether or not |
67 |
those flags are even useful). |
68 |
|
69 |
-----BEGIN PGP SIGNATURE----- |
70 |
Version: GnuPG v1.2.4 (Darwin) |
71 |
|
72 |
iQEVAwUBQXAob7DO2aFJ9pv2AQK0Cwf/Tc5wdvtPNKnrL1p0+kEQONvLRjniNvhH |
73 |
68lLNLIHZ7MLG/fWsEKvh3XVA+RxAJrPGsD2FEe5loY82/5THot/aybhkoG/3SJs |
74 |
4rZHPFz46JB4gZJxi8tgqOfNNo03C/up++BKbJARoNIUBFFMd21YS9WyjznTluLR |
75 |
HhRCnMKz4gp6g8C+CVZhbDVyzFFK8kz+cURnA8UFGaclBJRNXuOjLarxXYb5ok5u |
76 |
oGmzU60SPkI0tKjqmeF2OccqVIsGyB3g07RCB62lq5z2vpMnTG/Z5eIyBxid9ULy |
77 |
ROzQ3Vs3oE8J9+2oH3voS/ncslQv5hCmI3WblR1xUiL2eGEMMi34uw== |
78 |
=Elbw |
79 |
-----END PGP SIGNATURE----- |
80 |
|
81 |
-- |
82 |
gentoo-hardened@g.o mailing list |