| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Joshua Brindle wrote: |
| 5 |
|
| 6 |
>> Dan Margolis wrote: |
| 7 |
>> |
| 8 |
> |
| 9 |
>>>> Joshua Brindle wrote: |
| 10 |
>>>> |
| 11 |
>>>> |
| 12 |
>>>> |
| 13 |
>> |
| 14 |
>>>>>> This isn't a weakness at all, presumably the attacker had root |
| 15 |
and could |
| 16 |
>>>>>> have put these files anywhere, he just chose /dev/shm. |
| 17 |
>>>>>> |
| 18 |
>> |
| 19 |
>>>> |
| 20 |
>>>> |
| 21 |
>>>> According to Eric, it was a valid user. |
| 22 |
>>>> |
| 23 |
>>>> |
| 24 |
>>>> |
| 25 |
> |
| 26 |
>> doesn't matter, for the rootkit to have done anything to the system it |
| 27 |
>> would have to be running the escalated privleges. If it was running with |
| 28 |
>> the users privs then who cares? |
| 29 |
|
| 30 |
|
| 31 |
True, but the point of TPE (or any other restrictions) is to be a |
| 32 |
stopgap to prevent other exploits. If he was running an ancient kernel |
| 33 |
with a ptrace vulnerability, granted, he should upgrade, but on the |
| 34 |
other hand, preventing the execution of rootkits *can* prevent a |
| 35 |
successful exploit. |
| 36 |
|
| 37 |
|
| 38 |
>> This is not a comment about grsec. This is merely a comment about the |
| 39 |
>> security model behind trusted path. |
| 40 |
|
| 41 |
|
| 42 |
Fair enough. I would agree that it's not terribly useful in most |
| 43 |
situations. |
| 44 |
|
| 45 |
|
| 46 |
>> wrong, anything you can read you can execute. trusted path is a broken |
| 47 |
>> model, ld.so is just one example of how to get around it. |
| 48 |
|
| 49 |
|
| 50 |
It's entirely possible to set up a restricted system which only allows |
| 51 |
certain kinds of access, and limit that access to the execution of |
| 52 |
specific programs, even if this involves whitelisting if necessary. TPE |
| 53 |
(the way GRSec does it, at least) allows one to whitelist a directory, |
| 54 |
which is (or should be) effective. If you can tell me how it's not, I'd |
| 55 |
appreciate it (not that I use such measures on any of my own machines, |
| 56 |
but I am curious). |
| 57 |
|
| 58 |
|
| 59 |
>> It isn't a bug in the documentation. |
| 60 |
|
| 61 |
|
| 62 |
It is either a bug in the documentation to be incomplete when |
| 63 |
recommending noexec, or, as you say, perhaps a bug in the documentation |
| 64 |
to recommend noexec at all. Either way, it's internally inconsistent, |
| 65 |
which means it's a bug (i.e. there's no reason to recommend |
| 66 |
nosuid/noexec for only some partitions it can be used on, whether or not |
| 67 |
those flags are even useful). |
| 68 |
|
| 69 |
-----BEGIN PGP SIGNATURE----- |
| 70 |
Version: GnuPG v1.2.4 (Darwin) |
| 71 |
|
| 72 |
iQEVAwUBQXAob7DO2aFJ9pv2AQK0Cwf/Tc5wdvtPNKnrL1p0+kEQONvLRjniNvhH |
| 73 |
68lLNLIHZ7MLG/fWsEKvh3XVA+RxAJrPGsD2FEe5loY82/5THot/aybhkoG/3SJs |
| 74 |
4rZHPFz46JB4gZJxi8tgqOfNNo03C/up++BKbJARoNIUBFFMd21YS9WyjznTluLR |
| 75 |
HhRCnMKz4gp6g8C+CVZhbDVyzFFK8kz+cURnA8UFGaclBJRNXuOjLarxXYb5ok5u |
| 76 |
oGmzU60SPkI0tKjqmeF2OccqVIsGyB3g07RCB62lq5z2vpMnTG/Z5eIyBxid9ULy |
| 77 |
ROzQ3Vs3oE8J9+2oH3voS/ncslQv5hCmI3WblR1xUiL2eGEMMi34uw== |
| 78 |
=Elbw |
| 79 |
-----END PGP SIGNATURE----- |
| 80 |
|
| 81 |
-- |
| 82 |
gentoo-hardened@g.o mailing list |
Archives