On Thu, Nov 17, 2016 at 12:47 PM, Willy Tarreau <w@xxxxxx> wrote: > On Thu, Nov 17, 2016 at 11:08:22AM -0600, Eric W. Biederman wrote: >> >> It is the reasonable expectation that if an executable file is not >> readable there will be no way for a user without special privileges to >> read the file. This is enforced in ptrace_attach but if we are >> already attached there is no enforcement if a readonly executable >> is exec'd. > > I'm really scared by this Eric. At least you want to make it a hardening > option that can be disabled at run time, otherwise it can easily break a > lot of userspace : > > admin@aloha:~$ ll /bin/bash /bin/coreutils /bin/ls /usr/bin/telnet > -r-xr-x--x 1 root adm 549272 Oct 28 16:25 /bin/bash > -rwx--x--x 1 root adm 765624 Oct 28 16:27 /bin/coreutils > lrwxrwxrwx 1 root root 9 Oct 28 16:27 /bin/ls -> coreutils > -r-xr-x--x 1 root adm 70344 Oct 28 16:34 /usr/bin/telnet > > And I've not invented it, I've being taught to do this more than 20 > years ago and been doing this since on any slightly hardened server > just because in pratice it's efficient at stopping quite a bunch of > rootkits which require to copy and modify your executables. Sure > they could get the contents using ptrace, but using cp is much more > common than ptrace in scripts and that works. This has prooven quite > efficient in field at stopping some rootkits several times over the > last two decades and I know I'm not the only one to do it. In fact > I *never* install an executable with read permissions for users if > there's no need for random users to copy it. Does it mean that > nobody should be able to see why their favorite utility doesn't > work anymore ? Not in my opinion, at least not by default. > > So here I fear that we'll break strace at many places where strace > precisely matters to debug things. > > However I'd love to have this feature controlled by a sysctl (to > enforce it by default where possible). I'm not opposed to a sysctl for this. Regardless, I think we need to embrace this idea now, though, since we'll soon end up with architectures that enforce executable-only memory, in which case ptrace will again fail. Almost better to get started here and then not have more surprises later. -Kees -- Kees Cook Nexus Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>