[PATCH] Hal privilige seperation
David Zeuthen
david at fubar.dk
Fri Jan 20 16:24:36 PST 2006
On Fri, 2006-01-20 at 13:59 -0800, Artem Kachitchkine wrote:
> >>Kernel does not allow unprivileged users to trace/debug/modify
> >>setuid processes - see ptrace(2) man page.
> >
> > No one is talking about using setuid binaries here.
>
> Neither do I. I mean root processes that drop privileges using setuid(2)
> system call, which hald presently does. ptrace(2) on hald process will
> fail for unprivileged users even after dropping privileges. You won't be
> able to alter process .text if you're not root.
I was thinking the attack vector would be hald handling a D-BUS message
in a way that would cause a buffer overflow thus allowing the
unprivileged caller to execute code in the hal daemon.
While this is pretty unlikely (D-BUS makes it hard with it API to start
with), it's still possible and the cool thing is that Sjoerd's patch
makes sure that this code don't run as uid 0 - it will only run as the
unprivileged haldaemon user. Yes, it can ask for certain hal helpers to
be invoked as uid 0 but that's pretty much it and not something we
should be too afraid of.
So.. that's why it'd be dangerous to allow our unprivileged process to
be able to regain super user privileges (malicious code could easily
become uid 0; bad) and why we need the hald-runner helper process.
Hope this clarifies.. and that I didn't miss the point :-)
David
More information about the hal
mailing list