unable to attach to setuid program that has reverted its privilege
Tavis Ormandy
taviso@sdf.lonestar.org
Mon Apr 14 16:45:00 GMT 2008
On Mon, Apr 14, 2008 at 09:32:34AM -0400, Reynolds, Brandon wrote:
> > This is documented as allowing core files to be created for setuid
> > programs. What I am using it for is to allow gdb run as a non-root
> > user to connect to setuid programs that have _permanently_ given up
> > their root privilege. Without suid_dumpable enabled, gdb will fail
> > with an EPERM error even though the target program is no longer running as
> > root and cannot reacquire root privilege ( a good default behavior ).
>
Consider the suid root ping program: it acquires a SOCK_RAW socket, and
then drops privileges. If you were allowed to attach to it after it has
dropped privileges, you could wait for it to get the socket, then
PTRACE_ATTACH and PTRACE_POKE in your own code, which now has a raw
socket that it can use for any purpose it likes.
Obviously, this cannot be permitted (I'm sure some operating systems get
it wrong though :-)).
Thanks, Tavis.
--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
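Added illustration, not part of the thread above: a small user-space model of the Linux ptrace permission rule that produces the EPERM Brandon describes and closes the hole Tavis describes. It simplifies the kernel's __ptrace_may_access(): the tracer's real uid/gid must match all of the target's real, effective and saved ids, and the target must still be marked "dumpable"; a setuid binary loses that mark at exec and again whenever it changes credentials, being reset instead to the value of the fs.suid_dumpable sysctl, so only mode 1 ("debug") makes the dropped-privilege ping attachable. The struct layout, helper names, the uid 1000 scenario, and the omission of LSM hooks (e.g. Yama) are assumptions for illustration, not kernel code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Values of fs.suid_dumpable: 0 = never dumpable, 1 = "debug" (dumpable, so
 * ptrace by the same user works), 2 = core dumps for root only, ptrace denied. */
enum { SUID_DUMP_DISABLE = 0, SUID_DUMP_USER = 1, SUID_DUMP_ROOT = 2 };

/* Simplified credential set (real/effective/saved uid and gid); assumption. */
struct cred {
    unsigned uid, euid, suid;
    unsigned gid, egid, sgid;
    bool cap_sys_ptrace;   /* a tracer holding CAP_SYS_PTRACE bypasses both checks */
};

struct task {
    struct cred c;
    int dumpable;          /* one of the SUID_DUMP_* values */
};

/* An ordinary unprivileged process: all ids equal, dumpable as for any normal task. */
static struct task plain_task(unsigned uid, unsigned gid)
{
    struct task t = { { uid, uid, uid, gid, gid, gid, false }, SUID_DUMP_USER };
    return t;
}

/* exec() of a setuid-root binary by uid: euid/suid become 0 and, because the
 * effective id now differs from the real one, the kernel takes dumpable from
 * the suid_dumpable sysctl instead of the normal default. */
static void exec_setuid_root(struct task *t, int suid_dumpable)
{
    t->c.euid = 0;
    t->c.suid = 0;
    t->dumpable = suid_dumpable;
}

/* setuid(getuid()) as ping does after opening its raw socket. All ids now
 * match the user again, but the credential change resets dumpable to the
 * sysctl value, so the task is NOT treated like a freshly started user process. */
static void drop_privileges_permanently(struct task *t, int suid_dumpable)
{
    t->c.euid = t->c.uid;
    t->c.suid = t->c.uid;
    t->c.egid = t->c.gid;
    t->c.sgid = t->c.gid;
    t->dumpable = suid_dumpable;
}

/* Model of the kernel's __ptrace_may_access(): same-user check, then the
 * dumpable check; either failure yields -EPERM unless the tracer has
 * CAP_SYS_PTRACE. Returns 0 when PTRACE_ATTACH would be allowed. */
static int ptrace_may_access(const struct task *tracer, const struct task *target)
{
    const struct cred *t = &tracer->c, *g = &target->c;
    bool same_user = t->uid == g->uid && t->uid == g->euid && t->uid == g->suid &&
                     t->gid == g->gid && t->gid == g->egid && t->gid == g->sgid;
    if (t->cap_sys_ptrace)
        return 0;
    if (!same_user)
        return -EPERM;
    if (target->dumpable != SUID_DUMP_USER)
        return -EPERM;
    return 0;
}

/* The thread's scenario (constructed): user 1000 runs setuid ping, ping drops
 * its privileges, then the same user tries to attach gdb. Returns 0 or -EPERM. */
int attach_to_dropped_ping(int suid_dumpable)
{
    struct task ping = plain_task(1000, 1000);
    struct task gdb  = plain_task(1000, 1000);
    exec_setuid_root(&ping, suid_dumpable);
    /* ... ping opens its SOCK_RAW socket here while still euid 0 ... */
    drop_privileges_permanently(&ping, suid_dumpable);
    return ptrace_may_access(&gdb, &ping);
}

/* Control case: the same user attaching to one of their own ordinary processes. */
int attach_to_plain_process(void)
{
    struct task target = plain_task(1000, 1000);
    struct task gdb    = plain_task(1000, 1000);
    return ptrace_may_access(&gdb, &target);
}

int main(void)
{
    static const char *names[] = { "0 (default)", "1 (debug)", "2 (suidsafe)" };
    for (int mode = 0; mode <= 2; mode++)
        printf("suid_dumpable=%s: attach to dropped-privilege ping -> %s\n",
               names[mode], attach_to_dropped_ping(mode) == 0 ? "allowed" : "EPERM");
    printf("attach to ordinary same-user process -> %s\n",
           attach_to_plain_process() == 0 ? "allowed" : "EPERM");
    return 0;
}
```

Running it shows the asymmetry the thread is about: the ordinary process is attachable, while the ping that has permanently become uid 1000 stays off-limits in modes 0 and 2 because the dumpable mark, not the current uid, records that the process once ran with credentials the user never had. Mode 1 restores the mark and with it the ability to attach, which is exactly why it is a debugging setting rather than a default.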
More information about the Gdb mailing list