Firewall blocking desktop features
oron at actcom.co.il
Thu Sep 12 23:26:24 UTC 2013
On Thursday 12 September 2013 09:23:13 Colin Walters wrote:
> On Thu, 2013-09-12 at 10:01 +0300, Oron Peled wrote:
> > * From pid you can find the real executable (/proc/pid/cmd).
> And this is the step that's worthless:
Thanks, that was a very good read.
However, there may still be a way out for some cases...
* First, let's talk about the primary mentioned attack vector -- LD_PRELOAD/ptrace attacks:
- These should be ignored by suid/sgid binaries on modern Linux systems
(sans kernel bugs).
- So if we can sgid all these binaries to a specific group -- this threat
- Actually, with this, the service can simply talk to clients running
in this "firewalld-control" group.
- Obviously, SELinux (which was mentioned in the URL) is a better solution
along the same lines (labeling), but I think it wouldn't be easy to
upstream a solution that can only work with SELinux.
* But thinking more about attack vectors, I got a more depressing picture:
- Assume a valid UI controller gets subverted *during* run-time.
- Examples: a buffer overrun, dlopen() malicious plugin, loading other
dynamic code (e.g: via embedded python interpreter), etc.
- This looks pretty hopeless to me in any case (be it SELinux or what-not),
as the same trusted process instantly becomes a "bad-guy".
- This isn't very different from a hypothetical security hole in ssh that would
enable an attacker to steal my private key.
- *BUT*, since typical GUI programs are far bigger than ssh (including the
whole UI library stacks), the risks for buffer overruns are not marginal.
- This means that any privileged service controlled by a GUI client (e.g:
NetworkManager) is still only as secure as its controller (e.g: nm-applet).
- It's true that this is somewhat better than the old suid-root GUI wrappers
that could do *anything* to your system. But still, we have no idea how
to protect system-wide services *if* they need GUI control.
- Or am I missing something here?
Oron Peled Voice: +972-4-8228492
oron at actcom.co.il http://users.actcom.co.il/~oron
"Your fair use of this book is restricted"
"You may only read this book once"
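The gid-based check the post sketches (a service accepting only clients that run sgid to a control group), as an added illustration that is not code from the thread or from firewalld. The group name "firewalld-control" is the post's hypothetical; the socketpair and the fallback to the caller's own gid are constructed so the demo runs without installing any sgid binary.

```python
import grp
import os
import socket
import struct

# Hypothetical name from the thread; resolved at runtime below.
CONTROL_GROUP = "firewalld-control"


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket.

    SO_PEERCRED (Linux) is filled in by the kernel at connect()/socketpair()
    time, so unlike a pid sent inside a message the client cannot forge it.
    The gid reported is the peer's effective gid.
    """
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def is_control_client(sock, control_gid):
    """Authorize a connected client by its kernel-reported effective gid.

    Once every legitimate controller binary is sgid to the control group,
    the dynamic loader refuses LD_PRELOAD and ptrace is refused for that
    secure-execution process, so a peer carrying this gid is (kernel bugs
    aside) really running the controller executable.
    """
    _pid, _uid, gid = peer_credentials(sock)
    return gid == control_gid


def demo():
    """Constructed check: a socketpair puts both ends in this process."""
    try:
        control_gid = grp.getgrnam(CONTROL_GROUP).gr_gid
    except KeyError:
        control_gid = os.getgid()  # assumption: our own gid stands in for the group
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        accepted = is_control_client(server, control_gid)
        rejected = is_control_client(server, control_gid + 1)  # any other gid
        return accepted, rejected
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print(demo())
```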