Firewall blocking desktop features

Oron Peled oron at actcom.co.il
Thu Sep 12 23:26:24 UTC 2013 

On Thursday 12 September 2013 09:23:13 Colin Walters wrote:
> On Thu, 2013-09-12 at 10:01 +0300, Oron Peled wrote:
> >  * From pid you can find the real executable (/proc/pid/cmd).
> 
> And this is the step that's worthless:
> 
> https://bugzilla.gnome.org/show_bug.cgi?id=533493

Thanks, that was a very good read.

However, there may be still way out for some cases...

* First, let's talk about the primary mentioned attack vector -- LD_PRELOAD/ptrace attacks:
  - These should be ignored by suid/sgid binaries on modern Linux systems
    (sans kernel bugs).

  - So if we can sgid all these binaries to a specific group -- this threat
    is mitigated.

  - Actually, with this, the service can simply talk to clients running
    in this "firewalld-control" group.

  - Obviously, SELinux (which was mentioned in the URL) is a better solution
    along the same lines (labeling), but I think it wouldn't be easy to
    upstream a solution that can only work with SELinux.

* But thinking more about attack vectors, I got a more depressing picture:

   - Assume a valid UI controller get subverted *during* run-time.

   - Examples: a buffer overrun, dlopen() malicious plugin, loading other
     dynamic code (e.g: via embedded python interpreter), etc.

   - This looks pretty hopeless to me in any case (be it SELinux or what's-not)
     As the same trusted process instantly becomes a "bad-guy".

   - This isn't very different than a hypothetical security hole in ssh that would
     enable attacker to steal my private key. 

   - *BUT*, since typical GUI programs are far bigger than ssh (including the
     whole UI library stacks), the risks for buffer overruns are not marginal.

   - This means that any privileged service controlled by GUI client (e.g:
     NetworkManager) is still only as secure as it's controller (e.g: nm-applet).

   - It's true that this is somewhat better than the old suid-root GUI wrappers
     that could do *anything* to your system. But still, we have no idea how
     to protect system-wide services *if* they need GUI control.

   - Or am I missing something here?


-- 
Oron Peled                                 Voice: +972-4-8228492
oron at actcom.co.il                  http://users.actcom.co.il/~oron
"Your fair use of this book is restricted"
"You may only read this book once"

More information about the devel mailing list