The possibility of attacks after setuid() has to be addressed by any program that controls sensitive information. For example, many years ago I fixed my version of the UNIX login and other programs [1] so that they would not dump core. This was to avoid dumping core with stdio buffers containing shadow password file information. The use of ptrace hooks on once-privileged processes was discussed in my Murphy USENIX paper [2]. At the time I could not offer a fool-proof solution. If process tracing attacks can be stopped by making executable files unreadable, then I have learned useful new information from this list for which I am grateful.

Regarding the MMDF/Bellovin/Spafford gate program to chdir() through a protected directory: it is my understanding that the gate program is set-gid, and that it creates a user-owned file in a world-writable submission subdirectory. If the gate program can be kept simple enough that it can retain set-gid privilege, then it should be immune to process tracing attack regardless of executable file permissions. And with set-gid privilege retained by the submission program, the world-writable submission subdirectory can be avoided entirely.

Wietse

[1], [2]: See ftp://ftp.win.tue.nl/pub/security/index.html.
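As an added illustration (not code from the post or from any of the programs it mentions), the following shows the two mitigations the message describes for a once-privileged process: refusing to dump core, and keeping a secret read through stdio out of heap buffers by turning buffering off and scrubbing the local copy. It assumes Linux for prctl(PR_SET_DUMPABLE), which also blocks ptrace attach by non-root processes; the shadow-style line is constructed, not real data.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Disable core dumps and mark the process non-dumpable; on Linux the latter
 * also refuses ptrace attach by any non-root process. Returns 0 on success. */
int harden_process(void) {
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0) return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
#endif
    return 0;
}

/* Verify both protections are in effect. Returns 1 if so, else 0. */
int process_is_hardened(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0 || rl.rlim_cur != 0) return 0;
#ifdef __linux__
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0) return 0;
#endif
    return 1;
}

/* Wipe a buffer through a volatile pointer so the compiler keeps the stores. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Demo: a constructed shadow-style line (not real data) is opened as a stream,
 * read with stdio buffering off so no copy lingers in a heap buffer, then
 * scrubbed. Returns 1 if the line was read intact and then fully wiped. */
int demo(void) {
    static const char secret[] = "alice:$6$constructed$NotARealHash:19000::::::\n";
    char line[128];
    FILE *fp = fmemopen((void *)secret, sizeof secret - 1, "r");
    if (fp == NULL) return 0;
    setvbuf(fp, NULL, _IONBF, 0);            /* must precede any I/O on fp */
    int ok = fgets(line, sizeof line, fp) != NULL && strcmp(line, secret) == 0;
    fclose(fp);
    secure_zero(line, sizeof line);
    for (size_t i = 0; i < sizeof line; i++) if (line[i] != 0) ok = 0;
    return ok;
}
```

To exercise it, call harden_process() before any secret is read, then process_is_hardened() and demo(); all three must succeed. A real login-style program would do this before opening the shadow file and before dropping privileges.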
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:47 PDT