Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20110623171143.GA3927@albatros>
Date: Thu, 23 Jun 2011 21:11:43 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: rlimit_nproc check

On Sun, Jun 19, 2011 at 17:34 +0400, Vasiliy Kulikov wrote:
> I have slightly another idea.  Introduce mechanism (e.g. sysctl
> variable) to make all capabilities dropping function cause SIGSEGV if
> actual dropping process fails for any of several reasons.
> 
> The initial list should look like this:
> 
>     set*{u,g}id
>     {set,init}groups
>     unshare
>     prctl(PR_CAPBSET_DROP, ...)
>     prctl(PR_SET_SECCOMP, ...)
>     capset
> [...]

The scheme actually is harmfull in some situations.  E.g. nfs daemon
with one process architecture switches to another user via setfsuid()
or similar, handles the request, switches back to the root.  If
setfsuid() fails (rlimit or some other reason) nfsd is DoS'ed by the
signal.  Any other daemon with similar architecture will be DoS'ed too.

So, the list of SIGKILL'able syscalls should be selected _very_
carefully (I don't know whether the safe list is nonempty).


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.