Re: [Announcement] "Exec Shield", new Linux security feature

Arjan van de Ven (arjanv@redhat.com)
04 May 2003 10:49:17 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Ingo Molnar: "Re: [Announcement] "Exec Shield", new Linux security feature"
Previous message: Ingo Molnar: "Re: [Announcement] "Exec Shield", new Linux security feature"

This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_courier-17334-1052038289-0001-2
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Sun, 2003-05-04 at 09:03, Calin A. Culianu wrote:
> On Sat, 3 May 2003 Valdis.Kletnieks@vt.edu wrote:
>=20
> > On Sat, 03 May 2003 13:19:52 -0000, linux@horizon.com said:
> >
> > > An interesting question arises: is the number of useful interpreter
> > > functions (system, popen, exec*) sufficiently low that they could be
> > > removed from libc.so entirely and only staticly linked, so processes
> > > that didn't use them wouldn't even have them in their address space,
> > > and ones that did would have them at less predictible addresses?
> > >
> > > Right now, I'm thinking only of functions that end up calling execve(=
);
> > > are there any other sufficiently powerful interpreters hiding in comm=
on
> > > system libraries? regexec()?
> >
> > This does absolutely nothing to stop an exploit from providing its own
> > inline version of execve(). There's nothing in libc that a process can=
't
> > do itself, inline.
> >
> > A better bet is using an LSM module that prohibits exec() calls from an=
y
> > unauthorized combinations of running program/user/etc.
>=20
> Is that practical? I can see how with some daemons it would definitely b=
e
> useful to prohibit exec calls (maybe things like BIND don't need to exec
> anything).. but some daemons do need to exec. An SMTPD may need to exec(=
)
> some helper processes (postfix for instance has a whole slew of helper
> programs it uses).. and things like sshd need to exec a shell, etc..
>=20
> It's still a good idea though, since some daemons don't need to exec,
> ever. I guess this is one extra layer of protection. As Ingo said in hi=
s
> announcement, the more layers of protection you have, the better.. and th=
e
> more difficult a cracker's job is.

would be easier to make a CAP_EXEC capability that bind can drop then ;)

--=_courier-17334-1052038289-0001-2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA+tNQNxULwo51rQBIRAi1sAJ9VPm1wPeERlpUJH1BuBgD62sko/ACaA6ch
D019dfHTV5/9tg4uratjS7E=
=u7Gw
-----END PGP SIGNATURE-----

--=_courier-17334-1052038289-0001-2--

Next message: Ingo Molnar: "Re: [Announcement] "Exec Shield", new Linux security feature"
Previous message: Ingo Molnar: "Re: [Announcement] "Exec Shield", new Linux security feature"