FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Development
Reload this Page Can we get PIE on all SUID binaries by default, por favor?

 
 
LinkBack Thread Tools
 
Old 01-23-2012, 06:08 PM
"Jason A. Donenfeld"
 
Default Can we get PIE on all SUID binaries by default, por favor?
Hi Diego,
So I recently published this:*http://blog.zx2c4.com/749*, a local priv escalation. It doesn't work on Fedora because their /bin/su is compiled with -pie. (They don't compile gpasswd with -pie though, so they're still vulnerable.) In any case, what if we made it a policy in Gentoo to compile all*SUID binaries with PIE, to prevent against any types of future attacks of this variety?

Jason
 
Old 01-23-2012, 06:22 PM
Diego Elio Pettenò
 
Default Can we get PIE on all SUID binaries by default, por favor?
Hello Jason,

Il giorno lun, 23/01/2012 alle 20.08 +0100, Jason A. Donenfeld ha
scritto:

> So I recently published this: http://blog.zx2c4.com/749 , a local priv
> escalation.

I've seen the news

> It doesn't work on Fedora because their /bin/su is compiled with
> -pie. (They don't compile gpasswd with -pie though, so they're still
> vulnerable.)

Is it because of PIE alone or ASLR? Just curious it doesn't make much
difference to me.

> In any case, what if we made it a policy in Gentoo to compile all SUID
> binaries with PIE, to prevent against any types of future attacks of
> this variety?

Here's the trick: it's hard to decide what to compile PIE and what not
because we generally don't split the build for the two. I guess a good
point here could be made to build _everything_ PIE, but it can be tricky
(at least hotot seem not to work on a PIE system).

It would be also a good idea to resume working on the file-based
capabilities, dropping suid altogether.

The main issue here: it's not just my call to make; toolchain and
council should probably chime in on this.

--
Diego Elio Pettenò <flameeyes@gentoo.org>
Gentoo Linux
 
Old 01-23-2012, 06:26 PM
"Jason A. Donenfeld"
 
Default Can we get PIE on all SUID binaries by default, por favor?
On Mon, Jan 23, 2012 at 20:22, Diego Elio Pettenò <flameeyes@gentoo.org> wrote:
Is it because of PIE alone or ASLR? Just curious it doesn't make much

difference to me.

When ASLR is turned on, the .text section of*executables*compiled with PIE is given a randomized base address. When ASLR is off or when PIE is not used, the base address is predictable, so it's easy to find where to write into.
*Here's the trick: it's hard to decide what to compile PIE and what not

because we generally don't split the build for the two. I guess a good

point here could be made to build _everything_ PIE, but it can be tricky

(at least hotot seem not to work on a PIE system).

Doesn't portage already have a check on SUID executables where it checks to see if they meet a certain standard and also strips them of read capabilities? Couldn't we just add a Q&A blurb to this, so that if any SUID executables are merged that aren't PIE, there's a nice yellow warning? And then gradually package maintainers would add the required patches?
*


It would be also a good idea to resume working on the file-based

capabilities, dropping suid altogether.

Of course. But, different discussion.
 

Thread Tools




All times are GMT. The time now is 09:00 AM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org

Contact Us - Linux Archive - Archive - Top -