Linux Archive > Gentoo > Gentoo Development

01-23-2012, 06:37 PM
Diego Elio Pettenò

Can we get PIE on all SUID binaries by default, por favor?

On Mon, 23/01/2012 at 20.26 +0100, Jason A. Donenfeld wrote:
> When ASLR is turned on, the .text section of executables compiled with
> PIE is given a randomized base address. When ASLR is off or when PIE
> is not used, the base address is predictable, so it's easy to find
> where to write into.

Yup, I know that. I was just making sure that the actual prevention came
from ASLR and not PIE by itself. Both because there is at least one
sci-math package that cannot build with ASLR (randomize_va_space) turned
on, and because it would have disproven my old blog post:

http://blog.flameeyes.eu/2009/11/02/the-pie-is-not-exactly-a-lie


> Doesn't portage already have a check on SUID executables where it
> checks to see if they meet a certain standard and also strips them of
> read capabilities? Couldn't we just add a Q&A blurb to this, so that
> if any SUID executables are merged that aren't PIE, there's a nice
> yellow warning? And then gradually package maintainers would add the
> required patches?

Stripping a compiled file of read permissions is quick, painless and
(mostly) safe from errors. Changing the way it is compiled.. not so
much.

I'm not saying that it's not a good idea, but if we want to proceed with
this, there has to be someone who goes to look at all the packages and
corrects them.

I've not been running the tinderbox for a while both because I have very
little time to _file_ bugs, but more importantly because, being there to
file bugs only, without the time to tackle them, the result was a bunch
of grumpy devs who either needed to repeat the test on a new version, as
the bug became stale, or found me positively annoying as I didn't fix
the stuff myself.

That said, I could fix up the tinderbox and make it run again, no
problem there. I could even try to find the time to look at the logs
and/or see if s3fs allows me to publish them for someone to look through
them... and definitely identifying all the packages installing suid
binaries is easier than looking through all the logs.

But I'd rather not do that unless there is enough consensus that we'll
be tackling the issue.

--
Diego Elio Pettenò <flameeyes@gentoo.org>
Gentoo Linux
 
01-23-2012, 06:40 PM
Jason A. Donenfeld

Can we get PIE on all SUID binaries by default, por favor?

On Mon, Jan 23, 2012 at 20:37, Diego Elio Pettenò <flameeyes@gentoo.org> wrote:
> Stripping a compiled file of read permissions is quick, painless and
> (mostly) safe from errors. Changing the way it is compiled.. not so
> much.
>
> I'm not saying that it's not a good idea, but if we want to proceed with
> this, there has to be someone who goes to look at all the packages and
> corrects them.

Right. It's a big ordeal. I'm not suggesting, however, that we automatically inject a CFLAG or something awful like that.
What I propose is just to detect at merge-time whether or not there are SUID binaries that are not PIE, and if so, spit out a Q&A warning.

That way, package maintainers could fix things up bit by bit, without having to burden you alone with tinderbox troubles.
 
01-23-2012, 06:51 PM
Mike Gilbert

Can we get PIE on all SUID binaries by default, por favor?

On Mon, Jan 23, 2012 at 2:40 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> That way, package maintainers could fix things up bit by bit, without having
> to burden you alone with tinderbox troubles.

How do I go about testing with PIE/ASLR on my own box? Is it just some CFLAGS?

A link to some documentation or just a quick set of instructions
would be great.
 
01-23-2012, 06:56 PM
Diego Elio Pettenò

Can we get PIE on all SUID binaries by default, por favor?

On Mon, 23/01/2012 at 20.40 +0100, Jason A. Donenfeld wrote:
> What I propose is just to detect at merge-time whether or not there
> are SUID binaries that are not PIE, and if so, spit out a Q&A
> warning.
>
> That way, package maintainers could fix things up bit by bit, without
> having to burden you alone with tinderbox troubles.

The quick answer is: "you can try but it's not going to happen".

It's not something we haven't done before, in relation to suid binaries.
For quite a long time we've had the "immediate binding" warning on suid
binaries built without -Wl,-z,now — it was removed once both uclibc and
glibc took care of forcing immediate bindings at the loader's level for
suid binaries, but we've had packages throwing that warning till the
very last moment.

Even though it was already a warning when _I_ became a dev.

Sigh

--
Diego Elio Pettenò <flameeyes@gentoo.org>
Gentoo Linux
 
01-23-2012, 06:57 PM
Jason A. Donenfeld

Can we get PIE on all SUID binaries by default, por favor?

To check for PIE,

readelf -h /bin/su | grep Type

If it says EXEC, no PIE. If it says DYN, yes PIE.

--
sent from my mobile


On 1/23/12, Mike Gilbert <floppym@gentoo.org> wrote:
> On Mon, Jan 23, 2012 at 2:40 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>> That way, package maintainers could fix things up bit by bit, without
>> having
>> to burden you alone with tinderbox troubles.
>
> How do I go about testing with PIE/ASLR on my own box? Is it just some
> CFLAGS?
>
> A link to some documentation would or just a quick set of instructions
> would be great.
>
>
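The check Jason gives above (readelf -h, EXEC versus DYN) and the merge-time QA warning he proposes, worked into a small scanner. This is an added example, not code from the thread and not Portage's own QA check. It reads e_type straight from the ELF header, so it does not depend on readelf being present or on the exact label readelf prints (newer binutils report a PIE as "DYN (Position-Independent Executable file)" rather than "DYN (Shared object file)"), walks a tree for regular files with the setuid or setgid bit, and reports each one as pie, no-pie, not-elf, unexpected or unreadable. The file names, modes and ELF headers built by make_elf_header and demo_scan are constructed for the demonstration and are not real system binaries.

```python
"""Added example (not from the thread, not Portage code): report setuid and
setgid ELF executables that were not built as PIE.  A PIE links as ET_DYN,
a classic executable as ET_EXEC; that is the DYN/EXEC readelf shows."""
import os
import stat
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2    # e_ident[EI_CLASS]
ELFDATA2LSB, ELFDATA2MSB = 1, 2  # e_ident[EI_DATA]
ET_EXEC, ET_DYN = 2, 3           # e_type
E_TYPE_OFFSET = 16               # e_type follows the 16-byte e_ident in both classes


def elf_type(header):
    """'EXEC', 'DYN', another e_type as int, or None if not an ELF image."""
    if len(header) < E_TYPE_OFFSET + 2 or header[:4] != ELF_MAGIC:
        return None
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(header[5])
    if endian is None:
        return None
    (e_type,) = struct.unpack_from(endian + "H", header, E_TYPE_OFFSET)
    return {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, e_type)


def classify_file(path):
    """Verdict for one file: pie, no-pie, not-elf, unexpected or unreadable."""
    try:
        with open(path, "rb") as f:
            kind = elf_type(f.read(64))
    except OSError:
        # sfperms strips the read bits from setuid files, so an unprivileged
        # scan of a real system lands here; report it rather than skip it.
        return "unreadable"
    if kind is None:
        return "not-elf"    # e.g. a setuid script; the kernel ignores the bit
    if kind == "DYN":
        return "pie"
    if kind == "EXEC":
        return "no-pie"     # fixed load address: what the QA warning is for
    return "unexpected"     # ET_REL, ET_CORE, ...: should never be installed setuid


def scan_setuid(root):
    """[(path, verdict)] for every regular file under root with the setuid
    or setgid bit set.  Symlinks are not followed."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((path, classify_file(path)))
    return findings


def make_elf_header(e_type, elf_class=ELFCLASS64, data=ELFDATA2LSB):
    """Constructed input: a header-only ELF image with the given class, byte
    order and e_type (e_machine is EM_X86_64 or EM_386, the rest is zero)."""
    endian = "<" if data == ELFDATA2LSB else ">"
    ident = ELF_MAGIC + bytes([elf_class, data, 1, 0]) + b"\0" * 8  # EI_VERSION=1, EI_OSABI=0
    machine = 62 if elf_class == ELFCLASS64 else 3
    size = 64 if elf_class == ELFCLASS64 else 52
    return (ident + struct.pack(endian + "HH", e_type, machine)).ljust(size, b"\0")


def demo_scan():
    """Write constructed samples to a throwaway directory and return
    {basename: verdict}.  Names echo real programs; contents are synthetic."""
    samples = {
        "su": (make_elf_header(ET_EXEC), 0o4755),                            # setuid, not PIE
        "passwd": (make_elf_header(ET_DYN), 0o4755),                         # setuid, PIE
        "wall": (make_elf_header(ET_DYN, ELFCLASS32, ELFDATA2MSB), 0o2755),  # setgid, 32-bit BE PIE
        "helper.sh": (b"#!/bin/sh\nexit 0\n", 0o4755),                      # setuid script
        "ls": (make_elf_header(ET_EXEC), 0o755),                             # no s-bit: not reported
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (content, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(content)
            os.chmod(path, mode)
        return {os.path.basename(p): v for p, v in scan_setuid(root)}


if __name__ == "__main__":
    for name, verdict in sorted(demo_scan().items()):
        print(f"{name}: {verdict}")
```

Point scan_setuid at "/" on a live box to get the list Jason wants, but note the unreadable verdict: with FEATURES="sfperms" Portage removes the read bits from installed setuid files, so an unprivileged run classifies most of them as unreadable instead of deciding PIE or not. Run it as root, or inside the merge as the proposed QA check would, before the permissions are stripped.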
 
01-23-2012, 07:00 PM
Mike Gilbert

Can we get PIE on all SUID binaries by default, por favor?

On Mon, Jan 23, 2012 at 2:57 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> To check for PIE,
>
> readelf -h /bin/su | grep Type
>
> If it says EXEC, no PIE. If it says DYN, yes PIE.

I'm asking "how does one enable PIE/ASLR", not how to check if it is
enabled already.
 
01-23-2012, 07:09 PM
Sven Vermeulen

Can we get PIE on all SUID binaries by default, por favor?

On Mon, Jan 23, 2012 at 03:00:41PM -0500, Mike Gilbert wrote:
> I'm asking "how does one enable PIE/ASLR", not how to check if it is
> enabled already.

Look at http://hardened.gentoo.org: the default toolchain used includes PIE,
and it also includes various other measures (like additional grsecurity
restrictions or even SELinux) that make Gentoo Hardened systems less
vulnerable to this specific vulnerability.

Wkr,
Sven Vermeulen
 
01-23-2012, 07:12 PM
Francesco Riosa

Can we get PIE on all SUID binaries by default, por favor?

2012/1/23 Mike Gilbert <floppym@gentoo.org>:
> On Mon, Jan 23, 2012 at 2:57 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>> To check for PIE,
>>
>> readelf -h /bin/su | grep Type
>>
>> If it says EXEC, no PIE. If it says DYN, yes PIE.
>
> I'm asking "how does one enable PIE/ASLR", not how to check if it is
> enabled already.

- PIE should be -fPIC also for the executable, not only for the .so
(has a performance impact)
- for ASLR you need the "hardened" USE flag for gcc and the toolchain; a PaX kernel helps too

xattr could be used to reduce the number of suid binaries, but it needs
support in portage

right?
 
01-23-2012, 07:47 PM
Agostino Sarubbo

Can we get PIE on all SUID binaries by default, por favor?

On Monday 23 January 2012 15:00:41 Mike Gilbert wrote:
> I'm asking "how does one enable PIE/ASLR", not how to check if it is
> enabled already.

Just enable the hardened profile, which generally compiles with:

-fno-strict-overflow -fPIE -fstack-protector-all

In particular, with gcc-hardenednossp you have:

-fno-strict-overflow -fPIE

with gcc-hardenednopie you have:

-fno-strict-overflow -fstack-protector-all

with gcc-hardenednopiessp you have:

-fno-strict-overflow

--
Agostino Sarubbo ago -at- gentoo.org
Gentoo/AMD64 Arch Security Liaison
GPG: 0x7CD2DC5D
 
01-23-2012, 07:48 PM
Markos Chandras

Can we get PIE on all SUID binaries by default, por favor?


On 01/23/2012 07:40 PM, Jason A. Donenfeld wrote:
>
> What I propose is just to /detect/ at merge-time whether or not
> there are SUID binaries that are not PIE, and if so, spit out a Q&A
> warning.
>
> That way, package maintainers could fix things up bit by bit,
> without having to burden you alone with tinderbox troubles.

This actually sounds like a great idea. It's probably worth opening a feature
request for portage using our bugzilla.

--
Regards,
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2
 
