Review Request 126203: Disable ptrace for kcheckpass and the greeter

Raphael Kubo da Costa rakuco at FreeBSD.org
Mon Nov 30 16:02:11 UTC 2015 


> On Nov. 30, 2015, 10:34 a.m., Tobias Berner wrote:
> > I think FreeBSD 10 introduced a similar interface in r277322
> > https://svnweb.freebsd.org/base?view=revision&revision=277322
> > Though it is explicitely stated to not be a "security feature".
> > 
> > According to the man page of progctl 
> > https://www.freebsd.org/cgi/man.cgi?query=procctl&apropos=0&sektion=2&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html
> > this would be PROC_TRACE_CTL with data PROC_TRACE_CTL_DISABLE.
> > 
> > 
> > I will have to ask someone more familiar with that.
> 
> Martin Gräßlin wrote:
>     > how do I get kwin to output the debug output for the framebuffer backend, with qcdebug lines,
>     
>     Given the notes on it, that seems fine. It's not my intention to protect against kernel or root.
> 
> Raphael Kubo da Costa wrote:
>     From a non-Linux perspective, it would be good if there was a CMake check for `prctl()` and `PR_SET_DUMPABLE/PROC_TRACE_CTL` with a big warning in case none was found. The oldest supported FreeBSD release (9.x) will be supported until the end of 2016 and it does not have this functionality, and neither do {Net,DragonFly,Open}BSD, so adding the calls without additional checks will just create additional problems for those packaging kscreenlocker for those platforms, and I doubt they will be able to add a replacement for this without help from their kernel (and existing releases would still be broken).
> 
> Martin Gräßlin wrote:
>     The CMake check seems like a good idea to me - this also allows to make a nice HAVE_PRCTL_DUMPABABLE flag which I would prefer over QOSLINUX or something like that. Anybody know how to write such a check? I assume trying to compile and check whether it compiles?

I think so. Something like this (untested):

```
include(CheckIncludeFile)
include(CheckSymbolExists)

check_include_file("sys/prctl.h" HAVE_SYS_PRCTL_H)
check_symbol_exists(PR_SET_DUMPABLE "sys/prctl.h" HAVE_PR_SET_DUMPABLE)

check_include_file("sys/procctl.h" HAVE_SYS_PROCCTL_H)
check_symbol_exists(PROC_TRACE_CTL "sys/procctl.h" HAVE_PROC_TRACE_CTL)

if (NOT HAVE_PR_SET_DUMPABLE OR NOT HAVE_PROC_TRACE_CTL)
  message(WARNING "Support for disabling ptrace(2) and core dumps via prctl/procctl is not available. <scary message here>.")
endif ()

configure_file(...)
```

It's unfortunate that the naming could not be standardized, as now one needs to check for those macros and call different functions with different arguments depending on their values.


- Raphael


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126203/#review88939
-----------------------------------------------------------


On Nov. 30, 2015, 10:01 a.m., Martin Gräßlin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126203/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2015, 10:01 a.m.)
> 
> 
> Review request for Plasma and Tobias Berner.
> 
> 
> Repository: kscreenlocker
> 
> 
> Description
> -------
> 
> Setting the PR_SET_DUMPABLE flag to 0 for the security relevant
> command kcheckpass and kscreenlocker_greet. If one wants to gdb into
> the running command it will result in:
> 
> ptrace: Operation not permitted.
> 
> For kscreenlocker_greet ptrace is permitted in testing mode.
> 
> As root it's still possible to attach to the process.
> 
> ---
> 
> @Tobias: I assume this is a strong linux-ism. Is there a FreeBSD compareable functionality?
> 
> I'm considering to push this explicitly without an ifdef. It's a new security feature and I want to make non-Linux systems aware of the fact that it adds a new feature and that a replacement should be added.
> 
> 
> Diffs
> -----
> 
>   greeter/main.cpp e4e679e7ef40b319665428281fdba5f4e0b4eb25 
>   kcheckpass/kcheckpass.c fd2d2215bf2199f159a121bb0ce08e7b2b254aaa 
> 
> Diff: https://git.reviewboard.kde.org/r/126203/diff/
> 
> 
> Testing
> -------
> 
> Tried to gdb into the processes: failed
> Tried to gdb into kscreenlocker_greet --testing: succeeded
> Tried to gdb into kscreenlocker_greet as root: succeeded
> 
> 
> Thanks,
> 
> Martin Gräßlin
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20151130/cdcab9ff/attachment.html>

More information about the Plasma-devel mailing list