2

As part of the recent "rowhammer" exploit proof of concept, a readable, setuid, executable tool, "ping", was used to build a more refined proof of concept.

So my question: why do the various distributions ship suid (especially suid-root) executables as both readable and executable?

My guesses include:

  1. Convenience for use with "ldd"
  2. Allowing tripwire or package-update checking software to run as non-root
  3. It doesn't matter, because most distributions are public and anyone can obtain the ELF binaries (install into a VM, etc.)
  4. selinux can be used to make this irrelevant
  5. Lazy developers

Given (3), hiding the binaries of a public distribution provides only a fig leaf of security, and (5) is almost name-calling.


2 Answers

0

Not a complete answer, but I found that if setuid root programs are stored on an NFS server, I need to make them readable.

Let me say that again: on a local filesystem, chmod 4711 is sufficient for a setuid root program, but on NFS the required mode is 4755.

answered 2015-03-16T21:08:04.303
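The two modes compared in this answer (4755, readable by everyone, versus 4711, setuid but not world-readable) are easy to audit on a running system. The following shell script is an added example, not code from either answer: it lists setuid files under a directory split by whether the world-read bit is set, and builds a constructed demo tree containing one file of each mode so the functions can be exercised without touching real system binaries. The directory names and the demo script contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original Q&A): audit setuid files by
# whether they are also world-readable. Uses only numeric -perm tests so
# it works with GNU and busybox find.

# list_readable_suid DIR: setuid files under DIR that are world-readable,
# i.e. the 4755 case the answer says NFS requires. -perm -4004 means "has
# at least the setuid bit AND the other-read bit".
list_readable_suid() {
    find "$1" -xdev -type f -perm -4004 2>/dev/null | sort
}

# list_unreadable_suid DIR: setuid files with no other-read bit (4711),
# the mode that is sufficient on a local filesystem.
list_unreadable_suid() {
    find "$1" -xdev -type f -perm -4000 ! -perm -0004 2>/dev/null | sort
}

# make_demo_tree: constructed sample tree (an assumption for this example)
# with one file of each mode. Prints the directory path.
make_demo_tree() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho demo\n' > "$dir/readable"
    cp "$dir/readable" "$dir/hidden"
    chmod 4755 "$dir/readable"   # setuid + rwxr-xr-x
    chmod 4711 "$dir/hidden"     # setuid + rwx--x--x
    printf '%s\n' "$dir"
}

# Run a demonstration only when invoked as: sh audit_suid.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_tree)
    echo "world-readable setuid files under $d:"
    list_readable_suid "$d"
    echo "setuid files without o+r under $d:"
    list_unreadable_suid "$d"
    rm -rf "$d"
    echo "same audit over /usr/bin:"
    list_unreadable_suid /usr/bin
fi
```

Run it against a real prefix (for example `list_readable_suid /usr/bin` after sourcing the file) to see how many of a distribution's setuid binaries are shipped as 4755; on most systems the 4711 list is empty.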
0

It's a mixture of "it doesn't matter" (3) and "lazy developers" (5).

It's good practice to turn off unnecessary permissions such as read access on SUID executables because it can reduce attack surface generally, but in many cases it doesn't make much difference.

As you say for (3), hiding the program data doesn't stop attackers searching for ROP gadgets etc. because the data is typically visible in the public distribution that the binary came from.

Note that that doesn't apply to the rowhammer-based exploit described in the Project Zero blog post. For that, the exploit doesn't want to read the data in the SUID executable, it just wants to use /proc/self/pagemap to learn which physical addresses contain the executable's data.

However, as the blog post says, if the attacker can't open() the SUID executable, it can just open() a library it uses, such as /lib64/ld-linux-x86-64.so.2, and apply the exploit to that. So restricting read permissions on the SUID executable doesn't help. We can't remove the read permission on these libraries otherwise they would be unusable.

answered 2015-05-24T16:48:50.973