No Subject

Anonymous Anonymous
Sun Jan 2 06:16:38 CET 2000


If setgroups() can't be used to modify one's PAG, then more difficult
avenues must be pursued. One could try mucking around in /dev/kmem or
/dev/mem, for instance, but this too can be restricted: on Linux, you can
use capabilities to give a process the ability to use setgroups() without
giving it access to /dev/kmem or /dev/mem. On BSD, you can increase the
securelevel for the same effect.

The remaining hole would be the possibility of using ptrace to attach to a
running arlad and trying to steal the tokens that way. This problem can be
solved in Linux at least by making sure that arlad has full capabilities;
a process cannot ptrace another with greater capabilities in Linux,
regardless of UID. Similar solutions probably present themselves for other
operating systems.

The problem of securing the tokens does become more difficult the tighter
the security is desired. I just think that for starters, we should plug
the most obvious hole.

Thanks,
Chris

wingc at engin.umich.edu
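An added example, not from this post or from the Arla project, modelling the Linux rule the message relies on: ptrace(2) refuses to attach when the target's permitted capability set is not a subset of the tracer's, unless the tracer holds CAP_SYS_PTRACE. An administrator can compare a daemon's CapPrm with that of an ordinary user process to confirm the barrier is in place; the status text in the comments is constructed, and LSM hooks and user namespaces are ignored.

```c
/* Added example, not from the mailing-list post or the Arla project. It
 * models the capability rule Linux ptrace(2) applies before attaching: the
 * target's permitted set must be a subset of the tracer's permitted set,
 * unless the tracer has CAP_SYS_PTRACE. Sample status text is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define CAP_SYS_PTRACE 19         /* number from <linux/capability.h> */
#define CAP_NOT_FOUND  UINT64_MAX

/* 1 if every capability in target_prm is also in tracer_prm. */
int cap_issubset(uint64_t target_prm, uint64_t tracer_prm) {
    return (target_prm & ~tracer_prm) == 0;
}

/* The capability decision (LSM hooks and user namespaces ignored):
 * 1 = attach allowed, 0 = refused with EPERM. */
int ptrace_cap_allowed(uint64_t target_prm, uint64_t tracer_prm,
                       uint64_t tracer_eff) {
    if (tracer_eff & (1ULL << CAP_SYS_PTRACE))
        return 1;
    return cap_issubset(target_prm, tracer_prm);
}

/* Parse a mask such as "CapPrm:\t0000003fffffffff" out of the text of
 * /proc/<pid>/status; returns CAP_NOT_FOUND if the field is absent. */
uint64_t cap_from_status(const char *status_text, const char *field) {
    const char *p = strstr(status_text, field);
    if (!p) return CAP_NOT_FOUND;
    return strtoull(p + strlen(field), NULL, 16);  /* strtoull skips the tab */
}

/* Read one capability field ("CapPrm:" or "CapEff:") of a live process.
 * Linux only; returns CAP_NOT_FOUND if /proc/<pid>/status cannot be read. */
uint64_t cap_from_pid(int pid, const char *field) {
    char path[64], buf[4096];
    FILE *f;
    size_t n;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    if (!(f = fopen(path, "r"))) return CAP_NOT_FOUND;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_from_status(buf, field);
}
```

To audit a running system, pass the daemon's pid and a user shell's pid to cap_from_pid and feed the CapPrm values (plus the shell's CapEff) to ptrace_cap_allowed; a result of 0 means the capability barrier described above applies.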

More information about the Arla-drinkers mailing list