
List:       strace
Subject:    Re: How to detach if a process is setuid or setgid?
From:       "Dmitry V. Levin" <ldv () altlinux ! org>
Date:       2012-07-19 23:31:34
Message-ID: 20120719233134.GA15746 () altlinux ! org


On Thu, Jul 19, 2012 at 03:31:51PM -0700, Aleatha Parker-Wood wrote:
> I'm working with a modified version of strace to collect some information on
> the long term behaviors of process trees and file system accesses.  I've got
> it logging data on a couple of different systems, some of which I do not
> have root access to.  Each of the users of the system spawns an strace
> process which then traces all of their shell activity.
> 
> However, since this is a long term tracing project, users will need to run
> setuid or setgid executables from time to time.  Rather than dropping those
> bits silently (since strace is running as non-root), and breaking
> functionality, I'd like to detect that the child process is doing setuid,
> and detach from it, logging a message that there was an untraced child
> process.
> 
> Can you point me at the area of the code where the setuid bits on child
> processes are handled?  I'm assuming it's somewhere around startup_child(),
> but I'm not spotting it.

set[ug]id bits of executables are processed solely by the kernel during
execve(2); strace has no need to handle them: when a traced non-CAP_SETUID
process calls execve(2) to execute a privileged executable, the Linux kernel
silently resets euid to uid (and egid to gid).

Of course you can modify your version of strace further to probe files
passed to execve(2) and handle these bits, but that approach is inevitably
racy and therefore is not reliable.


-- 
ldv
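Added example, not part of the thread above and not strace code: the two things the reply describes, in a form you can run. `privileged_bits()` is the stat()-based probe the reply calls inevitably racy (the file can be swapped between the stat and the traced process's execve(2), so its result is only a logging hint), and `parse_status_ids()` shows where the kernel's silent reset becomes visible afterwards: in `/proc/<pid>/status`, the effective uid/gid equal the real ones even though the binary carried the bits. The file path, the 0o6755 mode and the `/proc` status excerpt are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Example added alongside the strace-devel reply; not the project's own code.


def privileged_bits(path):
    """Return which privilege bits ({'setuid', 'setgid'}) are set on path.

    Caveat from the reply: this is a stat()-then-act check. Nothing stops
    the file from being replaced between this call and the traced child's
    execve(2), so treat the answer as a hint for logging, never as a
    security decision.
    """
    mode = os.stat(path).st_mode
    found = set()
    if mode & stat.S_ISUID:
        found.add("setuid")
    if mode & stat.S_ISGID:
        found.add("setgid")
    return found


def parse_status_ids(status_text):
    """Parse the Uid:/Gid: lines of a /proc/<pid>/status file.

    Returns {'uid': (real, effective, saved, filesystem), 'gid': (...)}.
    The four fields are in the order the kernel prints them.
    """
    ids = {}
    for line in status_text.splitlines():
        if line.startswith(("Uid:", "Gid:")):
            key, _, rest = line.partition(":")
            ids[key.lower()] = tuple(int(x) for x in rest.split())
    return ids


def privilege_was_dropped(status_text):
    """True when effective ids equal real ids (what a non-root tracer sees
    after the kernel ignored a set[ug]id bit at execve(2) time)."""
    ids = parse_status_ids(status_text)
    return ids["uid"][0] == ids["uid"][1] and ids["gid"][0] == ids["gid"][1]


def demo():
    """Run both checks on constructed inputs and return their results."""
    # Constructed sample: a throwaway file we own, marked setuid+setgid.
    # Marking a file you own is allowed without root; executing it with
    # elevated ids is what the kernel refuses under a non-root tracer.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "fake-privileged")
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o6755)
        bits = privileged_bits(p)
    # Constructed /proc/<pid>/status excerpt as it looks after the reset:
    # real == effective == saved == fs uid, despite the setuid bit.
    sample_status = (
        "Name:\tfake-privileged\n"
        "Uid:\t1000\t1000\t1000\t1000\n"
        "Gid:\t1000\t1000\t1000\t1000\n"
    )
    return bits, privilege_was_dropped(sample_status)


if __name__ == "__main__":
    bits, dropped = demo()
    print("bits on file:", sorted(bits), "| privilege dropped:", dropped)
```

A tracer that wants to log "untraced privileged child" as the original poster asked would have to combine the two: note the bits at exec time, knowing the stat is racy, and confirm afterwards from the child's status that the kernel did reset the ids.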


_______________________________________________
Strace-devel mailing list
Strace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/strace-devel

