sandbox-rlimit and ptrace.

Damien Miller djm at mindrot.org
Sat Dec 21 07:54:02 EST 2013


On Fri, 20 Dec 2013, Pawel Jakub Dawidek wrote:

> I was wondering if the following attack would be feasible once I'm able
> to break into rlimit sandbox.
> 
> Because sandboxed process that handles unauthenticated session is
> running as the 'sshd' user I was wondering if this could be used to jump
> between processes using ptrace(2). For example if I find a bug in the
> code executed before authentication I could use ptrace(2) to attach to
> another unprivileged process running with the same credentials as I
> am. If I understand correctly this sandbox process is responsible for
> extracting credentials of the connecting user from the protocol, which
> means if I attach to a process handling root logging in with a
> password I could obtain root's password.
> 
> Can someone confirm or tell me what I am missing?

It shouldn't be possible because the child process has a setuid in its
history and this should deny ptrace of the process by any user but root.

-d
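The check Damien refers to can be exercised directly. The following is an added example, not code from OpenSSH or from either poster, and it is Linux-specific: on Linux a uid change marks the process non-dumpable, and ptrace(2) refuses PTRACE_ATTACH to a non-dumpable process from anyone without CAP_SYS_PTRACE. Because an actual setuid() needs root, the example sets the same flag explicitly with prctl(PR_SET_DUMPABLE, 0) in the child (an assumption for the demo) and then has the parent, which shares the child's credentials, attempt to attach. The function name try_attach is the example's own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child running under the same credentials as the caller.
 * If make_nondumpable is set, the child clears its dumpable flag, which
 * is what the kernel also does after a uid change (the "setuid in its
 * history" case). The parent then tries PTRACE_ATTACH.
 * Returns 0 if the attach succeeded, otherwise the errno ptrace(2) set
 * (EPERM is the expected denial for an unprivileged caller). */
int try_attach(int make_nondumpable)
{
    int ready[2];
    if (pipe(ready) != 0)
        return errno;

    pid_t pid = fork();
    if (pid < 0)
        return errno;

    if (pid == 0) {
        close(ready[0]);
        if (make_nondumpable)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        /* signal readiness to the parent, then idle until killed */
        char c = 'r';
        (void)write(ready[1], &c, 1);
        close(ready[1]);
        for (;;)
            pause();
    }

    close(ready[1]);
    char c;
    (void)read(ready[0], &c, 1);   /* block until the child is set up */
    close(ready[0]);

    int result = 0;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) != 0) {
        result = errno;
    } else {
        /* attach worked: reap the SIGSTOP the kernel sends, then detach */
        int status;
        waitpid(pid, &status, 0);
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    int r_dumpable = try_attach(0);
    int r_nondumpable = try_attach(1);
    printf("attach to dumpable child:     %s\n",
           r_dumpable ? strerror(r_dumpable) : "ok");
    printf("attach to non-dumpable child: %s\n",
           r_nondumpable ? strerror(r_nondumpable) : "ok");
    return 0;
}
```

Run as an unprivileged user the second attempt fails with EPERM while the first normally succeeds (a Yama ptrace_scope of 1 still allows a parent to attach to its own child). Run as root with CAP_SYS_PTRACE both succeed, which is the "any user but root" qualification in the reply.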
