wood@dg_rtp.UUCP (Tom Wood) (02/13/86)
Some of us are considering an extension to the process tracing facilities under UNIX. We've come across a rather tough problem concerning security.

Ptrace allows a process to declare that it is being traced. Since tracing is a form of reading the program file being executed, some more secure versions of exec require that a traced process have read access as well as execute access to the program file being executed. Similarly, the set user id and set group id features of exec are suppressed to prevent a process from fraudulently changing its user or group id.

We want to allow a debugger to declare that it is going to trace an arbitrary process. What should the security requirements of this action be? This is non-trivial, as the action of "I may be traced" is fundamentally different from "Trace that process".

Our current thoughts are that the requesting process's effective user and group ids should match the target process's real user and group ids, and that the target process's saved user and group ids match its real user and group ids (requesting effective == target real == target saved). In addition, the requesting process must supply a pathname of the program file being executed by the target process. This pathname must resolve to the same inode as that used by the target, and the requesting process must have read access to the program file.

We aren't concerned that this security check be too rigorous; the big question is whether it is sufficient.

--
Tom Wood
Data General, Research Triangle Park, NC
{the known world}!mcnc!rti-sel!dg_rtp!wood
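The attach rule the post proposes, written out as a self-contained check (an added example for this page, not Data General's code or any real kernel's ptrace implementation). Credentials and program files are modelled as plain structs with constructed values, so it runs stand-alone; in a kernel the inode identity would come from pathname lookup and the read check from the file's mode bits. Note that the rule as stated compares the target's saved ids to its real ids but never looks at its effective ids, so a set-user-id image is rejected only because exec leaves its saved id equal to the privileged effective id.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Credentials as exec() leaves them: real, effective and saved ids. */
struct cred {
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
};

/* The program file a process executes, identified as the kernel does
 * (device + inode), plus the owner and mode bits the read check needs.
 * All values below are constructed for the example. */
struct exec_file {
    dev_t  dev;
    ino_t  ino;
    uid_t  owner;
    gid_t  group;
    mode_t mode;    /* permission bits only, e.g. 0755 */
};

struct proc {
    struct cred      cred;
    struct exec_file text;   /* program file the process is executing */
};

enum attach_result {
    ATTACH_OK,
    ATTACH_EPERM_IDS,     /* requester euid/egid != target ruid/rgid */
    ATTACH_EPERM_SAVED,   /* target saved ids != target real ids (set-id image) */
    ATTACH_EINODE,        /* supplied pathname is not the target's program file */
    ATTACH_EACCES         /* requester cannot read the program file */
};

/* Classic UNIX read check against the requester's effective ids:
 * superuser reads anything, otherwise the owner, group or other bit applies. */
static bool can_read(const struct cred *c, const struct exec_file *f)
{
    if (c->euid == 0)
        return true;
    if (c->euid == f->owner)
        return (f->mode & 0400) != 0;
    if (c->egid == f->group)
        return (f->mode & 0040) != 0;
    return (f->mode & 0004) != 0;
}

/* requesting effective == target real == target saved, the pathname must
 * resolve to the target's program file, and the requester must be able to
 * read that file. Checks are ordered so the cheapest id comparisons fail first. */
enum attach_result may_attach(const struct proc *req,
                              const struct proc *target,
                              const struct exec_file *path)
{
    if (req->cred.euid != target->cred.ruid || req->cred.egid != target->cred.rgid)
        return ATTACH_EPERM_IDS;
    if (target->cred.suid != target->cred.ruid || target->cred.sgid != target->cred.rgid)
        return ATTACH_EPERM_SAVED;
    if (path->dev != target->text.dev || path->ino != target->text.ino)
        return ATTACH_EINODE;
    if (!can_read(&req->cred, path))
        return ATTACH_EACCES;
    return ATTACH_OK;
}

int main(void)
{
    /* constructed program files: an ordinary editor, a set-uid-root program
     * (permission bits shown without the set-uid bit), an execute-only program */
    struct exec_file ed     = { 1, 100, 0, 0, 0755 };
    struct exec_file passwd = { 1, 200, 0, 0, 0755 };
    struct exec_file xonly  = { 1, 300, 0, 0, 0111 };

    struct proc dbg    = { { 100, 100, 100, 50, 50, 50 }, ed };     /* the debugger, uid 100 */
    struct proc victim = { { 100, 100, 100, 50, 50, 50 }, ed };     /* uid 100 running ed */
    struct proc suid   = { { 100,   0,   0, 50, 50, 50 }, passwd }; /* uid 100 running set-uid-root passwd */
    struct proc hidden = { { 100, 100, 100, 50, 50, 50 }, xonly };  /* uid 100 running an execute-only program */
    struct proc other  = { { 101, 101, 101, 50, 50, 50 }, ed };     /* a different user's debugger */

    printf("attach to own ed:      %d\n", may_attach(&dbg,   &victim, &ed));
    printf("attach to passwd:      %d\n", may_attach(&dbg,   &suid,   &passwd));
    printf("wrong pathname:        %d\n", may_attach(&dbg,   &victim, &passwd));
    printf("execute-only program:  %d\n", may_attach(&dbg,   &hidden, &xonly));
    printf("other user's process:  %d\n", may_attach(&other, &victim, &ed));
    return 0;
}
```

The set-uid case is the one worth watching: `suid` has real uid 100, which matches the debugger's effective uid, so the first comparison passes; it is the saved uid of 0 that rejects the attach. A set-uid program that has already reset its saved id to its real id would pass this rule, which is the kind of gap the post's closing question is about.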