Re: openssh on linux rce in sftp-only mode

[Yves-Alexis Perez <corsac () debian org>]

On jeu., 2014-10-09 at 01:05 +0200, Jann Horn wrote:
> On Wed, Oct 08, 2014 at 06:44:32PM -0400, Josh Bressers wrote:
> > > > I think one has to assume if a user has unrestricted sftp access, they can
> > > > figure out how to do most anything. Even with the upstream hardening patch,
> > > > it really only protects the sftpd process. Any other processes the user may
> > > > own could be modified.
> > >
> > > Not that easily - /proc/$pid/mem requires you to either be the same process
> > > or be attached to it via ptrace, I think.
> >
> > I can't speak for other systems (I don't understand the details), but I can
> > read arbitrary process memory for processes I own in Fedora 20.
>
> Hmm, just tried it on Debian Testing, I can reproduce that.
>
>
> > Does someone know what the typical default is?
>
> I looked through the git history of fs/proc/base.c now, looks like commit
> e268337dfe26dfc7efd422a804dbb27977a3cccc ("proc: clean up and fix
> /proc/<pid>/mem handling") changed the behavior to be more permissive. That commit
> is between kernel 3.2 and 3.3. Meh. :(

Note that you can somehow restrict ptrace using Yama with
kernel.yama.ptrace_scope (see
https://www.kernel.org/doc/Documentation/security/Yama.txt)

If would like to restrict sftp users on a somehow hardened box, it might
make sense to set ptrace_scope to 1+.

Regards,
-- 
Yves-Alexis

Attachment: signature.asc
Description: This is a digitally signed message part