Package: gnupg2 / 2.2.12-1+deb10u1

block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 11 Aug 2015 20:28:26 -0400
Subject: Avoid simple memory dumps via ptrace

This avoids needing to setgid gpg-agent.  It probably doesn't defend
against all possible attacks, but it defends against one specific (and
easy) one.  If there are other protections we should do them too.

This will make it slightly harder to debug the agent because the
normal user won't be able to attach gdb to it directly while it runs.

The remaining options for debugging are:

 * launch the agent from gdb directly
 * connect gdb to a running agent as the superuser

Upstream bug: https://dev.gnupg.org/T1211
---
 agent/gpg-agent.c | 8 ++++++++
 configure.ac      | 2 +-
 scd/scdaemon.c    | 9 +++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index ffd85d1..591f4fd 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -48,6 +48,9 @@
 # include <signal.h>
 #endif
 #include <npth.h>
+#ifdef HAVE_PRCTL
+# include <sys/prctl.h>
+#endif
 
 #define GNUPG_COMMON_NEED_AFLOCAL
 #include "agent.h"
@@ -1013,6 +1016,11 @@ main (int argc, char **argv )
 
   early_system_init ();
 
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+  /* Disable ptrace on Linux without sgid bit */
+  prctl(PR_SET_DUMPABLE, 0);
+#endif
+
   /* Before we do anything else we save the list of currently open
      file descriptors and the signal mask.  This info is required to
      do the exec call properly.  We don't need it on Windows.  */
diff --git a/configure.ac b/configure.ac
index 919ab31..b5a72e6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1395,7 +1395,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid  \
                 ftruncate funlockfile getaddrinfo getenv getpagesize \
                 getpwnam getpwuid getrlimit getrusage gettimeofday   \
                 gmtime_r inet_ntop inet_pton isascii lstat memicmp   \
-                memmove memrchr mmap nl_langinfo pipe raise rand     \
+                memmove memrchr mmap nl_langinfo pipe prctl raise rand \
                 setenv setlocale setrlimit sigaction sigprocmask     \
                 stat stpcpy strcasecmp strerror strftime stricmp     \
                 strlwr strncasecmp strpbrk strsep strtol strtoul     \
diff --git a/scd/scdaemon.c b/scd/scdaemon.c
index 8f8a026..e427b9e 100644
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -36,6 +36,9 @@
 #include <unistd.h>
 #include <signal.h>
 #include <npth.h>
+#ifdef HAVE_PRCTL
+# include <sys/prctl.h>
+#endif
 
 #define GNUPG_COMMON_NEED_AFLOCAL
 #include "scdaemon.h"
@@ -438,6 +441,12 @@ main (int argc, char **argv )
   npth_t pipecon_handler;
 
   early_system_init ();
+
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+  /* Disable ptrace on Linux without sgid bit */
+  prctl(PR_SET_DUMPABLE, 0);
+#endif
+
   set_strusage (my_strusage);
   gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
   /* Please note that we may running SUID(ROOT), so be very CAREFUL