Avoid simple memory dumps via ptrace

This avoids needing to setgid gpg-agent.  It probably doesn't defend
against all possible attacks, but it defends against one specific (and
easy) one.  If there are other protections we should do them too.

This will make it slightly harder to debug the agent because the
normal user won't be able to attach gdb to it directly while it runs.

The remaining options for debugging are:

 * launch the agent from gdb directly
 * connect gdb to a running agent as the superuser

Upstream bug: https://dev.gnupg.org/T1211

Gbp-Pq: Topic block-ptrace-on-secret-daemons
Gbp-Pq: Name Avoid-simple-memory-dumps-via-ptrace.patch

diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 1fdc94d0f15586529311dffccd940faa4223c02e..7d0d906a8d4376f7687c92b2fe802df4c1fc9b91 100644 (file)
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -48,6 +48,9 @@
 # include <signal.h>
 #endif
 #include <npth.h>
+#ifdef HAVE_PRCTL
+# include <sys/prctl.h>
+#endif
 
 #define GNUPG_COMMON_NEED_AFLOCAL
 #include "agent.h"
@@ -1006,6 +1009,11 @@ main (int argc, char **argv )
 
   early_system_init ();
 
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+  /* Disable ptrace on Linux without sgid bit */
+  prctl(PR_SET_DUMPABLE, 0);
+#endif
+
   /* Before we do anything else we save the list of currently open
      file descriptors and the signal mask.  This info is required to
      do the exec call properly.  We don't need it on Windows.  */

diff --git a/configure.ac b/configure.ac
index f77317f369ab247d64dce564197cbfbf943cf473..50e93551551ae21284d41ca8f8dea1da79d1af4b 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1379,6 +1379,7 @@ AC_CHECK_FUNCS([strerror strlwr tcgetattr mmap canonicalize_file_name])
 AC_CHECK_FUNCS([strcasecmp strncasecmp ctermid times gmtime_r strtoull])
 AC_CHECK_FUNCS([setenv unsetenv fcntl ftruncate inet_ntop])
 AC_CHECK_FUNCS([canonicalize_file_name])
+AC_CHECK_FUNCS([prctl])
 AC_CHECK_FUNCS([gettimeofday getrusage getrlimit setrlimit clock_gettime])
 AC_CHECK_FUNCS([atexit raise getpagesize strftime nl_langinfo setlocale])
 AC_CHECK_FUNCS([waitpid wait4 sigaction sigprocmask pipe getaddrinfo])

diff --git a/scd/scdaemon.c b/scd/scdaemon.c
index 8f8a026195d786009de03b7d3f96d045cc365f9c..e427b9e5755ae0b30011704ec60b8bed0ce94a8a 100644 (file)
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -36,6 +36,9 @@
 #include <unistd.h>
 #include <signal.h>
 #include <npth.h>
+#ifdef HAVE_PRCTL
+# include <sys/prctl.h>
+#endif
 
 #define GNUPG_COMMON_NEED_AFLOCAL
 #include "scdaemon.h"
@@ -438,6 +441,12 @@ main (int argc, char **argv )
   npth_t pipecon_handler;
 
   early_system_init ();
+
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+  /* Disable ptrace on Linux without sgid bit */
+  prctl(PR_SET_DUMPABLE, 0);
+#endif
+
   set_strusage (my_strusage);
   gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
   /* Please note that we may running SUID(ROOT), so be very CAREFUL