Subject: Re: suid helper to verify own passwd
To: Christian Biere <christianbiere@gmx.de>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 12/21/2006 22:19:00
On Fri, Dec 22, 2006 at 03:39:00AM +0100, Christian Biere wrote:
> Matthias Drochner wrote:
> > The backside is that if one succeeds to eavesdrop the
> > communication between the (unprivileged) client program
> > and the SUID helper, he gets the plaintext password and
> > no strong passwd encryption will help.
> 
> Out of curiosity, is it possible to grab the pipe from /proc/<pid>/fd/0 and
> then read the input before the helper does?
> 
> > One can argue (as does Joerg) that such an attacker could
> > listen to X11 events carrying the passwd as well, so there
> > is no additional danger.
> 
> That's one reason why I prefer the console over X for certain things.

You understand that an attacker with your UID can simply read from your
tty, right, since it's a file you can open?  Or, for that matter, from
the memory image of your process, using ptrace.  The X11 thing is really
a red herring.

It sounds like you want a sort of "one open only" attribute for file
descriptors -- like System V mandatory locking.  There are a host of
problems associated with this, but without it, I don't think you can
protect against the kind of attacks you're suggesting.  Perhaps such
locking is less pernicious if allowed only for transient resources
(like ttys which can be forced closed at session end, or pipes) and
if root can override it.

-- 
Thor Lancelot Simon                                          tls@rek.tjls.com
  "The liberties...lose much of their value whenever those who have greater
   private means are permitted to use their advantages to control the course
   of public debate."                                        -John Rawls