[lldb-dev] [OS X] debugserver SETUID root?
Hi,
MacPorts has long had ports for llvm and clang which are very practical. Ports
for lldb have been missing until now, so I've been trying to create one based
on the existing clang port. That wasn't particularly difficult, except (who'd
guess) for the codesigning bit.
Two questions:
- to what extent is it indeed (still) required to reboot after each attempt to
(re)sign an executable? It doesn't appear to be the case for applications that
just need to accept internet connections, for instance.
- does the debugserver application do anything which makes it a really bad idea
to make it SETUID root?
And a bonus question: has it ever been tried to sign the debugserver file with
the ad hoc identity ("-")? That identity works for accepting internet
connections (= once signed like that applications no longer put up the
deny/allow connection dialog each time they're started).
Thanks,
René
___
lldb-dev mailing list
lldb-dev@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [OS X] debugserver SETUID root?
On 1 September 2016 at 10:01, René J.V. Bertin via lldb-dev wrote: > - does the debugserver application do anything which makes it a really bad > idea to make it SETUID root? It listens on a tcp connection, and takes control of random applications. debugserver is the ultimate remote code execution tool, and it does not even try to hide it. I don't know whether it has any special security safeguards on osx (there certainly aren't any on linux), but I think having it installed that way is an open invitation to get pwned. pl ___ lldb-dev mailing list lldb-dev@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [OS X] debugserver SETUID root?
On Thursday September 01 2016 10:14:16 Pavel Labath wrote: > security safeguards on osx (there certainly aren't any on linux), but There's the codesigning bit. But that's just more a nuisance than a real protection, from what I can tell, at least against code you build and install yourself. > I think having it installed that way is an open invitation to get > pwned. Looking at it that way, yes. That said, it looks like applications debugged as a regular user still run with that user's UID even if debugserver is running as root. R. ___ lldb-dev mailing list lldb-dev@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [OS X] debugserver SETUID root?
On 1 September 2016 at 11:37, René J.V. Bertin wrote: > On Thursday September 01 2016 10:14:16 Pavel Labath wrote: > >> security safeguards on osx (there certainly aren't any on linux), but > > There's the codesigning bit. But that's just more a nuisance than a real > protection, from what I can tell, at least against code you build and install > yourself. > >> I think having it installed that way is an open invitation to get >> pwned. > > Looking at it that way, yes. That said, it looks like applications debugged > as a regular user still run with that user's UID even if debugserver is > running as root. > > R. Don't forget that the debugger can attach to an already running processes as well. without setuid, it could presumably attach only to own processes, but if it's running as root... pl ___ lldb-dev mailing list lldb-dev@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [OS X] debugserver SETUID root?
> Don't forget that the debugger can attach to an already running > processes as well. without setuid, it could presumably attach only to > own processes, but if it's running as root... Good catch, you're right (on OS X, haven't tried on Linux yet). R. ___ lldb-dev mailing list lldb-dev@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [Release-testers] [3.9 Release] 'final' has been tagged
On 01 Sep 2016, at 01:49, Hans Wennborg via Release-testers wrote: > > The final version of 3.9.0 was just tagged (from the 3.9 branch at > r280312). There were no changes after rc3. This took a little longer > than expected, but on the up side that means it's had more time to be > tested. Built and tested OK on FreeBSD 10 again, this time without assertions. Uploaded: SHA256 (clang+llvm-3.9.0-i386-unknown-freebsd10.tar.xz) = 16c612019ece5ba1f846740e77c7c1a39b813acb5bcfbfe9f8af32d7c28caa60 SHA256 (clang+llvm-3.9.0-amd64-unknown-freebsd10.tar.xz) = df35eaeabec7a474b3c3737c798a0c817795ebbd12952c665c52b2f98abcb6de -Dimitry signature.asc Description: Message signed with OpenPGP using GPGMail ___ lldb-dev mailing list lldb-dev@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [OS X] debugserver SETUID root?
On Thursday September 01 2016 13:44:36 René J.V. Bertin wrote: Here's a thought for the code-signing.txt document, following suggestions at https://sourceware.org/gdb/wiki/BuildingOnDarwin : Try a `killall -1 taskgated` before attempting a reboot. Wait a bit and then do `ps -axlww | fgrep taskgated`; if that doesn't show a running daemon you can always reboot after all, but if it does chances are the codesigning operation will work at once. R. ___ lldb-dev mailing list lldb-dev@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [OS X] debugserver SETUID root?
> On Sep 1, 2016, at 2:01 AM, René J.V. Bertin via lldb-dev
> wrote:
>
> Hi,
>
> MacPorts has long had ports for llvm and clang which are very practical.
> Ports for lldb have been missing until now, so I've been trying to create one
> based on the existing clang port. That wasn't particularly difficult, except
> (who'd guess) for the codesigning bit.
>
> Two questions:
>
> - to what extent is it indeed (still) required to reboot after each attempt
> to (re)sign an executable? It doesn't appear to be the case for applications
> that just need to accept internet connections, for instance.
You don't have to reboot after every attempt to sign an executable. You only
have to reboot after making the code signing identity and, doing the little
command line trick to get the system to accept it. That still seems necessary,
but then once you've done that you can keep using that identity either till it
expires or you reinstall your OS.
> - does the debugserver application do anything which makes it a really bad
> idea to make it SETUID root?
>
Apple goes to pretty great lengths to limit the harm a debugger can do as an
attack vector. With SIP on, being root gives you many fewer permissions w.r.t.
debugging than you might think, so I don't actually think this would help much.
Suggesting people turn SIP off to use your debugger build seems like a bad
idea to me.
> And a bonus question: has it ever been tried to sign the debugserver file
> with the ad hoc identity ("-")? That identity works for accepting internet
> connections (= once signed like that applications no longer put up the
> deny/allow connection dialog each time they're started).
I doubt that would work.
Jim
>
> Thanks,
> René
> ___
> lldb-dev mailing list
> lldb-dev@lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
___
lldb-dev mailing list
lldb-dev@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [OS X] debugserver SETUID root?
On Thursday September 01 2016 10:55:50 Jim Ingham wrote:
>You don't have to reboot after every attempt to sign an executable. You only
>have to reboot after making the code signing identity and, doing the little
>command line trick to get the system to accept it. That still seems
>necessary, but then once you've done that you can keep using that identity
>either till it expires or you reinstall your OS.
Restarting the taskgated also seems to do that trick. If my understanding of
the code signing doc is correct, the kernel doesn't cache new certificates
until they're used for signing, or something of the sort, and if that's correct
it doesn't seem required to reboot after creating a certificate.
>Apple goes to pretty great lengths to limit the harm a debugger can do as an
>attack vector. With SIP on, being root gives you many fewer permissions
>w.r.t. debugging than you might think, so I don't actually think this would
>help much. Suggesting people turn SIP off to use your debugger build seems
>like a bad idea to me.
Yes, that wasn't my intention. I'm still running 10.9, so turning off SIP or
not is somewhat of a nobrainer for me ^^
>> And a bonus question: has it ever been tried to sign the debugserver file
>> with the ad hoc identity ("-")?
>
>I doubt that would work.
It's a pity that there is so little information about what is and what isn't
possible with ad-hoc signing.
Anyway, why does codesign or possibly even the Security framework underlying
Keychain functionality use the HOME env. variable to determine a user's home
directory instead of using one of the available APIs to get this information?
R.
___
lldb-dev mailing list
lldb-dev@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
Re: [lldb-dev] [cfe-dev] [Release-testers] [3.9 Release] 'final' has been tagged
ARM and AArch64 green, uploaded. Thanks! $ sha1sum clang+llvm-3.9.0-aarch64-linux-gnu.tar.xz e9bfdf32c869e8fb344ef1b386c5d2b44ccac056 $ sha1sum clang+llvm-3.9.0-armv7a-linux-gnueabihf.tar.xz 2ad7a7b226b78d5c13ef06abb96da7a0fb8d535e --renato On 2 September 2016 at 01:38, Ben Pope via cfe-dev wrote: > On Thursday, September 01, 2016 01:21 PM, Ben Pope via cfe-dev wrote: >> >> Ubuntu x86_64 16.04 >> 03687b22791b8c21813fc015dd507fc0 >> clang+llvm-3.9.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz >> >> If anybody would like a build for Ubuntu x86_64 14.04, let me know. > > > 0eabc565733a62d77da1214a70c6c344 > clang+llvm-3.9.0-x86_64-linux-gnu-ubuntu-14.04.tar.xz > > Ben > > > ___ > cfe-dev mailing list > cfe-...@lists.llvm.org > http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev ___ lldb-dev mailing list lldb-dev@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
[lldb-dev] [Bug 30251] New: ioctl for request TIOCGWINSZ on STDOUT_FILENO not working on OS X
https://llvm.org/bugs/show_bug.cgi?id=30251
Bug ID: 30251
Summary: ioctl for request TIOCGWINSZ on STDOUT_FILENO not
working on OS X
Product: lldb
Version: unspecified
Hardware: Macintosh
OS: MacOS X
Status: NEW
Severity: normal
Priority: P
Component: All Bugs
Assignee: lldb-dev@lists.llvm.org
Reporter: 6172839...@gmail.com
CC: llvm-b...@lists.llvm.org
Classification: Unclassified
When debugging a process in LLDB using the ``process launch -c /bin/sh'', using
ioctl with request TIOCGWINSZ on STDOUT_FILENO always gives the width and
height of the window as zero and zero.
Test program:
#include
#include
#include
void main(){
struct winsize tty_window_size;
ioctl(STDOUT_FILENO, TIOCGWINSZ, &tty_window_size);
printf("Rows: %i, Cols: %i\n", tty_window_size.ws_row,
tty_window_size.ws_col);
}
When run from terminal:
$ ./test_ioctl
Rows: 24, Cols: 80
$ lldb -v
lldb-320.4.156
$ lldb ./test_ioctl
(lldb) target create "./a.out"
(lldb) process launch -c /bin/sh
Rows: 0, Cols: 0
(lldb) q
--
You are receiving this mail because:
You are the assignee for the bug.
___
lldb-dev mailing list
lldb-dev@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
