← Back to context

Comment by dominicq

10 hours ago

The first thing. Invoked processes inherit the permissions of the user who invoked them (unless they have the setuid bit). It's just in case you land access to a computer which has all the standard Unix tools disabled to stop attackers from lateral movement.

7 comments

dominicq

Reply
amiga386  8 hours ago

Why would you bother even doing that?

If someone has the power to execute commands, they are already on the other side of the airtight hatch.

https://devblogs.microsoft.com/oldnewthing/20240102-00/?p=10...

Put your meagre and limited resources on keeping them outside the hatch.

If they get through the hatch, that is where you fucked up, not that you didn't remove every conceiveable command from yourself should they get through. If they can remotely get some program to execute a shell, they can quite conceivably get the same program to just read them the files directly by writing different shellcode. Running a shell is just a convenience for them.

The number of setups that are insecure enough to allow remote shells by arbitrary attackers, but are secure because you disabled /bin/cat once they get in, is zero.

  • dotancohen  7 hours ago

    Security is done in layers. Yes, we do our best to keep the adversaries outside the proverbial hatch. But even inside the hatch, the principal of least privilege is important in reducing the damage of attacks.

  • staticassertion  7 hours ago

    Typically you do things like this to either work in restricted envs (distroless) or to evade detection logic. It's not about bypassing a boundary, it's about getting things done in the env you have available.

  • rithdmc  5 hours ago

    It's the principle of 'Defence in Depth'. Do both, as one control may fail.

    • amiga386  4 hours ago

      But you wouldn't, or shouldn't, take a patchwork approach to it.

      If the software you're trying to secure actually depends on a full, working, intertwined unix system... you leave that as it is. You can certainly try reducing a process's access to the system it's running on (whether that be by containers, jail(8), SELinux, AppArmor, etc.), but you don't go around deleting 7-zip or your scripting languages or compilers, on the off-chance that'll thwart a hacker.

      Sure, you can say, "defense in depth", but if you have one layer that's actually holding up the security guarantees, and a second layer that is largely ineffectual (haha! I removed /bin/cat, now they can't read files! oh and base64 too... and yyencode... and... and... and...), I wouldn't waste much time on the second layer.

      1 reply →