In a program I am developing (Linux), I need very simple text-based IPC. It would be very easy to use a standard input/output pipe for this. Can I trust that messages sent to a process' stdin cannot be read by anyone? Also, can I trust that if I kept the pipe to its stdout, only I can read what it outputs? I just want to make sure there's no procfs-based trick that can read from these.

+1  A: 

As far as I know, there are no "tricks" and other users cannot read your stdin/stdout. Just remember that:

  • Other processes running as the same user can read your process' memory; this is because security protects you from other users.
  • A process running as superuser can do everything.

That said, if you are handling sensitive data, have a look at mlock.

Danilo Piazzalunga
A: 

There are no tricks; the only one I can think of, in relation to detecting if stdout is redirected elsewhere, is to do something like the simple C function shown here, isredirected. Other than that, the onus rests with you to ensure the messages are kept secure... The other thing is that using procfs trickery requires root privileges to access certain procfs features... so ensure that you put a check in there to make sure it is not running as root...

#include <stdio.h>
#include <unistd.h>

/* Returns 1 when stdin is not a terminal (i.e. it has been redirected), else 0. */
int isredirected(void) {
    if (!isatty(fileno(stdin))) return 1;
    return 0;
}

Hope this helps, Best regards, Tom.

tommieb75
+1 for isatty()
Ninefingers
Problem: `isatty` will return false for pipes, which is what the OP wants to do.
Chris Jester-Young
Cjy: Dang! Good point!!!! Am out of ideas on this one.... ;)
tommieb75
A: 

Honestly, I think it depends on how much security you think your application needs. I input my GPG key password on stdin. I always ask the question "what is the acceptable risk?".

That said, nothing will protect your application from a rootkit in kernel-space. It can read not just the std in/out terminals but your entire process's memory as it runs. And probably override a few protections you've got in place.

You might look at using SELinux sandboxing in combination with what you're doing - read more about it at http://danwalsh.livejournal.com/ if you really need that level of protection. libselinux lets you interface with it for checking protection exists etc.

Ninefingers
I don't need Fort Knox — just wanted to make sure there weren't any gaping security holes
c4757p
A: 

In my own limited testing (running uniq | sort then trying to snoop on both ends of the pipe via /proc/XXX/fd), it seems that I can't read what gets sent into the pipe, but I can inject data into it.

In other words, do your own testing to see what you can and can't do. :-)

Chris Jester-Young
Hmm... Thanks. Being able to inject data just won't do! :-) I think I'll just use local sockets with SO_PEERCRED (no need for this to be portable).
c4757p
I assume this sort of injection requires that you either be running as the same user or as root? That seems like insufficient reason to distrust stdin/stdout I/O.
Eric Seppanen
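c4757p's chosen direction, a local socket with `SO_PEERCRED`, lets the server learn the uid, gid and pid of whoever connected, which a plain pipe cannot do. The following is an added example (not from the thread) showing that check in Linux C. `peer_is_uid` and `demo_peercred` are my own names; the demo uses `socketpair()` as a stand-in for a listening socket plus connecting client, so both ends belong to the running process and the peer uid is expected to equal its own.

```c
#define _GNU_SOURCE          /* struct ucred in <sys/socket.h> on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Return 1 if the peer of a connected AF_UNIX socket runs as uid `expected`,
 * 0 if it runs as some other uid, -1 if the credentials cannot be read. */
int peer_is_uid(int sock, uid_t expected) {
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    return cred.uid == expected;
}

/* Constructed demonstration: a socketpair gives two connected AF_UNIX ends
 * inside one process, so the peer uid must equal our own uid and any other
 * uid must be rejected. */
int demo_peercred(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int ok = peer_is_uid(sv[0], getuid());
    int bad = peer_is_uid(sv[0], getuid() + 1);  /* deliberately wrong uid */
    close(sv[0]);
    close(sv[1]);
    return (ok == 1 && bad == 0) ? 1 : 0;
}

int main(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair");
        return 1;
    }
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(sv[0], SOL_SOCKET, SO_PEERCRED, &cred, &len) == 0)
        printf("peer pid=%d uid=%d gid=%d\n", (int)cred.pid, (int)cred.uid, (int)cred.gid);
    printf("peer uid check: %s\n", demo_peercred() == 1 ? "ok" : "failed");
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

In a real server the check goes right after `accept()`, before any message is read; the kernel fills in the credentials of the process that connected, so the client cannot claim an identity it does not have. Note that `SO_PEERCRED` reports the uid as of `connect()`, so a peer that later drops or gains privilege is not re-evaluated.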