Trusted Path Execution (TPE)

Introduction

TPE is an AED feature that prevents users from executing binaries that are not owned by the root user or a trusted user, or that are world-writable or writable by an untrusted user. This is useful to prevent users from uploading and executing their own malicious binaries, or from accidentally executing world-writable or untrusted-user-writable system binaries and scripts that could have been modified by a malicious user. This security feature in AED prevents a whole category of exploits whereby a malicious user tries to execute his or her own code to compromise the system.

This feature is best thought of as a “defense in depth” measure that makes both uploading malware and backdooring applications on the system harmless: the uploaded malware can't be executed, and the backdoored code also can't be executed because the file it lives in is configured insecurely (wrong owner or writable by an untrusted user). This also makes privilege escalation harder when an account restricted by TPE is compromised, as the attacker won't be able to execute custom binaries, scripts and other tools which are either not in the trusted path or are not owned by a trusted user. This feature can also prevent race conditions on code executed by non-root users.

Replacing world-writable or group-writable files or scripts is a well-known and very old attack, and TPE prevents it from being exploited.


Enabling/Disabling TPE

TPE is enabled by default and can be controlled by the ENABLE_TPE AED setting.


Configuring TPE

In AED, TPE can be used in one of two modes by setting the group policy via the TPE_GROUP_POLICY setting:

  • Unless Deny, Allow: This setting, the default, applies TPE only to users explicitly listed in AED. This means that unless a user is in the “untrusted” group, the user is trusted and TPE is not applied.

  • Unless Allow, Deny: This setting causes TPE to be applied to all users unless they are on the “trusted” list. This means that unless a user is in the “trusted” group, the user is untrusted and TPE is applied.
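The following is an added illustration, not AED's own code, of the decision logic described in the Introduction and in the two group-policy modes above: it models the owner and writability checks on a file and the two TPE_GROUP_POLICY modes. The policy names, the `FileInfo` structure and the treatment of group-writable files (denied unless the owning group is a trusted group) are simplifying assumptions for the example.

```python
import os
import stat
from dataclasses import dataclass

# Assumed policy names for the two TPE_GROUP_POLICY modes described above.
UNLESS_DENY_ALLOW = "unless_deny_allow"   # default: restrict only listed untrusted users
UNLESS_ALLOW_DENY = "unless_allow_deny"   # restrict everyone except listed trusted users


@dataclass
class FileInfo:
    """Ownership and permission bits of a candidate binary (constructed stand-in for stat)."""
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o755


def from_path(path):
    """Build a FileInfo from a real file on disk (used outside the self-contained test)."""
    st = os.stat(path)
    return FileInfo(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def tpe_applies(user, policy, trusted_users, untrusted_users):
    """Decide whether TPE restrictions apply to this user under the chosen group policy."""
    if policy == UNLESS_DENY_ALLOW:
        return user in untrusted_users          # trusted unless explicitly untrusted
    if policy == UNLESS_ALLOW_DENY:
        return user not in trusted_users        # untrusted unless explicitly trusted
    raise ValueError(f"unknown TPE group policy: {policy!r}")


def binary_is_trusted(info, trusted_uids, trusted_gids):
    """Return (allowed, reason) for the file's owner and writability, per the TPE rules."""
    if info.owner_uid != 0 and info.owner_uid not in trusted_uids:
        return False, "owner is neither root nor a trusted user"
    if info.mode & stat.S_IWOTH:
        return False, "file is world-writable"
    # Assumption: group-writable counts as writable by untrusted users unless the
    # owning group is one of the trusted groups.
    if info.mode & stat.S_IWGRP and info.group_gid not in trusted_gids:
        return False, "file is writable by an untrusted group"
    return True, "ok"


def exec_allowed(user, info, policy, trusted_users, untrusted_users,
                 trusted_uids=frozenset(), trusted_gids=frozenset()):
    """Full decision: skip the file checks for users TPE does not apply to."""
    if not tpe_applies(user, policy, trusted_users, untrusted_users):
        return True, "TPE not applied to this user"
    return binary_is_trusted(info, trusted_uids, trusted_gids)
```

A root-owned, non-writable system binary passes for everyone, while an uploaded binary owned by an untrusted uid is refused only for users the active policy restricts.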