tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

core statement on fexecve, O_EXEC, and O_SEARCH

The NetBSD core group has considered adding the
fexecve(2) or fexecve(3) syscall or function, and adding
new O_EXEC and O_SEARCH open(2) flags.

These new features may be useful, but their security properties are not well understood. The core group is of the opinion that these new features should not be added to NetBSD until there is a design that discusses their security properties, the way they interact with each other and existing features, and addresses the security concerns.

Designs that are slightly incompatible with other operating systems or with POSIX need not be ruled out; for example, it may be reasonable to make fexecve() fail if the fd was not opened with certain flags, or to automatically clear certain flags when the fd is passed from one process to another.

The fexecve function could be implemented entirely in libc, via execve(2) on a file name of the form "/proc/self/fd/<N>". Any security concerns around fexecve() also apply to exec of /proc/self/fd/<N>.

If necessary, the open(2) syscall could be versioned so that O_RDONLY is no longer defined as zero.

Alan Barrett, on behalf of core

Home | Main Index | Thread Index | Old Index