tech-kern archive


Re: fexecve, round 3



On Sun, Nov 25, 2012 at 11:47:14PM +0000, David Laight wrote:
>

> On Sun, Nov 25, 2012 at 07:54:59PM +0000, Christos Zoulas wrote:
> > >
> > >> Does everyone agree on this interpretation? If we do, next steps are
> > >> - describe threats this introduce to chrooted processes
> 
> Given a chrooted process would need a helping process outside the
> chroot (to pass it the fd), why is allowing the chrooted process to
> exec something any different from it arranging to get the helper
> to do it?
> 
> I think it can only matter if the uid of the chroot is root.
> Even then you could (probably) do nothing you couldn't do by
> mmaping some anon space with exec permissions and writing code to it.

This thread has been a little long so I am not sure if the setuid
programs have been adequately addressed but certainly it is not
necessarily safe to execute those in a chroot(2)ed environment as
many of them will have assumptions about files such as /etc/spwd.db
and so on.  We should not just consider setuid programs that we
ship but also designs that previously were safe that this model
would make unsafe.

Another example that I've seen people do is putting secret information
such as passwds into programs and giving them mode 111 so that it is
not easy to read the information.  Granted, it doesn't make it
terribly difficult to get the information but it still might not
be appropriate to allow chrooted applications to exec these programs
as I don't think that, even if passed an fd, they could mmap(2)
and jump.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
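The mechanism the thread keeps coming back to (a helper outside the jail hands a descriptor to a confined process, which then exec's it without ever naming the file) is shown below as an added example; it is not code from this thread or from NetBSD. It assumes a Linux/glibc host with fexecve(2), SCM_RIGHTS descriptor passing and /bin/sh available. The chroot(2) call on the confined side is omitted because it needs root; the point is that the child only ever receives a descriptor, so whether or not it could open the path itself is irrelevant to its ability to exec the image.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Pass one descriptor over a Unix-domain socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
	char byte = 'f';
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	char cbuf[CMSG_SPACE(sizeof(int))];
	struct msghdr msg;

	memset(&msg, 0, sizeof msg);
	memset(cbuf, 0, sizeof cbuf);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf;
	msg.msg_controllen = sizeof cbuf;

	struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); -1 on EOF, error or bad cmsg. */
static int recv_fd(int sock)
{
	char byte;
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	char cbuf[CMSG_SPACE(sizeof(int))];
	struct msghdr msg;
	int fd;

	memset(&msg, 0, sizeof msg);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf;
	msg.msg_controllen = sizeof cbuf;
	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
	if (cm == NULL || cm->cmsg_level != SOL_SOCKET ||
	    cm->cmsg_type != SCM_RIGHTS || cm->cmsg_len != CMSG_LEN(sizeof(int)))
		return -1;
	memcpy(&fd, CMSG_DATA(cm), sizeof(int));
	return fd;
}

/*
 * The helper (outside the jail) opens `path`; the confined child never sees
 * the pathname, only the descriptor, and fexecve()s it.  Returns the child's
 * exit status: the exec'd program's own status on success, 126 if fexecve
 * failed, 127 if no descriptor arrived, -1 on a local error.
 */
int run_via_passed_fd(const char *path, char *const argv[])
{
	int sv[2], fd, status;
	pid_t pid;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;
	pid = fork();
	if (pid < 0) {
		close(sv[0]);
		close(sv[1]);
		return -1;
	}
	if (pid == 0) {
		/* Confined side.  A real jail would chroot(2) here (root only,
		 * so omitted in this example) and then could not open `path`
		 * by name; fexecve on the received fd does not need the name. */
		close(sv[0]);
		fd = recv_fd(sv[1]);
		if (fd < 0)
			_exit(127);
		fexecve(fd, argv, environ);
		_exit(126);
	}
	close(sv[1]);
	fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd >= 0) {
		send_fd(sv[0], fd);
		close(fd);
	}
	close(sv[0]);	/* EOF tells the child nothing more is coming */
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
	char *const argv[] = { "sh", "-c", "exit 7", NULL };
	int rc = run_via_passed_fd("/bin/sh", argv);
	printf("child exited with %d (7 means the passed fd was exec'd)\n", rc);
	return rc == 7 ? 0 : 1;
}
```

The exit code 7 comes back from the shell that was started purely from the received descriptor, which is the capability the thread is weighing: once the helper has handed over the fd, any restriction the jail imposes on pathname lookup no longer decides what the confined process can exec.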

