tech-kern archive


Re: fexecve



> Date: Sun, 8 Sep 2019 14:03:03 -0400
> From: Thor Lancelot Simon <tls%panix.com@localhost>
> 
> On Sun, Sep 08, 2019 at 01:23:46PM -0400, Christos Zoulas wrote:
> > 
> > Here's a simple fexecve(2) implementation. Comments?
> 
> I think this is dangerous in systems which use chroot into filesystems
> mounted noexec (or nosuid) and file-descriptor passing into the constrained
> environment to feed data.  Now new executables (and even setuid ones) can
> be fed in, too.
> 
> What can we do about that?

It sounds like you're positing:

- there is a chrooted process A
- there is a colluding process B outside the chroot
- they share a socket
- B can open setuid executables and send their fds over the socket
- A can now execute setuid executables outside the chroot

How is this substantively different from the following?

- there is a chrooted process A
- there is a colluding process B outside the chroot
- they share a socket
- A can ask B to execute files by pathname and B will happily oblige
- A can now execute setuid executables outside the chroot

That is, under what meaningful circumstances can you rule out the
first scenario but not the second one?
