tech-kern archive


Re: fexecve



On Sun, Sep 08, 2019 at 04:43:50PM -0400, Mouse wrote:
 > > (2) Losing the command name isn't good; lots of people turn process
 > > accounting on for logging (in fact, I'd assume 99.9% of people who
 > > turn process accounting on use it purely for logging) and it
 > > substantially decreases the utility if it's easily circumvented.
 > 
 > Isn't the command name easy to lose and/or forge already, with links if
 > nothing else?

Yes, though not without leaving traces and not necessarily at all in a
sufficiently restricted chroot.

 > > (3) Setugid processes should be prohibited, or at least setugid
 > > dynamically-linked processes, because otherwise there's a window
 > > where a live update of a library might be used to run the old binary
 > > with a new set of libraries.
 > 
 > How does fexecve() make anything possible here that wasn't possible
 > before?  It seems to me that updating .so libraries has always carried
 > this risk, so I must be missing something.

Without fexecve() it's at least theoretically possible to remove the
old bins first, update the libraries, and install new bins, so that
the old bins are gone and can't be exec'd when the new libraries
appear.

-- 
David A. Holland
dholland%netbsd.org@localhost

