tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [PATCH] fexecve

On Thu, Nov 15, 2012 at 09:46:13PM +0000, David Holland wrote:
> On Thu, Nov 15, 2012 at 11:03:15AM -0500, Thor Lancelot Simon wrote:
>  > > Here is a patch that implements fexecve(2) for review:
>  > >
>  > 
>  > This strikes me as profoundly dangerous.  Among other things, it
>  > means you can't allow any program running in a chroot to receive
>  > unix-domain messages any more since they might get passed a file
>  > descriptor to code they should not be able to execute.
> I have two immediate reactions to this: (1) being able to pass
> executables to something untrusted in a controlled manner sounds
> useful, not dangerous

Sorry to cherry-pick one more point for the moment:  Considered in a vacuum,
I agree with your reaction #1 above.  The problem is that there is a great
deal of existing code in the world which receives file descriptors and which
is not designed with the possibility that they might then be used to exec.

With that history, I don't see a clear way to make this safe (for example
by restricting which descriptors can be passed to chrooted processes) 
without breaking code that assumes it can pass file descriptors without such


Home | Main Index | Thread Index | Old Index