tech-security archive


Re: [PATCH] fexecve

On Thu, Nov 15, 2012 at 04:02:50PM -0500, Thor Lancelot Simon wrote:
> On Thu, Nov 15, 2012 at 06:35:48PM +0000, Julian Yon wrote:
> > 
> > As you mention Linux, their man page for fexecve states “The file
> > descriptor fd must be opened read-only, and the caller must have
> > permission to execute the file that it refers to.” It sounds like that
> > might be what you're missing? I certainly interpret it to mean that if
> > you can't execve the file, you can't fexecve a FD to it either.
> So.  Suppose I have a chrooted environment where all accessible filesystems
> are mounted either ro or noexec.  Or for that matter just nosuid.
> Now someone passes in a file descriptor, from the outside, that is on a
> filesystem that is not mounted with either of those options.  Perhaps,
> as Matt suggested, one for a setuid executable, yet.  Whoops.

Well setuid executables seem like a special case, but other than that, I
think I can probably manage to execute something without an exec call.
In fact I know I can, just by linking against any dynamic library and
calling one of the functions in it.

