tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: [PATCH] fexecve
On Thu, Nov 15, 2012 at 10:14:18PM +0100, Joerg Sonnenberger wrote:
> On Thu, Nov 15, 2012 at 08:20:30PM +0100, Emmanuel Dreyfus wrote:
> > Thor Lancelot Simon <tls%panix.com@localhost> wrote:
> >
> > > The point is, this is interesting functionality that makes something
> > > new possible that is potentially useful from a security point of view,
> > > but the new thing that's possible also breaks assumptions that existing
> > > code may rely on to get security guarantees it wants.
> >
> > Well, it is standard mandated and we want to be standard compliant. If
> > it is a security hazard, we can have a sysctl to disable the system
> > call. Something like
> > sysctl -w kern.fexecve = 0 and it would return ENOSYS.
>
> Frankly, I still don't see the point why something would want to use it.
How about running a staticly linked executable inside a chroot without
needed the executable itself to do the chroot.
Oh, and now make $ORIGIN work for dynamic executables and fexec() :-)
(Probably not a good idea inside choots! At least you wouldn't want it
to work AFTER the initil program load.)
David
--
David Laight: david%l8s.co.uk@localhost
Home |
Main Index |
Thread Index |
Old Index