tech-security archive


Re: [PATCH] fexecve



On Fri, 16 Nov 2012 20:08:45 +0100
manu%netbsd.org@localhost (Emmanuel Dreyfus) wrote:

> Emmanuel Dreyfus <manu%netbsd.org@localhost> wrote:
> 
> > > The spec only requires that the file only needs to be open for
> > > reading.
> > 
> > That is not completely clear to me. open(2) and openat(2) get an
> > O_EXEC flag, but I did not find any other reference to it: the fexecve(2)
> > specification does explicitly require an fd open with O_EXEC.
> 
> Wait, it actually says something:
> 
> http://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
> 
> --- cut here---
> Since execute permission is checked by fexecve(), the file description
> fd need not have been opened with the O_EXEC flag. However, if the
> file to be executed denies read and write permission for the process
> preparing to do the exec, the only way to provide the fd to fexecve()
> will be to use the O_EXEC flag when opening fd. In this case, the
> application will not be able to perform a checksum test since it will
> not be able to read the contents of the file.
> 
> Note that when a file descriptor is opened with O_RDONLY, O_RDWR, or
> O_WRONLY mode, the file descriptor can be used to read, read and
> write, or write the file, respectively, even if the mode of the file
> changes after the file was opened. Using the O_EXEC open mode is
> different; fexecve() will ignore the mode that was used when the file
> descriptor was opened and the exec will fail if the mode of the file
> associated with fd does not grant execute permission to the calling
> process at the time fexecve() is called.
> --- cut here---
> 

Let me interpret that for you: (a) If you have read access to the
file, you may open the file for reading, perform whatever operation you
were doing (e.g. checksum) then pass it to fexecve. *At this point*
execute permission will be checked, and if the calling process has such
permission, the file will be executed. i.e. nothing says you have to
have execute permission when you first open the file. (b) If you don't
have read access, but do have execute permission, you can open the file
with O_EXEC; this won't allow you to read the contents but will give
you a handle for fexecve. As with case (a), execute permission will be
checked at this point for the calling process, even though it was
already checked when you opened the file.

I'm struggling to think of a sane reason why case (b) would ever apply,
but in any case unless I'm missing something, NetBSD doesn't define
O_EXEC anyway (nor does Linux).


Julian

-- 
3072D/F3A66B3A Julian Yon (2012 General Use) <pgp.2012%jry.me@localhost>

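Case (a) from the message above, as an added example that is not code from this thread or from NetBSD: open the file for reading, checksum it through the fd, and only then hand that same fd to fexecve, which checks execute permission at that moment. All function names are this example's own; exec_permitted() is an fstat-based approximation of the kernel's check (it ignores supplementary groups and ACLs), and make_sample_fd() builds a constructed sample file so the checks can be exercised without executing anything.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* FNV-1a over everything behind fd (a stand-in for a real digest).  Reading
 * through the same fd that is later exec'd means the bytes we vet are the
 * bytes that run; a path-based checksum followed by execve(path) could not
 * guarantee that. */
uint64_t fnv1a_fd(int fd)
{
    uint64_t h = 14695981039346656037ULL;
    unsigned char buf[4096];
    ssize_t n;
    if (lseek(fd, 0, SEEK_SET) < 0) return 0;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++) { h ^= buf[i]; h *= 1099511628211ULL; }
    return n < 0 ? 0 : h;
}

/* Rough model of what fexecve() checks at exec time: does the file's
 * *current* mode grant execute to this process?  (Approximation: no
 * supplementary groups, no ACLs; the kernel consults both.) */
int exec_permitted(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) return 0;
    if (geteuid() == 0) return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (st.st_uid == geteuid()) return (st.st_mode & S_IXUSR) != 0;
    if (st.st_gid == getegid()) return (st.st_mode & S_IXGRP) != 0;
    return (st.st_mode & S_IXOTH) != 0;
}

/* fd was opened O_RDONLY (no +x needed then), vetted, and is now exec'd;
 * +x is checked only here.  Returns -1 without exec'ing if vetting fails. */
int fexecve_if_hash_matches(int fd, uint64_t expected,
                            char *const argv[], char *const envp[])
{
    if (fnv1a_fd(fd) != expected) return -1;  /* content is not what we vetted */
    if (!exec_permitted(fd)) return -1;       /* fexecve would fail with EACCES */
    return fexecve(fd, argv, envp);           /* replaces the process on success */
}

/* Constructed sample: unlinked temp file with the given body and mode. */
int make_sample_fd(const char *body, mode_t mode)
{
    char path[] = "/tmp/fexecve_sampleXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (write(fd, body, strlen(body)) != (ssize_t)strlen(body) || fchmod(fd, mode) < 0) { close(fd); return -1; }
    return fd;
}
```

Note that the fd pins the file object, not its contents: a file another process can still write to may change between the hash and the exec, so the vetted file should not be writable by untrusted parties.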
