tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [PATCH] fexecve

> However as has been pointed out ([...]), fexecve doesn't actually
> solve the problem it's intended to solve.

I think it probably does, but that is narrower than the problem you're
probably thinking of.

What I got from the description is that fexecve is intended to solve
file substitution attacks, eg via repointing symlinks - a TOCTOU attack
based on a name naming one file at check time and a different file at
use time.  And that, I think, it does solve.

Nobody has quite come right out and said what the race supposedly
remaining with fexecve is, or at least not that I've seen; the only one
I've been able to think of is a TOCTOU race with someone overwriting
the file between check and execute, and that one fexecve does not
solve.  (It could be tweaked to solve it, by (for example) making
O_EXEC (a) required for fexecve and (b) lock the file against writes in
the same way executing it does, the way that's behind ETXTBSY.)

It's true fexecve doesn't solve the latter, but the bar _is_ higher;
assuming checking involves checking ownership as well as contents,
exploiting it requires the ability to overwrite a file owned by
whatever user the check is checking for.  (If, as is probably the case
in many such uses, that user is root, I have trouble seeing _any_ issue
here - anyone who can overwrite root-owned files pretty much pwnz0rz
the system already.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML      
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Home | Main Index | Thread Index | Old Index