Re: [PATCH] fexecve

To: Julian Yon <julian%yon.org.uk@localhost>
Subject: Re: [PATCH] fexecve
From: Thor Lancelot Simon <tls%panix.com@localhost>
Date: Thu, 15 Nov 2012 16:02:50 -0500

On Thu, Nov 15, 2012 at 06:35:48PM +0000, Julian Yon wrote:
> 
> As you mention Linux, their man page for fexecve states ?The file
> descriptor fd must be opened read-only, and the caller must have
> permission to execute the file that it refers to.? It sounds like that
> might be what you're missing? I certainly interpret it to mean that if
> you can't execve the file, you can't fexecve a FD to it either.

So.  Suppose I have a chrooted environment where all accessible filesystems
are mounted either ro or noexec.  Or for that matter just nosuid.

Now someone passes in a file descriptor, from the outside, that is on a
filesystem that is not mounted with either of those options.  Perhaps,
as Matt suggested, one for a setuid executable, yet.  Whoops.

If this new functionality had been there from the beginning, a reasonable
way to protect against it might have been to filter file descriptors when
passed so one could not pass _into_ a chroot an fd for a file whose only
names were _outside_ it.  Though this is actually exceptionally hard to
do (consider hard links, and the backwards-namei problem, and...).  But
that would also eliminate the functionality of passing file descriptors
across sockets, into the chroot for purposes *other* than executing them
with fexecve, and *that* is functionality that chrooted programs already
use!  It would in fact break things as commonplace as sshd.

My conclusion is that adding this new functionality is unsafe.

> From the spec: ?The purpose of the fexecve() function is to enable
> executing a file which has been verified to be the intended file. It is
> possible to actively check the file by reading from the file descriptor
> and be sure that the file is not exchanged for another between the
> reading and the execution.? ...which seems a reasonable enough thing to
> want to do.

Look at that rationale carefully and I think you will see the race condition
that it does not eliminate.  Talk about a "solution looking for a problem"!

Thor

Follow-Ups:
- Re: [PATCH] fexecve
  - From: David Laight
- Re: [PATCH] fexecve
  - From: Eric Haszlakiewicz
- Re: [PATCH] fexecve
  - From: Julian Yon

References:
- [PATCH] fexecve
  - From: Emmanuel Dreyfus
- Re: [PATCH] fexecve
  - From: Thor Lancelot Simon
- Re: [PATCH] fexecve
  - From: Julian Yon

Prev by Date: Re: [PATCH] fexecve
Next by Date: Re: [PATCH] fexecve
Previous by Thread: Re: [PATCH] fexecve
Next by Thread: Re: [PATCH] fexecve
Indexes:

Home | Main Index | Thread Index | Old Index