tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: [PATCH] fexecve
On Thu, Nov 15, 2012 at 06:35:48PM +0000, Julian Yon wrote:
>
> As you mention Linux, their man page for fexecve states ?The file
> descriptor fd must be opened read-only, and the caller must have
> permission to execute the file that it refers to.? It sounds like that
> might be what you're missing? I certainly interpret it to mean that if
> you can't execve the file, you can't fexecve a FD to it either.
So. Suppose I have a chrooted environment where all accessible filesystems
are mounted either ro or noexec. Or for that matter just nosuid.
Now someone passes in a file descriptor, from the outside, that is on a
filesystem that is not mounted with either of those options. Perhaps,
as Matt suggested, one for a setuid executable, yet. Whoops.
If this new functionality had been there from the beginning, a reasonable
way to protect against it might have been to filter file descriptors when
passed so one could not pass _into_ a chroot an fd for a file whose only
names were _outside_ it. Though this is actually exceptionally hard to
do (consider hard links, and the backwards-namei problem, and...). But
that would also eliminate the functionality of passing file descriptors
across sockets, into the chroot for purposes *other* than executing them
with fexecve, and *that* is functionality that chrooted programs already
use! It would in fact break things as commonplace as sshd.
My conclusion is that adding this new functionality is unsafe.
> From the spec: ?The purpose of the fexecve() function is to enable
> executing a file which has been verified to be the intended file. It is
> possible to actively check the file by reading from the file descriptor
> and be sure that the file is not exchanged for another between the
> reading and the execution.? ...which seems a reasonable enough thing to
> want to do.
Look at that rationale carefully and I think you will see the race condition
that it does not eliminate. Talk about a "solution looking for a problem"!
Thor
Home |
Main Index |
Thread Index |
Old Index