Re: fexecve

[Paul Goyette <paul%whooppee.com@localhost>]

On Sun, 8 Sep 2019, Mouse wrote:

> > (2) Losing the command name isn't good; lots of people turn process
> > accounting on for logging (in fact, I'd assume 99.9% of people who
> > turn process accounting on use it purely for logging) and it
> > substantially decreases the utility if it's easily circumvented.
>
> Isn't the command name easy to lose and/or forge already, with links if
> nothng else?  In any case, it seems to me this is one reason to make
> fexecve() optional.  (I'd actually _like_ to see something
> capabilityish, in which case "can use fexecve" would be a capability
> that could be removed, from init if need be, on systems that care about
> this sort of thing.)

Couldn't we have an enable/disable sysctl variable for this?


> > (3) Setugid processes should be prohibited, or at least setugid
> > dynamically-linked processes, because otherwise there's a window
> > where a live update of a library might be used to run the old binary
> > with a new set of libraries.
>
> How does fexecve() make anything possible here that wasn't possible
> before?  It seems to me that updating .so libraries has always carried
> this risk, so I must be missing something.
>
> /~\ The ASCII				  Mouse
> \ / Ribbon Campaign
> X  Against HTML		mouse%rodents-montreal.org@localhost
> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
>
> !DSPAM:5d756850213181273910470!

+--------------------+--------------------------+-----------------------+
| Paul Goyette       | PGP Key fingerprint:     | E-mail addresses:     |
| (Retired)          | FA29 0E3B 35AF E8AE 6651 | paul%whooppee.com@localhost     |
| Software Developer | 0786 F758 55DE 53BA 7731 | pgoyette%netbsd.org@localhost   |
+--------------------+--------------------------+-----------------------+