Re: fexecve

To: Mouse <mouse%Rodents-Montreal.ORG@localhost>
Subject: Re: fexecve
From: David Holland <dholland-tech%netbsd.org@localhost>
Date: Mon, 23 Sep 2019 14:22:39 +0000

On Sun, Sep 08, 2019 at 04:43:50PM -0400, Mouse wrote:
 > > (2) Losing the command name isn't good; lots of people turn process
 > > accounting on for logging (in fact, I'd assume 99.9% of people who
 > > turn process accounting on use it purely for logging) and it
 > > substantially decreases the utility if it's easily circumvented.
 > 
 > Isn't the command name easy to lose and/or forge already, with links if
 > nothng else?

Yes, though not without leaving traces and not necessarily at all in a
sufficiently restricted chroot.

 > > (3) Setugid processes should be prohibited, or at least setugid
 > > dynamically-linked processes, because otherwise there's a window
 > > where a live update of a library might be used to run the old binary
 > > with a new set of libraries.
 > 
 > How does fexecve() make anything possible here that wasn't possible
 > before?  It seems to me that updating .so libraries has always carried
 > this risk, so I must be missing something.

Without fexecve() it's at least theoretically possible to remove the
old bins first, update the libraries, and install new bins, so that
the old bins are gone and can't be exec'd when the new libraries
appear.

-- 
David A. Holland
dholland%netbsd.org@localhost

Follow-Ups:
- Re: fexecve
  - From: Mouse

References:
- fexecve
  - From: Christos Zoulas
- Re: fexecve
  - From: David Holland
- Re: fexecve
  - From: Mouse

Prev by Date: Re: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/kern_rndq.c:LINE, negation of -ADD
Next by Date: Re: fexecve
Previous by Thread: Re: fexecve
Next by Thread: Re: fexecve
Indexes:

Home | Main Index | Thread Index | Old Index