tech-security archive


Re: [PATCH] fexecve



On Thu, Nov 15, 2012 at 01:50:54PM -0500, Mouse wrote:
> > All of a sudden, the very presence of those sockets means not just
> > that a component A running in chroot Ca, with uid Ua, can pass _data_
> > to a component B running in chroot Cb, with uid Ub -- which was part
> > of the design -- but that it can enable B to run new code that was
> > formerly not available at all in Cb (because all memory and
> > filesystems available to processes in Cb are either read-only, or
> > executable, but not both).
> 
> It always could, just not with exec()-family calls.  Did you read the
> points you didn't quote about script interpreters and VMs?

What script interpreters?  What VMs?  Why would I include one in such an
environment?

The point is, this is interesting functionality that makes something
new possible that is potentially useful from a security point of view,
but the new thing that's possible also breaks assumptions that existing
code may rely on to get security guarantees it wants.  Despite the fact
that if it'd been there since the beginning, this feature might be useful,
it is not safe to unleash it now.

Thor

