Date:      Mon, 27 Oct 1997 16:17:32 -0800
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Terry Lambert <tlambert@primenet.com>, Don.Lewis@tsc.tdk.com (Don Lewis)
Cc:        jamil@trojanhorse.ml.org, thorpej@nas.nasa.gov, joerg_wunsch@uriah.heep.sax.de, freebsd-hackers@FreeBSD.ORG
Subject:   Re: Possible SERIOUS bug in open()? (Big time bug)
Message-ID:  <199710280017.QAA23766@salsa.gv.tsc.tdk.com>
In-Reply-To: Terry Lambert <tlambert@primenet.com> "Re: Possible SERIOUS bug in open()? (Big time bug)" (Oct 25,  1:24am)

On Oct 25,  1:24am, Terry Lambert wrote:
} Subject: Re: Possible SERIOUS bug in open()? (Big time bug)

} But say you have a processor emulator that gets invoked by an
} execution class loader so that it can mmap a foreign binary
} in its address space, and then run it.
} 
} ,------------------.  ,------------------.
} | DEC Alpha binary |  | DEC Alpha binary |
} | regular process  |  | emulator process |
} |                  |  | ,--------------. |
} |                  |  | | x86 image    | |
} |                  |  | | (Netscape)   | |
} |                  |  | `--------------' |
} `------------------'  `------------------'
} 
} You need to be able to open something with just "x" access to map
} it so that a process you own can "run" it.  So you also want to
} allow an open if you have execute access.

I don't think administrators who remove "r" access to keep users
from copying executables would like this, since the users could
just switch to a copying program that uses mmap.

I think it would be better to add a kernel hook so that the emulator
could be registered as an interpreter for foreign binaries.  The
kernel could then open an fd and pass it to the emulator when the
binary is execed.  Something similar would allow you to remove the
"r" permissions from shell scripts.

} Does having only execute access keep you from reading a file?
} 
} No.  You can make it core.

But that doesn't get you a copy of the text segment.  You can probably
play games with debuggers as well.

In some environments it might not be acceptable to get even this much
access, so it might make sense to allow the administrator to disable
core file generation and the ability to attach a debugger if you don't
have "r" access.
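The permission question argued above (whether holding only "x" on a file should be enough to open it, and what that would mean for an mmap-based copier and for scripts that an interpreter must read) can be made concrete with a small model of the UNIX discretionary access check. The code below is an added example for this archive page; it is not part of the original message and not FreeBSD's `vaccess()` code. The names `Cred`, `Inode`, `check_access`, `open_allowed`, `script_exec_allowed` and `mmap_copy_possible` are this example's own, and the x-only root-owned binary in `demo()` is a constructed sample.

```python
"""Model of the owner/group/other permission check discussed in the thread.

Added example, not code from the original message or from FreeBSD. It
compares the standard open(2) rule (a read-open needs the "r" bit) with
the relaxed rule floated in the quoted text (allow the open when the
caller holds "x"), showing why the relaxed rule lets a user copy an
execute-only file through mmap. All names here are this example's own.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx triple


@dataclass(frozen=True)
class Cred:
    """The calling process's credentials (uid, primary gid, extra groups)."""
    uid: int
    gid: int
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Inode:
    """The file's ownership and permission bits (e.g. 0o111 for x-only)."""
    mode: int
    uid: int
    gid: int


def check_access(cred: Cred, ino: Inode, want: int) -> bool:
    """True if cred holds every bit in `want` on ino under POSIX DAC rules.

    Exactly one class applies (owner, else group, else other); a more
    permissive class further down is never consulted. Root bypasses read
    and write checks but still needs some x bit to execute.
    """
    if cred.uid == 0:
        return not (want & X) or bool(ino.mode & 0o111)
    if cred.uid == ino.uid:
        bits = (ino.mode >> 6) & 7
    elif cred.gid == ino.gid or ino.gid in cred.groups:
        bits = (ino.mode >> 3) & 7
    else:
        bits = ino.mode & 7
    return (bits & want) == want


def open_allowed(cred: Cred, ino: Inode, want: int, relaxed: bool = False) -> bool:
    """open(2) policy.

    Standard rule: the bits asked for must be granted.
    Relaxed rule (the proposal under discussion): a read-open is also
    admitted when the caller merely holds "x".
    """
    if check_access(cred, ino, want):
        return True
    if relaxed and want == R:
        return check_access(cred, ino, X)
    return False


def mmap_copy_possible(cred: Cred, ino: Inode, relaxed: bool = False) -> bool:
    """An mmap-based copier needs a descriptor opened for reading; once it
    has one, a PROT_READ mapping exposes the whole file to user space."""
    return open_allowed(cred, ino, R, relaxed)


def native_exec_allowed(cred: Cred, ino: Inode) -> bool:
    """The kernel loads a native binary itself, so only "x" is required."""
    return check_access(cred, ino, X)


def script_exec_allowed(cred: Cred, ino: Inode) -> bool:
    """A #! script is read by its interpreter, which opens it with the
    caller's credentials, so "x" alone is not enough (hence the remark
    that a kernel-passed fd would let admins drop "r" on scripts)."""
    return check_access(cred, ino, X) and open_allowed(cred, ino, R)


def demo() -> dict:
    """Constructed scenario: an ordinary user and an x-only root-owned file."""
    user = Cred(uid=1001, gid=100)
    xonly = Inode(mode=0o111, uid=0, gid=0)
    return {
        "native_exec": native_exec_allowed(user, xonly),
        "script_exec": script_exec_allowed(user, xonly),
        "read_open_standard": open_allowed(user, xonly, R),
        "copy_via_mmap_standard": mmap_copy_possible(user, xonly),
        "copy_via_mmap_relaxed": mmap_copy_possible(user, xonly, relaxed=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>24}: {'allowed' if allowed else 'denied'}")
```

Running the demo shows the asymmetry the thread is about: the user can execute the x-only binary but cannot open it for reading under the standard rule, so an mmap copier is blocked; under the relaxed rule the same copier succeeds, which is the objection raised in the reply. The script case is denied either way because the interpreter, not the kernel, has to read the file.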
