From: Shawn Webb
Date: Mon, 15 May 2017 15:13:16 -0400
To: Ian Lepore
Cc: Konstantin Belousov, Alexey Dokuchaev, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r318313 - head/libexec/rtld-elf

On Mon, May 15, 2017 at 01:08:55PM -0600, Ian Lepore wrote:
> On Mon, 2017-05-15 at 22:00 +0300, Konstantin Belousov wrote:
> > On Mon, May 15, 2017 at 06:52:36PM +0000, Alexey Dokuchaev wrote:
> > >
> > > On Mon, May 15, 2017 at 06:48:58PM +0000, Konstantin Belousov wrote:
> > > >
> > > > New Revision: 318313
> > > > URL: https://svnweb.freebsd.org/changeset/base/318313
> > > >
> > > > Log:
> > > >   Make ld-elf.so.1 directly executable.
> > > Does it mean that old Linux' trick of /lib/ld-linux.so.2 /bin/chmod +x
> > > /bin/chmod would now be possible on FreeBSD as well?
> > Yes.
> >
> > >
> > > Does this have any security implications?
> > What do you mean ?
> >
>
> Well, for example, it seems like it would allow anyone to execute a
> binary even if the sysadmin had set it to -x specifically to prevent
> people from running it.

It additionally subverts application whitelisting schemes where all
dependent shared objects (even the rtld) are checked (such is the case
with Integriforce in HardenedBSD). Since even the rtld is checked, an
attacker can now bypass the application whitelisting scheme by running:

    /libexec/ld-elf.so.1 /path/to/previously/disallowed/executable

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
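
The -x concern quoted above comes down to one check that a loader asked to map a binary itself would have to repeat: the mode-bit test execve(2) applies. The following is an added example, not code from r318313 or from FreeBSD's rtld; `dac_exec_ok` and `fd_exec_ok` are hypothetical names, the uid/gid values are constructed, and it does not cover hash-based allowlisting such as Integriforce.

```c
#define _XOPEN_SOURCE 700	/* S_IFREG and getgroups() under strict -std= modes */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Mode-bit part of the execve(2) permission check, for a loader that is
 * asked to map a binary itself. ACLs, MAC policy and noexec mounts are
 * not modelled. The first matching class decides, so an owner whose x
 * bit is cleared is refused even when "other" has x.
 */
bool
dac_exec_ok(const struct stat *st, uid_t euid, gid_t egid,
    const gid_t *groups, int ngroups)
{
	if (!S_ISREG(st->st_mode))
		return (false);
	if (euid == 0)		/* root still needs at least one x bit */
		return ((st->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0);
	if (st->st_uid == euid)
		return ((st->st_mode & S_IXUSR) != 0);
	if (st->st_gid == egid)
		return ((st->st_mode & S_IXGRP) != 0);
	for (int i = 0; i < ngroups; i++)
		if (groups[i] == st->st_gid)
			return ((st->st_mode & S_IXGRP) != 0);
	return ((st->st_mode & S_IXOTH) != 0);
}

/* Check the descriptor that will be mapped, not the path (no TOCTOU gap). */
bool
fd_exec_ok(int fd)
{
	struct stat st;
	gid_t groups[64];
	int n = getgroups(64, groups);

	if (n < 0 || fstat(fd, &st) == -1)
		return (false);		/* fail closed */
	return (dac_exec_ok(&st, geteuid(), getegid(), groups, n));
}

int
main(void)
{
	struct stat st = { .st_mode = S_IFREG | 0644, .st_uid = 1001 };	/* constructed */
	printf("mode 0644, owner: %s\n",
	    dac_exec_ok(&st, 1001, 1001, NULL, 0) ? "allow" : "refuse");
	return (0);
}
```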