From owner-freebsd-hackers Mon Oct 27 20:08:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id UAA22725 for hackers-outgoing; Mon, 27 Oct 1997 20:08:24 -0800 (PST) (envelope-from owner-freebsd-hackers)
Received: from smtp03.primenet.com (smtp03.primenet.com [206.165.5.84]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id UAA22720 for ; Mon, 27 Oct 1997 20:08:20 -0800 (PST) (envelope-from tlambert@usr08.primenet.com)
Received: (from daemon@localhost) by smtp03.primenet.com (8.8.7/8.8.7) id VAA14680; Mon, 27 Oct 1997 21:08:14 -0700 (MST)
Received: from usr08.primenet.com(206.165.6.208) via SMTP by smtp03.primenet.com, id smtpd014659; Mon Oct 27 21:08:06 1997
Received: (from tlambert@localhost) by usr08.primenet.com (8.8.5/8.8.5) id VAA05972; Mon, 27 Oct 1997 21:08:00 -0700 (MST)
From: Terry Lambert
Message-Id: <199710280408.VAA05972@usr08.primenet.com>
Subject: Re: Possible SERIOUS bug in open()? (Big time bug)
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Tue, 28 Oct 1997 04:08:00 +0000 (GMT)
Cc: tlambert@primenet.com, Don.Lewis@tsc.tdk.com, jamil@trojanhorse.ml.org, thorpej@nas.nasa.gov, joerg_wunsch@uriah.heep.sax.de, freebsd-hackers@FreeBSD.ORG
In-Reply-To: <199710280017.QAA23766@salsa.gv.tsc.tdk.com> from "Don Lewis" at Oct 27, 97 04:17:32 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> } You need to be able to open something with just "x" access to map
> } it so that a process you own can "run" it.  So you also want to
> } allow an open if you have execute access.
>
> I don't think administrators who remove "r" access to keep users
> from copying executables would like this, since the users could
> just switch to a copying program that uses mmap.

A user can just ctrl-\ the thing and get a core and "undump" it now.

If it's a net program, they can just download it.

> I think it would be better to add a kernel hook so that the emulator
> could be registered as an interpreter for foreign binaries.  The
> kernel could then open an fd and pass it to the emulator when the
> binary is execed.  Something similar would allow you to remove the
> "r" permissions from shell scripts.

This route leads to chaos.  Consider a foreign binary which is suid;
you would end up with the same issues that you would get if SUID shell
scripts worked (in effect, an emulator that worked this way would be a
"different kind of shell interpreter with the foreign binary instead of
'#!' as the 'magic number'" -- this would be bad).

> } Does having only execute access keep you from reading a file?
> }
> } No.  You can make it core.
>
> But that doesn't get you a copy of the text segment.  You can probably
> play games with debuggers as well.
>
> In some environments it might not be acceptable to get even this much
> access, so it might make sense to allow the administrator to disable
> core file generation and the ability to attach a debugger if you don't
> have "r" access.

Well, that's the next logical paranoid step, of course... ;-).


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
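The permission semantics the thread argues about can be checked on any Unix-like box. The script below is an added example, not part of the original message or of FreeBSD: it shows that an execute-only (mode 0111) native binary still runs, because the kernel itself maps the file, while an execute-only `#!` script does not run for an unprivileged user, because the kernel only hands the script's path to the interpreter, which then has to open() it for reading and lacks "r". That gap is exactly what the proposed "kernel opens an fd and passes it to the interpreter" hook would close. The temporary directory, file names and the use of `/bin/sh` as the sample binary are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates why an
# execute-only file works for a native binary but not for a '#!' script.

# Returns 0 if a mode-0111 copy of a native binary can still be executed.
# The kernel opens and maps the image itself, so "x" alone is enough.
exec_only_binary_runs() {
    dir=$(mktemp -d) || return 2
    cp -L /bin/sh "$dir/sh" || { rm -rf "$dir"; return 2; }   # sample binary
    chmod 0111 "$dir/sh"
    "$dir/sh" -c 'exit 0' >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Returns 0 if a mode-0111 '#!' script can be executed.  For an unprivileged
# user this fails ("Permission denied" / "cannot open"): the kernel execs
# /bin/sh with the script's *path*, and /bin/sh must open() it for reading.
# Root bypasses the discretionary read check, so as root this returns 0.
exec_only_script_runs() {
    dir=$(mktemp -d) || return 2
    printf '#!/bin/sh\nexit 0\n' > "$dir/script.sh"   # constructed script
    chmod 0111 "$dir/script.sh"
    "$dir/script.sh" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Human-readable summary of both checks.
report_exec_only_semantics() {
    if exec_only_binary_runs; then
        echo "native binary with mode 0111: runs (kernel maps the image)"
    else
        echo "native binary with mode 0111: does NOT run (noexec mount?)"
    fi
    if exec_only_script_runs; then
        echo "#! script with mode 0111: runs (interpreter could read it; root?)"
    else
        echo "#! script with mode 0111: does NOT run (interpreter needs \"r\")"
    fi
}

report_exec_only_semantics
```

Run it as an ordinary user: the binary case succeeds and the script case fails, which is the asymmetry Don Lewis's fd-passing hook is meant to remove. Note what the check does not claim: "x" without "r" stops a plain `cat` or `cp`, but, as Terry points out, it does not stop the process that is already running the code from dumping core, so it is a weak confidentiality control, not a strong one.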