From owner-svn-src-head@freebsd.org Mon May 15 19:25:36 2017
Date: Mon, 15 May 2017 22:25:29 +0300
From: Konstantin Belousov
To: Ian Lepore
Cc: Alexey Dokuchaev, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r318313 - head/libexec/rtld-elf
Message-ID: <20170515192529.GH1622@kib.kiev.ua>
References: <201705151848.v4FImwMW070221@repo.freebsd.org> <20170515185236.GB1637@FreeBSD.org> <20170515190030.GG1622@kib.kiev.ua> <1494875335.59865.118.camel@freebsd.org>
In-Reply-To: <1494875335.59865.118.camel@freebsd.org>

On Mon, May 15, 2017 at 01:08:55PM -0600, Ian Lepore wrote:
> Well, for example, it seems like it would allow anyone to execute a
> binary even if the sysadmin had set it to -x specifically to prevent
> people from running it.

The direct mode does not (and cannot) honor set{u,g}id modes of the
executable, so any binary run this way would only exercise the existing
power of the user who did it.

The most advanced explanation that I was given in private was along the
lines of: "if you have an environment where users can upload content to
a shared server, but have no access to chmod(2), no compilers, no
scripting languages, etc." The person then admitted that (s)he does not
consider it an actual concern.

If somebody is worried about this or a similar scenario, I might add a
too-restrictive check, e.g. requiring u+x if the user is the owner, g+x
if the primary user group is the group of the file, and o+x otherwise.
This would be a strict subset of the normal Unix checks, and ACLs would
also be ignored. Still I am not convinced.