From: Don Lewis
Message-Id: <199710281047.CAA25242@salsa.gv.tsc.tdk.com>
Date: Tue, 28 Oct 1997 02:47:17 -0800
In-Reply-To: Terry Lambert "Re: Possible SERIOUS bug in open()? (Big time bug)" (Oct 28, 4:08am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Terry Lambert, Don.Lewis@tsc.tdk.com (Don Lewis)
Subject: Re: Possible SERIOUS bug in open()? (Big time bug)
Cc: jamil@trojanhorse.ml.org, thorpej@nas.nasa.gov, joerg_wunsch@uriah.heep.sax.de, freebsd-hackers@FreeBSD.ORG
Sender: owner-freebsd-hackers@FreeBSD.ORG

On Oct 28, 4:08am, Terry Lambert wrote:
} Subject: Re: Possible SERIOUS bug in open()? (Big time bug)
} > I don't think administrators who remove "r" access to keep users
} > from copying executables would like this, since the users could
} > just switch to a copying program that uses mmap.
}
} A user can just ctrl-\ the thing and get a core and "undump" it now.

At least in FreeBSD that doesn't seem to get them a copy of the text
segment, which would seem to diminish the usefulness of the core file.

} If it's a net program, they can just download it.

Yes, but I was thinking more of commercial-ware with license
restrictions on copying.

} > I think it would be better to add a kernel hook so that the emulator
} > could be registered as an interpreter for foreign binaries.  The
} > kernel could then open an fd and pass it to the emulator when the
} > binary is execed.  Something similar would allow you to remove the
} > "r" permissions from shell scripts.
}
} This route leads to chaos.  Consider a foreign binary which is suid;
} you would end up with the same issues that you would get if SUID shell
} scripts worked (in effect, an emulator that worked this way would be
} a "different kind of shell interpreter with the foreign binary instead
} of '#!' as the 'magic number'" -- this would be bad).

The biggest problem with suid scripts is the race condition between the
kernel check to see if the script is suid and the interpreter opening the
script, which gives a cracker the opportunity to change the symlink to
point to some evil but not suid script that he wishes to execute with
inappropriate privileges.  This race condition is eliminated if the
kernel opens the script file and points the interpreter at
/dev/fd/whatever instead of the script file (or you can use the strategy
of suidperl).  Of course you should give the administrator a knob to
completely disable suid scripts and foreign binaries.
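The check-then-reopen race described in the message above, and the open-once fix, modelled in user space as an added example (this is not code from the thread or from FreeBSD). The fixture directory, file names `trusted.sh`, `other.sh` and the `script` symlink are constructed here; the "interpreter" is stood in for by reading the file's contents, and the kernel handing over `/dev/fd/N` is modelled by passing the open descriptor itself.

```python
import os
import stat
import tempfile


def make_fixture(tmp):
    """Constructed layout: a setuid script, a plain script, and a symlink
    named 'script' that the interpreter is asked to run."""
    trusted = os.path.join(tmp, "trusted.sh")
    other = os.path.join(tmp, "other.sh")
    with open(trusted, "w") as f:
        f.write("#!/bin/sh\necho trusted\n")
    with open(other, "w") as f:
        f.write("#!/bin/sh\necho other\n")
    os.chmod(trusted, stat.S_ISUID | 0o755)   # owner may set suid on own file
    os.chmod(other, 0o755)
    link = os.path.join(tmp, "script")
    os.symlink(trusted, link)
    return link, trusted, other


def swap_link(link, target):
    """Atomically repoint the symlink by renaming a new one over it."""
    tmp_link = link + ".new"
    os.symlink(target, tmp_link)
    os.replace(tmp_link, link)


def check_then_open_by_path(link, race=None):
    """Racy pattern: the suid check is done on the path, then the path is
    re-opened later.  Whatever the path points at by then is what runs."""
    st = os.stat(link)
    if not st.st_mode & stat.S_ISUID:
        return None
    if race:
        race()            # window between the check and the open
    with open(link) as f:
        return f.read()


def open_then_check_fd(link, race=None):
    """Fixed pattern: open once, then check and read the same descriptor.
    The descriptor is bound to an inode, so later symlink changes are moot."""
    fd = os.open(link, os.O_RDONLY)
    try:
        if race:
            race()        # too late to matter: fd already refers to the original file
        st = os.fstat(fd)
        if not st.st_mode & stat.S_ISUID:
            return None   # not a setuid script: refuse to run it privileged
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)


def demo():
    """Return (racy_result, fixed_result, refused_result) for the two patterns."""
    with tempfile.TemporaryDirectory() as tmp:
        link, trusted, other = make_fixture(tmp)
        swap = lambda: swap_link(link, other)
        racy = check_then_open_by_path(link, race=swap)   # passes check, reads other.sh
        swap_link(link, trusted)
        fixed = open_then_check_fd(link, race=swap)       # still reads trusted.sh
        refused = open_then_check_fd(link)                # link now -> other.sh: no suid bit
        return racy, fixed, refused


if __name__ == "__main__":
    for label, result in zip(("racy", "fixed", "refused"), demo()):
        print(label, repr(result))
```

The fstat-on-the-descriptor check is the whole point: once the kernel has opened the file, every later decision (is it setuid, who owns it, what does it contain) is made against that one inode, which is what pointing the interpreter at `/dev/fd/N` achieves. The third call shows the other half of the fix: a symlink that already points at a non-setuid file is simply refused.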