Date: Mon, 15 May 2017 15:37:09 -0400
From: Nikolai Lifanov <lifanov@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>, Konstantin Belousov <kostikbel@gmail.com>
Cc: svn-src-head@freebsd.org, Alexey Dokuchaev <danfe@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org
Subject: Re: svn commit: r318313 - head/libexec/rtld-elf
Message-ID: <ec7b9dbc-ff4c-cafe-77d2-9c7442da7bd1@FreeBSD.org>
In-Reply-To: <0b218455-d104-04be-d133-285f81d93456@FreeBSD.org>
References: <201705151848.v4FImwMW070221@repo.freebsd.org> <20170515185236.GB1637@FreeBSD.org> <20170515190030.GG1622@kib.kiev.ua> <2493cfd2-1fab-d4cd-523c-0bd7413b1c86@FreeBSD.org> <20170515192944.GI1622@kib.kiev.ua> <0b218455-d104-04be-d133-285f81d93456@FreeBSD.org>

On 05/15/2017 15:32, Bryan Drewery wrote:
> On 5/15/2017 12:29 PM, Konstantin Belousov wrote:
>> On Mon, May 15, 2017 at 12:25:20PM -0700, Bryan Drewery wrote:
>>> On 5/15/2017 12:00 PM, Konstantin Belousov wrote:
>>>> On Mon, May 15, 2017 at 06:52:36PM +0000, Alexey Dokuchaev wrote:
>>>>> On Mon, May 15, 2017 at 06:48:58PM +0000, Konstantin Belousov wrote:
>>>>>> New Revision: 318313
>>>>>> URL: https://svnweb.freebsd.org/changeset/base/318313
>>>>>>
>>>>>> Log:
>>>>>> Make ld-elf.so.1 directly executable.
>>>>>
>>>>> Does it mean that old Linux' trick of /lib/ld-linux.so.2 /bin/chmod +x
>>>>> /bin/chmod would now be possible on FreeBSD as well?
>>>> Yes.
>>>>
>>>>> Does this have any security implications?
>>>> What do you mean ?
>>>>
>>>
>>> I think for 3rd-party distributions it may be a problem. At the very
>>> least it needs to be communicated clearly in release notes or UPDATING.
>>>
>>> Consider a downstream vendor who has support for signed binary
>>> executions. If rtld allows a backdoor around exec(2) to run an unsigned
>>> binary, that could be a problem for them. It is on them to add support
>>> to exec(2) to validate the special case of execing rtld with an
>>> argument, or to just disable the feature in rtld from this commit.
>>
>> Note the undocumented O_VERIFY flag in open(2) from the patch.
>> This is very vendor-ish addition to request veriexec (?).
>>
>
> Ah nice.
>

Note, this already does the right thing with noexec filesystems:

# zfs create -o mountpoint=/mnt -o exec=off tank/TEST
# cp /bin/sh /mnt/
# /mnt/sh
/mnt/sh: Permission denied.
# /libexec/ld-elf.so.1 /mnt/sh
/mnt/sh: mmap of data failed: Permission denied

- Nikolai Lifanov
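
The noexec result in the message above, as an added example (not part of the original e-mail and not rtld's code): a loader running in user space has to mmap(2) the program's segments itself, so a mount that refuses executable mappings stops it even though exec(2) was never called on the file. The helper name probe_mapping and the default path /mnt/sh (taken from the session above) are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * probe_mapping() is a hypothetical helper, not rtld code. It maps the first
 * page of `path` with the requested protection, as a user-space loader must
 * do for each segment, and returns 0 on success or the errno from open(2) or
 * mmap(2) on failure.
 */
int probe_mapping(const char *path, int prot)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;

    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, prot, MAP_PRIVATE, fd, 0);
    int err = (p == MAP_FAILED) ? errno : 0;   /* save before close() */

    if (p != MAP_FAILED)
        munmap(p, len);
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    /* Assumed default: the copy of sh placed on the noexec dataset above. */
    const char *path = (argc > 1) ? argv[1] : "/mnt/sh";
    int rd = probe_mapping(path, PROT_READ);
    int ex = probe_mapping(path, PROT_READ | PROT_EXEC);

    printf("%s: read-only mapping: %s\n", path, rd ? strerror(rd) : "ok");
    printf("%s: executable mapping: %s\n", path, ex ? strerror(ex) : "ok");

    /* Exit 0 only when the file is readable but cannot be mapped executable. */
    return (rd == 0 && ex != 0) ? 0 : 1;
}
```

Run against a file on an ordinary exec mount, both mappings succeed and the program exits 1; exit status 0 means the mount enforced noexec at the mmap layer.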