Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 15 May 2017 13:00:48 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@pdx.rh.CN85.dnsmgr.net>
To:        Alexey Dokuchaev <danfe@freebsd.org>
Cc:        Nikolai Lifanov <lifanov@freebsd.org>, Konstantin Belousov <kib@freebsd.org>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject:   Re: svn commit: r318313 - head/libexec/rtld-elf
Message-ID:  <201705152000.v4FK0meq054533@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <20170515192326.GB28684@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
> On Mon, May 15, 2017 at 03:09:33PM -0400, Nikolai Lifanov wrote:
> > On 05/15/2017 14:52, Alexey Dokuchaev wrote:
> > > Does it mean that old Linux' trick of /lib/ld-linux.so.2 /bin/chmod +x
> > > /bin/chmod would now be possible on FreeBSD as well?  Does this have
> > > any security implications?
> > 
> > This is a use case for fixing accidentally hosed /bin/chmod binary and
> > not some sort of an escalation thing. You will need to be root to do
> > this.
> 
> Because /bin/chmod is owned by root, not because /libexec/ld-elf.so.1 is
> limiting execution to root only, or is it (I might have missed uid check
> in that patch [1], but at a quick glance I didn't see it).
> 
> On a living system, there are plenty of other ways to restore missing
> +x on /bin/chmod as long as you can call chmod(2), from simple Python
> script down to manually crafting small binary in hex.

Simple tool to get out of this is use of install(8) to "install" your
broken chmod to another file with proper modes.  And if you lost that
one you could use mtree(8) with a easily crafted input file.

> > Likewise, with working chmod binary, you should be able to mark
> > binaries with write access executable.
> 
> Well, it's not just about chmod(1), this opens what can be a can of worms
> and I want to know how big it is.

Big.. very very big... and painted Blue!

> ./danfe
> 
> [1] Idea for security.bsd.ld_elf_exec_root_only sysctl(8)?

-- 
Rod Grimes                                                 rgrimes@freebsd.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201705152000.v4FK0meq054533>