From: "Rodney W. Grimes"
Message-Id: <201705152000.v4FK0meq054533@pdx.rh.CN85.dnsmgr.net>
Subject: Re: svn commit: r318313 - head/libexec/rtld-elf
In-Reply-To: <20170515192326.GB28684@FreeBSD.org>
To: Alexey Dokuchaev
Date: Mon, 15 May 2017 13:00:48 -0700 (PDT)
CC: Nikolai Lifanov, Konstantin Belousov, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org

> On Mon, May 15, 2017 at 03:09:33PM -0400, Nikolai Lifanov wrote:
> > On 05/15/2017 14:52, Alexey Dokuchaev wrote:
> > > Does it mean that old Linux' trick of /lib/ld-linux.so.2 /bin/chmod +x
> > > /bin/chmod would now be possible on FreeBSD as well? Does this have
> > > any security implications?
> >
> > This is a use case for fixing accidentally hosed /bin/chmod binary and
> > not some sort of an escalation thing. You will need to be root to do
> > this.
>
> Because /bin/chmod is owned by root, not because /libexec/ld-elf.so.1 is
> limiting execution to root only, or is it (I might have missed uid check
> in that patch [1], but at a quick glance I didn't see it).
>
> On a living system, there are plenty of other ways to restore missing
> +x on /bin/chmod as long as you can call chmod(2), from simple Python
> script down to manually crafting small binary in hex.

Simple tool to get out of this is use of install(8) to "install"
your broken chmod to another file with proper modes. And if you
lost that one you could use mtree(8) with an easily crafted input
file.

> > Likewise, with working chmod binary, you should be able to mark
> > binaries with write access executable.
>
> Well, it's not just about chmod(1), this opens what can be a can of worms
> and I want to know how big it is.

Big.. very very big... and painted Blue!

> ./danfe
>
> [1] Idea for security.bsd.ld_elf_exec_root_only sysctl(8)?

--
Rod Grimes rgrimes@freebsd.org