Date: Mon, 15 May 2017 22:25:29 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Ian Lepore <ian@freebsd.org>
Cc: Alexey Dokuchaev <danfe@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r318313 - head/libexec/rtld-elf
Message-ID: <20170515192529.GH1622@kib.kiev.ua>
In-Reply-To: <1494875335.59865.118.camel@freebsd.org>
References: <201705151848.v4FImwMW070221@repo.freebsd.org> <20170515185236.GB1637@FreeBSD.org> <20170515190030.GG1622@kib.kiev.ua> <1494875335.59865.118.camel@freebsd.org>
On Mon, May 15, 2017 at 01:08:55PM -0600, Ian Lepore wrote:
> Well, for example, it seems like it would allow anyone to execute a
> binary even if the sysadmin had set it to -x specifically to prevent
> people from running it.

The direct mode does not (and cannot) honor set{u,g}id modes of the executable, so any binary run this way would only exercise the existing power of the user who ran it.

The most advanced explanation that I was given in private was along the lines of: "if you have an environment where users can upload content to a shared server, but have no access to chmod(2), no compilers, no scripting languages, etc." The person then admitted that (s)he does not consider it an actual concern.

If somebody is worried about this or a similar scenario, I might add a too-restrictive check, e.g. requiring u+x if the user is the owner, g+x if the primary user group is the group of the file, and o+x otherwise. This would be a strict subset of the normal Unix checks, and ACLs would also be ignored. Still, I am not convinced.
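The mode-bit check sketched in the message above, written out as an added example (this is not rtld's code, and the function names direct_exec_allowed, posix_exec_allowed and supplementary_group_diverges are my own). The first function is the proposed rule: owner bit if the caller owns the file, group bit if the caller's primary gid is the file's gid, otherwise the other bit; ACLs are not consulted. The second is the plain POSIX mode-bit rule for comparison, which also puts the caller in the group class when any supplementary gid matches. The sample uids, gids and modes are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper, not rtld's own code: the check as proposed in the
 * message above. Only the primary group is consulted; ACLs are ignored.
 * The caller passes the file's mode/owner/group (e.g. from stat(2)) and
 * the credentials the check should be made against.
 */
bool
direct_exec_allowed(mode_t mode, uid_t fuid, gid_t fgid, uid_t uid, gid_t gid)
{
	if (uid == fuid)
		return ((mode & S_IXUSR) != 0);
	if (gid == fgid)
		return ((mode & S_IXGRP) != 0);
	return ((mode & S_IXOTH) != 0);
}

/*
 * Plain POSIX mode-bit rule, for comparison: the group class applies when
 * the effective gid or any supplementary gid equals the file's gid.
 * (ACLs are still left out; this is only the classic owner/group/other test.)
 */
bool
posix_exec_allowed(mode_t mode, uid_t fuid, gid_t fgid, uid_t uid, gid_t gid,
    const gid_t *groups, size_t ngroups)
{
	size_t i;

	if (uid == fuid)
		return ((mode & S_IXUSR) != 0);
	if (gid == fgid)
		return ((mode & S_IXGRP) != 0);
	for (i = 0; i < ngroups; i++)
		if (groups[i] == fgid)
			return ((mode & S_IXGRP) != 0);
	return ((mode & S_IXOTH) != 0);
}

/*
 * Constructed case: uid 1000 whose primary gid is 1000 but who is in the
 * file's group (100) only via a supplementary group; file is mode 0705.
 * Returns true when the two rules give different answers for it.
 */
bool
supplementary_group_diverges(void)
{
	static const gid_t sup[] = { 100 };
	bool d, p;

	d = direct_exec_allowed(0705, 0, 100, 1000, 1000);
	p = posix_exec_allowed(0705, 0, 100, 1000, 1000, sup, 1);
	return (d != p);
}

/* Stand-alone use: apply the proposed rule to a real path with our own ids. */
int
main(int argc, char **argv)
{
	struct stat st;

	if (argc != 2) {
		fprintf(stderr, "usage: %s path\n", argv[0]);
		return (2);
	}
	if (stat(argv[1], &st) != 0) {
		perror("stat");
		return (2);
	}
	printf("%s: direct-mode check %s (mode %04o, uid %u, gid %u)\n",
	    argv[1],
	    direct_exec_allowed(st.st_mode, st.st_uid, st.st_gid,
	        getuid(), getgid()) ? "allows" : "denies",
	    (unsigned)(st.st_mode & 07777), (unsigned)getuid(),
	    (unsigned)getgid());
	return (0);
}
```

Design note: because the proposed rule never looks at supplementary groups, a caller who is in the file's group only through a supplementary membership falls through to the "other" bits, so on a file such as mode 0705 the two functions disagree (the classic rule denies via g-x, the proposed one allows via o+x). Anyone implementing such a check should decide up front whether that is acceptable, or pass the getgroups(2) list as well.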