Date:      Tue, 28 Oct 1997 04:08:00 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        Don.Lewis@tsc.tdk.com (Don Lewis)
Cc:        tlambert@primenet.com, Don.Lewis@tsc.tdk.com, jamil@trojanhorse.ml.org, thorpej@nas.nasa.gov, joerg_wunsch@uriah.heep.sax.de, freebsd-hackers@FreeBSD.ORG
Subject:   Re: Possible SERIOUS bug in open()? (Big time bug)
Message-ID:  <199710280408.VAA05972@usr08.primenet.com>
In-Reply-To: <199710280017.QAA23766@salsa.gv.tsc.tdk.com> from "Don Lewis" at Oct 27, 97 04:17:32 pm

> } You need to be able to open something with just "x" access to map
> } it so that a process you own can "run" it.  So you also want to
> } allow an open if you have execute access.
> 
> I don't think administrators who remove "r" access to keep users
> from copying executables would like this, since the users could
> just switch to a copying program that uses mmap.

A user can just ctrl-\ the thing and get a core and "undump" it now.

If it's a net program, they can just download it.


> I think it would be better to add a kernel hook so that the emulator
> could be registered as an interpreter for foreign binaries.  The
> kernel could then open an fd and pass it to the emulator when the
> binary is execed.  Something similar would allow you to remove the
> "r" permissions from shell scripts.

This route leads to chaos.  Consider a foreign binary which is suid;
you would end up with the same issues that you would get if SUID shell
scripts worked (in effect, an emulator that worked this way would be
a "different kind of shell interpreter with the foreign binary instead
of '#!' as the 'magic number'" -- this would be bad).


> } Does having only execute access keep you from reading a file?
> } 
> } No.  You can make it core.
> 
> But that doesn't get you a copy of the text segment.  You can probably
> play games with debuggers as well.
> 
> In some environments it might not be acceptable to get even this much
> access, so it might make sense to allow the administrator to disable
> core file generation and the ability to attach a debugger if you don't
> have "r" access.

Well, that's the next logical paranoid step, of course... ;-).


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
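The question Don and Terry are circling ("Does having only execute access keep you from reading a file?") can be checked directly from user space. The following C program is an added example and is not code from the thread or from FreeBSD: it creates a throwaway file under /tmp (a constructed shell script), sets its mode to 0111, and records what open(O_RDONLY) and access() report about it. The path, the sample file content, and the function names are the example's own assumptions. It only exercises the discretionary mode-bit check; it says nothing about the core/undump route Terry mentions, and the result is meaningful only for an unprivileged caller, since root bypasses the mode bits entirely.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What an unprivileged process sees when it pokes at a mode-0111 file. */
struct xonly_probe {
    int open_rdonly_errno; /* errno from open(O_RDONLY); 0 if it succeeded */
    int access_x_ok;       /* 1 if access(path, X_OK) reported execute permission */
    int access_r_ok;       /* 1 if access(path, R_OK) reported read permission */
};

/* Create a temporary file owned by the caller, fill it with a constructed
 * script, chmod it to 0111 (x-only for owner, group and other) and probe it.
 * Returns 0 on success with *out filled in, -1 if setup failed (e.g. /tmp
 * is not writable). The file is removed before returning. */
int probe_exec_only(struct xonly_probe *out)
{
    char path[] = "/tmp/xonly-XXXXXX";       /* assumed writable scratch dir */
    const char body[] = "#!/bin/sh\nexit 7\n"; /* constructed sample content */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    if (chmod(path, 0111) != 0) {
        unlink(path);
        return -1;
    }

    memset(out, 0, sizeof *out);

    /* The point under discussion: open() for reading on an x-only file. */
    errno = 0;
    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        close(fd);
        out->open_rdonly_errno = 0;
    } else {
        out->open_rdonly_errno = errno;
    }

    /* access() answers the same mode-bit question without opening anything.
     * Note: X_OK can also fail on a noexec mount, so it is reported, not relied on. */
    out->access_x_ok = (access(path, X_OK) == 0);
    out->access_r_ok = (access(path, R_OK) == 0);

    unlink(path);
    return 0;
}

/* Returns 1 if the kernel refused open(O_RDONLY) on the x-only file with
 * EACCES, 0 if it handed back a readable descriptor, -1 on setup failure.
 * For euid 0 the answer is 0 by design (DAC override), so callers should
 * check geteuid() before drawing any conclusion about the policy. */
int exec_only_blocks_read(void)
{
    struct xonly_probe p;
    if (probe_exec_only(&p) != 0)
        return -1;
    return p.open_rdonly_errno == EACCES;
}

int main(void)
{
    struct xonly_probe p;
    if (probe_exec_only(&p) != 0) {
        perror("probe_exec_only");
        return 1;
    }
    printf("euid=%d\n", (int)geteuid());
    printf("open(O_RDONLY) on mode 0111 file: %s\n",
           p.open_rdonly_errno ? strerror(p.open_rdonly_errno) : "succeeded");
    printf("access(X_OK)=%d access(R_OK)=%d\n", p.access_x_ok, p.access_r_ok);
    return 0;
}
```

Run it as an ordinary user and open() fails with EACCES while access(X_OK) succeeds, which is exactly the gap the thread is about: the mode bits let you execute the file but give you no descriptor to read or mmap it through. Run it as root and open() succeeds, because root is not subject to the mode bits at all, so the probe tells you nothing about the open() policy in that case.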



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710280408.VAA05972>