tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [PATCH] fexecve



On Thu, Nov 15, 2012 at 01:50:54PM -0500, Mouse wrote:
> > All of a sudden, the very presence of those sockets means not just
> > that a component A running in chroot Ca, with uid Ua, can pass _data_
> > to a component B running in chroot Cb, with uid Ub -- which was part
> > of the design -- but that it can enable B to run new code that was
> > formerly not available at all in Cb (because all memory and
> > filesystems available to processes in Cb are either read-only, or
> > executable, but not both).
> 
> It always could, just not with exec()-family calls.  Did you read the
> points you didn't quote about script interpreters and VMs?

What script interpreters?  What VMs?  Why would I include one in such an
environment?

The point is, this is interesting functionality that makes something
new possible that is potentially useful from a security point of view,
but the new thing that's possible also breaks assumptions that existing
code may rely on to get security guarantees it wants.  Despite the fact
that if it'd been there since the beginning, this feature might be useful,
it is not safe to unleash it now.

Thor


Home | Main Index | Thread Index | Old Index