From: Stas Sergeev <stsp@aknet.ru>
To: Hugh Dickins <hugh@veritas.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
Andrew Morton <akpm@osdl.org>,
Ulrich Drepper <drepper@redhat.com>,
Linux kernel <linux-kernel@vger.kernel.org>
Subject: Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps
Date: Sun, 24 Sep 2006 14:00:53 +0400 [thread overview]
Message-ID: <45165755.8070607@aknet.ru> (raw)
In-Reply-To: <Pine.LNX.4.64.0609241009020.17400@blonde.wat.veritas.com>
Hi.
Hugh Dickins wrote:
>> Since "noexec" was already rendered useless - yes.
> I'm very puzzled. The intention of "noexec" is to prevent execution
> of files on that mount. You're saying it's useless because it's
That was actually a bad english on my side, sorry
(English is not my native lang). Instead of "useless"
I meant to say "changed to the point where it cannot be
effectively used any more".
> preventing execution of files on that mount?
What exactly the "execution" consist of here? You are
not going to prevent an execution of some perl scripts
etc, dont you? So IMHO that applies to only the execution
of the native binaries, ie, similair to just removing the
exec permission from all the files on that partition. Or
at least that's how I understand it. And clearing an exec
permission doesn't disable PROT_EXEC, AFAIK.
> It seems to me that
> you simply have a mount where "noexec" presents more problems than
> it solves: so don't use it there.
I am not at all an expert in a security but I think the point
of "noexecing" the partitions was to make it difficult for an
attacker to put his own binaries somewhere and execute them.
In this case (but I may be wrong) leaving tmpfs without noexec
prevents that goal from being achieved even if all the other
writeable partitions are noexeced, because an attacker will
use /dev/shm for his binaries then. Just my guesses though.
> That doesn't mean it's useless:
> not every mmap involves PROT_EXEC, not every mount demands execution.
I think it is now more useless than before because that
restriction breaks *only* the properly written apps, while
the malicious ones are completely unaffected. That forces
the people to use it rarely than before (not on tmpfs), and
so it looses its use almost completely, leaving at least that
partition executable.
Why only the properly-written apps breaks is because they use
MAP_SHARED - that you *can* effectively protect from PROT_EXEC,
provided you restrict also mprotect(). The malicious apps are
unaffected because they will not use MAP_SHARED, but instead
just read() the binary into the anonymously mapped area with
PROT_EXEC set. ld.so could certainly do that work on his own,
but I don't know how difficult it could be. (I guess it could
retrieve the "noexec" flag from /proc/mounts or something like
that, instead of trying PROT_EXEC and see if it fails).
next prev parent reply other threads:[~2006-09-24 9:59 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-23 10:30 [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Stas Sergeev
2006-09-23 15:16 ` Hugh Dickins
2006-09-23 15:36 ` Ulrich Drepper
2006-09-23 15:47 ` Stas Sergeev
2006-09-25 1:12 ` Valdis.Kletnieks
2006-09-25 4:35 ` Stas Sergeev
2006-09-23 15:42 ` Stas Sergeev
2006-09-23 16:04 ` Hugh Dickins
2006-09-23 16:38 ` Stas Sergeev
2006-09-23 18:58 ` Alan Cox
2006-09-24 6:55 ` Stas Sergeev
2006-09-24 9:17 ` Hugh Dickins
2006-09-24 10:00 ` Stas Sergeev [this message]
2006-09-24 13:53 ` Alan Cox
2006-09-24 14:54 ` Stas Sergeev
2006-09-24 15:48 ` Ulrich Drepper
2006-09-24 16:31 ` Stas Sergeev
2006-09-24 16:49 ` Ulrich Drepper
2006-09-24 17:04 ` Stas Sergeev
2006-09-24 18:09 ` Stas Sergeev
2006-09-24 19:14 ` David Wagner
2006-09-24 19:37 ` Kyle Moffett
2006-09-24 22:49 ` David Wagner
2006-09-25 10:53 ` Pavel Machek
2006-09-25 21:36 ` David Wagner
2006-09-27 11:51 ` Pavel Machek
2006-09-24 20:06 ` Denis Vlasenko
2006-09-24 20:22 ` Stas Sergeev
2006-09-24 23:04 ` David Wagner
2006-09-26 19:46 ` Stas Sergeev
2006-09-27 22:33 ` Arjan van de Ven
2006-09-27 23:10 ` David Wagner
2006-09-27 23:38 ` Jesper Juhl
2006-09-29 1:14 ` David Wagner
2006-09-28 4:52 ` Stas Sergeev
2006-09-30 9:42 ` Stas Sergeev
2006-10-03 15:01 ` Arjan van de Ven
2006-10-03 17:15 ` Stas Sergeev
2006-10-03 17:23 ` Ulrich Drepper
2006-10-03 18:06 ` Stas Sergeev
2006-10-03 19:19 ` Ulrich Drepper
2006-10-03 19:40 ` Stas Sergeev
2006-10-03 19:54 ` Arjan van de Ven
2006-10-04 19:36 ` Stas Sergeev
2006-10-04 21:31 ` David Wagner
2006-10-04 3:11 ` David Wagner
2006-10-04 3:51 ` Ulrich Drepper
2006-10-04 4:21 ` David Wagner
2006-10-04 6:03 ` Kyle Moffett
2006-10-04 17:30 ` Ulrich Drepper
2006-10-03 18:23 ` Arjan van de Ven
2006-10-03 18:40 ` Stas Sergeev
2006-10-03 18:42 ` Arjan van de Ven
2006-10-03 19:07 ` Stas Sergeev
2006-10-03 21:00 ` Jakub Jelinek
2006-10-04 19:06 ` Stas Sergeev
2006-10-06 18:09 ` [patch] honour MNT_NOEXEC for access() Stas Sergeev
2006-10-06 21:34 ` Alan Cox
2006-10-06 21:17 ` Ulrich Drepper
2006-10-07 11:19 ` Stas Sergeev
2006-10-07 15:00 ` David Wagner
2006-10-07 16:31 ` Ulrich Drepper
2006-10-07 19:14 ` Stas Sergeev
2006-10-07 19:36 ` David Wagner
2006-10-08 8:32 ` Arjan van de Ven
2006-10-08 9:11 ` Stas Sergeev
2006-10-08 10:55 ` Arjan van de Ven
2006-10-08 13:46 ` Stas Sergeev
2006-10-09 2:09 ` Horst H. von Brand
2006-10-09 4:40 ` Stas Sergeev
2006-10-07 13:18 ` Stas Sergeev
2006-10-08 0:30 ` Jeremy Fitzhardinge
2006-10-08 9:10 ` Stas Sergeev
2006-10-08 9:56 ` Jeremy Fitzhardinge
2006-10-08 10:36 ` Stas Sergeev
2006-10-08 10:39 ` Jesper Juhl
2006-10-08 13:22 ` Stas Sergeev
2006-10-06 22:26 ` Jesper Juhl
2006-10-04 19:30 ` [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Stas Sergeev
2006-10-04 3:20 ` David Wagner
2006-10-04 3:17 ` David Wagner
2006-10-04 13:41 ` Jeff Dike
2006-10-04 18:02 ` Jesper Juhl
2006-10-04 19:48 ` Stas Sergeev
2006-09-27 19:16 ` [patch] remove MNT_NOEXEC check for PROT_EXEC MAP_PRIVATE mmaps Stas Sergeev
2006-09-27 20:05 ` Hugh Dickins
2006-09-28 4:33 ` Stas Sergeev
2006-09-28 16:42 ` Hugh Dickins
2006-09-29 1:41 ` David Wagner
2006-09-29 20:50 ` Arjan van de Ven
2006-09-29 16:54 ` Stas Sergeev
2006-09-24 19:59 ` [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Alan Cox
2006-09-24 20:07 ` Stas Sergeev
2006-09-24 0:53 ` Arjan van de Ven
2006-09-25 17:17 ` Stas Sergeev
2006-09-25 17:43 ` Stas Sergeev
2006-09-25 20:12 ` David Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45165755.8070607@aknet.ru \
--to=stsp@aknet.ru \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=drepper@redhat.com \
--cc=hugh@veritas.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.