From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps
Date: Mon, 25 Sep 2006 21:36:26 +0000 (UTC) [thread overview]
Message-ID: <ef9i4q$emc$1@taverner.cs.berkeley.edu> (raw)
In-Reply-To: 20060925105355.GA4390@elf.ucw.cz
Pavel Machek wrote:
>> I'm curious about this, too. ld-linux.so is a purely unprivileged
>> program. It isn't setuid root. Can you write a variant of ld-linux.so
>> that reads an executable into memory off of a partition mounted noexec and
>> then begins executing that code? (perhaps by using anonymous mmap
>> with
>
>Yes, you can, but to execute your ld-linux-ignore-noexec.so variant,
>you need to put it somewhere with exec permissions, right?
Well, yes, if you write it as a binary executable -- but not if you're
more clever. For instance, you can write a ld-linux-ignore-noexec.so.pl
Perl script, store the Perl script on the noexec partition, and execute
it via "/usr/bin/perl ld-linux-ignore-noexec.so.pl" (since I think
Perl scripts can execute all of the system calls you'd need to use to
write your own loader, since it's pretty well guaranteed that /usr/bin
will live on a partition that is not marked noexec). Note that Perl
will happily execute scripts that are stored on a noexec partition and
that do not have the execute bit set. That bypassess all of the noexec
protections pretty handily.
I'm still having a hard time understanding in what way this is an
effective security mechanism. What is the threat model? What is the
security goal that it is trying to achieve? It strikes me as a mechanism
that might be effective at preventing some kinds of unintentional
execution of code off of the noexec partition, but not at preventing
intentional execution of code. If that is the case, it's not really
a security check in the first place. And in that case, if a recent
tightening of the noexec restrictions breaks some real distribution,
then I think it might be reasonable to re-think that tightening.
Then again, maybe I'm missing something. My knowledge of noexec and
the motivation for introducing it is rather limited. If anyone cares
to enlighten me, I'll be glad to listen.
(Out of curiousity, why was noexec introduced in the first place?
What problem is it designed to solve? When I was first introduced to
noexec, I was told that the reason it existed was so that you could
mark your NFS mounts as noexec. The problem is that NFS is insecure.
Especially in the old days of non-switched networks, anyone who was
on the same subnet as you could easily modify the bytes of all files
read over NFS. This meant that executing programs that reside on a NFS
partition was a bad idea. The noexec flag was intended to help remind
you not to do that. Of course, the noexec flag was a total kludge that
didn't solve the real problem at all; the only argument going for it was
that it was easy to introduce, it didn't break anything, maybe it helped
prevent some kinds of unintentional failures, and it gave us a little time
to fix NFS the right way. Well, it's years later, and we still haven't
fixed NFS; noexec is still a kludge that doesn't appear to solve the real
problem; only now we hear that a recent modification to noexec semantics
has broken an important Linux distribution. That story is what makes me
inclined to be sympathetic to Stas's complaints and skeptical about the
arguments in favor of the recently-added strengthening of enforcement
of noexec. Of course, maybe I don't have the whole story or maybe I'm
missing something.)
next prev parent reply other threads:[~2006-09-25 21:36 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-23 10:30 [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Stas Sergeev
2006-09-23 15:16 ` Hugh Dickins
2006-09-23 15:36 ` Ulrich Drepper
2006-09-23 15:47 ` Stas Sergeev
2006-09-25 1:12 ` Valdis.Kletnieks
2006-09-25 4:35 ` Stas Sergeev
2006-09-23 15:42 ` Stas Sergeev
2006-09-23 16:04 ` Hugh Dickins
2006-09-23 16:38 ` Stas Sergeev
2006-09-23 18:58 ` Alan Cox
2006-09-24 6:55 ` Stas Sergeev
2006-09-24 9:17 ` Hugh Dickins
2006-09-24 10:00 ` Stas Sergeev
2006-09-24 13:53 ` Alan Cox
2006-09-24 14:54 ` Stas Sergeev
2006-09-24 15:48 ` Ulrich Drepper
2006-09-24 16:31 ` Stas Sergeev
2006-09-24 16:49 ` Ulrich Drepper
2006-09-24 17:04 ` Stas Sergeev
2006-09-24 18:09 ` Stas Sergeev
2006-09-24 19:14 ` David Wagner
2006-09-24 19:37 ` Kyle Moffett
2006-09-24 22:49 ` David Wagner
2006-09-25 10:53 ` Pavel Machek
2006-09-25 21:36 ` David Wagner [this message]
2006-09-27 11:51 ` Pavel Machek
2006-09-24 20:06 ` Denis Vlasenko
2006-09-24 20:22 ` Stas Sergeev
2006-09-24 23:04 ` David Wagner
2006-09-26 19:46 ` Stas Sergeev
2006-09-27 22:33 ` Arjan van de Ven
2006-09-27 23:10 ` David Wagner
2006-09-27 23:38 ` Jesper Juhl
2006-09-29 1:14 ` David Wagner
2006-09-28 4:52 ` Stas Sergeev
2006-09-30 9:42 ` Stas Sergeev
2006-10-03 15:01 ` Arjan van de Ven
2006-10-03 17:15 ` Stas Sergeev
2006-10-03 17:23 ` Ulrich Drepper
2006-10-03 18:06 ` Stas Sergeev
2006-10-03 19:19 ` Ulrich Drepper
2006-10-03 19:40 ` Stas Sergeev
2006-10-03 19:54 ` Arjan van de Ven
2006-10-04 19:36 ` Stas Sergeev
2006-10-04 21:31 ` David Wagner
2006-10-04 3:11 ` David Wagner
2006-10-04 3:51 ` Ulrich Drepper
2006-10-04 4:21 ` David Wagner
2006-10-04 6:03 ` Kyle Moffett
2006-10-04 17:30 ` Ulrich Drepper
2006-10-03 18:23 ` Arjan van de Ven
2006-10-03 18:40 ` Stas Sergeev
2006-10-03 18:42 ` Arjan van de Ven
2006-10-03 19:07 ` Stas Sergeev
2006-10-03 21:00 ` Jakub Jelinek
2006-10-04 19:06 ` Stas Sergeev
2006-10-06 18:09 ` [patch] honour MNT_NOEXEC for access() Stas Sergeev
2006-10-06 21:34 ` Alan Cox
2006-10-06 21:17 ` Ulrich Drepper
2006-10-07 11:19 ` Stas Sergeev
2006-10-07 15:00 ` David Wagner
2006-10-07 16:31 ` Ulrich Drepper
2006-10-07 19:14 ` Stas Sergeev
2006-10-07 19:36 ` David Wagner
2006-10-08 8:32 ` Arjan van de Ven
2006-10-08 9:11 ` Stas Sergeev
2006-10-08 10:55 ` Arjan van de Ven
2006-10-08 13:46 ` Stas Sergeev
2006-10-09 2:09 ` Horst H. von Brand
2006-10-09 4:40 ` Stas Sergeev
2006-10-07 13:18 ` Stas Sergeev
2006-10-08 0:30 ` Jeremy Fitzhardinge
2006-10-08 9:10 ` Stas Sergeev
2006-10-08 9:56 ` Jeremy Fitzhardinge
2006-10-08 10:36 ` Stas Sergeev
2006-10-08 10:39 ` Jesper Juhl
2006-10-08 13:22 ` Stas Sergeev
2006-10-06 22:26 ` Jesper Juhl
2006-10-04 19:30 ` [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Stas Sergeev
2006-10-04 3:20 ` David Wagner
2006-10-04 3:17 ` David Wagner
2006-10-04 13:41 ` Jeff Dike
2006-10-04 18:02 ` Jesper Juhl
2006-10-04 19:48 ` Stas Sergeev
2006-09-27 19:16 ` [patch] remove MNT_NOEXEC check for PROT_EXEC MAP_PRIVATE mmaps Stas Sergeev
2006-09-27 20:05 ` Hugh Dickins
2006-09-28 4:33 ` Stas Sergeev
2006-09-28 16:42 ` Hugh Dickins
2006-09-29 1:41 ` David Wagner
2006-09-29 20:50 ` Arjan van de Ven
2006-09-29 16:54 ` Stas Sergeev
2006-09-24 19:59 ` [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps Alan Cox
2006-09-24 20:07 ` Stas Sergeev
2006-09-24 0:53 ` Arjan van de Ven
2006-09-25 17:17 ` Stas Sergeev
2006-09-25 17:43 ` Stas Sergeev
2006-09-25 20:12 ` David Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='ef9i4q$emc$1@taverner.cs.berkeley.edu' \
--to=daw@cs.berkeley.edu \
--cc=daw-usenet@taverner.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.