From: Rich Felker <dalias@aerifal.cx>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>,
David Drysdale <drysdale@google.com>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Andy Lutomirski <luto@amacapital.net>,
Meredydd Luff <meredydd@senatehouse.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
David Miller <davem@davemloft.net>,
Thomas Gleixner <tglx@linutronix.de>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Oleg Nesterov <oleg@redhat.com>, Ingo Molnar <mingo@redhat.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>,
Christoph Hellwig <hch@infradead.org>, X86 ML <x86@kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
sparclinux@vger.kernel.org
Subject: Re: [PATCHv10 man-pages 5/5] execveat.2: initial man page for execveat(2)
Date: Fri, 9 Jan 2015 17:38:43 -0500
Message-ID: <20150109223843.GX4574@brightrain.aerifal.cx>
In-Reply-To: <87lhlbvbzs.fsf@x220.int.ebiederm.org>

On Fri, Jan 09, 2015 at 04:13:27PM -0600, Eric W. Biederman wrote:
> Rich Felker <dalias@aerifal.cx> writes:
>
> > On Fri, Jan 09, 2015 at 09:09:41PM +0000, Al Viro wrote:
>
> > The "magic open-once magic symlink" approach is really the cleanest
> > solution I can find. In the case where the interpreter does not open
> > the script, nothing terribly bad happens; the magic symlink just
> > sticks around until _exit or exec. In the case where the interpreter
> > opens it more than once, you get a failure, but as far as I know
> > existing interpreters don't do this, and it's arguably bad design. In
> > any case it's a caught error.
>
> And it doesn't work without introducing security vulnerabilities into
> the kernel, because it breaks close-on-exec semantics.

I'm curious what those security vulnerabilities would be. The standard
issue with close-on-exec failure (e.g. races) is the leaking of
arbitrary file descriptors (typically, ones opened by other threads or
other unrelated portions of the program) to resources the new process
should not have. "Leaking" of an inode-reference-only (no permissions)
O_PATH fd or pseudo-fd to the script that's to be run does not seem
like a vulnerability to me, and it would only be "leaked" if the
interpreter does something unexpected.

> All you have to do is pick a file descriptor, good candidates are 0 and
> 255 and make it a convention that that file descriptor is used for
> fexecve. At least when you want to support scripts. Otherwise you can
> set close-on-exec.

0 is obviously not a candidate; it's stdin. 255 is also not a
candidate though. Consider for example something like irssi's /upgrade
that's going to have the child inheriting an arbitrary set of file
descriptors that need to keep their original numbers, possibly
including 255. Imposing a script in between should not cause arbitrary
file descriptors to be lost.

> That results in no accumulation of file descriptors because everyone
> always uses the same file descriptor.
>
> Regardless you don't have a patch and you aren't proposing code and the
> code isn't actually broken so please go away.

I'm not proposing code because I'm a libc developer not a kernel
developer. I know what's needed for userspace to provide a conforming
fexecve to applications, not how to implement that on the kernel side,
although I'm trying to provide constructive ideas. The hostility is
really not necessary.

Rich
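
The trade-off argued over in this message, as an added example that is not part of the message or of the execveat patch series: running a `#!` script through fexecve() with and without close-on-exec on the script's descriptor. The helper name `run_script_via_fd`, the sample script and the exit codes are constructed for illustration; it assumes glibc, `/bin/sh`, a writable `/tmp` that allows exec, and `/dev/fd` backed by procfs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Constructed sample script: exits 42 if the descriptor number passed
 * as $1 is still open inside the interpreter, 7 otherwise. */
static const char script[] =
    "#!/bin/sh\n[ -e \"/dev/fd/$1\" ] && exit 42\nexit 7\n";

/* fexecve() the script via a descriptor opened with or without O_CLOEXEC.
 * Returns the child's exit status, or -1 if the setup failed. */
int run_script_via_fd(int cloexec)
{
    char path[] = "/tmp/fexecve-demo-XXXXXX";
    int wfd = mkstemp(path);
    if (wfd < 0)
        return -1;
    ssize_t len = sizeof script - 1;
    int ok = write(wfd, script, len) == len && fchmod(wfd, 0700) == 0;
    close(wfd); /* a descriptor left open for writing can cause ETXTBSY */
    int fd = ok ? open(path, O_RDONLY | (cloexec ? O_CLOEXEC : 0)) : -1;
    if (fd < 0) {
        unlink(path);
        return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        char num[16];
        snprintf(num, sizeof num, "%d", fd);
        char *argv[] = { "script", num, NULL };
        fexecve(fd, argv, environ); /* interpreter is handed /dev/fd/N */
        _exit(errno == ENOENT ? 126 : 125); /* the exec itself failed */
    }
    close(fd);
    int status = 0;
    int waited = pid > 0 && waitpid(pid, &status, 0) == pid;
    unlink(path);
    return waited && WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("plain: %d, O_CLOEXEC: %d\n", run_script_via_fd(0), run_script_via_fd(1));
    return 0;
}
```

Without O_CLOEXEC the script runs and reports that its own descriptor is still open in the interpreter; with O_CLOEXEC the descriptor is gone before the interpreter can open `/dev/fd/N`, so the script never runs.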