From: Matthew Booth
Subject: Re: Format of EXECVE
Date: Mon, 17 Sep 2007 22:31:17 +0100
Message-ID: <1190064677.4993.27.camel@localhost.localdomain>
In-Reply-To: <17971.1190062453@turing-police.cc.vt.edu>
References: <1190047816.14088.17.camel@localhost.localdomain> <17971.1190062453@turing-police.cc.vt.edu>
To: Valdis.Kletnieks@vt.edu
Cc: linux-audit
List-Id: linux-audit@redhat.com

On Mon, 2007-09-17 at 16:54 -0400, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 17 Sep 2007 17:50:16 BST, Matthew Booth said:
>
> > I'm considering expanding argv[0] of EXECVE to be an absolute path.
>
> I take it you mean "*an* absolute path that was valid when we cut the EXECVE
> record", and document that it may not be *the* actual path used? In a quarter
> century, I've just seen *too* many race conditions, tricks with ../symlink/foo
> links, and the like (including some interesting malware that would dynamically
> create a symlink and execve through it, just to frustrate attempts at figuring
> out which binary was being exploited).

This would be an issue in a single-pronged approach.
Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
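One way a defender can act on the concern in Valdis's quoted paragraph, as an added example that is not part of the original thread: a small Python parser over a constructed set of kernel audit records (SYSCALL, EXECVE, CWD and PATH lines of the kind auditd writes, grouped by the event serial in `msg=audit(ts:serial)`) that compares the caller-supplied argv[0] with the kernel's `exe=` field and the `dev`/`inode` of PATH item 0. The sample records, serials, paths and inode numbers are constructed for illustration; the flag names are this example's own, not anything the audit subsystem emits.

```python
import os.path
import re
from collections import defaultdict

# Constructed sample audit records (not from the original message).
# All records of one execve() event share the audit(ts:serial) identifier.
# Event 456: ./ls in the user's home is a symlink to /bin/ls and was run as "./ls".
# Event 457: a binary under /tmp was run with an argv[0] the caller chose to
#            look like sshd; argv[0] is entirely under the caller's control.
# Event 458: the plain case, argv[0] already names the file that was executed.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1190064677.123:456): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1000 pid=1001 auid=500 uid=500 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1190064677.123:456): argc=1 a0="./ls"
type=CWD msg=audit(1190064677.123:456): cwd="/home/matt"
type=PATH msg=audit(1190064677.123:456): item=0 name="./ls" inode=131337 dev=08:01 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1190064677.456:457): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1000 pid=1002 auid=500 uid=500 comm="sshd" exe="/tmp/.x/sshd" key="exec"
type=EXECVE msg=audit(1190064677.456:457): argc=1 a0="/usr/sbin/sshd"
type=CWD msg=audit(1190064677.456:457): cwd="/tmp/.x"
type=PATH msg=audit(1190064677.456:457): item=0 name="./sshd" inode=262144 dev=08:01 mode=0100755 ouid=500 ogid=500
type=SYSCALL msg=audit(1190064677.789:458): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1000 pid=1003 auid=500 uid=500 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1190064677.789:458): argc=1 a0="/bin/ls"
type=CWD msg=audit(1190064677.789:458): cwd="/home/matt"
type=PATH msg=audit(1190064677.789:458): item=0 name="/bin/ls" inode=131337 dev=08:01 mode=0100755 ouid=0 ogid=0
"""

AUDIT_ID = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
# key=value pairs; values are either double-quoted strings or bare tokens.
# (EXECVE arguments containing special characters are hex-encoded by the
# kernel and appear unquoted; this example does not decode that form.)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_records(text):
    """Group raw audit lines by event serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = AUDIT_ID.match(line)
        if not m:
            continue  # not an audit record in the form this parser handles
        rtype, serial = m.group(1), int(m.group(3))
        fields = {}
        for fm in FIELD.finditer(line, m.end()):
            key, quoted, bare = fm.groups()
            fields[key] = quoted if quoted is not None else bare
        events[serial][rtype].append(fields)
    return events


def analyse_execve(text):
    """Summarise each execve event, comparing the caller-supplied argv[0]
    with what the kernel itself recorded about the file it executed."""
    out = []
    for serial, recs in sorted(parse_records(text).items()):
        if 'EXECVE' not in recs or 'SYSCALL' not in recs:
            continue
        sc, ev = recs['SYSCALL'][0], recs['EXECVE'][0]
        cwd = recs['CWD'][0]['cwd'] if recs.get('CWD') else '/'
        argc = int(ev.get('argc', 0))
        argv = [ev.get('a%d' % i, '') for i in range(argc)]
        # PATH item=0 of an execve event describes the file opened for execution.
        item0 = next((p for p in recs.get('PATH', []) if p.get('item') == '0'), {})
        exe = sc.get('exe')
        # Resolve argv[0] against cwd as a pure string operation: the filesystem
        # may have changed since the record was cut, so it is never consulted.
        argv0_abs = os.path.normpath(os.path.join(cwd, argv[0])) if argv else None
        flags = []
        if argv0_abs != exe:
            flags.append('argv0-differs-from-exe')
        if item0.get('name') and os.path.normpath(os.path.join(cwd, item0['name'])) != exe:
            flags.append('opened-via-different-name')  # e.g. execve through a symlink
        out.append({
            'serial': serial,
            'pid': sc.get('pid'),
            'argv': argv,
            'argv0_as_path': argv0_abs,
            'exe': exe,
            'opened_name': item0.get('name'),
            'file_id': (item0.get('dev'), item0.get('inode')),  # stable key for the binary
            'flags': flags,
        })
    return out


if __name__ == '__main__':
    for e in analyse_execve(SAMPLE_RECORDS):
        print(e['serial'], e['argv'], '->', e['exe'], e['file_id'], e['flags'] or 'ok')
```

The useful output is `file_id` together with `exe=`: events 456 and 458 ran the same binary (same device and inode) even though their argv[0] strings differ, while event 457 shows that argv[0], absolute or not, is simply what the caller passed and says nothing reliable about the file executed.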