public inbox for linux-kernel@vger.kernel.org
From: Steven Rostedt <rostedt@goodmis.org>
To: Nick Warne <nick@linicks.net>
Cc: Felipe Alfaro Solana <felipe.alfaro@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: Re: chmod 111
Date: Fri, 17 Mar 2006 13:26:44 -0500
Message-ID: <1142620004.9478.13.camel@localhost.localdomain>
In-Reply-To: <200603171811.01963.nick@linicks.net>

On Fri, 2006-03-17 at 18:11 +0000, Nick Warne wrote:
> On Friday 17 March 2006 18:07, Felipe Alfaro Solana wrote:
> > > I shouldn't be able to execute 'ls' as I can't read it, shouldn't it?
> >
> > Nop... you can execute binaries even if the read permission is not
> > granted. Note that I said "binaries". Shell script files need read and
> > execute permission, since they must be read by a shell interpreter in
> > order to get executed.
> 
> Hi Felipe,
> 
> First, apologies as this isn't a kernel issue (but related, I suppose).
> 
> Yes, I see now after much messing about.  Why then are most binaries chmod 
> 755?  Who would need (why) to read a [system] binary?

Well, I guess you can't ptrace an executable that you can't read.

# cd /bin
# ls -l ls
-rwxr-xr-x 1 root root 80008 2006-03-02 15:08 ls
# chmod 711 ls
# ls -l ls
-rwx--x--x 1 root root 80008 2006-03-02 15:08 ls

$ cd /bin
$ ls -l ls
-rwx--x--x 1 root root 80008 2006-03-02 15:08 ls
$ gdb
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
(gdb) file /bin/ls
/bin/ls: Permission denied.
(gdb)


# chmod 755 ls

(gdb) file /bin/ls
Reading symbols from /bin/ls...(no debugging symbols found)...done.
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb)


So I guess if you need to debug a system binary, you need it readable.
But I guess that can also be a security problem, and having system
binaries not readable might make your system a little more secure.

-- Steve
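
The distinction drawn in this thread (a binary runs with execute permission alone, a script also needs read, and a debugger needs read), as an added audit sketch that is not part of the original message. The function names `other_access` and `audit_dir` are hypothetical; it assumes GNU `stat` and an auditor who can read the files being checked.

```shell
#!/bin/sh
# Added example: what can "other" users do with a file, judged from its mode bits?
# Assumes GNU stat (-c '%a') and an auditor who may read the files (e.g. root).

# other_access FILE -> run+read | run-only | broken-script | no-exec
other_access() {
    mode=$(stat -c '%a' "$1") || return 1
    o=${mode#"${mode%?}"}            # last octal digit = bits for "other"
    if [ $(( o & 1 )) -eq 0 ]; then echo no-exec; return 0; fi
    if [ $(( o & 4 )) -ne 0 ]; then echo run+read; return 0; fi
    # Execute without read: the kernel can still load a binary, but a "#!"
    # script fails because the interpreter has to open the file itself.
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null)
    if [ "$magic" = '#!' ]; then echo broken-script; else echo run-only; fi
}

# audit_dir DIR -> one "<class> <name>" line per regular file
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(other_access "$f")" "${f##*/}"
    done
}

# Constructed sample files (not real system binaries).
demo=$(mktemp -d)
printf '\177ELF' > "$demo/tool711";   chmod 711 "$demo/tool711"
printf '\177ELF' > "$demo/tool755";   chmod 755 "$demo/tool755"
printf '#!/bin/sh\n' > "$demo/wrap711"; chmod 711 "$demo/wrap711"
audit_dir "$demo"
rm -rf "$demo"
```

Files reported as `run-only` are the ones a non-owner can execute but cannot open in a debugger or copy; `broken-script` marks scripts that a 711-style lockdown would stop working for non-owners.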


