From: Cyrill Gorcunov <gorcunov@openvz.org>
To: richard -rw- weinberger <richard.weinberger@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Pavel Emelyanov <xemul@parallels.com>,
Kees Cook <keescook@chromium.org>, Tejun Heo <tj@kernel.org>,
Matt Helsley <matthltc@us.ibm.com>
Subject: Re: [patch 1/2] c/r: prctl: Add ability to set new mm_struct::exe_file
Date: Tue, 20 Mar 2012 03:17:09 +0400 [thread overview]
Message-ID: <20120319231709.GM19594@moon> (raw)
In-Reply-To: <CAFLxGvyCRAq6t8_ni+VFUVpOGJ4-iz0i=PRFEFpVJ+ZaPEb3-g@mail.gmail.com>
On Tue, Mar 20, 2012 at 12:02:44AM +0100, richard -rw- weinberger wrote:
> On Mon, Mar 19, 2012 at 11:46 PM, Andrew Morton
> <akpm@linux-foundation.org> wrote:
> > Well, let's discuss this more completely. In what ways could an
> > attacker use this? How serious is the problem? What actions can be
> > taken to lessen it? etcetera.
>
> After considering the problem a bit more I think it's not a big problem.
> We must not trust /proc/pid/exe in anyway.
Well, Richard, we probably do not trust it anyway but sysadmins might do
(and this was another reason for one-shot behaviour -- to not bring
heart attacks to sysadmins, and everyone would know this link might
be changed only one time ;)
> An attacker can always execute another binary without calling execve().
That's what c/r basically does :)
>
> So, why makes that one-short fashion the feature more secure?
> Let the user change the exe symlink as often as he wants.
> From a security point of view the exe symlink is anyway useless.
Maybe better to call it 'predictable' then rather than 'secure'?
Cyrill
next prev parent reply other threads:[~2012-03-19 23:17 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-16 20:55 [patch 0/2] [PATCH 0/2] prctl extension in a sake of c/r Cyrill Gorcunov
2012-03-16 20:55 ` [patch 1/2] c/r: prctl: Add ability to set new mm_struct::exe_file Cyrill Gorcunov
2012-03-19 22:15 ` Andrew Morton
2012-03-19 22:39 ` Cyrill Gorcunov
2012-03-19 22:41 ` richard -rw- weinberger
2012-03-19 22:46 ` Andrew Morton
2012-03-19 22:50 ` Cyrill Gorcunov
2012-03-19 22:59 ` Andrew Morton
2012-03-19 23:12 ` Cyrill Gorcunov
2012-03-19 23:02 ` richard -rw- weinberger
2012-03-19 23:17 ` Cyrill Gorcunov [this message]
2012-03-19 23:23 ` richard -rw- weinberger
2012-03-20 6:55 ` Cyrill Gorcunov
2012-03-22 23:38 ` Eric W. Biederman
2012-03-23 6:41 ` Cyrill Gorcunov
2012-03-23 6:47 ` Cyrill Gorcunov
2012-03-23 17:06 ` Matt Helsley
2012-03-19 22:47 ` Cyrill Gorcunov
2012-03-16 20:55 ` [patch 2/2] c/r: prctl: Add ability to get clear_tid_address Cyrill Gorcunov
2012-03-19 16:51 ` Kees Cook
2012-03-19 16:55 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120319231709.GM19594@moon \
--to=gorcunov@openvz.org \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=matthltc@us.ibm.com \
--cc=oleg@redhat.com \
--cc=richard.weinberger@gmail.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox