From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@transmeta.com>
Cc: <linux-kernel@vger.kernel.org>
Subject: Re: Security question: "Text file busy" overwriting executables but not shared libraries?
Date: 04 Oct 2001 09:01:03 -0600 [thread overview]
Message-ID: <m1n137zbyo.fsf@frodo.biederman.org> (raw)
In-Reply-To: <Pine.LNX.4.33.0110032247190.7649-100000@penguin.transmeta.com>
In-Reply-To: <Pine.LNX.4.33.0110032247190.7649-100000@penguin.transmeta.com>
Linus Torvalds <torvalds@transmeta.com> writes:
> On Thu, 4 Oct 2001, Alexander Viro wrote:
> > <nit>
> > I _really_ doubt that something does write() on /etc/passwd. Create a
> > file and rename it over the thing - sure, but that's it.
> > </nit>
>
> Well, yeah, bad choice. Can you believe /var/run/utmp or similar?
>
> And yes, we could add checks for the thing being executable before we
> accept MAP_DENYWRITE instead of just ignoring the flag from user space.
> Nobody has cared enough to make the effort.
>
> Until now?
Hmm. Before I volunteer I need to think this thing out. I orginally
missed the clearing of MAP_DENYWRITE in the arch specific code.
First what user space really wants is the MAP_COPY. Which is
MAP_PRIVATE with the guarantee that they don't see anyone else's changes.
Just skimming /lib most libraries are only rw by root so the case we
are protecting ourselves against is fumble fingered administrators.
The two fumbles in particular are fumbling the permissions, and
accidentaly writing to a shared library.
given that MAP_DENYWRITE does remove unlink permission for most uses it
can be worked around.
We already allow user space applications to make arbitrary files
MAP_DENYWRITE simply by executing them, and the only restriction is
that MAP_DENYWRITE only persists while user space has the file open.
So I guess allowing it in mmap is not actually a problem, as we can
already do that.
At the same time there are cases where it is unacceptable to stop
people from writing to a file just because you have read access to it,
and you open the file. Even having write access to a file isn't
enough. So you really need to have execute and read permissions on a
file for this to be reasonable.
The one downside of requiring libraries to be executable is that
tricks like preventing. /lib/ld-linux.so.2 /mnt/noexec/bin/true is
a little harder.
A remaining question was for newer kernels should MAP_DENYWRITE fail
if you don't have execute permissions, or should it just be a strong
hint.
Having MAP_DENYWRITE fail on filesystems that are mounted noexec and
having a dynamic loader that tests looks like it would be easier to
enforce a noexec policy for untrusted mounts.
So the code will need to look something like.
if (flags & MAP_DENYWRITE) {
struct inode *inode = file->f_dentry->inode;
if (IS_NOEXEC(inode) || !ISREG(inode->i_mode) ||
(permission(inode, MAY_EXEC) != 0)) {
return -EACCESS;
}
}
Eric
next prev parent reply other threads:[~2001-10-04 15:10 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-10-03 12:49 Security question: "Text file busy" overwriting executables but not shared libraries? Jesse Pollard
2001-10-03 18:06 ` Eric W. Biederman
2001-10-03 23:20 ` Rob Landley
2001-10-04 3:38 ` Eric W. Biederman
2001-10-04 4:19 ` Alexander Viro
2001-10-04 6:15 ` Eric W. Biederman
2001-10-04 8:21 ` CaT
2001-10-04 8:35 ` john slee
2001-10-04 8:45 ` CaT
2001-10-04 13:11 ` Eric W. Biederman
2001-10-04 14:24 ` Kernel size Richard B. Johnson
2001-10-13 20:35 ` Aaron Lehmann
2001-10-04 8:30 ` Security question: "Text file busy" overwriting executables but not shared libraries? Ville Herva
2001-10-04 9:46 ` Erik Andersen
2001-10-04 19:50 ` Security question: "Text file busy" overwriting executables but no Kai Henningsen
2001-10-04 8:53 ` Security question: "Text file busy" overwriting executables but not shared libraries? Andreas Schwab
2001-10-04 13:23 ` Eric W. Biederman
2001-10-04 9:12 ` Bloatware (was Re: Security question: "Text file busy"...) VDA
2001-10-04 5:38 ` Security question: "Text file busy" overwriting executables but not shared libraries? Linus Torvalds
2001-10-04 5:44 ` Alexander Viro
2001-10-04 5:49 ` Linus Torvalds
2001-10-04 15:01 ` Eric W. Biederman [this message]
2001-10-04 15:49 ` Linus Torvalds
2001-10-04 16:02 ` Richard Gooch
2001-10-04 16:20 ` Andreas Schwab
2001-10-04 17:19 ` Richard Gooch
2001-10-04 16:11 ` Alexander Viro
2001-10-04 19:28 ` Security question: "Text file busy" overwriting executables but no Kai Henningsen
2001-10-04 17:25 ` Security question: "Text file busy" overwriting executables but not shared libraries? Eric W. Biederman
2001-10-13 14:53 ` Jamie Lokier
2001-10-13 17:13 ` Linus Torvalds
2001-10-13 18:18 ` Rik van Riel
2001-10-13 18:40 ` Pablo Alcaraz
2001-10-13 19:05 ` Jamie Lokier
2001-10-13 18:54 ` Jamie Lokier
2001-10-13 19:23 ` Linus Torvalds
2001-10-13 19:46 ` Jamie Lokier
2001-10-13 21:43 ` Aaron Lehmann
2001-10-13 22:27 ` Eric W. Biederman
2001-10-13 22:50 ` Aaron Lehmann
2001-10-15 11:24 ` Jamie Lokier
2001-10-13 22:19 ` Linus Torvalds
2001-10-14 6:49 ` Eric W. Biederman
2001-10-14 8:17 ` Xavier Bestel
2001-10-14 15:40 ` Linus Torvalds
2001-10-14 18:49 ` Eric W. Biederman
2001-10-15 11:43 ` Jamie Lokier
2001-10-13 22:41 ` Richard Gooch
2001-10-15 11:35 ` Jamie Lokier
2001-10-15 11:51 ` Alexander Viro
2001-10-15 12:29 ` Jamie Lokier
2001-10-13 22:27 ` Linus Torvalds
2001-10-14 12:57 ` Security question: "Text file busy" overwriting executables but no Kai Henningsen
2001-10-14 21:43 ` Security question: "Text file busy" overwriting executables but not shared libraries? Mark H. Wood
2001-10-04 5:53 ` Richard Gooch
2001-10-04 20:39 ` Security question: "Text file busy" overwriting executables but Alan Cox
2001-10-05 16:30 ` Eric W. Biederman
2001-10-05 16:58 ` Linus Torvalds
2001-10-05 17:35 ` Horst von Brand
2001-10-05 17:44 ` Linus Torvalds
2001-10-05 18:51 ` Oliver Xymoron
2001-10-06 19:05 ` Eric W. Biederman
2001-10-14 8:02 ` [RFC] "Text file busy" when overwriting libraries Eric W. Biederman
2001-10-14 12:08 ` Alan Cox
2001-10-14 20:48 ` Eric W. Biederman
2001-10-15 1:44 ` Alan Cox
2001-10-15 2:06 ` Linus Torvalds
2001-10-15 10:11 ` Eric W. Biederman
2001-10-15 11:54 ` Alan Cox
2001-10-15 11:57 ` Alexander Viro
2001-10-15 12:08 ` Alan Cox
2001-10-15 12:11 ` Alexander Viro
2001-10-04 6:50 ` Security question: "Text file busy" overwriting executables but not shared libraries? George Greer
2001-10-04 12:54 ` John Levon
-- strict thread matches above, loose matches on Subject: below --
2001-10-03 2:55 Rob Landley
2001-10-03 7:07 ` Alexander Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1n137zbyo.fsf@frodo.biederman.org \
--to=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@transmeta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox