This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.
Re: [fyre@box3n.gumbynet.org: Re: ld-2.1.3.so allows users to run programs from noexec partition]
On Tue, Sep 05, 2000 at 10:09:46AM -0400, Ben Collins wrote:
> On Tue, Sep 05, 2000 at 10:01:22AM -0400, Daniel Jacobowitz wrote:
> > On Mon, Sep 04, 2000 at 08:27:15PM -0400, Ben Collins wrote:
> > > On Mon, Sep 04, 2000 at 03:26:57PM -0300, Rodrigo Barbosa (aka morcego) wrote:
> > > > Anything new on this field? ld-2.1.93.so still executes the file.
> > >
> > > Just a question, what's to stop anyone from copying their own ld.so to ~/
> > > and using it? What I mean is, isn't the problem in the kernel and not
> > > glibc (where fs options should be enforced just like read and write
> > > perms)? Even going to the kernel, nothing stops someone from copying an
> > > executable to their local ~/ and adding +x and then executing it. So
> > > basically, the only thing noexec really cures is +s, and even then should
> > > still be the fs (i.e. kernel) that enforces it.
> >
> > Well, that doesn't work if /home is mounted noexec. Isn't that the
> > whole point?
>
> Then /tmp and /var/tmp too...I guess in that situation, ld.so would be an
> open hole.
>
The whole point is that, as far as I can tell, ld.so doesn't exec the program.
It loads the program into memory, and then execs from memory. I may be wrong,
because I haven't got as far as ld.so in my study of glibc code, but that is the
general feeling I (and other coworkers I asked about it) have.

If that is really the case, the kernel can do nothing about it, because ld.so is
not executing the program, but is reading it.

But there is a more important point here. Yes, of course the user can copy ld.so
to ~/, but the most troublesome case is when the user does not have a homedir, or
can't write anywhere else but /tmp (mode 1777). The greater reason for a noexec /tmp
is that it's 1777, so anyone (even users like nobody, bin, mail etc.) can write
there. And, if the user can write to his homedir, he can do a lot of other things,
and ld.so is only a very minor issue.

If ld.so really does things as I said (read and execute from memory), then the
kernel cannot interfere, and ld.so should verify it by itself.

If that is not the case, I would like to know how ld.so does it, since, AFAIK, one
cannot exec[vlpe] on a noexec'd file.

Tkx.
--
/* Rodrigo Barbosa - A.K.A. morcego */
/* rodrigob@conectiva.com.br - Conectiva R&D Team */
/* "Quis custodiet custodias?" - Juvenal */
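
The check the message above says ld.so should make for itself, as an added example (not glibc's code and not part of this thread): before reading or mapping a program, a loader asks which mount the opened file lives on and refuses when that mount carries noexec. The function names are hypothetical; `fstatvfs` and `ST_NOEXEC` are the real glibc interfaces.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/statvfs.h>
#include <unistd.h>
/* glibc exposes ST_NOEXEC only with GNU extensions enabled; 8 is its Linux value. */
#ifndef ST_NOEXEC
#define ST_NOEXEC 8
#endif

/* Policy decision on a statvfs f_flag word: does the mount forbid execution? */
int flags_forbid_exec(unsigned long f_flag)
{
    return (f_flag & ST_NOEXEC) != 0;
}

/* 1 = fd is on a noexec mount, 0 = not, -1 = error (errno set by fstatvfs).
 * Checking the open descriptor, not the path, ties the answer to the file used. */
int fd_on_noexec_mount(int fd)
{
    struct statvfs vfs;
    if (fstatvfs(fd, &vfs) != 0)
        return -1;
    return flags_forbid_exec(vfs.f_flag);
}

/* Hypothetical loader step: returns an fd that may be mapped, or -1.
 * Fails closed: a noexec mount gives EACCES, an fstatvfs error is passed on. */
int open_for_loading(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = fd_on_noexec_mount(fd);
    if (rc != 0) {
        int saved = (rc > 0) ? EACCES : errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_for_loading(argc > 1 ? argv[1] : "/bin/sh");
    puts(fd >= 0 ? "may be loaded" : "refused");
    return fd >= 0 ? 0 : 1;
}
```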