svn commit: r318313 - head/libexec/rtld-elf

[Nikolai Lifanov]

On 05/15/2017 15:32, Bryan Drewery wrote:
> On 5/15/2017 12:29 PM, Konstantin Belousov wrote:
>> On Mon, May 15, 2017 at 12:25:20PM -0700, Bryan Drewery wrote:
>>> On 5/15/2017 12:00 PM, Konstantin Belousov wrote:
>>>> On Mon, May 15, 2017 at 06:52:36PM +0000, Alexey Dokuchaev wrote:
>>>>> On Mon, May 15, 2017 at 06:48:58PM +0000, Konstantin Belousov wrote:
>>>>>> New Revision: 318313
>>>>>> URL: https://svnweb.freebsd.org/changeset/base/318313
>>>>>>
>>>>>> Log:
>>>>>>   Make ld-elf.so.1 directly executable.
>>>>>
>>>>> Does it mean that old Linux' trick of /lib/ld-linux.so.2 /bin/chmod +x
>>>>> /bin/chmod would now be possible on FreeBSD as well?
>>>> Yes.
>>>>
>>>>> Does this have any security implications?
>>>> What do you mean ?
>>>>
>>>
>>> I think for 3rd-party distributions it may be a problem. At the very
>>> least it needs to be communicated clearly in release notes or UPDATING.
>>>
>>> Consider a downstream vendor who has support for signed binary
>>> executions.  If rtld allows a backdoor around exec(2) to run an unsigned
>>> binary, that could be a problem for them.  It is on them to add support
>>> to exec(2) to validate the special case of execing rtld with an
>>> argument, or to just disable the feature in rtld from this commit.
>>
>> Note the undocumented O_VERIFY flag in open(2) from the patch.
>> This is very vendor-ish addition to request veriexec (?).
>>
> 
> Ah nice.
> 


Note, this already does the right thing with noexec filesystems:
# zfs create -o mountpoint=/mnt -o exec=off tank/TEST
# cp /bin/sh /mnt/
# /mnt/sh
/mnt/sh: Permission denied.
# /libexec/ld-elf.so.1 /mnt/sh
/mnt/sh: mmap of data failed: Permission denied

- Nikolai Lifanov

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 992 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-head/attachments/20170515/06f9008c/attachment.sig>