Summary: | ld-linux.so allows bypassing of the eXecute permission bit on readable ELF programs | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Joseph Pingenot <gentoobugzilla> |
Component: | [OLD] Core system | Assignee: | Gentoo Linux bug wranglers <bug-wranglers> |
Status: | RESOLVED CANTFIX | ||
Severity: | major | CC: | henrik, jakub, superlag, truedfx |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Joseph Pingenot
2005-12-01 09:24:56 UTC
I can confirm the behavior here. > ld-linux executes the [ELF] program, despite lack of execute permission (and
> probably also mount -o noexec!)
Actually, with noexec it will refuse to load.
(In reply to comment #2) > > ld-linux executes the [ELF] program, despite lack of execute permission (and > > probably also mount -o noexec!) > > Actually, with noexec it will refuse to load. How does this fix the initial problem? Being able to execute -x binaries? Quite right about the noexec, btw: $ls -r--r--r-- 1 someuser someuser 8700 Dec 1 12:57 small-read $pwd /mnt/foo $/lib/ld-linux.so.2 ./small-read ./small-read: error while loading shared libraries: ./small-read: failed to map segment from shared object: Operation not permitted that said, the eXecute issue still remains. I don't agree that this is RESOLVED at all, however. The security of the eXectue bit is dubious atm. > How does this fix the initial problem? Being able to execute -x binaries?
You're the one who closed this bug :) From your comment I assume this was a
mistake, so consider it reopened.
Brix: as I stated, the problem goes beyond binaries and is going to be a Hard problem to solve well. For now, simply making ld-linux check is sufficient to stop this <i>particular</i> hole, but one can still execute, for example, a perl script in /usr/local/bin despite the script being -x: $ dir /usr/local/bin/foo.pl -r--r--r-- 1 solarion solarion 51 Dec 1 13:13 /usr/local/bin/foo.pl $ file /usr/local/bin/foo.pl /usr/local/bin/foo.pl: perl script text executable $ /usr/local/bin/foo.pl bash: /usr/local/bin/foo.pl: Permission denied $ perl /usr/local/bin/foo.pl I ran! It's also interesting to note that bash is a good citizen: it checks permissions: $ dir /usr/local/bin/a.out -rw-r--r-- 1 solarion solarion 49 Oct 3 2000 /usr/local/bin/a.out $ file /usr/local/bin/a.out /usr/local/bin/a.out: Bourne shell script text executable $ bash /usr/local/bin/a.out Use ./a.out instead. /usr/local/bin/a.out: line 4: ./a.out: Permission denied [as an aside, /usr/local/bin/a.out in every user's path is an evil thing to do in a multiuser environment, but helpful on your own machine ;] (In reply to comment #5) > You're the one who closed this bug :) From your comment I assume this was a > mistake, so consider it reopened. Errr... oops. :) 1/ First of all, I've missed why it this filed to Gentoo bugzilla. This is *absolutely not* a Gentoo-specific problem. 2/ This has been known for a long time, and used to work even with noexec mounted partitions, later on this has been fixed in kernel (about two years ago) and you cannot bypass noexec mount in this way any more. 3/ If you don't like the current behaviour, then use PaX/SELinux/whatever else to get the desired behaviour... UPSTREAM. Why not remove perl, python and ruby interpreters then? Because you can always pass them the scripts as stdin perl < /path/to/a/perl/script (-x) python < /path/to/a/python/script (-x) ruby < /path/to/a/ruby/script (-x) ... It's an unsolvable problem from that pov. I agree with jakub on this. Closing CANTFIX/UPSTREAM. |