
Re: [PATCH/RFC] do not source/exec scripts on noexec mount points

From Chet Ramey <chet.ramey@case.edu>
Newsgroups gnu.bash.bug
Subject Re: [PATCH/RFC] do not source/exec scripts on noexec mount points
Date Sun, 13 Dec 2015 17:24:14 -0500
Organization ITS, Case Western Reserve University
Message-ID <mailman.2028.1450045478.31583.bug-bash@gnu.org> (permalink)
References <1449954086-30408-1-git-send-email-vapier@gentoo.org>
Cc chet.ramey@case.edu
To Mike Frysinger <vapier@gentoo.org>, bug-bash@gnu.org
In-Reply-To <1449954086-30408-1-git-send-email-vapier@gentoo.org>


On 12/12/15 4:01 PM, Mike Frysinger wrote:
> From: Mike Frysinger <vapier@chromium.org>
> 
> Today, if you have a script that lives on a noexec mount point, the
> kernel will reject attempts to run it directly:
>   $ printf '#!/bin/sh\necho hi\n' > /dev/shm/test.sh
>   $ chmod a+rx /dev/shm/test.sh
>   $ /dev/shm/test.sh
>   bash: /dev/shm/test.sh: Permission denied
> 
> But bash itself has no problem running this file:

It's hard to see how this proposal improves overall system security.  There
are a dozen ways a minimally-competent attacker can circumvent it.  Unless
you want to completely remove the ability for bash and other utilities to
read files from a noexec file system, or run on a system with no writable
file systems at all, this does no good.  Its primary effect would seem to
be annoying and frustrating users.

A worse problem is that the abstraction is in the wrong place.  The shell,
like other programs, requests services from the kernel to do things.  The
kernel is the arbiter of restrictions on those services.  If asked to
execute a file, the shell asks the kernel whether the file is executable,
then tries to execute it.  If asked to read a file, the shell tries to
open it.  The kernel, or some agent it invokes, is where the access
decision is made.  If you want to, for instance, disallow the shell and
other utilities from opening executable files for reading on file systems
with noexec set, the shell binary is not the place to embed that policy.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
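The quoted RFC describes keying on the noexec state of the mount, and the reply argues that such a check belongs to the kernel, not the shell binary. As an added example (not the patch's code, which is not shown here, and not bash's), this C program reports from userspace why execve() would refuse a path, combining the file's mode bits with the ST_NOEXEC flag from statvfs(); the assumption is that this flag is what the RFC's check inspects, and the comparison against access(X_OK) shows the kernel's own answer alongside it.

```c
#define _GNU_SOURCE /* exposes ST_NOEXEC in <sys/statvfs.h> on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

#ifndef ST_NOEXEC
#define ST_NOEXEC 8 /* Linux value of MS_NOEXEC; assumed for non-glibc builds */
#endif

/* Why execve() would (or would not) refuse a path, as seen from userspace. */
enum exec_reason {
    EXEC_OK = 0,        /* mode bits and mount flags both allow execution */
    EXEC_NOT_FOUND,     /* stat() failed (ENOENT, EACCES on a parent, ...) */
    EXEC_NOT_REGULAR,   /* directory, device, etc. */
    EXEC_NO_XBIT,       /* no execute bit for anyone */
    EXEC_NOEXEC_MOUNT   /* file system is mounted noexec (ST_NOEXEC) */
};

enum exec_reason exec_check(const char *path)
{
    struct stat st;
    struct statvfs vfs;

    if (stat(path, &st) != 0)
        return EXEC_NOT_FOUND;
    if (!S_ISREG(st.st_mode))
        return EXEC_NOT_REGULAR;
    if ((st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
        return EXEC_NO_XBIT;
    /* Reading the mount flag is advisory only: it enforces nothing by itself. */
    if (statvfs(path, &vfs) == 0 && (vfs.f_flag & ST_NOEXEC))
        return EXEC_NOEXEC_MOUNT;
    return EXEC_OK;
}

static const char *reason_str(enum exec_reason r)
{
    static const char *names[] = { "ok", "not found", "not a regular file",
                                   "no execute bit", "noexec mount" };
    return names[r];
}

int main(int argc, char **argv)
{
    /* Usage: ./exec_check /dev/shm/test.sh /bin/sh */
    for (int i = 1; i < argc; i++)
        printf("%s: userspace says \"%s\", kernel access(X_OK) says %s\n", argv[i],
               reason_str(exec_check(argv[i])), access(argv[i], X_OK) == 0 ? "yes" : "no");
    return 0;
}
```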
