Do not allow direct exec if the process is suid. Try to follow Unix permission checks for DACs; ignore ACLs.
Diff Detail
Repository: rS FreeBSD src repository - subversion
Lint: Skipped
Unit Tests: Skipped
Build Status: Buildable 9311, Build 9776: CI src build Jenkins

Event Timeline
libexec/rtld-elf/rtld.c
  Line 425: I'm not a fan of "Cowardly" (even though I've seen it in similar kinds of cases) because I don't really see a clear connection between the message and the reason. I'll grant you that it does make some sense in that rtld is refusing to do something that would otherwise work fine, but the message isn't really actionable: how should the user make rtld be more brave? What about just "Refusing to run setuid/setgid binary"?
libexec/rtld-elf/rtld.c
  Line 425: I am fine with any reformulation of the message, as long as it is technically correct. Note that direct mode does not refuse to run a setuid binary; it does run such files, but of course without setting the uid. The situation where the message above is printed is different: it occurs when an already-setuid process execed ld.so without dropping euid to uid. There is no severe reason to refuse to run in direct mode in this case, but it could be an attack amplification. AFAIK, shells do refuse to run, or at least refuse to take some actions, in this situation too, so since this change is about 'security', I decided that doing the !trust check there as well would not hurt.
Overall this seems fine to me; a couple of comments.
libexec/rtld-elf/rtld.c
  Line 425: @jonathan any comments on suitable messages?
  Line 445: Prefer to remove this (one-line) commentary :)
  Line 463: inconsistent indentation?
  Line 466: perhaps "refusing to run binary without appropriate execute permission"?