Page MenuHomeFreeBSD

Practice some security for the direct exec mode of ld.so.
ClosedPublic

Authored by kib on May 15 2017, 10:11 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 18, 10:16 PM
Unknown Object (File)
Sat, Jan 18, 10:03 PM
Unknown Object (File)
Sat, Jan 18, 12:49 AM
Unknown Object (File)
Nov 30 2024, 1:21 AM
Unknown Object (File)
Oct 24 2024, 2:52 AM
Unknown Object (File)
Sep 27 2024, 3:04 AM
Unknown Object (File)
Sep 26 2024, 7:05 PM
Unknown Object (File)
Sep 25 2024, 10:59 PM
Subscribers

Details

Summary

Do not allow direct exec if we the process is suid. Try to follow Unix permission checks for DACs, ignore ACLs.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 9312

Event Timeline

libexec/rtld-elf/rtld.c
425

I'm not a fan of "Cowardly" (even though I've seen it in similar kinds of cases) because I don't really see a clear connection between the message and the reason. I'll grant you that it does make some sense in that rtld is refusing to do something that would otherwise work fine, but the message isn't really actionable: how should the user make rtld be more brave?

What about just "Refusing to run setuid/setgid binary"?

libexec/rtld-elf/rtld.c
425

I am fine with any reformulation of the message, as far as it technically correct. Note that direct mode does not refuse to run a setuid binary, it does run such files, but of course, without setting uid. The situation where the message above is printed is different: it occurs when already setuid process execed ld.so without dropping euid to uid.

There is no severe reason to refuse to run in direct mode in this case, but it could be an attack amplification. AFAIK, shells do refuse to run, or at least refuse to take some actions in this situation too, so since this change is about 'security', I decided that doing !trust check there as well would not hurt.

Overall this seems fine to me, a couple of comments.

libexec/rtld-elf/rtld.c
425

@jonathan any comments on suitable messages?
"tainted process refusing to run binary %s" ?

445

Prefer to remove this (one line) commentary :)

463

inconsistent indentation?

466

perhaps "refusing to run binary without appropriate execute permission"?

kib marked 4 inline comments as done.

Cover Ed notes.

Update the message text.

This revision is now accepted and ready to land.May 16 2017, 7:39 PM
This revision was automatically updated to reflect the committed changes.