Page MenuHomeFreeBSD

Practice some security for the direct exec mode of ld.so.
ClosedPublic

Authored by kib on May 15 2017, 10:11 PM.
Tags
None
Referenced Files
Unknown Object (File)
Nov 15 2024, 4:59 AM
Unknown Object (File)
Nov 12 2024, 6:52 PM
Unknown Object (File)
Nov 12 2024, 9:00 AM
Unknown Object (File)
Nov 9 2024, 2:28 AM
Unknown Object (File)
Nov 9 2024, 12:46 AM
Unknown Object (File)
Nov 8 2024, 11:07 PM
Unknown Object (File)
Nov 8 2024, 9:57 PM
Unknown Object (File)
Nov 8 2024, 9:36 PM
Subscribers

Details

Summary

Do not allow direct exec if we the process is suid. Try to follow Unix permission checks for DACs, ignore ACLs.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 9291
Build 9748: CI src buildJenkins

Event Timeline

libexec/rtld-elf/rtld.c
425

I'm not a fan of "Cowardly" (even though I've seen it in similar kinds of cases) because I don't really see a clear connection between the message and the reason. I'll grant you that it does make some sense in that rtld is refusing to do something that would otherwise work fine, but the message isn't really actionable: how should the user make rtld be more brave?

What about just "Refusing to run setuid/setgid binary"?

libexec/rtld-elf/rtld.c
425

I am fine with any reformulation of the message, as far as it technically correct. Note that direct mode does not refuse to run a setuid binary, it does run such files, but of course, without setting uid. The situation where the message above is printed is different: it occurs when already setuid process execed ld.so without dropping euid to uid.

There is no severe reason to refuse to run in direct mode in this case, but it could be an attack amplification. AFAIK, shells do refuse to run, or at least refuse to take some actions in this situation too, so since this change is about 'security', I decided that doing !trust check there as well would not hurt.

Overall this seems fine to me, a couple of comments.

libexec/rtld-elf/rtld.c
425

@jonathan any comments on suitable messages?
"tainted process refusing to run binary %s" ?

444

Prefer to remove this (one line) commentary :)

462

inconsistent indentation?

465

perhaps "refusing to run binary without appropriate execute permission"?

kib marked 4 inline comments as done.

Cover Ed notes.

Update the message text.

This revision is now accepted and ready to land.May 16 2017, 7:39 PM
This revision was automatically updated to reflect the committed changes.