bug-bash

Re: [PATCH/RFC] do not source/exec scripts on noexec mount points


From: Mike Frysinger
Subject: Re: [PATCH/RFC] do not source/exec scripts on noexec mount points
Date: Sat, 12 Dec 2015 17:53:35 -0500

On 12 Dec 2015 15:06, Bob Proulx wrote:
> Mike Frysinger wrote:
> > But bash itself has no problem running this file:
> >   $ bash /dev/shm/test.sh
> >   hi
> >...
> > This detracts from the security of the overall system.  People
> > writing scripts sometimes want to save/restore state (like
> > variables) and will restore the content from a noexec point using
> > the aforementioned source command without realizing that it executes
> > code too.  Of course their code is wrong, but it would be nice if
> > the system would catch & reject it explicitly to stave off
> > inadvertent usage.
> 
> I don't think it makes sense for a userland program to be an enforcer
> of this type of check.  It gives a false impression of a security that
> does not exist.  Which I think is more dangerous.

i disagree, and it's the right place imo: the program that does the
interpreting in the first place (i.e. the shell) should be checking
for the settings where it's going to be loading that interpreted
code.

the reason binary loaders (e.g. ELF ldso's) don't need to do this is
the kernel either prevents it directly (`./foo`) or indirectly (when
the ldso tries to mmap the file with exec bits, the kernel will check
for the noexec mount setting).

> It will almost
> certainly get in the way of a reasonable use case.

can you name a reasonable use case this breaks?

> And nothing
> prevents one from running a private copy of a shell without such a
> check.  Or any of the many compatible /bin/sh variants such as ksh,
> zsh, ash, dash, and so forth.

you're assuming (1) the user has access to a writable && exec mount point
and (2) those other shells are installed.  clamping both of those
loopholes is trivial and i've seen a number of systems that do exactly that.
Chrome OS for example only mounts / as executable and that is also read
only.  i imagine other verified boot systems enforce similar sanity, as
do remote hosts (a number of systems i have ssh access to do this).

i also plan on sending patches for shells i care about (e.g. dash).
-mike
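The check Mike argues the interpreter itself should make, written here as an added POSIX shell example (not code from the thread, from bash, or from the proposed patch): before sourcing a file, find the mount it lives on and refuse if that mount is `noexec`. The `MOUNTS_FILE` variable, the function names and the 126 exit status are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from bash: a userspace
# approximation of the check the patch proposes. Before sourcing a file,
# look up the mount that holds it in a /proc/self/mounts-style table and
# refuse if that mount carries the noexec option. MOUNTS_FILE is an
# assumed knob so a constructed table can be used instead of the live one.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/self/mounts}"

# mount_opts_for PATH: print the option string of the longest mount point
# that is a prefix of PATH, i.e. the mount the file actually lives on.
# Note: PATH is not canonicalised here; a production check would resolve
# symlinks first so the lookup matches the file that really gets read.
mount_opts_for() {
    path=$1 best= best_opts=
    while read -r _dev mnt _type opts _rest; do
        prefix=${mnt%/}          # "/" becomes "" so its pattern is "/*"
        case "$path" in
            "$mnt"|"$prefix"/*)
                if [ ${#mnt} -ge ${#best} ]; then
                    best=$mnt best_opts=$opts
                fi
                ;;
        esac
    done < "$MOUNTS_FILE"
    printf '%s\n' "$best_opts"
}

# is_noexec PATH: succeed (0) if PATH lives on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$1")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# safe_source FILE: source FILE only when its mount permits execution,
# mirroring what the kernel already does for binaries at mmap/exec time.
safe_source() {
    if is_noexec "$1"; then
        printf 'refusing to source %s: noexec mount\n' "$1" >&2
        return 126
    fi
    . "$1"
}
```

Against a live system, `is_noexec /dev/shm/test.sh` reflects whatever options /dev/shm is actually mounted with, so the result varies by host.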
