Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters

From: Linus Torvalds
Date: Sat May 11 2019 - 13:35:37 EST

Next message: Theodore Ts'o: "Re: [PATCH v2 00/17] kunit: introduce KUnit, the Linux kernel unit testing framework"
Previous message: Aleksa Sarai: "Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters"
In reply to: Linus Torvalds: "Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters"
Next in thread: Aleksa Sarai: "Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, May 11, 2019 at 1:21 PM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Notice? None of the real problems are about execve or would be solved
> by any spawn API. You just think that because you've apparently been
> talking to too many MS people that think fork (and thus indirectly
> execve()) is bad process management.

Side note: a good policy has been (and remains) to make suid binaries
not be dynamically linked. And in the absence of that, the dynamic
linker at least resets the library path when it notices itself being
dynamic, and it certainly doesn't inherit any open flags from the
non-trusted environment.

And by the same logic, a suid interpreter must *definitely* should not
inherit any execve() flags from the non-trusted environment. So I
think Aleksa's patch to use the passed-in open flags is *exactly* the
wrong thing to do for security reasons. It doesn't close holes, it
opens them.

Linus

Next message: Theodore Ts'o: "Re: [PATCH v2 00/17] kunit: introduce KUnit, the Linux kernel unit testing framework"
Previous message: Aleksa Sarai: "Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters"
In reply to: Linus Torvalds: "Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters"
Next in thread: Aleksa Sarai: "Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]