Re: Dump a mode --x--x--x binary on Linux 2.0.x

From: Casper Dik (casperat_private)
Date: Tue Sep 15 1998 - 11:20:15 PDT


    >> process-dump-... files in the current directory.  The executable itself
    >> can be recovered by catting the first few files together and truncating
    >> at the executable size.  I have tested this by reconstructing a copy of
    >> /bin/cat which I had protected mode 111 under Linux 2.0.x.
    >
    >You can only do this for non setuid applications. I would question it
    >is even a bug. Execute only is an extremely vague concept anyway on
    >x86 since the chip doesn't really support it physically.
    
    Solaris has the same "problem" and I too am not sure whether it's
    a bug or not.  Also, filesystems like NFS make no distinction between
    read-for-execute or read-for-reading.
    
    Solaris /proc disallows access to execute only binaries, but its
    LD_PRELOAD and also LD_LIBRARY_PATH have the exact same problem.
    LD_LIBRARY_PATH is somewhat trickier to abuse as it requires you to
    build an entire library and not just an object with a few replacement
    functions, although you might get very far by just using a .init section
    and little substance.
    
    >The convenience and usefulness of LD_PRELOAD seems to far outweigh this
    >consideration for normal use. It's probably one for the 'secure linux'
    >patch collection therefore.
    
    Indeed, and I would think that disabling LD_LIBRARY_PATH too would have
    serious usability impact.
    
    Casper
    
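A defender-side check of the point made in this thread, as an added example that is not part of the original posts or of any system they mention: a shell function that lists execute-only files under a directory and separates the setuid ones (where the loader ignores LD_PRELOAD, as noted above) from the rest, whose contents should be assumed disclosable. It assumes only a POSIX find(1) and test(1); the two classification labels are chosen here, not taken from the thread.

```shell
#!/bin/sh
# Added audit helper (not from the original thread).
# find_exec_only DIR
#   Prints one line per file that has at least one execute bit but no read
#   bit for anyone (the --x--x--x style discussed above), in the form
#   "<class> <path>" where <class> is:
#     exec-only      not setuid; on the systems discussed (Linux 2.0.x,
#                    Solaris) a missing read bit gives no confidentiality,
#                    so treat the file's contents as readable by its users
#     exec-only-suid setuid; the dynamic loader ignores LD_PRELOAD here,
#                    so only the /proc-style dump path remains a concern
# Assumes POSIX find(1) (-perm -mode = all listed bits set) and test(1) -u.
find_exec_only() {
    dir=$1
    # Any execute bit set, and none of the three read bits set.
    find "$dir" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        ! -perm -400 ! -perm -040 ! -perm -004 \
        -exec sh -c '
            for f in "$@"; do
                if [ -u "$f" ]; then
                    printf "exec-only-suid %s\n" "$f"
                else
                    printf "exec-only %s\n" "$f"
                fi
            done' sh {} +
}

# Stand-alone usage: audit the directory given on the command line,
# defaulting to /usr/local/bin (a constructed default, not from the thread).
if [ "${1:-}" != "" ] || [ -z "${FIND_EXEC_ONLY_NO_MAIN:-}" ]; then
    : # no-op guard so the function can also be sourced without side effects
fi
```

When sourced for a larger audit, call `find_exec_only /some/dir` and feed the `exec-only` lines to whatever inventory or ticketing you use; the `exec-only-suid` lines are the only ones where the mode bit still buys anything against an LD_PRELOAD reader.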