Michal Zalewski writes:
>First of all - doing /lib/ld-linux.so.2 /program/on/noexec/partition is
>the simplest way to bypass noexec option, if only you have glibc 2.0.x.

Let's make sure we understand this correctly:

    #!/bin/sh
    /lib/ld-linux.so.2 "$@"

is roughly equivalent to:

    #!/bin/sh
    file=$1
    shift
    cp $file /tmp
    /tmp/$file "$@"
    rm /tmp/$file

(pardon any typos, I didn't try running it...)

And, of course, no one is capable of using mmap and PROT_EXEC to do
their own ld-linux.so-like wrapper, especially since no one has the
glibc source code to start from. ;-)

>Nothing to say, security by obscurity stinks.

The noexec mount option is not a security feature. It's a convenience
feature. It is unfortunate that people think that it is a security
feature, and I will say that you have found one of the more interesting
and subtle ways to show that it is not a security feature, but this is
NOT a glibc bug.

I do not know of any reason that it would hurt for ld-linux.so.2 to not
execute things that aren't executable (there might be, I just don't know
one way or the other) but THAT would be a laughable attempt at security
by obscurity, which, as you say, stinks.

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
prudent as the heavy petting of literature." -- Fran Lebowitz
Linux Application Development http://people.redhat.com/johnsonm/lad/
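
[Added example, not part of the original message or of glibc: a detection sketch that flags process command lines in which the dynamic loader is invoked directly on a path under a noexec mount, the form quoted at the top of the message. The function names, the /proc/mounts-style sample and the command lines are constructed for illustration; it covers only the direct-loader form, not the copy or mmap/PROT_EXEC routes the message also mentions.]

```python
import os
import re
import shlex

# glibc's dynamic loader under its usual names (ld.so, ld-linux.so.2, ld-linux-x86-64.so.2).
LOADER_RE = re.compile(r"^ld(-linux[\w-]*)?\.so(\.\d+)?$")

def noexec_mounts(mounts_text):
    """Mount points carrying the noexec option, from /proc/mounts-style text."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "noexec" in fields[3].split(","):
            points.append(fields[1].rstrip("/") or "/")
    return points

def under(path, mount):
    return mount == "/" or path == mount or path.startswith(mount + "/")
def flag_loader_exec(cmdline, mounts, cwd="/"):
    """Paths on noexec mounts passed to a directly invoked loader (lexical check, symlinks unresolved)."""
    argv = shlex.split(cmdline)
    if not argv or not LOADER_RE.match(os.path.basename(argv[0])):
        return []
    hits = []
    for arg in argv[1:]:
        path = os.path.normpath(os.path.join(cwd, arg))
        if any(under(path, m) for m in mounts):
            hits.append(path)
    return hits

# Constructed sample data, not taken from the original message.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext2 rw 0 0
/dev/sda3 /tmp ext2 rw,nosuid,noexec 0 0
/dev/hdc /mnt/cdrom iso9660 ro,noexec,nodev 0 0
"""
SAMPLE_EXECS = [
    "/lib/ld-linux.so.2 /mnt/cdrom/tool --help",
    "/lib/ld-linux.so.2 /usr/bin/id",
    "/bin/ls /tmp",
    "/lib64/ld-linux-x86-64.so.2 ../tmp/./a.out",
]

def scan(execs=SAMPLE_EXECS, mounts_text=SAMPLE_MOUNTS, cwd="/home"):
    mounts = noexec_mounts(mounts_text)
    return [(c, h) for c in execs if (h := flag_loader_exec(c, mounts, cwd))]

if __name__ == "__main__":
    print(*scan(), sep="\n")
```
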
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:19 PDT