On Fri, 25 Jul 2003 11:33:14 PDT, Chris Wright said:

> How do you figure this? One of the first things execve() does (before
> bprm based LSM hooks) is deny_write_access(). This means writers and
> exec'ers are mutually exclusive.

% ldd /usr/local/bin/xmms
        libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40025000)
        libSM.so.6 => /usr/X11R6/lib/libSM.so.6 (0x40036000)
        libICE.so.6 => /usr/X11R6/lib/libICE.so.6 (0x4003f000)
        libxmms.so.1 => /usr/local/lib/libxmms.so.1 (0x40055000)
        libgtk-1.2.so.0 => /usr/lib/libgtk-1.2.so.0 (0x4005e000)
        libgdk-1.2.so.0 => /usr/lib/libgdk-1.2.so.0 (0x401a6000)
        libgmodule-1.2.so.0 => /usr/lib/libgmodule-1.2.so.0 (0x401df000)
        libgthread-1.2.so.0 => /usr/lib/libgthread-1.2.so.0 (0x401e2000)
        libglib-1.2.so.0 => /usr/lib/libglib-1.2.so.0 (0x401e5000)
        libdl.so.2 => /lib/libdl.so.2 (0x4020a000)
        libXi.so.6 => /usr/X11R6/lib/libXi.so.6 (0x4020e000)
        libXext.so.6 => /usr/X11R6/lib/libXext.so.6 (0x40216000)
        libX11.so.6 => /usr/X11R6/lib/libX11.so.6 (0x40226000)
        libm.so.6 => /lib/tls/libm.so.6 (0x40303000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00e80000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Lots of .so's. Those pages get protected *when*?

Does deny_write_access do checks for the block numbers of writes to /dev/hda7 or wherever your /usr/local happens to live?

Does deny_write_access have the desired effect if somebody finds a way to scribble on /dev/mem or /dev/swap?

Remember - I don't necessarily need to open /bin/login for writing in order to modify a page that /bin/login ends up executing as code.....
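An added example, not part of the original message: a small audit helper that parses `/proc/<pid>/maps` text and separates the file passed to execve() from every other file contributing executable pages, which is the set the ldd listing above points at. The sample reuses three paths and load addresses from that listing; mapping sizes, device numbers, inodes and the function names are constructed for illustration.

```python
import os
from collections import defaultdict

# Constructed sample in /proc/<pid>/maps format (not captured from a real
# system); only the paths and three load addresses come from the ldd output.
SAMPLE_MAPS = """\
08048000-08120000 r-xp 00000000 03:07 1201 /usr/local/bin/xmms
08120000-08128000 rw-p 000d8000 03:07 1201 /usr/local/bin/xmms
08128000-0814a000 rw-p 00000000 00:00 0 [heap]
40000000-40015000 r-xp 00000000 03:02 310 /lib/ld-linux.so.2
40015000-40016000 rw-p 00014000 03:02 310 /lib/ld-linux.so.2
40025000-40032000 r-xp 00000000 03:02 415 /lib/tls/libpthread.so.0
40055000-4005d000 r-xp 00000000 03:07 1377 /usr/local/lib/libxmms.so.1
4005d000-4005e000 rw-p 00007000 03:07 1377 /usr/local/lib/libxmms.so.1
40400000-40421000 rwxp 00000000 00:00 0
bfffe000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

def executable_files(maps_text):
    """Return {path: bytes mapped executable} for file-backed mappings."""
    sizes = defaultdict(int)
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # the path may itself contain spaces
        if len(fields) < 6:
            continue                   # anonymous mapping: no backing file
        addr, perms, _offset, _dev, inode, path = fields
        if "x" not in perms or inode == "0" or not path.startswith("/"):
            continue                   # not executable, or [heap]/[stack]/[vdso]
        start, end = (int(part, 16) for part in addr.split("-"))
        sizes[path] += end - start
    return dict(sizes)

def split_by_exec(maps_text, exe_path):
    """Split executable mappings into (exec'd binary, all other files)."""
    files = executable_files(maps_text)
    exe = {p: n for p, n in files.items() if p == exe_path}
    others = {p: n for p, n in files.items() if p != exe_path}
    return exe, others

if __name__ == "__main__":
    live = os.path.exists("/proc/self/maps")   # fall back to the sample off Linux
    text = open("/proc/self/maps").read() if live else SAMPLE_MAPS
    exe_path = os.path.realpath("/proc/self/exe") if live else "/usr/local/bin/xmms"
    exe, others = split_by_exec(text, exe_path)
    print("exec'd binary:", exe)
    for path, size in sorted(others.items()):
        print(f"other code source: {path} ({size} bytes executable)")
```
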