Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S264623AbUFCXCZ (ORCPT ); Thu, 3 Jun 2004 19:02:25 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S264629AbUFCXCY (ORCPT ); Thu, 3 Jun 2004 19:02:24 -0400 Received: from smtp-roam.Stanford.EDU ([171.64.10.152]:14750 "EHLO smtp-roam.Stanford.EDU") by vger.kernel.org with ESMTP id S264623AbUFCXCS (ORCPT ); Thu, 3 Jun 2004 19:02:18 -0400 Message-ID: <40BFADE5.9040506@myrealbox.com> Date: Thu, 03 Jun 2004 16:01:57 -0700 From: Andy Lutomirski User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Andi Kleen , mingo@elte.hu CC: torvalds@osdl.org, linux-kernel@vger.kernel.org, akpm@osdl.org, arjanv@redhat.com, suresh.b.siddha@intel.com, jun.nakajima@intel.com Subject: Re: [announce] [patch] NX (No eXecute) support for x86, 2.6.7-rc2-bk2 References: <20040602205025.GA21555@elte.hu> <20040603072146.GA14441@elte.hu> <20040603124448.GA28775@elte.hu> <20040603175422.4378d901.ak@suse.de> In-Reply-To: <20040603175422.4378d901.ak@suse.de> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1431 Lines: 41 Andi Kleen wrote: > On Thu, 3 Jun 2004 14:44:48 +0200 > Ingo Molnar wrote: > > > >>- in exec.c, since address-space executability is a security-relevant >>item, we must clear the personality when we exec a setuid binary. I >>believe this is also a (small) security robustness fix for current >>64-bit architectures. > > > I'm not sure I like that. This means I cannot earily force an i386 uname > or 3GB address space on suid programs anymore on x86-64. > > While in theory it could be a small security problem I think the utility > is much greater. > > It's hard to see how setting NX could cause a security hole. The program > may crash, but it is unlikely to be exploitable. The whole point of NX, though, is that it prevents certain classes of exploits. If a setuid binary is vulnerable to one of these, then Ingo's patch "fixes" it. Your approach breaks that. I don't like Ingo's fix either, though. At least it should check CAP_PTRACE or some such. A better fix would be for LSM to pass down a flag indicating a change of security context. I'll throw that in to my caps/apply_creds cleanup, in case that ever gets applied. --Andy > > -Andi - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/