Date: Sun, 12 May 2019 03:31:13 +1000
From: Aleksa Sarai
To: Linus Torvalds
Cc: Andy Lutomirski, Jann Horn, Andy Lutomirski, Al Viro, Jeff Layton,
    "J. Bruce Fields", Arnd Bergmann, David Howells, Eric Biederman,
    Andrew Morton, Alexei Starovoitov, Kees Cook, Christian Brauner,
    Tycho Andersen, David Drysdale, Chanho Min, Oleg Nesterov,
    Aleksa Sarai, Linux Containers, linux-fsdevel, Linux API,
    kernel list, linux-arch
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
Message-ID: <20190511173113.qhqmv5q5f74povix@yavin>
References: <20190506165439.9155-1-cyphar@cyphar.com> <20190506165439.9155-6-cyphar@cyphar.com> <20190506191735.nmzf7kwfh7b6e2tf@yavin> <20190510204141.GB253532@google.com> <20190510225527.GA59914@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2019-05-11, Linus Torvalds wrote:
> On Sat, May 11, 2019 at 1:21 PM Linus Torvalds wrote:
> >
> > Notice? None of the real problems are about execve or would be solved
> > by any spawn API. You just think that because you've apparently been
> > talking to too many MS people that think fork (and thus indirectly
> > execve()) is bad process management.
>
> Side note: a good policy has been (and remains) to make suid binaries
> not be dynamically linked. And in the absence of that, the dynamic
> linker at least resets the library path when it notices itself being
> dynamic, and it certainly doesn't inherit any open flags from the
> non-trusted environment.
>
> And by the same logic, a suid interpreter must *definitely* should not
> inherit any execve() flags from the non-trusted environment. So I
> think Aleksa's patch to use the passed-in open flags is *exactly* the
> wrong thing to do for security reasons. It doesn't close holes, it
> opens them.

Yup, I've dropped the patch for the next version. (To be honest, I'm not
sure why I included any of the other flags -- the only one that would've
been necessary to deal with CVE-2019-5736 was AT_NO_MAGICLINKS.)

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH