From: Rich Felker <dalias@libc.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: Joshua Hudson <joshudson@gmail.com>, musl@lists.openwall.com
Subject: Re: Re: posix_spawn
Date: Tue, 1 Oct 2019 07:42:46 -0400 [thread overview]
Message-ID: <20191001114246.GC16318@brightrain.aerifal.cx> (raw)
In-Reply-To: <87pnjhvtch.fsf@oldenburg2.str.redhat.com>
On Tue, Oct 01, 2019 at 09:05:18AM +0200, Florian Weimer wrote:
> * Rich Felker:
>
> > This is not safe and creates a false sense that something broken might
> > work. Moreover it's a vulnerability to use it this way. You have a
> > window where different tasks sharing VM space are executing with
> > different privilege levels, and thereby one is able to seize execution
> > of the other and achieve its privilege level.
>
> That's a non-sequitur. A shared address space does not necessarily mean
> that execution under one set of credentials will have unrestricted
> effects on executions under different credentials within the same
> address space.
It does, but not necessarily in all circumstances. The case in which
is it dangerous is when one of the tasks is "dropping privileges"
before executing code that either intentionally (e.g. a login session,
script interpreter, etc. acting behalf of the new user) or
unintentionally (because the code after dropping privileges is not as
heavily scrutinized and has a vulnerability) lets the attacker execute
code they control. In that case, the now-attacker-controlled task can
perform operations on the VM space of the privileged task, e.g. using
mmap to replace the code it's executing with whatever it wants.
This issue is why it's so important that setuid, etc. not return
before all threads have been confirmed to have completed the operation
(just queuing or initiating it for them all is not enough).
Rich
next prev parent reply other threads:[~2019-10-01 11:42 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-30 21:15 posix_spawn Joshua Hudson
2019-09-30 22:36 ` posix_spawn Rich Felker
2019-10-01 1:58 ` Joshua Hudson
2019-10-01 2:21 ` Rich Felker
2019-10-01 2:41 ` Joshua Hudson
2019-10-01 2:55 ` Rich Felker
2019-10-01 7:05 ` Florian Weimer
2019-10-01 11:42 ` Rich Felker [this message]
2019-10-01 14:07 ` posix_spawn Joshua Hudson
2019-10-01 14:15 ` posix_spawn Florian Weimer
2019-10-01 14:44 ` posix_spawn Rich Felker
2019-10-01 15:06 ` Rich Felker
2019-10-16 12:40 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191001114246.GC16318@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=fweimer@redhat.com \
--cc=joshudson@gmail.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).