Re: [PATCH v5 0/6] Add support for O_MAYEXEC
From: MickaÃl SalaÃn
Date: Thu May 07 2020 - 05:30:11 EST
On 07/05/2020 11:00, David Laight wrote:
> From: MickaÃl SalaÃn
>> Sent: 07 May 2020 09:37
> ...
>>> None of that description actually says what the patch actually does.
>>
>> "Add support for O_MAYEXEC" "to enable to control script execution".
>> What is not clear here? This seems well understood by other commenters.
>> The documentation patch and the talks can also help.
>
> I'm guessing that passing O_MAYEXEC to open() requests the kernel
> check for execute 'x' permissions (as well as read).
Yes, but only with openat2().
>
> Then kernel policy determines whether 'read' access is actually enough,
> or whether 'x' access (possibly masked by mount permissions) is needed.
>
> If that is true, two lines say what is does.
The "A simple system-wide security policy" paragraph introduce that, but
I'll highlight it in the next cover letter. The most important point is
to understand why it is required, before getting to how it will be
implemented.
>
> Have you ever set a shell script permissions to --x--s--x ?
> Ends up being executable by everyone except the owner!
In this case the script is indeed executable but it can't be executed
because the interpreter (i.e. the user) needs to be able to read the
file. Of course, if the user has CAP_DAC_OVERRIDE (like the root user),
read is still allowed.
> Having the kernel pass all '#!' files to their interpreters
> through an open fd might help security.
This is interesting but it doesn't address the current issue: being able
to have a consistent (script) executability system policy. Maybe its
this point of view which wasn't clear enough?
> In that case the user doesn't need read access to the file
> in order to get an interpreter to process it.
Yes, but this brings security issues, because the interpreter (i.e. the
user) would then be able to read files without read permission.
> (You'd need to stop strace showing the contents to actually
> hide them.)
It doesn't matter if the process is traced or not, the kernel handles
impersonation scopes thanks to ptrace_may_access().