Re: [PATCH v2 1/2] exec: add a flag for "reasonable" execveat() comm

From: Tycho Andersen
Date: Tue Oct 01 2024 - 09:43:56 EST

Next message: Gregory Price: "Re: [RFC 1/5] cxl: Rename ACPI_CEDT_CFMWS_RESTRICT_TYPE2/TYPE3"
Previous message: Simon Horman: "Re: [PATCH net] net: ethernet: marvell: octeontx2: nic: Add error pointer check in otx2_ethtool.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Sep 30, 2024 at 03:10:29PM -0500, Eric W. Biederman wrote:
> "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> writes:
>
> > Kees Cook <kees@xxxxxxxxxx> writes:
>
> >> I'm not super comfortable doing this regardless of bprm->fdpath; that
> >> seems like too many cases getting changed. Can we just leave it as
> >> depending on bprm->fdpath?
>
> I was recommending that because I did not expect that there was any
> widespread usage of aliasing of binary names using symlinks.
>
> I realized today that on debian there are many aliases
> of binaries created with the /etc/alternatives mechanism.
> So there is much wider exposure to problems than I would have
> supposed.
>
> So I remove any objections to making the new code conditional on bprm->fdpath.

Yep, and it looks like Alpine distributes busybox with symlinks
instead of hard links. I will respin with a fixed subject line shortly.

Thanks,

Tycho

Next message: Gregory Price: "Re: [RFC 1/5] cxl: Rename ACPI_CEDT_CFMWS_RESTRICT_TYPE2/TYPE3"
Previous message: Simon Horman: "Re: [PATCH net] net: ethernet: marvell: octeontx2: nic: Add error pointer check in otx2_ethtool.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]