On Nov 15, 2012, at 11:20 AM, Emmanuel Dreyfus wrote:

> Thor Lancelot Simon <t...@panix.com> wrote:
>
>> The point is, this is interesting functionality that makes something
>> new possible that is potentially useful from a security point of view,
>> but the new thing that's possible also breaks assumptions that existing
>> code may rely on to get security guarantees it wants.
>
> Well, it is standard mandated and we want to be standard compliant. If
> it is a security hazard, we can have a sysctl to disable the system
> call. Something like
> sysctl -w kern.fexecve = 0 and it would return ENOSYS.
Well, I kind of agree that in a chroot, it should not be able to invoke setuid/setgid programs nor programs not owned by root nor a FD opened for write.
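As an added example (not code from this thread or from NetBSD's fexecve implementation), a userspace C wrapper that applies the three chroot restrictions just listed before calling fexecve(): the target must not be setuid/setgid, must be owned by root, and the descriptor must not be open for writing. The `in_chroot` flag and the helper names are assumptions, since a process cannot reliably tell from userspace whether it is chrooted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure policy decision, kept separate from the syscall so it can be exercised
 * without root or a real chroot. Returns 1 if execution is allowed, 0 if not;
 * *reason names the rule that refused it. */
int fexecve_chroot_policy(const struct stat *st, int oflags, const char **reason)
{
    if (!S_ISREG(st->st_mode)) { *reason = "not a regular file"; return 0; }
    if (st->st_mode & (S_ISUID | S_ISGID)) { *reason = "setuid/setgid program"; return 0; }
    if (st->st_uid != 0) { *reason = "not owned by root"; return 0; }
    /* O_ACCMODE masks the access mode out of the F_GETFL flags. */
    if ((oflags & O_ACCMODE) != O_RDONLY) { *reason = "descriptor opened for writing"; return 0; }
    *reason = "ok";
    return 1;
}

/* Convenience for exercising the policy with constructed file facts
 * (mode bits, owner uid, open flags) instead of a live descriptor. */
int policy_for(mode_t mode, uid_t uid, int oflags)
{
    struct stat st = {0};
    const char *why;
    st.st_mode = mode;
    st.st_uid = uid;
    return fexecve_chroot_policy(&st, oflags, &why);
}

/* Assumed wrapper: gather the facts about fd, apply the policy when the caller
 * says it is inside a chroot, then hand off to the real fexecve(2).
 * Returns -1 with errno = EACCES when the policy refuses. */
int checked_fexecve(int fd, int in_chroot, char *const argv[], char *const envp[])
{
    if (in_chroot) {
        struct stat st;
        const char *why;
        int fl = fcntl(fd, F_GETFL);
        if (fl == -1 || fstat(fd, &st) == -1)
            return -1;
        if (!fexecve_chroot_policy(&st, fl, &why)) {
            errno = EACCES;
            return -1;
        }
    }
    return fexecve(fd, argv, envp);
}
```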