> If you don't have read rights you can open with O_EXEC instead, and
> you can't read the file you just opened; it merely provides a
> mechanism to pointlessly use fexecve.
I disagree that it's pointless. You can still check that, for example, it's the same dev/inumber/size you have recorded in a database of what executables ought to be. Not as good as a full checksum, but certainly a higher bar than just winning a switch-the-symlink race.

Also, as someone else pointed out upthread, you can open executables before you chroot, hang onto the fds, and execute them later.

fexecve() is also the only way to execute a binary that has no accessible name (and chroots are not the only way that can happen). For example, maybe you've just written into an unlinked file, or maybe it exists in a part of the filesystem namespace that now has something mounted in front of it. (Whether these are good things to be able to do is open to debate, of course.)