> Date: Sun, 8 Sep 2019 14:03:03 -0400
> From: Thor Lancelot Simon <t...@panix.com>
>
> On Sun, Sep 08, 2019 at 01:23:46PM -0400, Christos Zoulas wrote:
> >
> > Here's a simple fexecve(2) implementation. Comments?
>
> I think this is dangerous in systems which use chroot into filesystems
> mounted noexec (or nosuid) and file-descriptor passing into the constrained
> environment to feed data. Now new executables (and even setuid ones) can
> be fed in, too.
>
> What can we do about that?
It sounds like you're positing:

- there is a chrooted process A
- there is a colluding process B outside the chroot
- they share a socket
- B can open setuid executables and send their fds over the socket
- A can now execute setuid executables outside the chroot

How is this substantively different from the following?

- there is a chrooted process A
- there is a colluding process B outside the chroot
- they share a socket
- A can ask B to execute files by pathname and B will happily oblige
- A can now execute setuid executables outside the chroot

That is, under what meaningful circumstances can you rule out the first
scenario but not the second one?