On 2019-05-11, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > On Sat, May 11, 2019 at 1:21 PM Linus Torvalds > <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > > > > Notice? None of the real problems are about execve or would be solved > > by any spawn API. You just think that because you've apparently been > > talking to too many MS people that think fork (and thus indirectly > > execve()) is bad process management. > > Side note: a good policy has been (and remains) to make suid binaries > not be dynamically linked. And in the absence of that, the dynamic > linker at least resets the library path when it notices itself being > dynamic, and it certainly doesn't inherit any open flags from the > non-trusted environment. > > And by the same logic, a suid interpreter must *definitely* should not > inherit any execve() flags from the non-trusted environment. So I > think Aleksa's patch to use the passed-in open flags is *exactly* the > wrong thing to do for security reasons. It doesn't close holes, it > opens them. Yup, I've dropped the patch for the next version. (To be honest, I'm not sure why I included any of the other flags -- the only one that would've been necessary to deal with CVE-2019-5736 was AT_NO_MAGICLINKS.) -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature