Re: Dump a mode --x--x--x binary on Linux 2.0.x

casperHOLLAND.SUN.COM

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Paul Boehm: "Re: ANNOUNCE: secure identd v0.3"
• Previous message: Christos Zoulas: "Re: tcsh buffer overflow"
• In reply to: Alan Cox: "Re: Dump a mode --x--x--x binary on Linux 2.0.x"
• Next in thread: David Luyer: "Re: Dump a mode --x--x--x binary on Linux 2.0.x"

>> process-dump-... files in the current directory.  The executable itself
>> can be recovered by catting the first few files together and truncating
>> at the executable size.  I have tested this by reconstructing a copy of
>> /bin/cat which I had protected mode 111 under Linux 2.0.x.
>
>You can only do this for non setuid applications. I would question it
>is even a bug. Execute only is an extremely vague concept anyway on
>x86 since the chip doesnt really support it physically.

Solaris has the same "problem" and I too am not sure whether it's
a bug or not.  Also, filesystems like NFS make no distinction between
read-for-execute or read-for-reading.

Solaris /proc disallows access to execute only binaries, but its
LD_PRELOAD and also LD_LIBRARY_PATH have the exact same problem.
LD_LIBRARY_PATH is somewhat trickier to abuse as it requires you to
build an entire library and not just an object with a few replacement
function, although you might get very far by just using a .init section
and little substance.

>The convenience and usefulness of LD_PRELOAD seems to far outweigh this
>consideration for normal use. Its probably one for the 'secure linux'
>patch collection therefore.

Indeed, and I would think that disabling LD_LIBRARY_PATH too would have
serious usability impact.

Casper

• Next message: Paul Boehm: "Re: ANNOUNCE: secure identd v0.3"
• Previous message: Christos Zoulas: "Re: tcsh buffer overflow"
• In reply to: Alan Cox: "Re: Dump a mode --x--x--x binary on Linux 2.0.x"
• Next in thread: David Luyer: "Re: Dump a mode --x--x--x binary on Linux 2.0.x"