OSEC

From: Jason R Thorpe (thorpejwasabisystems.com)
Date: Thu Oct 18 2001 - 17:22:36 CDT

    On Thu, Oct 18, 2001 at 03:11:26PM -0700, Jonathan Stone wrote:

    > I was actually wondering about hacking ld.{elf_}so -- or wherever
    > LD_PRELOAD and LD_LIBRARY_PATH are actually implemented; <dlfcn.h>? --
    > to check each element of a path and check for crossing over mountpoints
    > which are mounted noexec, and skipping those search-paths altogether.
    >
    > Not to close the security loophole -- we agree on the right place for
    > that -- but to give cleaner semantics to anyone fishing for loopholes.

    ...except you wouldn't want to do that... because a perfectly legitimate
    configuration might be to have a "noexec" /u1/ftp and a nullfs r/o mounted
    on /u1/ftp/bin that has some executables in it that the FTP server is
    allowed to run (just as an example).

    -- 
            -- Jason R. Thorpe <thorpejwasabisystems.com>
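
The configuration described in the message above, as an added example that is not part of the original post or of any ld.so code: it compares the per-element rule from the quoted proposal with a rule that looks only at the mount actually holding the path. The mount table is constructed, and the names `covers`, `skip_if_any_crossed_noexec` and `skip_if_final_mount_noexec` are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed mount table for the configuration in the message:
 * /u1/ftp is noexec, with an executable nullfs mounted on /u1/ftp/bin. */
struct mnt { const char *dir; bool noexec; };
static const struct mnt mounts[] = {
    { "/", false }, { "/u1/ftp", true }, { "/u1/ftp/bin", false },
};
#define NMOUNTS (sizeof(mounts) / sizeof(mounts[0]))

/* True if mount point dir contains path (match ends on a '/' boundary). */
static bool covers(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    if (n == 1)                       /* "/" covers every absolute path */
        return path[0] == '/';
    return strncmp(dir, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Per-element rule from the quoted proposal: skip the search path if any
 * mount crossed on the way to it is noexec. */
bool skip_if_any_crossed_noexec(const char *path)
{
    for (size_t i = 0; i < NMOUNTS; i++)
        if (mounts[i].noexec && covers(mounts[i].dir, path))
            return true;
    return false;
}

/* Alternative rule: only the mount that actually holds the path decides. */
bool skip_if_final_mount_noexec(const char *path)
{
    const struct mnt *best = NULL;
    for (size_t i = 0; i < NMOUNTS; i++)
        if (covers(mounts[i].dir, path) &&
            (best == NULL || strlen(mounts[i].dir) > strlen(best->dir)))
            best = &mounts[i];
    return best != NULL && best->noexec;
}

int main(void)
{
    const char *p[] = { "/u1/ftp/bin", "/u1/ftp/pub", "/usr/lib" };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s any-crossed=%d final-mount=%d\n", p[i],
               skip_if_any_crossed_noexec(p[i]), skip_if_final_mount_noexec(p[i]));
    return 0;
}
```

The two rules disagree only on `/u1/ftp/bin`, which is the legitimate nested mount the reply points to.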