Bugtraq mailing list archives

Re: Dump a mode --x--x--x binary on Linux 2.0.x

From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 15 Sep 1998 20:20:15 +0200

process-dump-... files in the current directory.  The executable itself
can be recovered by catting the first few files together and truncating
at the executable size.  I have tested this by reconstructing a copy of
/bin/cat which I had protected mode 111 under Linux 2.0.x.


You can only do this for non setuid applications. I would question it
is even a bug. Execute only is an extremely vague concept anyway on
x86 since the chip doesnt really support it physically.


Solaris has the same "problem" and I too am not sure whether it's
a bug or not.  Also, filesystems like NFS make no distinction between
read-for-execute or read-for-reading.

Solaris /proc disallows access to execute only binaries, but its
LD_PRELOAD and also LD_LIBRARY_PATH have the exact same problem.
LD_LIBRARY_PATH is somewhat trickier to abuse as it requires you to
build an entire library and not just an object with a few replacement
function, although you might get very far by just using a .init section
and little substance.

The convenience and usefulness of LD_PRELOAD seems to far outweigh this
consideration for normal use. Its probably one for the 'secure linux'
patch collection therefore.


Indeed, and I would think that disabling LD_LIBRARY_PATH too would have
serious usability impact.

Casper

Current thread:

Dump a mode --x--x--x binary on Linux 2.0.x David Luyer (Sep 14)
- Re: Dump a mode --x--x--x binary on Linux 2.0.x Alan Cox (Sep 15)
  - Re: Dump a mode --x--x--x binary on Linux 2.0.x Casper Dik (Sep 15)
- <Possible follow-ups>
- Re: Dump a mode --x--x--x binary on Linux 2.0.x David Luyer (Sep 15)
  - Re: Dump a mode --x--x--x binary on Linux 2.0.x Neale Banks (Sep 16)
  - Re: Dump a mode --x--x--x binary on Linux 2.0.x Martin Mares (Sep 17)