Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds

Theodore Y. Ts'o (tytso@MIT.EDU)
Tue, 4 Aug 1998 15:51:50 -0400

From: alan@lxorguk.ukuu.org.uk (Alan Cox)
Date: Tue, 4 Aug 1998 18:36:29 +0100 (BST)

Security patches aren't intended to fix bugs in software. They are a
recogntion of the fact that nobody has mastered the art of writing highly
secure software.

The No-Exec Stack Hack does indeed raises the bar to make it harder to
explict certain kinds of security holes. My only reason for being
nervous is that it may null developers into a false sense of security,
thinking that they no longer have to worry about stack overruns because
the No-Exec Stack Hack will save them. That's a bad assumption, because
it doesn't make it impossible to carry out these attacks; it just makes
it harder. (For example, instead of executing on the stack, an attacker
might be able to force the return address to be inside the libc
implementation of system(); if he/she can force it to exec a /bin/sh,
possibly with bogus arguments but enough so that it starts an
interactive shell, the stack hack won't save you.)

This is not a technical argument, then, but a social one. This doesn't
mean that we shouldn't put the stack hack into mainline at some point.
It just means we have to be careful how we market it, and make sure
developers still worry about stack overruns.

- Ted

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html