Michal Zalewski writes:
>First of all - doing /lib/ld-linux.so.2 /program/on/noexec/partition is
>the simplest way to bypass noexec option, if only you have glibc 2.0.x.

Let's make sure we understand this correctly:

#!/bin/sh
/lib/ld-linux.so.2 "$@"

is roughly equivalent to:

#!/bin/sh
file=$1
shift
cp "$file" /tmp
"/tmp/${file##*/}" "$@"
rm "/tmp/${file##*/}"

(pardon any typos, I didn't try running it...)

And, of course, no one is capable of using mmap and PROT_EXEC to do
their own ld-linux.so-like wrapper, especially since no one has the
glibc source code to start from.  ;-)

>Nothing to say, security by obscurity stinks.

The noexec mount option is not a security feature.  It's a convenience
feature.  It is unfortunate that people think that it is a security
feature, and I will say that you have found one of the more interesting
and subtle ways to show that it is not a security feature, but this is
NOT a glibc bug.  I do not know of any reason that it would hurt for
ld-linux.so.2 to not execute things that aren't executable (there might
be, I just don't know one way or the other) but THAT would be a laughable
attempt at security by obscurity, which, as you say, stinks.

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development     http://people.redhat.com/johnsonm/lad/
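
Seen from the defender's side, the message above means noexec cannot be relied on to block execution, so a direct loader invocation against a file on a noexec mount is something to look for in exec logs. The following is an added example, not part of the original message: the mount table and command lines are constructed samples, and the loader name pattern and the list of value-taking loader options are assumptions.

```python
import posixpath
import re
import shlex

# Constructed /proc/mounts-style table and exec records (not from the message).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /home ext4 rw,nodev,noexec 0 0
/dev/sdc1 /home/build ext4 rw,relatime 0 0
"""
SAMPLE_EXECS = [
    "/lib/ld-linux.so.2 /tmp/tool --flag",
    "/lib64/ld-linux-x86-64.so.2 --library-path /opt/lib /home/alice/a.out",
    "/lib/ld-linux.so.2 /usr/bin/true",
    "/lib/ld-linux.so.2 /home/build/out/prog",
    "/bin/ls /tmp",
]
# Assumptions: loader basenames, and the loader options that consume a value.
LOADER_RE = re.compile(r"^ld-linux[\w.-]*\.so\.\d+$")
VALUE_OPTS = {"--library-path", "--inhibit-rpath", "--audit", "--preload", "--argv0"}

def parse_mounts(text):
    """Map mount point -> option set; a later line overrides an earlier one."""
    rows = (line.split() for line in text.splitlines())
    return {f[1]: set(f[3].split(",")) for f in rows if len(f) >= 4}

def on_noexec(path, mounts):
    """True if the longest matching mount point for path carries noexec.
    Symlinks and relative paths are not resolved here."""
    path = posixpath.normpath(path)
    owners = [m for m in mounts
              if path == m or path.startswith(m.rstrip("/") + "/")]
    return bool(owners) and "noexec" in mounts[max(owners, key=len)]

def loader_target(cmdline):
    """Return the program a direct loader invocation is asked to load, or None."""
    argv = shlex.split(cmdline)
    if not argv or not LOADER_RE.match(posixpath.basename(argv[0])):
        return None
    i = 1
    while i < len(argv) and argv[i].startswith("--"):
        i += 2 if argv[i] in VALUE_OPTS else 1
    return argv[i] if i < len(argv) else None

def flag_execs(execs, mounts_text):
    """List (command line, target) pairs where the target sits on noexec."""
    mounts = parse_mounts(mounts_text)
    pairs = ((cmd, loader_target(cmd)) for cmd in execs)
    return [(c, t) for c, t in pairs if t and on_noexec(t, mounts)]
```

This only matches the stock loader by name; a custom wrapper built on mmap and PROT_EXEC, as the message notes, would not appear in such a check.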
