Steffen Nurpmeso wrote:
[...]
> Some findings:
> . I note that the mentioned files are writable by only root (and
> i would assume MAP_DENYWRITE to only work if i could do so
> myself).
I believe that most executables are writable only by root, but available
to unprivileged users. Since the purpose of MAP_DENYWRITE seems to have
been ensuring that executables cannot change out from underneath running
programs, it would need to work when unprivileged users map the file;
thus the DoS problem.
> . Capabilities have become more fine-grained.
> . I always whimper when i have to rm(1) a running executable before
> placing an updated variant on Linux, on BSDs i simply over-cp(1)
> (and i do not understand as long as one gets either the one or
> the other when executing the path).
Simple solution:
- write the new executable under a temporary name
- use link(2) to create a new name for the existing executable
- use rename(2) to atomically replace the existing executable
- use unlink(2) to remove the old version after any needed checks
You can dispense with link(2) and unlink(2) if you do not want to
preserve a backup of the old executable. Using this method will change
the executable's inode number (meaning that it really is a different
file) and that means that the old version can remain on disk for as long
as it remains in use, even after its last name has been removed.
-- Jacob
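The four-step replacement Jacob describes (temporary name, link(2), rename(2), unlink(2)), as an added example in C that is not part of the original thread. The function `replace_executable`, the self-check `demo_replace`, and the file names under `/tmp/replace-demo.XXXXXX` are all illustrative choices of this example. The self-check holds the old file open before replacing it, standing in for a process that is still executing it, and confirms that the path names a new inode afterwards, that the backup link names the old inode, and that the open descriptor still reads the old bytes even after the backup name is unlinked.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write all of `data` to an open descriptor, retrying on short writes. */
static int write_all(int fd, const void *data, size_t len)
{
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Install `data` as the executable at `target` without a half-written or
 * missing file ever being visible at that path:
 *   1. write the new contents under a temporary name in the same directory
 *      (same filesystem, so the rename(2) below is atomic);
 *   2. if `backup` is non-NULL, link(2) the current executable to that name
 *      so the old version keeps a name;
 *   3. rename(2) the temporary over `target`; a process executing the old
 *      binary keeps the old inode, which lives on until its last reference
 *      (name or open mapping) is gone.
 * Returns 0 on success, -1 with errno set otherwise. The temporary file is
 * removed on any failure.
 */
int replace_executable(const char *target, const char *backup,
                       const void *data, size_t len)
{
    char tmp[PATH_MAX];
    int fd, saved;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", target) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = mkstemp(tmp);                 /* created O_EXCL with mode 0600 */
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0755) < 0 || write_all(fd, data, len) < 0 || fsync(fd) < 0)
        goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;

    if (backup) {
        (void)unlink(backup);          /* drop a stale backup, if any */
        if (link(target, backup) < 0 && errno != ENOENT)
            goto fail;                 /* ENOENT: no old version to keep */
    }
    if (rename(tmp, target) < 0)
        goto fail;
    return 0;

fail:
    saved = errno;
    if (fd >= 0) close(fd);
    (void)unlink(tmp);
    errno = saved;
    return -1;
}

/* Inode number of `path`, or 0 if it cannot be stat'ed. */
ino_t inode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

/*
 * Self-check in a fresh temporary directory (constructed data, two tiny
 * shell scripts stand in for real executables). Returns 0 on success or
 * the number of the step that failed.
 */
int demo_replace(void)
{
    char dir[] = "/tmp/replace-demo.XXXXXX";
    char target[PATH_MAX], backup[PATH_MAX], buf[64];
    static const char v1[] = "#!/bin/sh\necho v1\n";
    static const char v2[] = "#!/bin/sh\necho v2\n";
    const size_t n1 = sizeof v1 - 1;
    ino_t old_ino = 0;
    int fd = -1, rc = 0;

    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/prog", dir);
    snprintf(backup, sizeof backup, "%s/prog.old", dir);

    if (replace_executable(target, NULL, v1, n1) < 0)            rc = 2;
    else if ((old_ino = inode_of(target)) == 0)                  rc = 3;
    else if ((fd = open(target, O_RDONLY)) < 0)                  rc = 4; /* "running" old binary */
    else if (replace_executable(target, backup, v2, sizeof v2 - 1) < 0) rc = 5;
    else if (inode_of(target) == old_ino)                        rc = 6; /* path must name a new inode */
    else if (inode_of(backup) != old_ino)                        rc = 7; /* backup is the old inode */
    else if (pread(fd, buf, sizeof buf, 0) != (ssize_t)n1 ||
             memcmp(buf, v1, n1) != 0)                           rc = 8; /* old fd still reads v1 */
    else if (unlink(backup) < 0)                                 rc = 9;
    else if (pread(fd, buf, sizeof buf, 0) != (ssize_t)n1 ||
             memcmp(buf, v1, n1) != 0)                           rc = 10; /* survives losing its last name */

    if (fd >= 0) close(fd);
    (void)unlink(target); (void)unlink(backup); (void)rmdir(dir);
    return rc;
}
```

Because the new contents are written to a different inode and only the directory entry is swapped, the writer never opens a file that is currently being executed, which is what produces ETXTBSY on Linux when one tries to cp(1) over a running binary in place. If durability across a crash matters, fsync(2) the containing directory after the rename(2) as well; the example only fsyncs the new file itself.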