On Thu, Nov 15, 2012 at 04:02:50PM -0500, Thor Lancelot Simon wrote:
> On Thu, Nov 15, 2012 at 06:35:48PM +0000, Julian Yon wrote:
> >
> > As you mention Linux, their man page for fexecve states "The file
> > descriptor fd must be opened read-only, and the caller must have
> > permission to execute the file that it refers to." It sounds like that
> > might be what you're missing? I certainly interpret it to mean that if
> > you can't execve the file, you can't fexecve a FD to it either.
>
> So. Suppose I have a chrooted environment where all accessible filesystems
> are mounted either ro or noexec. Or for that matter just nosuid.
>
> Now someone passes in a file descriptor, from the outside, that is on a
> filesystem that is not mounted with either of those options. Perhaps,
> as Matt suggested, one for a setuid executable, yet. Whoops.
Well setuid executables seem like a special case, but other than that, I
think I can probably manage to execute something without an exec call. In
fact I know I can, just by linking against any dynamic library and calling
one of the functions in it.

eric
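The scenario Thor Lancelot Simon describes above (a chroot whose own mounts are ro, noexec or nosuid, and a descriptor passed in from a filesystem outside it) is one the kernel's execve-time checks will not catch on the sandbox's behalf, because the mount flags that apply are those of the filesystem the fd actually lives on. What a receiving process can do is apply its own policy to the fd before handing it to fexecve(). The following C program is an added example written for this page; it is not code from the thread or from any of its participants. It assumes Linux with glibc (fexecve() and the non-POSIX ST_NOEXEC flag, which is guarded by an #ifdef), and the reason-code names, the allowed-device rule and the temp-file paths are choices made here, not anything the thread specifies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

extern char **environ;

/* Reason codes (names chosen for this example). 0 means the fd passed every check. */
enum fd_exec_reason {
    FD_EXEC_OK          =  0,
    FD_EXEC_SYSCALL     = -1,  /* fstat/fstatvfs/pipe failed; errno is set */
    FD_EXEC_NOT_REGULAR = -2,  /* pipe, socket, directory, device ... */
    FD_EXEC_FOREIGN_FS  = -3,  /* fd lives on a filesystem other than the allowed one */
    FD_EXEC_FS_NOEXEC   = -4,  /* backing filesystem is mounted noexec */
    FD_EXEC_SETID       = -5,  /* set-uid/set-gid bit on a file received from outside */
    FD_EXEC_NO_XBIT     = -6   /* no execute permission bit at all */
};

/* Policy check on an fd we are about to hand to fexecve(). allowed_dev is the
 * st_dev of the filesystem the sandbox considers its own (0 = don't check).
 * Everything is queried on the fd itself, so a path rename between check and
 * exec cannot change the answer. */
int fd_exec_check(int fd, dev_t allowed_dev)
{
    struct stat st;
    struct statvfs vfs;

    if (fstat(fd, &st) != 0)
        return FD_EXEC_SYSCALL;
    if (!S_ISREG(st.st_mode))
        return FD_EXEC_NOT_REGULAR;
    if (allowed_dev != 0 && st.st_dev != allowed_dev)
        return FD_EXEC_FOREIGN_FS;
    if (fstatvfs(fd, &vfs) != 0)
        return FD_EXEC_SYSCALL;
#ifdef ST_NOEXEC                  /* glibc/Linux extension, not in POSIX */
    if (vfs.f_flag & ST_NOEXEC)
        return FD_EXEC_FS_NOEXEC;
#endif
    if (st.st_mode & (S_ISUID | S_ISGID))
        return FD_EXEC_SETID;     /* refuse set-id binaries outright, whatever the fs */
    if ((st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
        return FD_EXEC_NO_XBIT;
    return FD_EXEC_OK;
}

/* fexecve() only after the policy check; returns a reason code on refusal or failure. */
int checked_fexecve(int fd, dev_t allowed_dev, char *const argv[], char *const envp[])
{
    int rc = fd_exec_check(fd, allowed_dev);
    if (rc != FD_EXEC_OK) {
        if (rc != FD_EXEC_SYSCALL)
            errno = EACCES;
        return rc;
    }
    fexecve(fd, argv, envp);      /* returns only on failure */
    return FD_EXEC_SYSCALL;
}

/* Constructed input: a pipe is not a regular file and must be refused
 * before any mount flag is consulted. */
int check_pipe_fd(void)
{
    int p[2];
    if (pipe(p) != 0)
        return FD_EXEC_SYSCALL;
    int rc = fd_exec_check(p[0], 0);
    close(p[0]);
    close(p[1]);
    return rc;
}

/* Constructed input: an unlinked temp file with the given mode. With
 * pretend_foreign set, the allowed device is deliberately wrong, modelling
 * an fd handed in from a filesystem outside the chroot. */
int check_tmpfile(mode_t mode, int pretend_foreign)
{
    char path[] = "/tmp/fdexec-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {                               /* fall back to cwd if /tmp is unusable */
        strcpy(path, "./fdexec-demo-XXXXXX");
        fd = mkstemp(path);
        if (fd < 0)
            return FD_EXEC_SYSCALL;
    }
    unlink(path);
    struct stat st;
    if (fstat(fd, &st) != 0 || fchmod(fd, mode) != 0) {
        close(fd);
        return FD_EXEC_SYSCALL;
    }
    dev_t allowed = pretend_foreign ? st.st_dev + 1 : st.st_dev;
    int rc = fd_exec_check(fd, allowed);
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    struct stat root;
    if (argc < 2 || stat("/", &root) != 0) {
        fprintf(stderr, "usage: %s /path/to/program [args...]\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        perror("open");
        return 2;
    }
    /* Only files on the same filesystem as our root are accepted. */
    int rc = checked_fexecve(fd, root.st_dev, argv + 1, environ);
    fprintf(stderr, "refused or failed: reason %d (%s)\n", rc, strerror(errno));
    return 1;
}
```

The device comparison is the part that addresses the "fd from outside" case directly: a sandboxed process records the st_dev of its own root once at startup and refuses descriptors whose backing filesystem differs, independently of what mount flags that outside filesystem carries. The set-id refusal is deliberately unconditional, since a nosuid mount inside the chroot says nothing about a file that did not come from it. As Eric's reply notes, none of this prevents code from running via a dynamic library, so the check is a guard for the fexecve path only.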