TPE should ignore directories where the sticky bit is set

Post by Stebalien » Fri Jan 22, 2016 2:34 pm

TPE/TPE_ALL should ignore group/other writability of parent directories where the sticky bit is set.

To illustrate, assume we're talking about /tmp (world writable with the sticky bit set) and we're operating under TPE_ALL.

  1. TPE allows a user to execute /tmp/my_dir/my_prog if /tmp/my_dir and /tmp/my_dir/my_prog are owned by root or the current user.
  2. TPE does not allow the user to execute /tmp/my_prog.

However, both of these cases have equivalent security because the sticky bit ensures that both /tmp/my_dir/ and /tmp/my_prog...

  1. ...must have been linked-in to /tmp by the file's owner or root,
  2. cannot be replaced/unlinked by anyone but the file's owner or root.

On another note, grsecurity should probably be checking parent directories recursively... As is, checking the parent directory but not higher level directories seems ineffective.
Stebalien
 
