As usual, thanks for the quick replies! Here is the original question,
and replies. Please note that Claude make an interesting point in his
response.
On Wed, 21 Apr 1999, Ian 'Ivo' Veach wrote:
> Greetings. For those of us still in our admin swaddling, could someone
> explain the practical implications of this (from the security README):
>
> >This solution will default to making the stack of all suid programs to be
> >not executable, hence closing the security hole. However, please be aware
> >that any user applications which rely on the stack being executable will
> >fail. For situations where the machines are being used behind firewalls
>
> Generally, do apps need an executable stack to work, and when
> might an app need an executable stack? Specifically, will general SUID
> apps still work? Any specific apps that you know will have problems?
>
From: John P Speno <speno_at_isc.upenn.edu>
==========================================================================
Not in general, and we haven't found any examples of programs that will
fail specifically.
From: "Dr. Tom Blinn, 603-884-0646" <tpb_at_doctor.zk3.dec.com>
==========================================================================
In general, applications should NOT need an executable stack. The case where
an application MIGHT need an executable stack would an applications that uses
self-modifying code and puts that code on the stack and executes it there.
This would be a truly odd application. I can imagine such an application but
it's not a normal case.
So, most suid applications should work, but only someone who understands how
the code works can say for sure.
I personally probably would not trust as suid applications that construct code
on the stack and then execute it. Such applications are intrinsically NOT
easy to verify vis a vis correct or secure operation. But you might want to
take that risk, and if your system is truly secure, that might be a risk that
is worth taking for some well-understood set of applications.
From: Claude Scarpelli <claude_at_genoscope.cns.fr>
==========================================================================
Most application will work. I do not have an example of an application
that will fail.
But why is it only restricted to suid application ? daemon running as
root are very vulnerable to stack overflow.
Received on Wed Apr 21 1999 - 19:18:11 NZST