.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Copyright (c) 1992 Drew Eckhardt (drew@cs.colorado.edu), March 28, 1992
.\" and Copyright (c) 2006 Michael Kerrisk <mtk-manpages@gmx.net>
.\"
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date. The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein. The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\"
.\" Modified by Michael Haardt <michael@moria.de>
.\" Modified 1993-07-21 by Rik Faith <faith@cs.unc.edu>
.\" Modified 1994-08-21 by Michael Chastain <mec@shell.portal.com>:
.\" Modified 1997-01-31 by Eric S. Raymond <esr@thyrsus.com>
.\" Modified 1999-11-12 by Urs Thuermann <urs@isnogud.escape.de>
.\" Modified 2004-06-23 by Michael Kerrisk <mtk-manpages@gmx.net>
.\" 2006-09-04 Michael Kerrisk <mtk-manpages@gmx.net>
.\" Added list of process attributes that are not preserved on exec().
.\"
.TH EXECVE 2 2006-09-04 "Linux 2.6.17" "Linux Programmer's Manual"
.SH NAME
execve \- execute program
.SH SYNOPSIS
.B #include <unistd.h>
.sp
.BI "int execve(const char *" filename ", char *const " argv "[], "
.br
.BI " char *const " envp []);
.SH DESCRIPTION
.BR execve ()
executes the program pointed to by \fIfilename\fP.
\fIfilename\fP must be either a binary executable, or a script
starting with a line of the form:

.in +0.5i
.nf
\fB#! \fIinterpreter \fR[optional-arg]
.fi
.in

For details of the latter case, see "Interpreter scripts" below.

\fIargv\fP is an array of argument strings passed to the new program.
\fIenvp\fP is an array of strings, conventionally of the form
\fBkey=value\fR, which are passed as environment to the new program.
Both \fIargv\fP and \fIenvp\fP must be terminated by a null pointer.
The argument vector and environment can be accessed by the
called program's main function, when it is defined as:

.in +0.5i
.nf
int main(int argc, char *argv[], char *envp[])\fR.
.fi
.in

.BR execve ()
does not return on success, and the text, data, bss, and
stack of the calling process are overwritten by that of the program
loaded.

If the current program is being ptraced, a \fBSIGTRAP\fP is sent to it
after a successful
.BR execve ().

If the set-user-ID bit is set on the program file pointed to by
\fIfilename\fP,
and the underlying file system is not mounted
.IR nosuid
(the
.B MS_NOSUID
flag for
.BR mount (2)),
and the calling process is not being ptraced,
then the effective user ID of the calling process is changed
to that of the owner of the program file.
Similarly, when the set-group-ID
bit of the program file is set the effective group ID of the calling
process is set to the group of the program file.

The effective user ID of the process is copied to the saved set-user-ID;
similarly, the effective group ID is copied to the saved set-group-ID.
This copying takes place after any effective ID changes that occur
because of the set-user-ID and set-group-ID permission bits.

If the executable is an a.out dynamically-linked
binary executable containing
shared-library stubs, the Linux dynamic linker
.BR ld.so (8)
is called at the start of execution to bring
needed shared libraries into memory
and link the executable with them.

If the executable is a dynamically-linked ELF executable, the
interpreter named in the PT_INTERP segment is used to load the needed
shared libraries.
This interpreter is typically
\fI/lib/ld-linux.so.1\fR for binaries linked with the Linux libc
version 5, or \fI/lib/ld-linux.so.2\fR for binaries linked with the
GNU libc version 2.

All process attributes are preserved during an
.BR execve (),
except the following:
.IP * 4
The set of pending signals is cleared
.RB ( sigpending (2)).
.IP * 4
The dispositions of any signals that are being caught are
reset to being ignored.
.IP * 4
Any alternate signal stack is not preserved
.RB ( sigaltstack (2)).
.IP * 4
Memory mappings are not preserved
.RB ( mmap (2)).
.IP * 4
Attached System V shared memory segments are detached
.RB ( shmat (2)).
.IP * 4
POSIX shared memory regions are unmapped
.RB ( shm_open (3)).
.IP * 4
Open POSIX message queue descriptors are closed
.RB ( mq_overview (7)).
.IP * 4
Any open POSIX named semaphores are closed
.RB ( sem_overview (7)).
.IP * 4
POSIX timers are not preserved
.RB ( timer_create (3)).
.IP * 4
Any open directory streams are closed
.RB ( opendir (3)).
.IP * 4
Memory locks are not preserved
.RB ( mlock (2),
.BR mlockall (2)).
.IP * 4
Exit handlers are not preserved
.RB ( atexit (3),
.BR on_exit (3)).
.PP
The process attributes in the preceding list are all specified
in POSIX.1-2001.
The following Linux-specific process attributes are also
not preserved during an
.BR execve ():
.IP * 4
The
.BR prctl (2)
.B PR_SET_DUMPABLE
flag is set,
unless a set-user-ID or set-group-ID program is being executed,
in which case it is cleared.
.IP * 4
The
.BR prctl (2)
.B PR_SET_KEEPCAPS
flag is cleared.
.IP * 4
The process name, as set by
.BR prctl (2)
.B PR_SET_NAME
(and displayed by
.IR "ps \-o comm" ),
is reset to the name of the new executable file.
.IP * 4
The termination signal is reset to SIGCHLD
(see
.BR clone (2)).
.PP
Note the following further points:
.IP * 4
All threads other than the calling thread are destroyed during an
.BR execve ().
Mutexes, condition variables, and other pthreads objects are not preserved.
.IP * 4
The equivalent of \fIsetlocale(LC_ALL, "C")\fP
is executed at program start-up.
.IP * 4
POSIX.1-2001 specifies that the dispositions of any signals that
are ignored or set to the default are left unchanged.
POSIX.1-2001 specifies one exception: if SIGCHLD is being ignored,
then an implementation may leave the disposition unchanged or
reset it to the default; Linux does the former.
.IP * 4
Any outstanding asynchronous I/O operations are cancelled
.RB ( aio_read (3),
.BR aio_write (3)).
.IP * 4
For the handling of capabilities during
.BR execve (2),
see
.BR capabilities (7).
.IP * 4
By default, file descriptors remain open across an
.BR execve ().
File descriptors that are marked close-on-exec are closed;
see the description of
.BR FD_CLOEXEC
in
.BR fcntl (2).
(If a file descriptor is closed, this will cause the release
of all record locks obtained on the underlying file by this process.
See
.BR fcntl (2)
for details.)
POSIX.1-2001 says that if file descriptors 0, 1, and 2 would
otherwise be closed after a successful
.BR execve (),
and the process would gain privilege because the set-user-ID or
set-group-ID permission bit was set on the executed file,
then the system may open an unspecified file for each of these
file descriptors.
As a general principle, no portable program, whether privileged or not,
can assume that these three file descriptors will remain
closed across an
.BR execve ().
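Added example, not part of the execve(2) page or its EXAMPLE programs: the two behaviours just described, a descriptor that stays open across execve() and one marked FD_CLOEXEC that is closed by it, observed from C. set_cloexec() and is_cloexec() wrap fcntl(2); fd_survives_exec() forks a child, execs /bin/sh and asks the shell whether the descriptor is still open in the new program image. All three helpers are written for this example; the probe assumes /bin/sh exists and returns -1 if it cannot be run.

```c
/* Added example (not from the execve(2) page): file descriptors across
 * execve() with and without FD_CLOEXEC. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec without disturbing its other descriptor flags.
 * Returns 0 on success, -1 (errno set by fcntl) on failure. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Returns 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Returns 1 if fd is still open in a program exec'd by this process,
 * 0 if the execve() closed it, -1 if the probe could not be run.
 * The child execs "sh -c ': 2>/dev/null >&N'": redirecting onto a closed
 * descriptor makes the shell fail, so its exit status reports whether
 * descriptor N survived the exec. (Assumes /bin/sh is present.) */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    char *const argv[] = { "sh", "-c", cmd, NULL };
    char *const envp[] = { NULL };      /* constructed: empty environment */

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, envp);
        _exit(127);                     /* execve() only returns on error */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;                      /* /bin/sh itself could not be exec'd */
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int plain = open("/dev/null", O_RDWR);
    int guarded = open("/dev/null", O_RDWR);
    if (plain == -1 || guarded == -1 || set_cloexec(guarded) == -1) {
        perror("setup");
        return EXIT_FAILURE;
    }
    printf("fd %d (no FD_CLOEXEC) open after exec: %d\n",
           plain, fd_survives_exec(plain));
    printf("fd %d (FD_CLOEXEC)    open after exec: %d\n",
           guarded, fd_survives_exec(guarded));
    return EXIT_SUCCESS;
}
```

Descriptors a new program image has no business inheriting (a pipe back to the parent, a listening socket, a file opened while privileged) are the usual candidates for FD_CLOEXEC; the probe reports 1 for the plain descriptor and 0 for the guarded one.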
.\" On Linux it appears that these file descriptors are
.\" always open after an execve(), and it looks like
.\" Solaris 8 and FreeBSD 6.1 are the same. -- mtk, 30 Apr 2007
.SS Interpreter scripts
An interpreter script is a text file that has execute
permission enabled and whose first line is of the form:

.in +0.5i
.nf
\fB#! \fIinterpreter \fR[optional-arg]
.fi
.in

The
.I interpreter
must be a valid pathname for an
executable which is not itself a script.
If the
.I filename
argument of
.BR execve ()
specifies an interpreter script, then
.I interpreter
will be invoked with the following arguments:

.in +0.5i
.nf
\fIinterpreter\fR [optional-arg] \fIfilename\fR arg...
.fi
.in

where
.I arg...
is the series of words pointed to by the
.I argv
argument of
.BR execve ().

For portable use,
.I optional-arg
should either be absent, or be specified as a single word (i.e., it
should not contain white space); see NOTES below.
.SH "RETURN VALUE"
On success,
.BR execve ()
does not return, on error \-1 is returned, and
.I errno
is set appropriately.
.SH ERRORS
.TP
.B E2BIG
The total number of bytes in the environment
.RI ( envp )
and argument list
.RI ( argv )
is too large.
.TP
.B EACCES
Search permission is denied on a component of the path prefix of
.I filename
or the name of a script interpreter.
(See also
.BR path_resolution (2).)
.TP
.B EACCES
The file or a script interpreter is not a regular file.
.TP
.B EACCES
Execute permission is denied for the file or a script or ELF interpreter.
.TP
.B EACCES
The file system is mounted
.IR noexec .
.TP
.B EFAULT
.I filename
points outside your accessible address space.
.TP
.B EINVAL
An ELF executable had more than one PT_INTERP segment (i.e., tried to
name more than one interpreter).
.TP
.B EIO
An I/O error occurred.
.TP
.B EISDIR
An ELF interpreter was a directory.
.TP
.B ELIBBAD
An ELF interpreter was not in a recognised format.
.TP
.B ELOOP
Too many symbolic links were encountered in resolving
.I filename
or the name of a script or ELF interpreter.
.TP
.B EMFILE
The process has the maximum number of files open.
.TP
.B ENAMETOOLONG
.I filename
is too long.
.TP
.B ENFILE
The system limit on the total number of open files has been reached.
.TP
.B ENOENT
The file
.I filename
or a script or ELF interpreter does not exist, or a shared library
needed for the file or interpreter cannot be found.
.TP
.B ENOEXEC
An executable is not in a recognised format, is for the wrong
architecture, or has some other format error that means it cannot be
executed.
.TP
.B ENOMEM
Insufficient kernel memory was available.
.TP
.B ENOTDIR
A component of the path prefix of
.I filename
or a script or ELF interpreter is not a directory.
.TP
.B EPERM
The file system is mounted
.IR nosuid ,
the user is not the superuser,
and the file has the set-user-ID or set-group-ID bit set.
.TP
.B EPERM
The process is being traced, the user is not the superuser and the
file has the set-user-ID or set-group-ID bit set.
.TP
.B ETXTBSY
Executable was open for writing by one or more processes.
.SH "CONFORMING TO"
SVr4, 4.3BSD, POSIX.1-2001.
POSIX.1-2001 does not document the #! behavior
but is otherwise compatible.
.\" SVr4 documents additional error
.\" conditions EAGAIN, EINTR, ELIBACC, ENOLINK, EMULTIHOP; POSIX does not
.\" document ETXTBSY, EPERM, EFAULT, ELOOP, EIO, ENFILE, EMFILE, EINVAL,
.\" EISDIR or ELIBBAD error conditions.
.SH NOTES
Set-user-ID and set-group-ID processes cannot be
.BR ptrace (2)d.

Linux ignores the set-user-ID and set-group-ID bits on scripts.

The result of mounting a filesystem
.I nosuid
varies across Linux kernel versions:
some will refuse execution of set-user-ID and set-group-ID
executables when this would
give the user powers she did not have already (and return EPERM),
some will just ignore the set-user-ID and set-group-ID bits and
.BR exec ()
successfully.

A maximum line length of 127 characters is allowed for the first line in
a #! executable shell script.

The semantics of the
.I optional-arg
argument of an interpreter script vary across implementations.
On Linux, the entire string following the
.I interpreter
name is passed as a single argument to the interpreter,
and this string can include white space.
However, behavior differs on some other systems.
Some systems
.\" e.g., Solaris 8
use the first white space to terminate
.IR optional-arg .
On some systems,
.\" e.g. FreeBSD before 6.0, but not FreeBSD 6.0 onwards
an interpreter script can have multiple arguments,
and white spaces in
.I optional-arg
are used to delimit the arguments.
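Added example, not from the page and not kernel code: how the first line of an interpreter script (the form given under "Interpreter scripts" above) becomes the argument vector interpreter [optional-arg] filename arg... that the interpreter receives. It shows the Linux treatment of optional-arg as one argument beside the split-at-white-space treatment some other systems apply, and it considers only the first 127 characters of the line, the limit stated above. build_interp_argv(), the optarg_policy enumeration and the constructed first lines are this example's own names.

```c
/* Added example (not from the execve(2) page): building the interpreter's
 * argv from a script's "#! interpreter [optional-arg]" line. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHEBANG_MAX 127     /* first-line limit stated in NOTES */
#define MAX_ARGS    64      /* constructed bound for this example */

/* OPTARG_WHOLE: Linux, everything after the interpreter is one argument.
 * OPTARG_SPLIT: the behaviour NOTES ascribes to some other systems. */
enum optarg_policy { OPTARG_WHOLE, OPTARG_SPLIT };

/* Fills out[] (NULL-terminated) with the vector the interpreter would get:
 *   out[0]   interpreter pathname from the #! line
 *   then     optional-arg (one or several words, per policy), if present
 *   then     script_path, standing in for script_argv[0]
 *   then     script_argv[1..]
 * Parsed words live in buf (caller-owned, at least SHEBANG_MAX + 1 bytes).
 * Returns the argument count, or -1 if the line is not a #! line, names no
 * interpreter, or out[] would overflow. */
int build_interp_argv(const char *first_line, const char *script_path,
                      char *const script_argv[], enum optarg_policy policy,
                      char *buf, size_t buflen, char *out[], size_t outlen)
{
    if (strncmp(first_line, "#!", 2) != 0)
        return -1;

    /* Only the first SHEBANG_MAX characters of the line are considered. */
    size_t n = strcspn(first_line + 2, "\n");
    if (n > SHEBANG_MAX - 2)
        n = SHEBANG_MAX - 2;
    if (n + 1 > buflen)
        return -1;
    memcpy(buf, first_line + 2, n);
    buf[n] = '\0';

    /* Skip blanks, then isolate the interpreter pathname. */
    char *p = buf + strspn(buf, " \t");
    if (*p == '\0')
        return -1;                          /* no interpreter named */
    size_t argc = 0;
    out[argc++] = p;
    p += strcspn(p, " \t");
    if (*p != '\0') {
        *p++ = '\0';
        p += strspn(p, " \t");
    }
    /* Whatever remains is optional-arg; drop trailing blanks. */
    size_t len = strlen(p);
    while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '\t'))
        p[--len] = '\0';

    if (*p != '\0') {
        if (policy == OPTARG_WHOLE) {
            if (argc >= outlen) return -1;
            out[argc++] = p;                /* one argument, blanks kept */
        } else {
            for (char *w = strtok(p, " \t"); w != NULL; w = strtok(NULL, " \t")) {
                if (argc >= outlen) return -1;
                out[argc++] = w;            /* one argument per word */
            }
        }
    }
    if (argc >= outlen) return -1;
    out[argc++] = (char *)script_path;      /* filename replaces argv[0] */
    for (size_t i = 1; script_argv[i] != NULL; i++) {
        if (argc >= outlen) return -1;
        out[argc++] = script_argv[i];
    }
    if (argc >= outlen) return -1;
    out[argc] = NULL;
    return (int)argc;
}

int main(void)
{
    /* Constructed input mirroring the page's EXAMPLE: script.sh begins with
     * "#! ./myecho script-arg" and is exec'd with argv {./script.sh, hello, world}. */
    char *const script_argv[] = { "./script.sh", "hello", "world", NULL };
    char buf[SHEBANG_MAX + 1];
    char *argv_out[MAX_ARGS];
    int n = build_interp_argv("#! ./myecho script-arg\n", "./script.sh",
                              script_argv, OPTARG_WHOLE, buf, sizeof buf,
                              argv_out, MAX_ARGS);
    for (int i = 0; i < n; i++)
        printf("argv[%d]: %s\n", i, argv_out[i]);
    return n < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run as is, the program reproduces the five argv entries shown for script.sh in EXAMPLE. Feeding the same line with OPTARG_SPLIT, or a line whose optional-arg contains blanks, shows why the page recommends a single word for portable use: the interpreter sees a different vector on the two kinds of system.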

On Linux,
.I argv
and
.I envp
can be specified as NULL,
which has the same effect as specifying these arguments
as pointers to lists containing a single NULL pointer.
.BR "Do not take advantage of this misfeature!"
It is non-standard and non-portable:
on most other Unix systems doing this will result in an error.
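Added example, not from the page: the checks a caller can make on argv and envp before calling execve(), so that the Linux-only acceptance of NULL vectors is never relied on and envp really holds the key=value strings described above. validate_exec_args(), exec_args_bytes() and checked_execve() are hypothetical helpers written for this example; the environment strings are constructed sample values.

```c
/* Added example (not from the execve(2) page): validating argv and envp
 * before execve(). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 0 if argv and envp are acceptable, else -1 with errno = EINVAL:
 *  - neither vector may be NULL (portable code passes real, NULL-terminated
 *    vectors, as the page requires);
 *  - argv must carry at least argv[0], the conventional program name;
 *  - every envp entry must be "key=value" with a non-empty key. */
int validate_exec_args(char *const argv[], char *const envp[])
{
    if (argv == NULL || envp == NULL || argv[0] == NULL) {
        errno = EINVAL;
        return -1;
    }
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || eq == envp[i]) {      /* no '=' or empty key */
            errno = EINVAL;
            return -1;
        }
    }
    return 0;
}

/* Approximates the bytes execve() must copy for argv and envp (each string
 * plus its terminator); a caller can compare it against the system's limit
 * to anticipate E2BIG instead of discovering it at exec time. */
size_t exec_args_bytes(char *const argv[], char *const envp[])
{
    size_t total = 0;
    for (size_t i = 0; argv[i] != NULL; i++)
        total += strlen(argv[i]) + 1;
    for (size_t i = 0; envp[i] != NULL; i++)
        total += strlen(envp[i]) + 1;
    return total;
}

/* execve() guarded by the checks above; like execve(), returns only on error. */
int checked_execve(const char *path, char *const argv[], char *const envp[])
{
    if (validate_exec_args(argv, envp) == -1)
        return -1;
    return execve(path, argv, envp);
}

int main(int argc, char *argv[])
{
    /* Constructed: a minimal explicit environment instead of the caller's. */
    char *const env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };
    char *const bad_env[] = { "PATH=/usr/bin:/bin", "NOEQUALS", NULL };

    if (validate_exec_args(argv, bad_env) == -1)
        perror("bad_env rejected");             /* EINVAL: "NOEQUALS" has no '=' */

    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return EXIT_FAILURE;
    }
    printf("argv+envp: %zu bytes\n", exec_args_bytes(argv + 1, env));
    checked_execve(argv[1], argv + 1, env);
    perror("checked_execve");                   /* reached only on failure */
    return EXIT_FAILURE;
}
```

Passing an explicit, minimal envp rather than the caller's environ is the same habit the page's own execve.c example shows with its empty newenviron array; the validation step merely makes the two preconditions stated in DESCRIPTION (NULL-terminated vectors, key=value entries) fail loudly before the kernel is involved.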
.\" e.g. EFAULT on Solaris 8 and FreeBSD 6.1; but
.\" HP-UX 11 is like Linux -- mtk, Apr 2007
.\" FIXME .
.\" Bug filed 30 Apr 2007: http://bugzilla.kernel.org/show_bug.cgi?id=8408
.\" Maybe this will get fixed (but it would constitute an ABI change).
.\"
.\" .SH BUGS
.\" Some Linux versions have failed to check permissions on ELF
.\" interpreters. This is a security hole, because it allows users to
.\" open any file, such as a rewinding tape device, for reading. Some
.\" Linux versions have also had other security holes in
.\" .BR execve(2)
.\" that could be exploited for denial of service by a suitably crafted
.\" ELF binary. There are no known problems with 2.0.34 or 2.2.15.
.SS Historical
With Unix V6 the argument list of an
.BR exec ()
call was ended by 0,
while the argument list of
.I main
was ended by \-1. Thus, this
argument list was not directly usable in a further
.BR exec ()
call.
Since Unix V7 both are NULL.
.SH EXAMPLE
The following program is designed to be execed by the second program below.
It just echoes its command-line arguments, one per line.

.in +0.5i
.nf
/* myecho.c */

#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char *argv[])
{
    int j;

    for (j = 0; j < argc; j++)
        printf("argv[%d]: %s\\n", j, argv[j]);

    exit(EXIT_SUCCESS);
}
.fi
.in

This program can be used to exec the program named in its command-line
argument:

.in +0.5i
.nf
/* execve.c */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <assert.h>

int
main(int argc, char *argv[])
{
    char *newargv[] = { NULL, "hello", "world", NULL };
    char *newenviron[] = { NULL };

    assert(argc == 2);  /* argv[1] identifies
                           program to exec */
    newargv[0] = argv[1];

    execve(argv[1], newargv, newenviron);
    perror("execve");   /* execve() only returns on error */
    exit(EXIT_FAILURE);
}
.fi
.in

We can use the second program to exec the first as follows:

.in +0.5i
.nf
$ cc myecho.c -o myecho
$ cc execve.c -o execve
$ ./execve ./myecho
argv[0]: ./myecho
argv[1]: hello
argv[2]: world
.fi
.in

We can also use these programs to demonstrate the use of a script
interpreter.
To do this we create a script whose "interpreter" is our
.I myecho
program:

.in +0.5i
.nf
$ cat > script.sh
#! ./myecho script-arg
^D
$ chmod +x script.sh
.fi
.in

We can then use our program to exec the script:

.in +0.5i
.nf
$ ./execve ./script.sh
argv[0]: ./myecho
argv[1]: script-arg
argv[2]: ./script.sh
argv[3]: hello
argv[4]: world
.fi
.in
.SH "SEE ALSO"
.BR chmod (2),
.BR fork (2),
.BR path_resolution (2),
.BR ptrace (2),
.BR execl (3),
.BR fexecve (3),
.BR environ (7),
.BR ld.so (8)