Bug 1222498

Summary: Critical security vulnerability. Execution permissions ignored and easily bypassed.
Product: [openSUSE] openSUSE Tumbleweed Reporter: Phoenix <phoenix91140>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None CC: Andreas.Stieger, oberkut, phoenix91140, R_Nik_C, werwolf131313
Version: CurrentFlags: Andreas.Stieger: needinfo? (phoenix91140)
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE Tumbleweed   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Phoenix 2024-04-09 04:32:44 UTC 
First of all, affected distros: ALL.

To reproduce.

Make any separate executable. Make it denied to execute. Then run this: /lib64/ld-linux-x86-64.so.2 ./your_exec . Execution permission fully ignored. Can abuse this to execute whatever you want despite of execution permission present or missing. Bug over 10 years old and can be well abused for hacking and exploiting permissions.
Comment 1 Andreas Stieger 2024-04-09 06:38:55 UTC 
Reporter seems to have trivial understanding of what executable permissions do. Any file that a user can read they can also copy and execute in their own context. You don’t even have to call the linker, just copy the file.

Reporter in the light of that can you please explain how this crosses a privilege boundary?

Security team would you like to educate?
Comment 2 Phoenix 2024-04-09 06:58:15 UTC 
For easiest experiment switch user to nobody. Imagine you technically can not write that file anywhere, expect maybe tmpfs or temp. You can execute stuff that normally should not be executable, you can dump memory cache, abuse meltdown and other stuff then if execution permission means in fact nothing and system ignores completely execution permissions. Ok, you can not write on disk much let's say, but it's enough to upload data generated by executable to external ftps etc.

Exec permission is pointless in the first place, if it's ignored that easily. Executable can generate as well sensible data. There are many ways to abuse it, or otherwise execution permission could be dropped as useless in the first place.
Comment 3 Phoenix 2024-04-09 07:00:54 UTC 
And somehow I didn't test this yet => https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html , but it seems partition level noexec got fixed, but general permission fix did not follow up
Comment 4 Andreas Stieger 2024-04-09 07:18:29 UTC 
This is your first bug report on this bugzilla. It does not make much sense to re-iterate what you believe. Please take a step back and try to dis-confirm your beliefs, as we do. 

If a user has an account on a machine they can run things on the machine. How they get the code does not matter. If they copy a binary from somewhere that's fine. I think you care conflating "can execute THIS file" with "can execute SOMETHING".

This would only be concern if things like setuid/setgid/caps etc are kept, which I don't think is the case here. Can you dive into that?
Comment 5 Phoenix 2024-04-09 07:48:03 UTC 
Well, maybe it's my first bug report with this account, since I forgot my old one, not using it years, while staying on distribution.

I am software engineer at back-end side. Well even let's ask here, do I have a user account in normal mean on server? I doubt I do. It's just username and password in database with apache rights. I am allowed to upload attachment. Linux makes no sense when called to execute what extension file is. Any web server able to upload files does first stem - uploading file. Normally apache would set it to non executable and prevent even if explicitly attempted to set 0777 to do that due to security reasons, I know that cause I developed own C++ CMS from scratch many years ago and doing that over 10 years. So here to we go to last remaining phase, if to fix any single tiny possibility attempt to execute file that was not intended to be executed and system permission ignored here we have security breach from just one small negative thing up to residental spy daemon leaking whole accessible data away, thanks to system no caring about execution permission. Surely yet need to find a way to trigger that, but it happens to find and such possibility makes hacker's life sensibly easier if execution permissions doesn't matter, if instead of system(something) and get decline, you can all linked and ignore any rights needed for execution.

If it still seems unsensible, just close the ticket. I didn't actually expect any positive reaction, but I know well how such things can be abused for breaching rights not supposed to have. As you understand if that performed, thing would hijack apache rights and able to stay resident until all needed work done.
Comment 6 Andreas Stieger 2024-04-09 08:22:31 UTC 
You are describing some general concerns, based on knowing just enough. Again I believe that you are confusing executable permissions on a file with the (different) permission to run code as a user. These are different security concerns.

Can you please provide succinct reproduction steps that demonstrate your concern crossing a privilege boundary?
Comment 7 Andreas Stieger 2024-04-09 15:07:06 UTC 
I guess the reporter refers to this "problem"...

Preparation:

$ sudo zypper in hello
$ ls -l /usr/bin/hello
# (-rwxr-xr-x)
$ /usr/bin/hello
Hello, world!
$ sudo chmod o-x /usr/bin/hello

"Problem":

$ /usr/bin/hello
-bash: /usr/bin/hello: Permission denied
/lib64/ld-linux-x86-64.so.2 /usr/bin/hello
Hello, world!
$ cp /usr/bin/hello .
./hello
Hello, world!

If that is the case this is a non-issue. A user can run any executable they like with their own permissions. The fact that this is a system binary is irrelevant, they could have compiled or copies this themselves. You are not looking for control via the executable permissions, but for restricted shells (rush) or mandatory access controls. Closing.