Finding where an executable was run from -- a proposal.
John Gilmore
gnu at hoptoad.uucp
Mon May 23 10:45:17 AEST 1988
mer6g at uvaarpa.virginia.edu (Marc E. Rouleau) wrote:
> The whole point of John Gilmore's proposal was to address this problem
> of executables being found by path-search and therefore having no
> invocation-time knowledge of where they reside.
Actually, that's not the point (you could always write a subroutine
that searched the path to find argv[0]). The point is that I want a
mechanism that cannot be spoofed. Mystery variables in the
environment, library routines that look at argv[0], etc, can all be
spoofed by a 3-line program (that changes the environment then calls
exec(), or that passes different things as the filename to execute
versus argv[0] to exec()). If real applications are going to use this,
it's critical that they are able to depend upon the pointer they find.
Imagine if you could invoke uucp with your own private set of spool
directories -- all the security built into it would be pretty useless.
You could steal mail, forge things, etc.
Several people pointed out that hard links to a program would foul up
my proposed mechanism -- they are right. You can prevent people from
copying the application to another spot and running it (by making the
program unreadable by mortals, even though executable by them); the
kernel could resolve all the symlinks before giving you the path; but
you can hard-link to anything you can name, even if it has '0'
permissions.
Perhaps a solution is to only provide this facility to programs with a
link count of 1? In other words, if you hard-link to a program, it
would no longer be provided its name, and could exit with an error
message. This is probably even worse -- by simply creating a hard link
to /usr/lib/uucico, you could make it unable to find its directories,
even when run from the right place.
Perhaps a variation on one of these themes would work. If the kernel
was to output pathnames to user programs (presumably so that the
programs can trust that the pathnames are uncorrupted), it might
be reasonable to put some kinds of access control on hard links.
Maybe if/when Unix file protection ever gets revised, this can be
considered.
Someone else pointed out that Multics can reliably tell you the
pathname of your running program. Maybe Multics didn't have hard
links, so it was trustable?
--
John Gilmore {sun,pacbell,uunet,pyramid,ihnp4}!hoptoad!gnu gnu at toad.com
"Use the Source, Luke...."
More information about the Comp.unix.wizards
mailing list