[cap-talk] [tahoe-dev] Fwd: Don't put capabilities in argv?

Mark Seaborn mrs at mythic-beasts.com
Wed Jul 23 17:18:16 CDT 2008

zooko <zooko at zooko.com> wrote:

> However I remain interested in whether there could be a tool which  
> was useful to people who were not satisfied by either of these  
> approaches -- a tool which would allow people to use caps directly on  
> the command-line while also allowing them to have untrusted users or  
> run untrusted code on the operating system.
> I can see one possibility: shell functions and builtins don't appear  
> in the ps table, so for example if tahoe accepted caps on stdin, then  
> a bash function like this would allow convenient command-line use  
> while keeping the cap out of the process table entirely:
> function tahoe_put {
> 	echo ${1} | tahoe put ${0}
> }

There's a way to have arguments passed via a file descriptor in the
general case without having to change your programs.  There are two
halves to this:

1) Making processes use execve() with the new calling convention.
2) Making executables accept arguments via the new calling convention.

(2) is the easier half because it can be done mostly transparently to
the executable being invoked by using an ELF chainloader.  The idea is
that instead of doing

exec(["/usr/bin/foo", "arg0", "arg1", "arg2"])

you do

exec(["/usr/bin/chainloader", "<file descriptor number>"])

The chainloader reads the arguments from the file descriptor.  It maps
the executable and dynamic linker, sets up the stack to contain the
arguments, and finally jumps to the dynamic linker (or the executable
if it is statically linked).

I recently adapted an ELF chainloader for use in Plash (see
http://plash.beasts.org/wiki/Story16) where it is used so that the
dynamic linker (ld.so) can be passed via a file descriptor.

(1) could be done by changing libc (the route that Plash takes), or --
much easier -- by using an LD_PRELOAD library.  The preload library
would only have to wrap a few calls: execve() and its variants.

Preload libraries are somewhat hackish.  There is no guarantee that
two preload libraries will coexist happily.  A process can opt out by
unsetting LD_PRELOAD.  But wrapping exec calls is a relatively simple
case so this should work.


More information about the cap-talk mailing list