On Mon, Aug 25, 2025 at 11:39:11AM +0200, Florian Weimer wrote: > * Mickaël Salaün: > > > The order of checks would be: > > 1. open script with O_DENY_WRITE > > 2. check executability with AT_EXECVE_CHECK > > 3. read the content and interpret it > > > > The deny-write feature was to guarantee that there is no race condition > > between step 2 and 3. All these checks are supposed to be done by a > > trusted interpreter (which is allowed to be executed). The > > AT_EXECVE_CHECK call enables the caller to know if the kernel (and > > associated security policies) allowed the *current* content of the file > > to be executed. Whatever happen before or after that (wrt. > > O_DENY_WRITE) should be covered by the security policy. > > Why isn't it an improper system configuration if the script file is > writable? It is, except if the system only wants to track executions (e.g. record checksum of scripts) without restricting file modifications. > > In the past, the argument was that making a file (writable and) > executable was an auditable even, and that provided enough coverage for > those people who are interested in this. Yes, but in this case there is a race condition that this patch tried to fix.
