* Mickaël Salaün:
> The order of checks would be:
> 1. open script with O_DENY_WRITE
> 2. check executability with AT_EXECVE_CHECK
> 3. read the content and interpret it
>
> The deny-write feature was to guarantee that there is no race condition
> between step 2 and 3. All these checks are supposed to be done by a
> trusted interpreter (which is allowed to be executed). The
> AT_EXECVE_CHECK call enables the caller to know if the kernel (and
> associated security policies) allowed the *current* content of the file
> to be executed. Whatever happens before or after that (wrt.
> O_DENY_WRITE) should be covered by the security policy.

Why isn't it an improper system configuration if the script file is
writable?

In the past, the argument was that making a file (writable and)
executable was an auditable event, and that provided enough coverage for
those people who are interested in this.

Thanks,
Florian
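Below is an added C example, written for this thread and not code from either correspondent, of the three-step sequence quoted above as a trusted interpreter would carry it out, together with the kind of "is this script writable?" check that Florian's question points at. Assumptions: `AT_EXECVE_CHECK` is given the value 0x10000 (the Linux 6.14 uapi value) when the headers lack it; `O_DENY_WRITE` is treated as the proposed flag it is in the thread and is used only if the headers happen to define it, otherwise the open is a plain `O_RDONLY`; the function names (`open_script`, `check_executable`, `script_is_writable`, `read_checked_script`) and the group/other-writable interpretation of "writable" are this example's own choices. On a kernel older than 6.14 the check reports `CHECK_UNSUPPORTED` instead of a policy answer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000 /* execveat(2) flag, Linux 6.14 uapi value (assumed if absent) */
#endif

/* Outcome of step 2 from the interpreter's point of view. */
enum check_result {
    CHECK_ALLOWED = 0,   /* kernel and LSM policy permit executing this content */
    CHECK_DENIED,        /* policy refuses: do not interpret the file */
    CHECK_UNSUPPORTED,   /* kernel predates AT_EXECVE_CHECK (EINVAL) */
    CHECK_ERROR          /* anything else; errno is left set for the caller */
};

/* Step 1: open the script read-only. O_DENY_WRITE is the proposed flag from
 * the thread (assumption: not in mainline headers), so it is only added when
 * the headers define it; otherwise this is an ordinary O_RDONLY open. */
int open_script(const char *path)
{
    int flags = O_RDONLY | O_CLOEXEC;
#ifdef O_DENY_WRITE
    flags |= O_DENY_WRITE;
#endif
    return open(path, flags);
}

/* Step 2: ask the kernel whether the content currently behind fd may be
 * executed, without executing anything. In check mode execveat() returns 0
 * on success; failures are mapped onto the enum above. */
enum check_result check_executable(int fd)
{
    char *const argv[] = { "script", NULL };
    char *const envp[] = { NULL };
    long rc = syscall(SYS_execveat, fd, "", argv, envp,
                      AT_EMPTY_PATH | AT_EXECVE_CHECK);
    if (rc == 0)
        return CHECK_ALLOWED;
    switch (errno) {
    case EINVAL:
        return CHECK_UNSUPPORTED;
    case EACCES:
    case EPERM:
        return CHECK_DENIED;
    default:
        return CHECK_ERROR;
    }
}

/* The configuration question raised in the reply: flag scripts that are
 * group- or world-writable so the interpreter can log them as suspect.
 * Returns 1 if writable by group/others, 0 if not, -1 on fstat failure. */
int script_is_writable(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Step 3 runs only after step 2 said yes, and reads through the very fd
 * that was checked. Returns bytes read, or -1 when not allowed. */
ssize_t read_checked_script(int fd, char *buf, size_t n, enum check_result *res)
{
    *res = check_executable(fd);
    if (*res != CHECK_ALLOWED)
        return -1;
    return read(fd, buf, n);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s SCRIPT\n", argv[0]); return 2; }
    int fd = open_script(argv[1]);
    if (fd < 0) { perror("open"); return 1; }
    if (script_is_writable(fd) == 1)
        fprintf(stderr, "warning: %s is group/world-writable\n", argv[1]);
    char buf[4096];
    enum check_result res;
    ssize_t n = read_checked_script(fd, buf, sizeof buf - 1, &res);
    if (n < 0) { fprintf(stderr, "not interpreting: check result %d\n", (int)res); return 1; }
    buf[n] = '\0';
    printf("would interpret %zd bytes:\n%s", n, buf);
    return 0;
}
```

Keeping the check and the read on the same descriptor is what makes step 2 meaningful; the only thing the kernel cannot promise without a deny-write mechanism is that nobody rewrites the file between the two calls, which is exactly the gap the quoted message leaves to the security policy.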