On 02/15/2017 08:22 AM, Chris Adams wrote:
noexec is not that big of a protection. On a normal CentOS system, you almost certainly have python installed (as well as likely other scripting languages such as perl), and they can be used to do just about anything compiled code can do.
Exactly. Since python is required by yum (and gettext, and systemd-sysv), it's nearly impossible to have a CentOS system without python.
Python, of course, includes the "ctypes" module, which allows you to load a shared object and call a C function with whatever arguments you choose.
You *absolutely* do not need a heap spraying attack in order to make arbitrary library or kernel calls.
Leonard, man... you've got to let this go. Users with shell access already have fairly broad permission to execute arbitrary code on the system they log in to. The memory leak in pkcheck is *not* a security issue. It's just a bug. *Everyone* is trying to tell you this, including the maintainers of CentOS, and (in your original bug report) the maintainers of RHEL. The security bug you've used as a foundation for all of this was built on a SUID binary, which pkcheck is not. What's it going to take for you to accept this? Do you honestly think that you are better qualified than all of the maintainers and developers that are telling you that this isn't a security bug?
I really want to encourage you to stay involved as a community member. Free Software is a participation culture, and every contributor has the potential to make the entire system better, but participation is a two-way conversation. You've got to learn to listen, as well.