chmod +x a tempdir file then run it - arbitrary code execution the gate cannot classify #9

New issue

Open

opened 2026-05-23 20:53:57 +00:00 by coilysiren · 0 comments

coilysiren commented 2026-05-23 20:53:57 +00:00

Owner

Copy link

Originally filed by @coilysiren on 2026-05-21T13:44:01Z - https://github.com/coilysiren/coily/issues/313

Symptom - An agent can run arbitrary code past the gate by writing a file into the tempdir, marking it executable with chmod +x, and executing it directly. No python, uv run, or other interpreter token ever appears on a command line, so the gate's code-execution classifier has nothing to match.

The sequence:

1. Write tool drops a script at /tmp/foo (file writes are not code execution).
2. chmod +x /tmp/foo (a benign-looking permission change).
3. /tmp/foo executes - the gate sees only an opaque path, never the file contents.

Why this matters - This is the same blind spot as coily#312 (coily pkg uv run /tmp/x.py), reached by a different route. coily#312 is about an interpreter verb accepting an arbitrary path. This issue is about direct execution of a chmod'd file: even with every interpreter verb locked down, an agent can still stage and run arbitrary code because the gate classifies command lines, not file contents. The audit trail records /tmp/foo ran, but not what /tmp/foo was.

cli-guard#87 shipped an engine-level arbitrary-code-execution deny. That deny works on recognizable interpreter invocations. A path to a self-contained executable defeats it - there is no interpreter token to recognize.

Expected - Decide the boundary for executing files from outside the repo root. Options to weigh: deny execution of paths under /tmp and other agent-writable temp tiers outright, gate chmod +x on temp-tier paths, or classify file contents at execute time when the target is an agent-written file. Resolve alongside coily#312 and the cli-guard engine deny so all three stay consistent - closing one interpreter verb while leaving direct exec open just moves the hole.

Keywords: chmod +x, tempdir, direct execution, arbitrary code execution, gate blind spot, file-contents not classified, cli-guard engine deny, coily#312

_Originally filed by @coilysiren on 2026-05-21T13:44:01Z - [https://github.com/coilysiren/coily/issues/313](https://github.com/coilysiren/coily/issues/313)_ **Symptom** - An agent can run arbitrary code past the gate by writing a file into the tempdir, marking it executable with `chmod +x`, and executing it directly. No `python`, `uv run`, or other interpreter token ever appears on a command line, so the gate's code-execution classifier has nothing to match. The sequence: 1. `Write` tool drops a script at `/tmp/foo` (file writes are not code execution). 2. `chmod +x /tmp/foo` (a benign-looking permission change). 3. `/tmp/foo` executes - the gate sees only an opaque path, never the file contents. **Why this matters** - This is the same blind spot as coily#312 (`coily pkg uv run /tmp/x.py`), reached by a different route. coily#312 is about an interpreter verb accepting an arbitrary path. This issue is about direct execution of a chmod'd file: even with every interpreter verb locked down, an agent can still stage and run arbitrary code because the gate classifies command lines, not file contents. The audit trail records `/tmp/foo` ran, but not what `/tmp/foo` was. cli-guard#87 shipped an engine-level arbitrary-code-execution deny. That deny works on recognizable interpreter invocations. A path to a self-contained executable defeats it - there is no interpreter token to recognize. **Expected** - Decide the boundary for executing files from outside the repo root. Options to weigh: deny execution of paths under `/tmp` and other agent-writable temp tiers outright, gate `chmod +x` on temp-tier paths, or classify file contents at execute time when the target is an agent-written file. Resolve alongside coily#312 and the cli-guard engine deny so all three stay consistent - closing one interpreter verb while leaving direct exec open just moves the hole. Keywords: chmod +x, tempdir, direct execution, arbitrary code execution, gate blind spot, file-contents not classified, cli-guard engine deny, coily#312

coilysiren added the

P0

label 2026-05-31 01:52:53 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dispatch/issue-306

args-file-mcporter

claude/coily-docker-image-FF2Rw

claude/busy-almeida-0168e4

v2.50.0

v2.49.1

v2.49.0

v2.48.0

v2.47.0

v2.46.0

v2.45.0

v2.44.1

v2.44.0

v2.43.2

v2.43.1

v2.43.0

v2.42.0

v2.41.0

v2.40.2

v2.40.1

v2.40.0

v2.39.0

v2.37.2

v2.38.0

v2.23.0

v2.37.1

v2.37.0

v2.36.0

v2.35.0

v2.34.0

v2.33.0

v2.32.0

v2.31.0

v2.30.0

v2.29.2

v2.29.1

v2.29.0

v2.28.0

v2.27.0

v2.26.0

v2.25.0

v2.24.0

v2.22.0

v2.21.0

v2.20.0

v2.19.0

v2.18.1

v2.18.0

v2.17.0

v2.16.0

v2.15.2

v2.15.1

v2.15.0

v2.14.0

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.1

v2.7.0

v2.6.0

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.0

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.8

v1.8.7

v1.8.6

v1.8.5

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.123

v1.5.122

v1.5.121

v1.5.120

v1.5.119

v1.5.118

v1.5.117

v1.5.116

v1.5.115

v1.5.114

v1.5.113

v1.5.112

v1.5.111

v1.5.110

v1.5.109

v1.5.108

v1.5.107

v1.5.106

v1.5.105

v1.5.104

v1.5.103

v1.5.102

v1.5.101

v1.5.100

v1.5.99

v1.5.98

v1.5.97

v1.5.96

v1.5.95

v1.5.94

v1.5.93

v1.5.92

v1.5.91

v1.5.90

v1.5.89

v1.5.88

v1.5.87

v1.5.86

v1.5.85

v1.5.84

v1.5.83

v1.5.82

v1.5.81

v1.5.80

v1.5.79

v1.5.78

v1.5.77

v1.5.76

v1.5.75

v1.5.74

v1.5.73

v1.5.72

v1.5.71

v1.5.70

v1.5.69

v1.5.68

v1.5.67

v1.5.66

v1.5.65

v1.5.64

v1.5.63

v1.5.62

v1.5.61

v1.5.60

v1.5.59

v1.5.58

v1.5.57

v1.5.56

v1.5.55

v1.5.54

v1.5.53

v1.5.52

v1.5.51

v1.5.50

v1.5.49

v1.5.48

v1.5.47

v1.5.46

v1.5.45

v1.5.44

v1.5.43

v1.5.42

v1.5.41

v1.5.40

v1.5.39

v1.5.38

v1.5.37

v1.5.36

v1.5.35

v1.5.34

v1.5.33

v1.5.32

v1.5.31

v1.5.30

v1.5.29

v1.5.28

v1.5.27

v1.5.26

v1.5.25

v1.5.24

v1.5.23

v1.5.22

v1.5.21

v1.5.20

v1.5.19

v1.5.18

v1.5.17

v1.5.16

v1.5.15

v1.5.14

v1.5.13

v1.5.12

v1.5.11

v1.5.10

v1.5.9

v1.5.8

v1.5.7

v1.5.6

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.1

v1.4.0

v1.3.0

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

v0.0.38

v0.0.37

v0.0.36

v0.0.35

v0.0.34

v0.0.33

v0.0.32

v0.0.31

v0.0.30

v0.0.29

v0.0.28

v0.0.27

v0.0.26

v0.0.25

v0.0.24

v0.0.23

v0.0.22

v0.0.21

v0.0.20

v0.0.19

v0.0.18

v0.0.17

v0.0.16

v0.0.15

v0.0.14

v0.0.13

v0.0.12

v0.0.11

v0.0.10

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

tools-latest

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-bridge/coily#9

No description provided.