Full Disclosure mailing list archives
Re: a secure base system
From: Tobias Weisserth <tobias () weisserth de>
Date: Mon, 15 Mar 2004 21:38:06 +0100
Hi Alexander,

On Mon, 15.03.2004 at 20:27, Alexander Bartolich wrote:
> Tobias Weisserth wrote:
> > /tmp should always be mounted noexec. Add /home as well with noexec.
> > [...]
> > This may be a trade-off, but the result is more security.
>
> On typical Linux distributions noexec is pointless. It does not prevent
> the execution of dynamically linked ELF images.
Interesting point. But I guess "noexec" still is useful for running services, trapped inside a chroot and running under a user with almost no privileges, with the chroot residing on such a noexec partition. If the service is exploitable and an attacker gains the privileges of the user running the service, he might not be able to leave the chroot and use the circumvention to bypass the noexec option. Or am I wrong here? I really appreciate your explanation. You are of course right that I might not be able to hinder individual users who possess this knowledge, with a home directory and a bash login, from running or installing programs inside their home directory by just mounting it noexec. Maybe limiting access to "readelf" helps, but I doubt that, since most binaries are linked to the file you used below... interesting point indeed ;-)
> $ readelf -l /bin/bash | grep interpreter
>       [Requesting program interpreter: /lib/ld-linux.so.2]
> $ /lib/ld-linux.so.2 /bin/bash --version
> GNU bash, version 2.05b.0(1)-release (i386-redhat-linux-gnu)
> Copyright (C) 2002 Free Software Foundation, Inc.
Well, at least the noexec option for /tmp prevents 99% of available ready-to-run exploits and root kits from executing properly, since they were written to run from within /tmp. I guess this takes care of most of the simple "script-kiddies". But you're right. It doesn't really "solve" the problem. But it raises the bar, because exploits have to be adapted and luckily not everybody is able to do this.

regards,
Tobias W.

--
Tobias Weisserth
tobias@weisserth.[de|com|net|org]
http://www.weisserth.org
Encrypted mail is welcome. Key and fingerprint: http://imprint.weisserth.org

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
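An added audit script, not from the thread or its authors, that reports which mount options actually cover /tmp, /home and a service's chroot directory, the three locations discussed above. It reads a constructed /proc/mounts-style table (paths and devices are made up) so it runs offline; as Alexander notes, noexec only stops execve of files on that mount, so a passing result is one hardening check, not proof that nothing can run there.

```sh
#!/bin/sh
# Added example, not from the thread: audit which mount options cover a path.
# The mount table is a constructed /proc/mounts-style file so this runs offline;
# point the functions at /proc/mounts to check a real system.

# mount_opts_for_path PATH TABLE: print the option list of the longest mount
# point in TABLE that contains PATH (the mount that actually applies to it).
mount_opts_for_path() {
    path=$1; table=$2; best=""; best_opts=""
    while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "/" ] || [ "$path" = "$mnt" ] || [ "${path#"$mnt"/}" != "$path" ]; then
            if [ ${#mnt} -gt ${#best} ]; then best=$mnt; best_opts=$opts; fi
        fi
    done < "$table"
    printf '%s\n' "$best_opts"
}

# has_mount_flag OPTS FLAG: succeed if FLAG appears in the comma-separated OPTS.
has_mount_flag() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# audit_path PATH TABLE: report the flags missing from the mount covering PATH;
# succeeds only when noexec, nosuid and nodev are all set.
audit_path() {
    opts=$(mount_opts_for_path "$1" "$2"); missing=""
    for f in noexec nosuid nodev; do
        has_mount_flag "$opts" "$f" || missing="$missing $f"
    done
    if [ -z "$missing" ]; then
        printf '%s: ok (%s)\n' "$1" "$opts"; return 0
    fi
    printf '%s: missing%s\n' "$1" "$missing"; return 1
}

# Constructed sample table: /tmp and the chroot are hardened, /home lacks noexec,
# /var/tmp falls back to the root filesystem and gets none of the flags.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda6 /home ext3 rw,nosuid,nodev 0 0
/dev/sda7 /srv/chroot ext3 rw,noexec,nosuid,nodev 0 0
EOF

for p in /tmp/upload /home/alice/bin/sh /srv/chroot/named /var/tmp; do
    audit_path "$p" "$SAMPLE_MOUNTS" || :
done
```

Run it against the real table with `audit_path /srv/chroot /proc/mounts`; a path that silently resolves to the root filesystem (like /var/tmp here) is the case the longest-prefix match is there to catch.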