Full Disclosure mailing list archives

Re: a secure base system


From: Tobias Weisserth <tobias () weisserth de>
Date: Mon, 15 Mar 2004 21:38:06 +0100

Hi Alexander,

On Mon, 15.03.2004 at 20:27, Alexander Bartolich wrote:
> Tobias Weisserth wrote:
>> /tmp should always be mounted noexec. Add /home as well with noexec.
>> [...] This may be a trade-off, but the result is more security.
>
> On typical Linux distributions noexec is pointless.
> It does not prevent the execution of dynamically linked ELF images.

Interesting point. 

But I guess "noexec" still is useful for running services, trapped
inside a chroot and running under a user with almost no privileges,
with the chroot residing on such a noexec partition. If the service is
exploitable and an attacker gains the privileges of the user running the
service he might not be able to leave the chroot and use the
circumvention to bypass the noexec option. Or am I wrong here? I really
appreciate your explanation.

You are of course right that I might not be able to hinder individual
users who possess this knowledge with a home directory and a bash login
to run or install programs inside their home directory by just mounting
it noexec. Maybe limiting access to "readelf" helps, but I doubt that
since most binaries are linked to the file you used below... interesting
point indeed ;-)

> $ readelf -l /bin/bash | grep interpreter
>       [Requesting program interpreter: /lib/ld-linux.so.2]
>
> $ /lib/ld-linux.so.2 /bin/bash --version
> GNU bash, version 2.05b.0(1)-release (i386-redhat-linux-gnu)
> Copyright (C) 2002 Free Software Foundation, Inc.

Well, at least the noexec option for /tmp prevents 99% of available
ready-to-run exploits and root kits from executing properly, since they were
written to run from within /tmp. I guess this takes care of most of the
simple "script-kiddies". But you're right. It doesn't really "solve" the
problem. But it raises the bar because exploits have to be adapted and
luckily not everybody is able to do this.

regards,
Tobias W.


-- 
***************************************************
   ____  _____
  |  _ \| ____| Tobias Weisserth
  | | | |  _|   tobias@weisserth.[de|com|net|org]
 _| |_| | |___  http://www.weisserth.org
(_)____/|_____|
                
Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org

***************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
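
An added example, not part of the original post or of any tool it mentions: a Python check that flags the loader invocation quoted above (`/lib/ld-linux.so.2 <binary>`) when the target binary sits on a `noexec` mount. The mount table, exec records, loader name patterns and function names are constructed assumptions.

```python
import posixpath
from fnmatch import fnmatchcase
# Constructed sample data (not from the original post).
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda3 /home ext3 rw,nosuid,noexec 0 0
/dev/hda5 /home/build ext3 rw 0 0
"""
SAMPLE_EXECS = [  # (pid, cwd, argv), as an exec audit trail might record them
    (101, "/", ["/lib/ld-linux.so.2", "/bin/bash", "--version"]),
    (102, "/", ["/lib/ld-linux.so.2", "/tmp/a.out"]),
    (103, "/home/alice", ["/lib/ld-linux.so.2", "--library-path", "/lib", "./tool"]),
    (104, "/", ["/lib/ld-linux.so.2", "/home/build/x"]),
    (105, "/", ["/bin/ls", "/tmp"]),
]
LOADER_NAMES = ("ld-linux*.so*", "ld.so*", "ld-2.*.so")  # assumed glibc loader names
VALUE_OPTS = {"--library-path", "--inhibit-rpath", "--audit", "--preload", "--argv0"}

def parse_mounts(text):
    """Map mount point -> set of mount options from /proc/mounts-style text."""
    return {f[1]: set(f[3].split(",")) for f in map(str.split, text.splitlines()) if len(f) >= 4}

def mount_for(path, mounts):
    """Longest mount point that is a whole-component prefix of path."""
    hits = [m for m in mounts if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def loader_target(argv):
    """First loader argument that is neither an option nor an option's value."""
    args = iter(argv[1:])
    for arg in args:
        if arg in VALUE_OPTS:
            next(args, None)  # skip the value that follows the option
        elif not arg.startswith("--"):
            return arg
    return None

def find_noexec_loader_runs(execs, mounts):
    """Return (pid, target_path, mount_point) for loader runs aimed at noexec
    mounts. Paths are resolved lexically; symlinks are not followed."""
    found = []
    for pid, cwd, argv in execs:
        is_loader = any(fnmatchcase(posixpath.basename(argv[0]), p) for p in LOADER_NAMES)
        target = loader_target(argv) if is_loader else None
        if target:
            path = posixpath.normpath(posixpath.join(cwd, target))
            mp = mount_for(path, mounts)
            if "noexec" in mounts.get(mp, set()):
                found.append((pid, path, mp))
    return found
```

On the constructed records, `find_noexec_loader_runs(SAMPLE_EXECS, parse_mounts(SAMPLE_MOUNTS))` reports pids 102 and 103 and ignores the loader run against `/bin/bash` and the one under the separately mounted `/home/build`.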

