Re: Long Exim break-in analysis
* Vladislav Kurz <vladislav.kurz@webstep.net> [101221 23:09]:
> As for point 2. it's a pity that dpkg is using /tmp and /var/lib/dpkg/ to run
> scripts during installation and removal of packages. It would be nice if
> whole /var could be mounted noexec.
AFAIK dpkg does not run things in /tmp. The only thing running things in
/tmp on a normal system is debconf's dpkg-preconfigure, which you can
disable by editing /etc/apt/apt.conf.d/70debconf (which means that
you will get asked questions not at the beginning but while installing
stuff, but as servers usually do not have that many packages that is
easy to bear).
That said, having /tmp noexec,nosuid and /var nosuid will only make some
script-kiddies slower and the more people use it the less it helps.
As long as you have things like /dev/shm world-writeable and not
mounted nosuid there are trivial other ways for attackers. And history
show that there were often ways around noexec and nosuid and though many
of the known ones should be closed by now, there will always appear new
ones. So having those flags set might be some nice stumbling block for
script kiddies, but not much more. (Others include not installing
compilers or things like wget ftp or netcat, blocking outgoing and
incoming connections but a small whitelist in the firewall, installing
kernels without modules and [k]mem support, using some of the more
'obscure' architectures, ...) They do not increase your safety,
but sometimes one at least sees someone stumble....
Bernhard R. Link
Reply to: