Re: Long Exim break-in analysis

["Bernhard R. Link" <brlink@debian.org>]

* Bastian Blank <waldi@debian.org> [101222 11:30]:
> On Wed, Dec 22, 2010 at 10:18:50AM +0100, Bernhard R. Link wrote:
> > That said, having /tmp noexec,nosuid and /var nosuid will only make some
> > script-kiddies slower and the more people use it the less it helps.
>
> It is a start.

I'd not call it a start. It is more little a pillow at the ground of the
pit. It's nice to have if someone falls but only helps once it is
already to late.

> > As long as you have things like /dev/shm world-writeable and not
> > mounted nosuid there are trivial other ways for attackers.
>
> /dev/shm _is_ mounted nosuid by default.

Indeed. Since lenny (and perhaps etchnhalf) it is nosuid by default.
Sorry, I sometimes lose track of the many little things I let my
installer patch after installing.

> >                                                            And history
> > show that there were often ways around noexec and nosuid and though many
> > of the known ones should be closed by now,
>
> Around noexec: not much, at least for real binaries.

In the past there was the ld.so trick. That is said to be closed now.
But I would make no bet that on a full desktop-system there is nothing
that cane still be used to execute something (perhaps some of those
start-programs-with-libraries already loaded tricks or things like
that).

> Around nosuid:
> please show me.

In the past there was perl-suid. I hope noone will do something stupid
as that again. But then I was already quite perplex something like that
existed.

	Bernhard R. Link