
Re: Executable /lib/ld-linux.so breaks noexec



Hi,

On Tue, May 20, 2003 at 05:45:21PM +0200, Martin Pitt wrote:

> Hi!
> 
> Is there any particular reason to have /lib/ld-linux.so.* executable?
> If it is used only as a proper library, it need not be executable.
> 
> The problem is that this breaks the "noexec" mount option. If /foo is
> mounted noexec, then one cannot do /foo/myprog, but 
> 
> /lib/ld-linux.so.1 /foo/myprog
> 
> will work.
> 
> This prevents proper separation of executable and writable files, thus
> I consider this as a security hole.
> 
> Any comments to this?

It's not possible if you don't give read permissions on /foo/myprog to
users who are not allowed to execute it.

If /foo/myprog is a shell script or executable by another interpreter
that the user is allowed to run, then you've still got your hole. In
short, I think you're trying to place a barrier at a very non-strategic,
if not indefensible place.

Also, keep in mind that it will prevent anything if that person was
prevented from running anything he put on the system himself in the
first place.

All that is hard to do, and not really necessary if you use the standard
Unix permission system sensibly. 

In general, you should not give access to sensitive files to "other" and
then try to prevent "other" from using any sort of command such as
/foo/myprog that will give access to those files; you're making it
unnecessarily hard for yourself, and you'll almost inevitably leave one
or more access methods open. There are just too many ways to do it.

Running a non-setuid program as non-root should never be dangerous in
the first place, except to the files of the user running it. If it is,
you're already in great danger and should fix your security problem.

I'm not saying userland security is never needed or useful, but still:
never use userland security as a substitute for properly set up
filesystem permissions.

Cheers,


Emile.

-- 
E-Advies - Emile van Bergen           emile@e-advies.nl      
tel. +31 (0)70 3906153           http://www.e-advies.nl    
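
Added example, not part of the original message: a small audit for the condition the reply describes, listing ELF binaries and `#!` scripts on noexec mounts that "other" can read, since the thread says those stay runnable through /lib/ld-linux.so.* or another interpreter. The mount table is a constructed sample, the function names are hypothetical, and checking only the o+r bit is a simplifying assumption.

```python
import os
import stat

# Constructed sample in /proc/mounts format; /foo is the mount named in the thread.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /foo ext3 rw,nosuid,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

def noexec_mounts(mounts_text):
    """Return the mount points whose option field contains noexec."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "noexec" in fields[3].split(","):
            points.append(fields[1])
    return points

def classify(path):
    """Return 'elf', 'script' or None from the file's leading bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None  # unreadable by the auditing user; skip it
    if head == b"\x7fELF":
        return "elf"
    return "script" if head.startswith(b"#!") else None

def audit(root):
    """Return sorted (path, kind) pairs for programs that "other" can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # file vanished or is inaccessible
            # Only regular files with the o+r bit set are of interest.
            if stat.S_ISREG(mode) and mode & stat.S_IROTH and classify(path):
                findings.append((path, classify(path)))
    return sorted(findings)

if __name__ == "__main__":
    for mount in noexec_mounts(SAMPLE_MOUNTS):
        for path, kind in audit(mount):
            print(f"{mount}: {path} ({kind}) is readable by other")
```

On a live system, pass the contents of /proc/mounts to `noexec_mounts` instead of the sample.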
