Re: Executable /lib/ld-linux.so breaks noexec
On Wed, 21 May 2003 01:45, Martin Pitt wrote:
> Is there any particular reason to have /lib/ld-linux.so.* executable?
> If it is used only as a proper library, it need not be executable.
>
> The problem is that this breaks the "noexec" mount option. If /foo is
> mounted noexec, then one cannot do /foo/myprog, but
>
> /lib/ld-linux.so.1 /foo/myprog
>
> will work.

The following is the result of trying to do that under SE Linux. Other
LSM modules should also be able to do the same things.

root@lyta:/tmp# /lib/ld-linux.so.2 /tmp/ls
/tmp/ls: error while loading shared libraries: /tmp/ls: failed to map segment
from shared object: Permission denied
root@lyta:/tmp# dmesg | tail -1
avc: denied { execute } for pid=27439 exe=/lib/ld-2.3.1.so path=/tmp/ls
dev=03:02 ino=162902 scontext=rjc:sysadm_r:sysadm_t
tcontext=rjc:object_r:user_tmp_t tclass=file
root@lyta:/tmp# wc /tmp/ls
246 1992 69356 /tmp/ls
root@lyta:/tmp#
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
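
The following is an added example, not part of the original message: a small Python parser for `avc: denied` records in the format shown in the dmesg output above, which flags denials where the dynamic loader was refused `execute` on a file. The loader filename pattern, the function names and the second log line are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Sample input: the first record is the denial quoted in the message above,
# re-joined onto one line; the second is a constructed, unrelated denial.
SAMPLE_LOG = """\
avc: denied { execute } for pid=27439 exe=/lib/ld-2.3.1.so path=/tmp/ls dev=03:02 ino=162902 scontext=rjc:sysadm_r:sysadm_t tcontext=rjc:object_r:user_tmp_t tclass=file
avc: denied { read } for pid=311 exe=/bin/cat path=/etc/shadow dev=03:02 ino=4101 scontext=rjc:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# Assumption: the loader is installed as ld-<version>.so or ld-linux*.so.<n>.
LOADER_RE = re.compile(r"^ld-(linux.*\.so\.\d+|[\d.]+\.so)$")


def parse_avc(line):
    """Return a dict of the fields of one 'avc: denied' record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    return rec


def is_loader_exec_denial(rec):
    """True when the dynamic loader was refused 'execute' on a regular file,
    i.e. the '/lib/ld-linux.so.N /path/prog' invocation discussed above."""
    exe = PurePosixPath(rec.get("exe", "")).name
    return ("execute" in rec["perms"] and rec.get("tclass") == "file"
            and LOADER_RE.match(exe) is not None)


def loader_exec_denials(log_text):
    """Collect (pid, target path, target context) for each matching record."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_loader_exec_denial(rec):
            hits.append((int(rec["pid"]), rec["path"], rec["tcontext"]))
    return hits


if __name__ == "__main__":
    for pid, path, tcontext in loader_exec_denials(SAMPLE_LOG):
        print(f"pid {pid}: loader denied execute on {path} ({tcontext})")
```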