
Re: phpBB vulnerability exploited



On Monday 13 December 2004 03:31, Marek Podmaka wrote:

>   Yes, I have been doing the same with /tmp, but some debian packages
>   won't install on noexec /tmp. But there are other directories on my
>   system which are world writable - for example /var/tmp and
>   /var/lock.

If you've configured apt to preconfigure packages (at least I think that's the 
case) then apt will extract some stuff to /tmp and execute it from there.

The solution I use is to temporarily remount partitions with necessary 
permissions during apt's run.  I do this automatically with the following 
commands in apt's config files:

  DPkg::Pre-Install-Pkgs {"mount -o remount,rw /boot";};
  DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
  DPkg::Pre-Install-Pkgs {"mount -o remount,rw /usr";};
  DPkg::Post-Invoke {"mount -o remount /boot";};
  DPkg::Post-Invoke {"mount -o remount /tmp";};
  DPkg::Post-Invoke {"mount -o remount /usr";};

I'd think you can get away with linking /var/tmp to /tmp but /var/lock might 
be tricky to get around.

>   Can entire /var be mounted noexec?

In my case I doubt it since much of postfix lives there.  It might be possible 
in certain cases though I'm not sure.

-- 
Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux
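
A check for whether /tmp, /var/tmp and /var/lock sit on noexec mounts, for instance after the remount hooks above have run. This is an added example, not part of the original message; the function names and the sample mount table are constructed for illustration, and on a live system the first argument would be /proc/mounts.

```bash
#!/bin/sh
# check_noexec MOUNTS_FILE DIR...
# MOUNTS_FILE is in /proc/mounts format. For each DIR, print
# "<dir> <mountpoint> noexec|EXEC"; return 1 if any DIR allows exec.
check_noexec() {
    mounts_file=$1; shift
    rc=0
    for dir in "$@"; do
        best=""; best_opts=""
        # Pick the longest mount point that is a path prefix of $dir.
        # -ge lets a later entry for the same mount point win.
        while read -r _dev mnt _type opts _rest; do
            case "$dir/" in
                "${mnt%/}/"*)
                    if [ "${#mnt}" -ge "${#best}" ]; then
                        best=$mnt; best_opts=$opts
                    fi ;;
            esac
        done < "$mounts_file"
        # Match noexec as a whole option, not as a substring.
        case ",$best_opts," in
            *,noexec,*) state=noexec ;;
            *)          state=EXEC; rc=1 ;;
        esac
        echo "$dir $best $state"
    done
    return $rc
}

# Constructed sample mount table: /tmp is noexec, /var is not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 ro 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda4 /var ext3 rw,nosuid 0 0
EOF
}

demo_file=$(mktemp)
sample_mounts > "$demo_file"
check_noexec "$demo_file" /tmp /var/tmp /var/lock \
    || echo "at least one world-writable directory allows exec"
rm -f "$demo_file"
```
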


