
Re: mounting /tmp noexec



Quoting Alexey Vyskubov (alexey.vyskubov@nokia.com):
> > > > noexec has no good purpose, really.  But its intention was for
> > > > networked filesystems in certain environments, not a generalized
> > > > security tool.
> > > 
> > > It's very useful for mounting filesystems like vfat, where otherwise
> > > all the files are marked executable which makes mc a PITA to use for
> > > examining archive files (mc tries to execute them!).
> > 
> > Ah, interesting. ;)  Of course, that isn't a security related reason.

Granted. Except that it does prevent one from accidentally executing
programs on certain removable media, e.g. those that my partner has
written on with 'doze.

> It's just wrong.
> 
> If you will mount filesystem with noexec option (try!) files may have
> 'x' permission. And they can *look* executable (e.g. on vfat partition
> you will see all files 'executable', as usual).  The only difference is
> that if you will try to execute such file you will get 'permission
> denied' error message. But mc will try to execute every file :)

That's not my experience. I can only assume your /tmp filesystem,
like mine, is not vfat-like. Whereas this floppy is:

Script started on Thu Jan  3 11:41:37 2002
~# mount -t vfat /dev/fd0 /floppy
~# ls -l /floppy/p*
-rwxr-xr-x    1 root     root       160498 May 15  2001 /floppy/pcbits.zip
~# umount /floppy/
~# mount -t vfat -o noexec /dev/fd0 /floppy
~# ls -l /floppy/p*
-rw-r--r--    1 root     root       160498 May 15  2001 /floppy/pcbits.zip
~# chmod +x /floppy/pcbits.zip 
~# ls -l /floppy/p*
-rw-r--r--    1 root     root       160498 May 15  2001 /floppy/pcbits.zip
~# umount /floppy/
~# 
Script done on Thu Jan  3 11:44:12 2002

> [terrapin] 08:46:52 ~$ sudo mount -o remount,noexec /tmp 
> Password:
> [terrapin] 08:47:11 ~$ touch /tmp/a
> [terrapin] 08:47:14 ~$ chmod +x /tmp/a
> [terrapin] 08:47:17 ~$ ls -l /tmp/a
> -rwxr-xr-x    1 alexey   alexey          0 Янв  3 08:47 /tmp/a
> [terrapin] 08:47:21 ~$ /tmp/a
> bash: /tmp/a: Permission denied
> [terrapin] 08:47:25 ~$ 

Cheers,

-- 
Email:  d.wright@open.ac.uk   Tel: +44 1908 653 739  Fax: +44 1908 655 151
Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer:   These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.
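
An added example, not part of the original message: the two transcripts above show that the 'x' bits in `ls -l` do not reliably say whether noexec is in effect (vfat hides them, the /tmp filesystem keeps them), so this sketch reads the mount table instead. The function names and the sample mount table are constructed for illustration; on a live Linux system the table would come from /proc/mounts.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
#   device  mountpoint  fstype  options  dump  pass
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
/dev/hda3 /tmp ext2 rw,noexec,nosuid 0 0
/dev/fd0 /floppy vfat rw,noexec 0 0
/dev/hda4 /tmpfiles ext2 rw 0 0'

# Print the mount options of the filesystem holding path $1.
# $2 is mount-table text. The entry whose mount point is the longest
# path prefix of $1 wins; on a tie the later entry wins, because a later
# mount on the same directory shadows the earlier one.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            # Compare whole path components so /tmp does not claim /tmpfiles.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# Succeed (exit status 0) if path $1 sits on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# When called with paths as arguments, check them against the live table.
if [ "$#" -gt 0 ]; then
    live=$(cat /proc/mounts)
    for path in "$@"; do
        if is_noexec "$path" "$live"; then
            echo "$path: noexec"
        else
            echo "$path: exec allowed by mount options"
        fi
    done
fi
```

Mount points containing spaces appear escaped (`\040`) in /proc/mounts and are not decoded here.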


