
Re: mounting /tmp noexec



Quoting Alexey Vyskubov (alexey.vyskubov@nokia.com):
> > That's not my experience. I can only assume your /tmp filesystem,
> > like mine, is not vfat-like. Whereas this floppy is:
> 
> You probably have some additional settings somewhere (where?).
[...]
> Please show output for 'mount' command after mounting floppy.

No, I'm afraid you're doing something differently from me (remount).

I get the impression that you're trying to find an exploit against the
useful feature that I pointed out in my original message, as if it was
a security defence. I didn't offer it as a defence but as a
convenience (acknowledged in my first message to you). I was concerned
lest his statement "noexec has no good purpose" should cause anyone to
consider getting rid of it, or not going to the trouble of continuing
to support it on filesystems that don't actually have exec
permissions.

If it has any security (sensu lato) value at all, noexec only prevents
accidents rather than maintaining security (sensu stricto) against
exploits. If you want the feature to remain useful, mount the
filesystem noexec to begin with---don't mount it exec, fiddle with it,
and then remount noexec.

If you're not interested in why remount leads to the effects you've
posted, stop reading here...

When you mount a vfat-like filesystem without noexec, all the files
inherit an x permission. With noexec, they all lose the x (except
directories). However, all this is actually faked, and that leads to a
problem (your exploit) when files are in use on a filesystem that gets
remounted.

Unused files are able to inherit the new mount flags, but files
already in use have to keep their current flags. (Thanks to
rmk@arm.uk.linux.org for clearly commenting the kernel code.)

How it should be done:
# mount -v -t vfat -o noexec /dev/fd0 /mnt
/dev/fd0 on /mnt type vfat (rw,noexec)
# chmod -v +x /mnt/*
mode of /mnt/afile changed to 0755 (rwxr-xr-x)    [all this has no
mode of /mnt/bfile changed to 0755 (rwxr-xr-x)     effect because
mode of /mnt/flip retained as 0755 (rwxr-xr-x)     of noexec flag]
# ls -lR /mnt
/mnt:
total 8
-rw-r--r--    1 root     root         3705 Apr  6  1999 afile
-rw-r--r--    1 root     root         3705 Apr  6  1999 bfile
drwxr-xr-x    2 root     root          512 Apr  6  1999 flip
/mnt/flip:
total 4
-rw-r--r--    1 root     root         3705 Apr  6  1999 cfile
# umount /mnt

How it's best not done:
# mount -v -t vfat /dev/fd0 /mnt
/dev/fd0 on /mnt type vfat (rw)
# ls -l /mnt/b*                                                [use bfile]
-rwxr-xr-x    1 root     root         3705 Apr  6  1999 /mnt/bfile
# mount -v -o remount,noexec /mnt
/dev/fd0 on /mnt type vfat (rw,noexec)
# ls -lR /mnt
/mnt:
total 8
-rw-r--r--    1 root     root         3705 Apr  6  1999 afile
-rwxr-xr-x    1 root     root         3705 Apr  6  1999 bfile [x retained]
drwxr-xr-x    2 root     root          512 Apr  6  1999 flip
/mnt/flip:
total 4
-rw-r--r--    1 root     root         3705 Apr  6  1999 cfile

I hope my intentions, and those of the developers, are clearer now.

Cheers,

-- 
Email:  d.wright@open.ac.uk   Tel: +44 1908 653 739  Fax: +44 1908 655 151
Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer:   These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.
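
The message above describes files that keep their x bit when a vfat-like filesystem is remounted noexec while they are in use. The following audit script is an added example, not part of the original message: it reads a mount table in /proc/mounts format, picks out vfat-like mounts, and lists files on the noexec ones that still show x. The function names, and the choice of vfat and msdos as the "vfat-like" types, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# Mount table format assumed: that of /proc/mounts
#   device mountpoint fstype options dump pass

# Print "<mountpoint> exec|noexec" for every vfat-like entry.
vfat_exec_state() {
    mounts_file=${1:-/proc/mounts}
    while read -r _dev mnt fstype opts _rest; do
        case $fstype in
            vfat|msdos) ;;          # assumed set of "vfat-like" types
            *) continue ;;
        esac
        # /proc/mounts escapes spaces in paths as \040; decode them.
        mnt=$(printf '%b' "$mnt")
        case ",$opts," in
            *,noexec,*) echo "$mnt noexec" ;;
            *)          echo "$mnt exec" ;;
        esac
    done < "$mounts_file"
}

# List regular files under a directory that show any x bit.
# -xdev keeps find from wandering into other mounted filesystems.
files_with_x() {
    find "$1" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# For each noexec vfat-like mount, report files whose x bit survived.
# Per the message, these are files that were in use when the
# filesystem was remounted noexec.
audit_noexec_vfat() {
    vfat_exec_state "${1:-/proc/mounts}" | while read -r mnt state; do
        [ "$state" = noexec ] || continue
        files_with_x "$mnt" | sed 's/^/x retained: /'
    done
}
```

Calling `audit_noexec_vfat` with no argument reads /proc/mounts; the check is only meaningful on filesystems where the x bit is derived from the mount options, which is why other filesystem types are skipped.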


