
Re: question about SSH / IPTABLES



On Thu 23 Jan 2003 13:45, DEFFONTAINES Vincent wrote:
> 2. Mount /home, /tmp and any other place users might have write access to
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.

Beware that noexec can be easily cheated:

<---------->
adelita:/tmp# dd if=/dev/zero of=mypartition bs=512 count=4K
4096+0 records in
4096+0 records out
2097152 bytes transferred in 0.034112 seconds (61478483 bytes/sec)
adelita:/tmp# mkfs.ext2 mypartition
mke2fs 1.30-WIP (30-Sep-2002)
mypartition is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
256 inodes, 2048 blocks
102 blocks (4.98%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
256 inodes per group

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
adelita:/tmp# mkdir mounted
adelita:/tmp# mount mypartition mounted/ -o loop,noexec
adelita:/tmp# cd mounted/
adelita:/tmp/mounted# cp /bin/ls .
adelita:/tmp/mounted# ./ls
-su: ./ls: Permission denied
adelita:/tmp/mounted# /lib/ld-linux.so.2 ./ls -la
total 74
drwxr-xr-x    3 root     root         1024 Jan 24 03:39 .
drwxrwxrwt    9 root     root          416 Jan 24 03:37 ..
drwx------    2 root     root        12288 Jan 24 03:37 lost+found
-rwxr-xr-x    1 root     root        59592 Jan 24 03:39 ls
<----------->
That's the common proof of concept for the fact that noexec is (almost) 
useless.

> You may also want to prevent users from running other programs such as telnet,
> ping, nc, traceroute and so many others...

...and so many others that, simply, you can't. Either deny every kind of 
traffic originating from your machine, or give up :-(

Regards

	Pope

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
lgomez@infoemergencias.com

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
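Added example, not part of the original post or of any tool it mentions: two small shell checks around the noexec discussion above. The first reports which user-writable mount points in /proc/mounts-style text are mounted without noexec. The second repeats the post's experiment against a directory of your choosing, trying a copied binary both directly and through the dynamic loader; mount(8) documents that the loader route has been blocked since Linux 2.4.25 / 2.6.0, so on a current kernel a noexec mount should report both routes as denied. The /proc/mounts sample is constructed, the list of candidate loader paths and the use of /bin/true as the probe binary are assumptions about the host, and neither function handles the \040 escaping /proc/mounts uses for paths with spaces.

```shell
#!/bin/sh
# Added example (not from the original post). Checks around mount -o noexec.

# Read /proc/mounts-style text on stdin and print each mount point that is in
# the space-separated list $1 (your user-writable directories) but whose
# options do not include noexec.
mounts_missing_noexec() {
    want="$1"
    while read -r _dev mnt _fstype opts _rest; do
        for d in $want; do
            [ "$mnt" = "$d" ] || continue
            case ",$opts," in
                *,noexec,*) ;;              # mounted noexec, nothing to report
                *) printf '%s\n' "$mnt" ;;  # writable and executable
            esac
        done
    done
}

# Constructed sample of /proc/mounts output (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# Copy /bin/true into $1 and try to run it (a) directly and (b) through the
# dynamic loader, as in the post. Prints "direct=<ok|denied|skipped>
# loader=<ok|denied|skipped>"; "skipped" means the probe could not be set up
# (no /bin/true, copy failed, or no known loader on this host).
probe_noexec() {
    dir="$1"
    src=/bin/true   # assumption: a dynamically linked binary on the host
    direct=skipped; loader=skipped
    if [ -x "$src" ] && cp "$src" "$dir/probe" 2>/dev/null && chmod 755 "$dir/probe"; then
        if "$dir/probe" 2>/dev/null; then direct=ok; else direct=denied; fi
        # Assumed loader locations; the post used /lib/ld-linux.so.2 on 2003 i386.
        for ld in /lib64/ld-linux-x86-64.so.2 /lib/ld-linux.so.2 \
                  /lib/ld-linux-aarch64.so.1 /lib/ld-musl-x86_64.so.1; do
            [ -x "$ld" ] || continue
            if "$ld" "$dir/probe" 2>/dev/null; then loader=ok; else loader=denied; fi
            break
        done
        rm -f "$dir/probe"
    fi
    echo "direct=$direct loader=$loader"
}

# Usage: audit the sample, then probe a scratch directory on the running host.
printf '%s\n' "$SAMPLE_MOUNTS" | mounts_missing_noexec "/tmp /home /var/tmp /dev/shm"
scratch="$(mktemp -d)" && probe_noexec "$scratch" && rmdir "$scratch"
```

On a live system feed the real table with `mounts_missing_noexec "/tmp /var/tmp /home /dev/shm" < /proc/mounts`, and point `probe_noexec` at a directory on a mount you believe is noexec; `direct=denied loader=ok` is the behaviour shown in the post, `direct=denied loader=denied` is what a current kernel gives.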


