
Re: execute permissions in /tmp



On Sat, Jul 12, 2003 at 09:34:16PM -0400, Noah L. Meyerhans wrote:
> On Sat, Jul 12, 2003 at 09:22:45PM -0400, Jim Popovitch wrote:
> > I have a complaint/opinion/statement to express.  It seems that every now
> > and then when I run 'apt-get upgrade' I get a lot of errors about "Can't
> > exec "/tmp/config.xxxxx": Permission denied at...".
>
> Second of all, mounting a filesystem with the noexec flag (assuming
> /tmp is a separate filesystem on your system and this is, in fact, what
> you're doing) has been shown many many times to not provide any level of
> protection.  Try this on your noexec mounted /tmp:
> # cp /bin/ls /tmp/
> # /lib/ld-linux.so.2 /tmp/ls
> 
> Basically, what it comes down to is that you *can not* prevent files
> from being executed.

 This is at least the third time this has come up that I remember.  However, 
absolute statements like *can not* get me thinking:  Is there any sort
of file that can't be executed from /tmp?  What about statically linked ELF
binaries?  /lib/ld-linux.so.2 /sbin/e2fsck.static  segfaults.  In five
minutes, I haven't thought of a way to execute one.

 This is of course not useful from a security perspective, as one can simply
upload executables that can have interpreters (such as ld-linux.so.2 or
/bin/sh) run on them, if one is in a position to upload and run something in
the first place.  Maybe if there are space constraints on what you can
upload (the size of a buffer that you can overflow without segfaulting,
maybe?), your carefully constructed assembly-code binary[1] won't be usable
on systems run by overly paranoid people with non-executable /tmp
directories.

 Hmm, what about in a chroot jail?  If you don't leave any interpreters
inside the jail (that means no dynamically linked programs, and no scripts
of any sort), noexec could possibly be useful.  You'd have to arrange for
the software in the jail to do the chroot(2) itself, as there should be
nothing to execve(2) inside the jail.

[1]http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
http://developers.slashdot.org/article.pl?sid=02/10/19/1233250

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug.n , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
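
Added example, not part of the original message: one way to audit a chroot jail for the condition described above (no scripts and no dynamically linked programs inside the jail). The function names classify and audit_jail are hypothetical; the check flags files that start with "#!" and ELF files that carry a PT_INTERP program header.

```python
import os
import struct

PT_INTERP = 3  # program header type that names the dynamic loader

def classify(path):
    """Return 'script', 'elf-dynamic', 'elf-no-interp' or 'other'."""
    with open(path, "rb") as f:
        size = os.fstat(f.fileno()).st_size
        head = f.read(64)
        if head[:2] == b"#!":
            return "script"                    # kernel would run the named interpreter
        if head[:4] != b"\x7fELF" or len(head) < 52:
            return "other"
        is64 = head[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        if is64 and len(head) < 64:
            return "other"
        end = "<" if head[5] == 1 else ">"     # EI_DATA: 1 = little-endian
        if is64:
            phoff, = struct.unpack_from(end + "Q", head, 0x20)
            phentsize, phnum = struct.unpack_from(end + "HH", head, 0x36)
        else:
            phoff, = struct.unpack_from(end + "I", head, 0x1C)
            phentsize, phnum = struct.unpack_from(end + "HH", head, 0x2A)
        for i in range(phnum):
            off = phoff + i * phentsize
            if off + 4 > size:
                break                          # truncated or bogus header table
            f.seek(off)
            if struct.unpack(end + "I", f.read(4))[0] == PT_INTERP:
                return "elf-dynamic"
        # Static binaries land here; so do shared objects, which have no PT_INTERP.
        return "elf-no-interp"

def audit_jail(root):
    """Map relative path -> finding for every script or dynamic ELF under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                       # skip symlinks, devices, sockets
            kind = classify(path)
            if kind in ("script", "elf-dynamic"):
                findings[os.path.relpath(path, root)] = kind
    return findings
```

An empty result from audit_jail means nothing in the tree is a script or requests a loader; it does not by itself show that no loader or shell binary is present, since those are reported as 'elf-no-interp'.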
