RE: execute permissions in /tmp
> -----Original Message-----
> From: Peter Cordes [mailto:peter@llama.nslug.ns.ca]
> Sent: Wednesday, July 16, 2003 9:35 AM
> To: debian-security@lists.debian.org
> Subject: Re: execute permissions in /tmp
>
>
> On Tue, Jul 15, 2003 at 09:38:45AM +0200, DEFFONTAINES Vincent wrote:
> >
> > > On Sun, Jul 13, 2003 at 11:55:45PM -0400, Matt Zimmerman wrote:
> > > > If the user can read files in /tmp, they can execute the code in them.
> > >
> > > even if the user is a "nobody" that owns no files or
> > > directories and grsecurity, selinux or the like prevents
> > > him/her from directly executing code from world writeable directories?
> > >
> > > (I do not know, so I ask)
> >
> > Grsecurity has a "trusted path execution" option.
> > Paste from config help :
> >
> >
> > CONFIG_GRKERNSEC_TPE:
> > If you say Y here, you will be able to choose a gid to add to the
> > supplementary groups of users you want to mark as "untrusted." These
> > users will not be able to execute any files that are not in root-owned
> > directories writeable only by root. If the sysctl option is enabled,
> > a sysctl option with name "tpe" is created.
>
> That doesn't help. /lib is root-owned and not writeable by
> non-root. TPE won't stop them from running /lib/ld-linux.so.2
> or /bin/sh, will it? (Is TPE useful for anything against
> attackers that know about using ld-linux.so.2? I guess it
> makes it inconvenient to set up and use your own software on
> an account restricted with that.)
[snip]
Dummy example with bash. Just assume bash is some exploit script here.
$ cp /bin/bash /tmp
$ /tmp/bash
su: /tmp/bash: Permission denied
$ ls -l /tmp/bash
-rwxr-xr-x 1 www-data www-data 511400 Jul 15 16:34 /tmp/bash
$ /lib/ld-linux.so.2 /tmp/bash
Segmentation fault
$ strace /lib/ld-linux.so.2 /tmp/bash
execve("/lib/ld-linux.so.2", ["/lib/ld-linux.so.2", "/tmp/bash"], [/* 12 vars */]) = 0
uname({sys="Linux", node="hostname", ...}) = 0
brk(0) = 0x106f8678
brk(0x106f9000) = 0x106f9000
open("/tmp/bash", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\320\221"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=511400, ...}) = 0
old_mmap(0x8048000, 487424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = -1 EACCES (Permission denied)
close(3) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
TPE does not prevent attackers from running /lib/ld-linux.so.2, but
restricts them from mmapping files in /tmp (and some other dirs, of course).
Since the question was about "execute permissions in /tmp", not
restraining attackers from running /bin/sh, I tend to believe it
does indeed help.
Or am I really missing something obvious?
Vincent
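
Added example, not part of the original message: a small C probe for the behaviour visible in the strace output above, where a PROT_READ|PROT_EXEC mapping of a file is refused even though the file can be opened and read. The function name map_errno and the exit-code convention are assumptions of this example; run it as the restricted user against a non-empty file in the directory being checked.

```c
/* Added example: report whether a file can be mapped executable. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if the file could be opened and mapped with `prot`,
 * otherwise the errno of the step that failed. */
int map_errno(const char *path, int prot)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    if (fstat(fd, &st) < 0) {
        int e = errno;
        close(fd);
        return e;
    }
    /* One page is enough to trigger the policy check. An empty file
     * gives EINVAL, so probe with a non-empty file. */
    size_t len = st.st_size < 4096 ? (size_t)st.st_size : 4096;
    void *p = mmap(NULL, len, prot, MAP_PRIVATE, fd, 0);
    int e = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED)
        munmap(p, len);
    close(fd);
    return e;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    int r = map_errno(argv[1], PROT_READ);
    int x = map_errno(argv[1], PROT_READ | PROT_EXEC);
    printf("read-only mapping:  %s\n", r ? strerror(r) : "allowed");
    printf("executable mapping: %s\n", x ? strerror(x) : "allowed");
    /* Exit 0 only when reading works but executable mapping is refused. */
    return (r == 0 && x != 0) ? 0 : 1;
}
```

An exit status of 0 means the file is readable but cannot be mapped executable, which is the result the strace run shows for /tmp/bash.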