On Wed, Jul 16, 2003 at 10:46:14AM +0200, DEFFONTAINES Vincent wrote:
> $ /lib/ld-linux.so.2 /tmp/bash
> Segmentation fault
>
> $ strace /lib/ld-linux.so.2 /tmp/bash
> execve("/lib/ld-linux.so.2", ["/lib/ld-linux.so.2", "/tmp/bash"], [/* 12 vars */]) = 0
> uname({sys="Linux", node="hostname", ...}) = 0
> brk(0) = 0x106f8678
> brk(0x106f9000) = 0x106f9000
> open("/tmp/bash", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\320\221"..., 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=511400, ...}) = 0
> old_mmap(0x8048000, 487424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = -1 EACCES (Permission denied)
> close(3) = 0
> --- SIGSEGV (Segmentation fault) ---
> +++ killed by SIGSEGV +++
>
>
> TPE does not prevent attackers from running /lib/ld-linux.so.2, but
> restricts them from mmaping files in /tmp (and some other dirs, of course).
> Since the question was about "execute permissions in /tmp", not
> restraining attackers from running /bin/sh, I tend to believe it
> does indeed help.
Looks that way. I guess I misinterpreted the grsec docs (and since I
don't have a kernel compiled with TPE, I didn't test it). It seems that it
already does what I suggested it do: not allow mmap with PROT_EXEC under
certain conditions. (You did make sure that this behaviour isn't the result
of some other grsecurity option, right?)
Anyway, that's pretty cool. However, I don't suppose it stops you from
running perl scripts, or anything other than ELF binaries, since files that
don't contain machine code wouldn't need to be mapped with PROT_EXEC. In
fact, I straced perl, and it uses read(2) instead of mmap(2) to load the
code. Unless grsec is really clever, perl programs would still work, by
running /usr/bin/perl /tmp/foo.pl, as long as you can read /tmp/foo.pl.
--
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug.n , s.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC
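As an added example (not part of the thread, and not grsecurity's own code), the following C probe separates the two loading paths the exchange above contrasts: mapping a file PROT_EXEC the way ld-linux.so.2 maps an ELF text segment, which is the mmap TPE denies with EACCES in the strace, and reading the same file with read(2) the way perl loads a script, which TPE does not touch. The sample path /tmp/tpe_probe_sample and its contents are constructed for the demonstration; on a stock kernel with an executable /tmp both paths succeed, so the interesting output comes from running it on the TPE-enabled box (or against a noexec mount, where the kernel returns EPERM instead).

```c
/* tpe_probe.c: added example, not from the thread and not grsecurity code.
 * Exercises the two loading paths the thread contrasts:
 *   - probe_map_exec: mmap(PROT_EXEC) of a file, the path ld-linux.so.2
 *     takes for an ELF text segment and the one TPE denies with EACCES;
 *   - probe_read_only: read(2) of the file into ordinary memory, the path
 *     an interpreter such as perl takes, which TPE does not restrict.
 * Build: cc -o tpe_probe tpe_probe.c   Run: ./tpe_probe [file]
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample "script"; the path is an assumption for the demo. */
#define SAMPLE_PATH "/tmp/tpe_probe_sample"
static const char SAMPLE_CONTENTS[] = "#!/usr/bin/perl\nprint \"hello\\n\";\n";

/* True if the buffer starts with the ELF magic shown in the strace above. */
int is_elf(const unsigned char *buf, size_t n) {
    return n >= 4 && buf[0] == 0x7f && buf[1] == 'E' && buf[2] == 'L' && buf[3] == 'F';
}

/* Map the file PROT_READ|PROT_EXEC as a loader would. Returns 0 when the
 * kernel allows it, otherwise errno (grsec TPE: EACCES; noexec mount: EPERM). */
int probe_map_exec(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    struct stat st;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); return e; }
    size_t len = st.st_size > 0 ? (size_t)st.st_size : 1;  /* zero-length mmap is EINVAL */
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int rc = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED) munmap(p, len);
    close(fd);
    return rc;
}

/* Read the file into buf, as an interpreter does; no executable mapping of
 * the file is created. Returns bytes read (up to cap) or -1 if open fails. */
ssize_t probe_read_only(const char *path, unsigned char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t total = 0;
    while (total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n <= 0) break;
        total += (size_t)n;
    }
    close(fd);
    return (ssize_t)total;
}

/* Write the constructed sample so the probe runs offline; 0 on success. */
int write_sample(const char *path, const char *contents) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return -1;
    size_t len = strlen(contents);
    ssize_t w = write(fd, contents, len);
    close(fd);
    return (w == (ssize_t)len) ? 0 : -1;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : SAMPLE_PATH;
    if (argc < 2 && write_sample(path, SAMPLE_CONTENTS) != 0) {
        perror("write_sample");
        return 1;
    }
    unsigned char head[1024];
    ssize_t n = probe_read_only(path, head, sizeof head);
    int rc = probe_map_exec(path);
    printf("%s: read(2) returned %zd bytes %s; mmap(PROT_EXEC) %s\n",
           path, n, (n > 0 && is_elf(head, (size_t)n)) ? "(ELF)" : "(not ELF)",
           rc == 0 ? "allowed" : strerror(rc));
    return 0;
}
```

Point it at a copy of a binary in /tmp on the TPE kernel: the mmap result should read "Permission denied" while read(2) still returns the whole file, which is exactly the gap the /usr/bin/perl /tmp/foo.pl case goes through.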