RE: execute permissions in /tmp
> Looks that way. I guess I mis-interpreted the grsec docs
> (and since I don't have a kernel compiled with TPE, I didn't
> test it). It seems that it already does what I suggested it
> do: not allow mmap with PROT_EXEC under certain conditions.
> (You did make sure that this behaviour isn't the result of
> some other grsecurity option, right?)
Yes I did.
Tested it with a whole bunch of grsec options on, but not TPE.
Then with the same config, the only difference being that the TPE option is set.
First time the /tmp/bash worked "normally", 2nd time gave the
result I pasted in my last post.
>
> Anyway, that's pretty cool. However, I don't suppose it
> stops you from running perl scripts, or anything other than
> ELF binaries, since files that don't contain machine code
> wouldn't need to be mapped with PROT_EXEC. In fact, I
> straced perl, and it uses read(2) instead of mmap(2) to load
> the code. Unless grsec is really clever, perl programs would
> still work, by running /usr/bin/perl /tmp/foo.pl, as long as
> you can read /tmp/foo.pl.
Correct. I've just tested it just in case :-)
$cat foo.pl
#!/usr/bin/perl
print "foo\n";
$/tmp/foo.pl
su: ./toto.pl: /usr/bin/perl: bad interpreter: Permission denied
$/usr/bin/perl /tmp/foo.pl
foo
Which seems pretty logical, indeed.
Vincent
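
Added example (not part of the original thread): a small C probe, written for illustration, for checking the behaviour discussed above on a given system. It maps a file read-only and then with PROT_EXEC and reports each result; a file that is refused PROT_EXEC but is still readable is the case where an interpreter such as perl can still load it. The names probe_map and make_sample and the /tmp/probe-XXXXXX template are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Map the first page of `path` with protection `prot`. Returns 0 if allowed,
 * the errno value if mmap(2) refused, -1 if the file can't be opened or is empty. */
int probe_map(const char *path, int prot)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_size == 0) { close(fd); return -1; }
    size_t len = st.st_size < 4096 ? (size_t)st.st_size : 4096;
    void *p = mmap(NULL, len, prot, MAP_PRIVATE, fd, 0);
    int err = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED) munmap(p, len);
    close(fd);
    return err;
}

/* Create a small constructed sample file from a mkstemp(3) template. */
int make_sample(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    ssize_t n = write(fd, "constructed sample\n", 19);
    close(fd);
    return n == 19 ? 0 : -1;
}

int main(int argc, char **argv)
{
    char tmpl[] = "/tmp/probe-XXXXXX";   /* constructed path, removed below */
    const char *path = argc > 1 ? argv[1] : tmpl;
    if (argc < 2 && make_sample(tmpl) != 0) { perror("mkstemp"); return 2; }
    int r = probe_map(path, PROT_READ);
    int x = probe_map(path, PROT_READ | PROT_EXEC);
    printf("%s: PROT_READ -> %s, PROT_READ|PROT_EXEC -> %s\n", path,
           r == 0 ? "allowed" : r < 0 ? "open failed" : strerror(r),
           x == 0 ? "allowed" : x < 0 ? "open failed" : strerror(x));
    if (argc < 2) unlink(tmpl);
    return x > 0 ? 1 : 0;   /* exit 1 when the executable mapping was refused */
}
```

Run it once as the restricted user with no argument (it probes a fresh file in /tmp) and once with the path of a file under test; exit status 1 means the PROT_EXEC mapping was refused.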