RE: execute permissions in /tmp

To: debian-security@lists.debian.org
Subject: RE: execute permissions in /tmp
From: DEFFONTAINES Vincent <Vincent.DEFFONTAINES@coe.int>
Date: Thu, 17 Jul 2003 10:30:11 +0200
Message-id: <[🔎] 435C366F075ED211B12200204840172D0629354D@petitsuix.coe.int>

>  Looks that way.  I guess I mis-interpreted the grsec docs 
> (and since I don't have a kernel compiled with TPE, I didn't 
> test it).  It seems that it already does what I suggested it 
> do: not allow mmap with PROT_EXEC under certain conditions.  
> (You did make sure that this behaviour isn't the result of 
> some other grsecurity option, right?)

Yes I did.
Tested it with a whole bunch of grsec options on, but not TPE.
Then with the same config, only diff is TPE option is set.

First time the /tmp/bash worked "normally", 2nd time gave the 
result I pasted in my last post.


> 
>  Anyway, that's pretty cool.  However, I don't suppose it 
> stops you from running perl scripts, or anything other than 
> ELF binaries, since files that don't contain machine code 
> wouldn't need to be mapped with PROT_EXEC.  In fact, I 
> straced perl, and it uses read(2) instead of mmap(2) to load 
> the code.  Unless grsec is really clever, perl programs would 
> still work, by running /usr/bin/perl /tmp/foo.pl, as long as 
> you can read /tmp/foo.pl.


Correct. I've just tested it just in case :-)
$cat foo.pl
#!/usr/bin/perl
print "foo\n";

$/tmp/foo.pl
su: ./toto.pl: /usr/bin/perl: bad interpreter: Permission denied

$/usr/bin/perl /tmp/foo.pl
foo

Which seems pretty logical, indeed.


Vincent

Reply to:

Prev by Date: Re: execute permissions in /tmp
Next by Date: php4 vulnerability - is potato affected?
Previous by thread: Re: execute permissions in /tmp
Next by thread: php4 vulnerability - is potato affected?
Index(es):
- Date
- Thread