Re: question about SSH / IPTABLES
On Thu 23 Jan 2003 13:45, DEFFONTAINES Vincent wrote:
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.
Beware that noexec can be easily cheated:
<---------->
adelita:/tmp# dd if=/dev/zero of=mypartition bs=512 count=4K
4096+0 records in
4096+0 records out
2097152 bytes transferred in 0.034112 seconds (61478483 bytes/sec)
adelita:/tmp# mkfs.ext2 mypartition
mke2fs 1.30-WIP (30-Sep-2002)
mypartition is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
256 inodes, 2048 blocks
102 blocks (4.98%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
256 inodes per group
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
adelita:/tmp# mkdir mounted
adelita:/tmp# mount mypartition mounted/ -o loop,noexec
adelita:/tmp# cd mounted/
adelita:/tmp/mounted# cp /bin/ls .
adelita:/tmp/mounted# ./ls
-su: ./ls: Permission denied
adelita:/tmp/mounted# /lib/ld-linux.so.2 ./ls -la
total 74
drwxr-xr-x 3 root root 1024 Jan 24 03:39 .
drwxrwxrwt 9 root root 416 Jan 24 03:37 ..
drwx------ 2 root root 12288 Jan 24 03:37 lost+found
-rwxr-xr-x 1 root root 59592 Jan 24 03:39 ls
<----------->
That's the common proof of concept for the fact that noexec is (almost)
useless.
> You may also want to prevent users from running other programs such as telnet,
> ping, nc, traceroute and so many others...
...and so many others that, simply, you can't. Either deny every kind of
traffic originating from your machine, or give up :-(
Regards
Pope
--
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
lgomez@infoemergencias.com
PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
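As an added example, not part of Pope's message or the thread: a small POSIX sh audit of a /proc/mounts listing that flags user-writable filesystems mounted without noexec, and loop devices mounted beneath user-writable trees (the mount step of the bypass shown above). The list of user-writable paths and the sample mount table are my assumptions.

```shell
#!/bin/sh
# Audit a /proc/mounts listing (read from stdin) for two things:
#   1. user-writable filesystems mounted without noexec
#   2. loop devices mounted underneath a user-writable tree, which is
#      what "mount mypartition mounted/ -o loop" in the thread produces
# Live use:  audit_mounts < /proc/mounts

# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options
# (split on commas so "noexec" does not match inside some other option)
has_opt() { printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"; }

audit_mounts() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype opts _; do
        case "$mnt" in
            /home|/home/*|/tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm) writable=1 ;;
            *) writable=0 ;;
        esac
        if [ "$writable" = 1 ] && ! has_opt "$opts" noexec; then
            echo "MISSING-NOEXEC $mnt ($fstype, $opts)"
        fi
        # a loop device below a user-writable tree is the proof-of-concept
        # mount from the thread, whether or not it carries noexec itself
        case "$dev" in
            /dev/loop*)
                case "$mnt" in
                    /home/*|/tmp/*|/var/tmp/*)
                        echo "LOOP-UNDER-USERDIR $dev on $mnt ($opts)" ;;
                esac ;;
        esac
    done
}

# Constructed sample mount table (assumption, not a real host): /home lacks
# noexec, /tmp has it, and a loop device sits under /tmp as in the thread.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /home ext3 rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0
/dev/loop0 /tmp/mounted ext2 rw,noexec 0 0'

# Run the audit over the constructed sample
audit_sample() { printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts; }
```

The loop-device check only catches the mount step; running a binary through /lib/ld-linux.so.2 leaves nothing in the mount table, which is why noexec on its own is not a control.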