Re: Long Exim break-in analysis

To: Vladislav Kurz <vladislav.kurz@webstep.net>
Cc: debian-security@lists.debian.org
Subject: Re: Long Exim break-in analysis
From: Martin Zobel-Helas <zobel@ftbfs.de>
Date: Tue, 21 Dec 2010 23:19:37 +0100
Message-id: <[🔎] 20101221221937.GS1822@ftbfs.de>
In-reply-to: <[🔎] 201012212307.37241.vladislav.kurz@webstep.net>
References: <[🔎] 201012212307.37241.vladislav.kurz@webstep.net>

Hi, 

On Tue Dec 21, 2010 at 23:07:37 +0100, Vladislav Kurz wrote:
> 
> Lessons learned:
> 1. subscribe to DSA and run apt-get 
> 2. /var/spool, /var/tmp, /tmp and other places where unprivileged users can 
> write, should be mounted nosuid and even better noexec. It seems that this 
> could prevent the attack, or at least make it much more difficult. 
> 
> As for point 2. it's a pity that dpkg is using /tmp and /var/lib/dpkg/ to run 
> scripts during installation and removal of packages. It would be nice if 
> whole /var could be mounted noexec.
> 

# cat apt.conf.d/01remount
DPkg::Pre-Invoke {"if mount | awk '{print $3}' | grep -q '^/tmp$'; then /bin/mount -o remount,exec /tmp; fi";};
DPkg::Post-Invoke {"if mount | awk '{print $3}' | grep -q '^/tmp$'; then /bin/mount -o remount,noexec /tmp; fi";};


-- 
 Martin Zobel-Helas <zobel@debian.org>  | Debian System Administrator
 Debian & GNU/Linux Developer           |           Debian Listmaster
 Public key http://zobel.ftbfs.de/5d64f870.asc   -   KeyID: 5D64 F870
 GPG Fingerprint:  5DB3 1301 375A A50F 07E7  302F 493E FB8E 5D64 F870

Reply to:

Follow-Ups:
- Re: Long Exim break-in analysis
  - From: Marc Haber <mh+debian-security@zugschlus.de>

References:
- Long Exim break-in analysis
  - From: Vladislav Kurz <vladislav.kurz@webstep.net>

Prev by Date: Long Exim break-in analysis
Next by Date: Re: Long Exim break-in analysis
Previous by thread: Long Exim break-in analysis
Next by thread: Re: Long Exim break-in analysis
Index(es):
- Date
- Thread