Re: Long Exim break-in analysis
* Bastian Blank <email@example.com> [101222 11:30]:
> On Wed, Dec 22, 2010 at 10:18:50AM +0100, Bernhard R. Link wrote:
> > That said, having /tmp noexec,nosuid and /var nosuid will only make some
> > script-kiddies slower and the more people use it the less it helps.
> It is a start.
I'd not call it a start. It is more like a little pillow at the ground of the
pit. It's nice to have if someone falls but only helps once it is
already too late.
> > As long as you have things like /dev/shm world-writeable and not
> > mounted nosuid there are trivial other ways for attackers.
> /dev/shm _is_ mounted nosuid by default.
Indeed. Since lenny (and perhaps etchnhalf) it is nosuid by default.
Sorry, I sometimes lose track of the many little things I let my
installer patch after installing.
> > And history
> > shows that there were often ways around noexec and nosuid and though many
> > of the known ones should be closed by now,
> Around noexec: not much, at least for real binaries.
In the past there was the ld.so trick. That is said to be closed now.
But I would make no bet that on a full desktop-system there is nothing
that can still be used to execute something (perhaps some of those
start-programs-with-libraries already loaded tricks or things like
> Around nosuid:
> please show me.
In the past there was perl-suid. I hope no one will do something as stupid
as that again. But then I was already quite perplexed something like that
Bernhard R. Link
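Added example, not part of the thread or of any Debian tooling: a POSIX shell
check for the noexec/nosuid options the thread argues about, run over
constructed /proc/mounts-style lines. The mount points and options are the
ones named above; the sample mount table is constructed for the example.

```shell
#!/bin/sh
# Check whether /tmp, /var and /dev/shm carry the hardening mount options
# discussed in the thread. Input is text in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Constructed sample standing in for /proc/mounts: /tmp lacks noexec,
# /var lacks nosuid, /dev/shm has both (as the thread says is the default).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_options MOUNTS_TEXT MOUNTPOINT
# Prints the option field of the last line for MOUNTPOINT; the last entry
# wins because the kernel lists a later overmount after the earlier one.
mount_options() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# has_option OPTS NAME -> exit 0 if NAME is one of the comma-separated OPTS.
# Commas are added on both sides so "nosuid" does not match "nosuidfoo".
has_option() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# missing_options MOUNTS_TEXT MOUNTPOINT OPT...
# Prints the expected options that are absent, space-separated; empty
# output means every expected option is present (or nothing is mounted).
missing_options() {
  mounts=$1; mp=$2; shift 2
  opts=$(mount_options "$mounts" "$mp")
  missing=""
  for want in "$@"; do
    has_option "$opts" "$want" || missing="$missing $want"
  done
  printf '%s' "${missing# }"
}

# Report the three mount points from the thread against the sample table.
# Replace "$SAMPLE_MOUNTS" with "$(cat /proc/mounts)" to audit a live host.
for mp in /tmp /var /dev/shm; do
  case $mp in
    /var) want="nosuid" ;;          # the thread asks only nosuid of /var
    *)    want="noexec nosuid" ;;
  esac
  m=$(missing_options "$SAMPLE_MOUNTS" "$mp" $want)
  if [ -z "$m" ]; then echo "$mp: ok"; else echo "$mp: missing $m"; fi
done
```

A mount point that is absent from the table reports nothing missing, so an
unmounted /tmp passes silently; check separately that it is a mount at all.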