[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security Implications of DKMS?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/27/12 08:48, Yves-Alexis Perez wrote:
> On mar., 2012-03-27 at 14:18 +0300, Rares Aioanei wrote:
>> I see that as a myth. Look at it this way: if an attacker already has
>> access to your machine, he/she can install anything he/she wants,
>> including compilers, interpreters, whatever.
>
> A good way to prevent that is to enforce W^X. There are various kernel
> ways to do that (MAC, Grsec trusted execution path), but also at mount
> time, it might be interesting to not have rw and exec on the same
> filesystem.
>
> Regards,
I'd advise doing this or at *least marking home and tmp folders noexec! 
One could still nullify this, fuse and executing anonymous files are two
things to try.

/usr does not have to have the permissions that would allow users to
write there and / and /var don't needed exec either, though that might
not be totally true.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPdT2KAAoJEOPRqa2O3KuKNf8P/2vesr8EkmB55rHAS5qlYNed
Ib/XItmsO6cS4YCG7s/Ilqh1OWGmZlT0FqJJzCYkrfMQ1/QmFo2kQc+ti0FjPknA
zJU0DklhUrmrii0bAhtnZL30fqS8Mqq08+WKoxudPcmIg3J6CRPSdWqxQIpPQ/He
q4gDCfGvUgD/aLR+dk/PsMPV6uaGo+T0bhBTT3cD2lMaYiJdws1jdedBqDZOy7yk
ryPMNxcCX5DEAbrpwDfj0XsT9jcvtAnu7z59ypnqDOPyrS7iwOxayqMLD/pRmoiz
jv6srJu2lSkojHhnw14uyGHvXxZAxoKJqzQaD7MpzQtvVcxiuFfy68xkI/gyfXS0
SCpaDCpqzZYiwElwT8a87fAJycIyg1URUwZ1YYUzppOzsNLC3j3Giq9bc9hEmIry
UhJzfv3OFuz0Ajk/66jEq+e1LS0euayKyOVlP0ffl0raNqNWzxDq0dQk5aGJaify
5b4qBpA4UvcpkZq1UZPAZKIJL8I4Gu3Ro9v1tT2LArjDwLbRzHku0PYy24Zc+/YN
AiNb9zw1MJJzEIWbwGRohHqESFl6fD0cOYZEjp4mDvODDGA2vx0MNEljolFKZqEg
fB055QQCqiUhPxiszLIVKWgzL/HJqaxn2DfwM/S7EOZXDN5B6M4FmVMoAiU3hm36
yUiYlMUZpdQQg/c1U2yM
=MuIi
-----END PGP SIGNATURE-----
Reply to: