Re: package pre/post install scripts on noexec /var ?

To: Michael Bacarella <mbac@nyct.net>
Cc: debian-user@lists.debian.org
Subject: Re: package pre/post install scripts on noexec /var ?
From: Ethan Benson <erbenson@alaska.net>
Date: Thu, 28 Sep 2000 17:58:11 -0800
Message-id: <[🔎] 20000928175811.G1928@plato.local.lan>
In-reply-to: <[🔎] Pine.BSF.4.21.0009281654190.27806-100000@bsd1.nyct.net>; from mbac@nyct.net on Thu, Sep 28, 2000 at 04:58:29PM -0400
References: <[🔎] Pine.LNX.3.96.1000928141849.28052Q-100000@wakko> <[🔎] Pine.BSF.4.21.0009281654190.27806-100000@bsd1.nyct.net>

On Thu, Sep 28, 2000 at 04:58:29PM -0400, Michael Bacarella wrote:
> 
> find /var -type f -perm +111
> 
> The only executable files that show up on my system are package pre/post
> install scripts. I like to mount /var as noexec which means that I can't
> add new packages, or at least their pre/post install scripts don't get to
> run.

correct, which would be a VERY bad thing.  your system will break if
all your package installations don't get these scripts run correctly

> Has anyone had a similar dilemna? I can live with having to remount /var
> if I want to install packages, but I'm just curious as to what my options
> are, if any.

i have found mounting /tmp, /var/tmp and /var noexec breaks too much
and does not really buy you any added security.  your better off with
nosuid,nodev which on the other hand breaks nothing (that i have
encounterd yet)

for an example of why noexec is weak:

[root@socrates /root]# mount -o remount,noexec /var/tmp/
[root@socrates /root]# mount | grep /var/tmp
/dev/hda9 on /var/tmp type ext2 (rw,noexec,nosuid,nodev,usrquota,grpquota)
[root@socrates /root]#

[eb@socrates tmp]$ pwd
/var/tmp
[eb@socrates tmp]$ cat > shellscript
#! /bin/sh
echo "this is a test shell script"
echo "execution complete"
exit 0
[eb@socrates tmp]$ chmod 755 shellscript
[eb@socrates tmp]$ ./shellscript
bash: ./shellscript: Permission denied
[eb@socrates tmp]$ ls -l shellscript
-rwxr-xr-x    1 eb       eb             79 Sep 28 17:50 shellscript
[eb@socrates tmp]$ /bin/sh shellscript
this is a test shell script
execution complete
[eb@socrates tmp]$

now that may not be very interesting since shell scripts just execute
other commands that anyone could just run manually, so lets try
something else:

[eb@socrates tmp]$ cp `which date` .
[eb@socrates tmp]$ ls -l date
-rwxr-xr-x    1 eb       eb          30384 Sep 28 17:52 date
[eb@socrates tmp]$ file date
date: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1,
dynamically linked (uses shared libs), stripped
[eb@socrates tmp]$ ./date
bash: ./date: Permission denied
[eb@socrates tmp]$ /lib/ld.so.1 ./date
Thu Sep 28 17:54:19 AKDT 2000
[eb@socrates tmp]$

(on x86 the above ld trick would use /lib/ld-linux.so.2, the example
is on a powerpc)

as you can see noexec does not really prevent anyone from executing a
program.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpoQEu6jObL4.pgp
Description: PGP signature

Reply to:

References:
- Re: Woody broke my system
  - From: Jason Gunthorpe <jgg@ualberta.ca>
- package pre/post install scripts on noexec /var ?
  - From: Michael Bacarella <mbac@nyct.net>

Prev by Date: RE: Hostnames not resolving
Next by Date: Re: Which files in /var to back up?
Previous by thread: package pre/post install scripts on noexec /var ?
Next by thread: Install linux with Pentium Pro 200 Bi-Proc.
Index(es):
- Date
- Thread