On Mon, Nov 27, 2000 at 12:57:53PM -0800, kmself@ix.netcom.com wrote: > > I suspect this isn't something Debian can fix and make go away. it would be non-trivial and wouldn't create much benifit. > Following discussion here a few weeks ago, I tweaked several of my > partition mount options, specifically disallowing suid, dev, and exec > privileges on a number of partitions. I suspect 'noexec' is going to be > a bit problematic in a number of places. I've since changed /var to > allow 'exec' privileges. nosuid,nodev is really the more important ones IMO. noexec is really quite weak since you can execute binaries and shell scripts on noexec mounted filesystems anyway: [eb@socrates /tmp]$ cp /bin/date . [eb@socrates /tmp]$ ls -l ./date -rwxr-xr-x 1 eb eb 30384 Nov 28 04:32 ./date [eb@socrates /tmp]$ file date date: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1, dynamically linked (uses shared libs), stripped [eb@socrates /tmp]$ mount | grep " /tmp" /dev/hda10 on /tmp type ext2 (rw,noexec,nosuid,nodev,usrquota,grpquota) [eb@socrates /tmp]$ ./date bash: ./date: Permission denied [eb@socrates /tmp]$ /lib/ld-2.1.3.so ./date Tue Nov 28 04:32:41 AKST 2000 [eb@socrates /tmp]$ > > # <fs> <mountpt> <type> <options> <dump> <pass> > /dev/hda3 / ext2 defaults,errors=remount-ro 0 1 > > /dev/sdb5 /tmp ext2 defaults,nosuid,noexec,nodev 0 2 noexec will cause you problems here too, some programs create temporary shell scripts in /tmp and execute them. > /dev/sdb6 /var ext2 defaults,nosuid,nodev 0 2 > /dev/hda5 /var/spool/news ext2 defaults,nosuid,noexec,nodev 0 2 > /dev/sda5 /usr ext2 defaults,ro,nodev 0 2 > /dev/sdb7 /usr/local ext2 defaults,ro,nosuid,nodev 0 2 > /dev/sda7 /home ext2 defaults,nosuid,nodev 0 2 these should be fine, though if you allow exec on /home why bother with noexec on other user writable filesystems? > /dev/hdc /mnt/cdrom iso9660 noauto,user,ro,nodev,nosuid 2 2 > /dev/fd0 /mnt/floppy auto noauto,gid=disk,umask=007,rw,user 2 2 > > Note that 'user' implies noexec, nosuid, and nodev. > > Thoughts, anyone? IMO trying to prevent users from running arbitary binaries is futile, its better to use nosuid,nodev to improve security a bit (though in theory you need root to create a device file or create a suid binary in which case you can remount exec,suid but i suppose there might be some odd exploits where a device or suid binary could be created but not a direct root shell) also think about why you would try and prevent a user from executing thier own programs: resource starvation, they can do this with already installed programs, say su `cat /dev/urandom`. this is better solved by resource limits. one case i can see where you would not want users running things is some sort of tcp service, like a irc proxy or something. i am not sure how you can prevent this other then very clever firewalling rules. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpFNFiDHXpjb.pgp
Description: PGP signature