[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Partition mount options (was Re: apg-get: "Can't exec "/var...)

On Mon, Nov 27, 2000 at 12:57:53PM -0800, kmself@ix.netcom.com wrote:
> I suspect this isn't something Debian can fix and make go away.

it would be non-trivial and wouldn't create much benifit.

> Following discussion here a few weeks ago, I tweaked several of my
> partition mount options, specifically disallowing suid, dev, and exec
> privileges on a number of partitions.  I suspect 'noexec' is going to be
> a bit problematic in a number of places.  I've since changed /var to
> allow 'exec' privileges. 

nosuid,nodev is really the more important ones IMO.  noexec is really
quite weak since you can execute binaries and shell scripts on noexec
mounted filesystems anyway:

[eb@socrates /tmp]$ cp /bin/date .
[eb@socrates /tmp]$ ls -l ./date
-rwxr-xr-x    1 eb       eb          30384 Nov 28 04:32 ./date
[eb@socrates /tmp]$ file date
date: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1,
dynamically linked (uses shared libs), stripped
[eb@socrates /tmp]$ mount | grep " /tmp"
/dev/hda10 on /tmp type ext2 (rw,noexec,nosuid,nodev,usrquota,grpquota)
[eb@socrates /tmp]$ ./date
bash: ./date: Permission denied
[eb@socrates /tmp]$ /lib/ld-2.1.3.so ./date
Tue Nov 28 04:32:41 AKST 2000
[eb@socrates /tmp]$

>   # <fs>   <mountpt>  <type> <options>		<dump> <pass>
>   /dev/hda3  /		ext2 defaults,errors=remount-ro   		0 1
>   /dev/sdb5  /tmp 	ext2 defaults,nosuid,noexec,nodev 		0 2

noexec will cause you problems here too, some programs create
temporary shell scripts in /tmp and execute them.  

>   /dev/sdb6  /var 	ext2 defaults,nosuid,nodev			0 2
>   /dev/hda5  /var/spool/news ext2 defaults,nosuid,noexec,nodev 		0 2
>   /dev/sda5  /usr 	ext2 defaults,ro,nodev 				0 2
>   /dev/sdb7  /usr/local ext2 defaults,ro,nosuid,nodev 			0 2
>   /dev/sda7  /home 	ext2 defaults,nosuid,nodev			0 2

these should be fine, though if you allow exec on /home why bother
with noexec on other user writable filesystems?  

>   /dev/hdc   /mnt/cdrom iso9660 noauto,user,ro,nodev,nosuid		2 2
>   /dev/fd0   /mnt/floppy auto noauto,gid=disk,umask=007,rw,user 	2 2
> Note that 'user' implies noexec, nosuid, and nodev.
> Thoughts, anyone?

IMO trying to prevent users from running arbitary binaries is futile,
its better to use nosuid,nodev to improve security a bit (though in
theory you need root to create a device file or create a suid binary
in which case you can remount exec,suid but i suppose there might be
some odd exploits where a device or suid binary could be created but
not a direct root shell) 

also think about why you would try and prevent a user from executing
thier own programs:  resource starvation, they can do this with
already installed programs, say su `cat /dev/urandom`.  this is better
solved by resource limits.  

one case i can see where you would not want users running things is
some sort of tcp service, like a irc proxy or something.  i am not
sure how you can prevent this other then very clever firewalling

Ethan Benson

Attachment: pgpFNFiDHXpjb.pgp
Description: PGP signature

Reply to: