On Thu, 2007-01-11 at 18:52 -0500, Roberto C. Sanchez wrote:
> Yup. While that will thwart the most naïve of attacks, put a binary
> (not a script) in there (something like ls works) and run this:
>
> /lib/ld-linux.so.2 /tmp/ls

That is actually not possible if you have a recent linux kernel.

"Newer versions of the kernel do however handle the noexec flag
properly:

angrist:/tmp# mount | grep /tmp
/dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)
angrist:/tmp# ./date
bash: ./tmp: Permission denied
angrist:/tmp# /lib/ld-linux.so.2 ./date
./date: error while loading shared libraries: ./date: failed to map segment
from shared object: Operation not permitted"

http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.10

There might still be an easy way around that of course.

--
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 760BDD22
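
Added example (not part of the original message or of the Securing Debian Manual): a Python check of the behaviour quoted above. It reads the options from a mount output line and attempts an executable mmap of a scratch file in each directory; where the kernel enforces noexec on mappings the attempt is refused with EPERM, the "Operation not permitted" the loader printed. The function names and the default directory list are assumptions of this example.

```python
import errno, mmap, os, sys, tempfile

def parse_mount_line(line):
    """Split 'DEV on DIR type FS (opt,opt,...)' as printed by mount."""
    _dev, rest = line.split(" on ", 1)
    mountpoint, rest = rest.rsplit(" type ", 1)
    fstype, opts = rest.split(" (", 1)
    return mountpoint, fstype, set(opts.strip().rstrip(")").split(","))

def missing_hardening(line, wanted=("noexec", "nosuid", "nodev")):
    """Hardening options that a mount output line does not carry."""
    return [o for o in wanted if o not in parse_mount_line(line)[2]]

def noexec_flag(path):
    """True if statvfs reports the filesystem holding path as noexec."""
    return bool(os.statvfs(path).f_flag & os.ST_NOEXEC)

def exec_mapping_result(directory):
    """mmap a scratch file in directory with PROT_EXEC, as ld.so would.

    Returns 'mapped' if the kernel allows it, else the errno name
    (EPERM when the noexec flag is enforced on mappings)."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory) as f:
            f.write(b"\0" * mmap.PAGESIZE)
            f.flush()
            m = mmap.mmap(f.fileno(), mmap.PAGESIZE, flags=mmap.MAP_PRIVATE,
                          prot=mmap.PROT_READ | mmap.PROT_EXEC)
            m.close()
            return "mapped"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))

if __name__ == "__main__":
    # Constructed sample: the mount line shown in the message above.
    sample = "/dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)"
    print("sample missing:", missing_hardening(sample) or "nothing")
    # Default directories are an assumption; pass others as arguments.
    for d in sys.argv[1:] or ["/tmp", "/var/tmp", "/dev/shm"]:
        if os.path.isdir(d):
            state = "noexec" if noexec_flag(d) else "exec allowed"
            print(f"{d}: mount={state} PROT_EXEC mmap={exec_mapping_result(d)}")
```

A directory reported as noexec by the mount flags but "mapped" by the probe means the flag is not being enforced on mappings there.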