Re: Email based attack on University



On Sat, Oct 05, 2019 at 09:39:06AM -0000, Curt wrote:
> On 2019-10-05, Keith Bainbridge <ke1th3216@gmail.com> wrote:
> 
> > I'm still lurking here, but not sure what this suggestion means.
> 
> He's not making one.
> 
> He's offering examples of the trivial circumvention of the noexec option
> (but they all appear to be faulty for one reason or another).

OK. Calculemus, as Leibnitz used to say. At least one of them isn't faulty.
Here is a session transcript (interspersed with comments by me, prefixed
with '#'), which shows that method 1 actually works (I wouldn't have
expected otherwise):

  # Make two directories. The one will be mounted onto the other:
  tomas@trotzki:~$ mkdir foo bar
  # Create a shell script in foo, make it executable, and run it...
  tomas@trotzki:~$ echo -e '#!/bin/sh\necho hello, world' > foo/hello
  tomas@trotzki:~$ chmod ugo+x foo/hello
  tomas@trotzki:~$ foo/hello
  hello, world
  # OK, that works. Now mount bind foo onto bar...
  tomas@trotzki:~$ sudo mount --bind foo bar
  [sudo] password for tomas: 
  # and remount it noexec
  # (NB this two-step process seems needed, I failed trying
  # to pass the noexec option to the first bind-mount.
  # Possibly PEBKAC)
  tomas@trotzki:~$ sudo mount -oremount,bind,noexec foo bar
  # What do we have?
  tomas@trotzki:~$ ls -al foo bar
  bar:
  total 20
  drwxr-xr-x   2 tomas tomas  4096 Oct  5 11:53 .
  drwxr-x--x 228 tomas tomas 12288 Oct  5 11:53 ..
  -rwxr-xr-x   1 tomas tomas    28 Oct  5 11:53 hello
  
  foo:
  total 20
  drwxr-xr-x   2 tomas tomas  4096 Oct  5 11:53 .
  drwxr-x--x 228 tomas tomas 12288 Oct  5 11:53 ..
  -rwxr-xr-x   1 tomas tomas    28 Oct  5 11:53 hello
  # Strangely enough, bar/hello shows as executable, although
  # we clearly ordered noexec. WTF? But...
  #
  # ...noexec works as advertised!
  tomas@trotzki:~$ bar/hello
  bash: bar/hello: Permission denied
  # But we can bypass it with Jonathan's first method:
  tomas@trotzki:~$ /bin/sh bar/hello
  hello, world


The other two methods are left as an exercise to the reader.

I'm pretty confident that they'll work. Firstly, Jonathan
knows his stuff. Secondly, for each method, for the interpreter
(be it the shell, be it ld.so), the thing coming from the
"noexec" file system are just data: the interpreter is what
is being executed (and that is outside of the noexec mount).
The system can't know that the interpreter is going to "pass
the buck".

Cheers
-- tomás

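Added example, not part of tomás's message or the thread: a small POSIX sh check that reads /proc/self/mountinfo and reports the mount options that actually govern a path, which is what the `ls -al` listing in the transcript above cannot show (bar/hello keeps its x bit while the mount is noexec). The mountinfo walk and the `is_noexec` helper are my own assumptions; they assume Linux and a `readlink -f`.

```shell
#!/bin/sh
# Added example (not from tomás's message): find the mount options that
# really apply to a path by walking /proc/self/mountinfo and taking the
# deepest mount point that contains the path. Useful when, as in the
# transcript above, ls shows an executable bit on a file that is refused
# with "Permission denied" because the mount itself is noexec.
# Assumes Linux and POSIX sh with readlink -f. Mount points containing
# spaces appear escaped (\040) in mountinfo and are not handled here.

mount_opts_for() {
    path=$(readlink -f "$1") || return 1
    best=""
    opts=""
    # mountinfo fields: id parent major:minor root mountpoint options ...
    while read -r _id _parent _dev _root mnt mopts _rest; do
        case "$path" in
            "$mnt"|"${mnt%/}"/*)
                # Prefer the longest matching mount point (innermost mount)
                if [ "${#mnt}" -gt "${#best}" ]; then
                    best=$mnt
                    opts=$mopts
                fi
                ;;
        esac
    done < /proc/self/mountinfo
    printf '%s\n' "$opts"
}

# Exit status 0 if the mount holding the path carries noexec, 1 otherwise.
is_noexec() {
    case ",$(mount_opts_for "$1")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: ./mountcheck.sh bar/hello
if [ -n "$1" ]; then
    if is_noexec "$1"; then
        echo "$1: on a noexec mount (opts: $(mount_opts_for "$1"))"
    else
        echo "$1: not on a noexec mount (opts: $(mount_opts_for "$1"))"
    fi
fi
```

Run it against both foo/hello and bar/hello after the remount in the transcript: the file is identical, only the reported mount options differ.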