Re: cron exploit?

[Steffen Kluge <kluge () fujitsu com au>]

On Thu, 2003-10-02 at 05:08, Barry Fitzgerald wrote:
> Rule of thumb: anything that the user doesn't need to write to, mount as 
> ro and only take it out of ro if necessary, mount all other 
> write-required locations as nodev,nosuid,noexec...

Noexec seems to be a waste of time, at least on the Linux boxes I've
tested it. It is trivially circumvented, since it appears to be checked
only by the exec* system calls.

Something like `/lib/ld-linux.so.2 /tmp/prog' runs anything from a
noexec mounted /tmp filesystem, and is safe and easy to build into root
kits.

Nevertheless, noexec frustrates the occasional software installer
(vmware, openoffice), that extracts an install script to /tmp...

I'd be interested to hear how noexec is implemented on other Unixes, at
the moment I haven't got access to any I could play with.

Cheers
Steffen.

Attachment: signature.asc
Description: This is a digitally signed message part