Security Incidents mailing list archives
Re: cron exploit?
From: Steffen Kluge <kluge () fujitsu com au>
Date: Thu, 02 Oct 2003 11:44:42 +1000
On Thu, 2003-10-02 at 05:08, Barry Fitzgerald wrote:
Rule of thumb: anything that the user doesn't need to write to, mount as ro and only take it out of ro if necessary, mount all other write-required locations as nodev,nosuid,noexec...
Noexec seems to be a waste of time, at least on the Linux boxes I've tested it. It is trivially circumvented, since it appears to be checked only by the exec* system calls. Something like `/lib/ld-linux.so.2 /tmp/prog' runs anything from a noexec mounted /tmp filesystem, and is safe and easy to build into root kits. Nevertheless, noexec frustrates the occasional software installer (vmware, openoffice), that extracts an install script to /tmp... I'd be interested to hear how noexec is implemented on other Unixes, at the moment I haven't got access to any I could play with. Cheers Steffen.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: cron exploit? Vinicius Moreira Mello (Oct 01)
- Re: cron exploit? Barry Fitzgerald (Oct 01)
- Re: cron exploit? Steffen Kluge (Oct 02)
- Re: cron exploit? Jeremy Hanmer (Oct 02)
- <Possible follow-ups>
- Re: cron exploit? Jeremy Hanmer (Oct 02)
- Re: cron exploit? Matt Zimmerman (Oct 10)
- Re: cron exploit? Barry Fitzgerald (Oct 01)