Re: Mounting filesystems with "noexec"

From: Andreas Jonsson (andreas_at_romab.com)
Date: 09/23/05

  • Next message: Borja Marcos: "Re: Mounting filesystems with "noexec""
    Date: Fri, 23 Sep 2005 00:14:47 +0200
    To: Borja Marcos <borjamar@sarenet.es>
    
    

    Borja Marcos wrote:
    >
    > Hello,
    >
    > I've been playing a bit with the "noexec" flag for filesystems. It can
    > represent a substantial obstacle against the exploitation of security
    > holes.
    >

    I think TPE (trusted path execution) would be the prefered solution to
    this problem. As others have pointed out, circumventing the 'noexec'
    attribute is pretty easy. That said, i don't think it is a bad idea to
    use this, but one should be aware of how this defense might be defeated.

    Instead of running "./script.sh" or "./script.pl" you just have to type
    /bin/sh script.sh or /usr/bin/perl script.pl which gives pretty much
    everything you need when it comes to using exploits. In linux you could
    also circumvent it by using /lib/ld.so exploit, but i'm not sure if that
    is "fixed" now or not.

    TPE requires all the binaries and subpaths to be owned by root. ie
    /home/
    /home/user and /home/user/file need to be owned by root to allow
    execution. GRSec for linux provides this functionality aswell as
    Stephanie does for OpenBSD.

    Both solves the problems with interperters aswell, but i havent looked
    into how, just used system that uses TPE. If there are problems with
    TPE that people know about, please tell. Obvious things are mounted
    filesystems from other machines, like nfs.

    /andreas
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Borja Marcos: "Re: Mounting filesystems with "noexec""