On Sat, Jul 12, 2003 at 09:34:16PM -0400, Noah L. Meyerhans wrote:
> On Sat, Jul 12, 2003 at 09:22:45PM -0400, Jim Popovitch wrote:
> > I have a complaint/opinion/statement to express. It seems that every now
> > and then when I run 'apt-get upgrade' I get a lot of errors about "Can't
> > exec "/tmp/config.xxxxx": Permission denied at...".
>
> Second of all, mounting a filesystem with the noexec flag (assuming
> /tmp is a separate filesystem on your system and this is, in fact, what
> you're doing) has been shown many many times to not provide any level of
> protection. Try this on your noexec mounted /tmp:
> # cp /bin/ls /tmp/
> # /lib/ld-linux.so.2 /bin/ls
>
> Basically, what it comes down to is that you *can not* prevent files
> from being executed.
This is at least the third time this has come up that I remember.

However, absolute statements like *can not* get me thinking: Is there any sort of file that can't be executed from /tmp? What about statically linked ELF binaries? /lib/ld-linux.so.2 /sbin/e2fsck.static segfaults. In five minutes, I haven't thought of a way to execute one.

This is of course not useful from a security perspective, as one can simply upload executables that can have interpreters (such as ld-linux.so.2 or /bin/sh) run on them, if one is in a position to upload and run something in the first place. Maybe if there are space constraints on what you can upload (the size of a buffer that you can overflow without segfaulting, maybe?), your carefully constructed assembly-code binary[1] won't be usable on systems run by overly paranoid people with non-executable /tmp directories.

Hmm, what about in a chroot jail? If you don't leave any interpreters inside the jail (that means no dynamically linked programs, and no scripts of any sort), noexec could possibly be useful. You'd have to arrange for the software in the jail to do the chroot(2) itself, as there should be nothing to execve(2) inside the jail.

[1] http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
    http://developers.slashdot.org/article.pl?sid=02/10/19/1233250

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack my
 day so wretchedly into small pieces!" -- Plautus, 200 BC
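The question above (why ld-linux.so.2 can run a dynamically linked program copied into a noexec /tmp but not a statically linked one) comes down to what the dynamic loader has to work with. A dynamically linked executable names its interpreter in a PT_INTERP program header and carries a PT_DYNAMIC segment; a statically linked one has neither, so the loader has nothing to act on. The following script, added here as an illustration and not part of the original thread, parses the ELF program header table and reports which of the two a file is. It also builds two constructed, headers-only ELF64 images in memory so it can be run offline; the `build_elf64` helper and the `/sbin/e2fsck.static` path on the command line are assumptions for the example, and a file is labelled `static-pie` when it has PT_DYNAMIC but no PT_INTERP.

```python
"""Classify ELF executables as dynamic, static-pie or static by program headers.

Added example for the noexec /tmp discussion; not code from the thread.
"""
import struct
import sys

PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def elf_program_headers(data: bytes):
    """Return a list of (p_type, p_offset, p_filesz) for every program header.

    Handles ELF32 and ELF64 in either byte order; only the fields needed to
    find the interpreter string are decoded.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2            # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    if is64:
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)   # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(endian + "I", data, 28)   # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    headers = []
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(endian + "I", data, base)
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            (p_offset,) = struct.unpack_from(endian + "Q", data, base + 8)
            (p_filesz,) = struct.unpack_from(endian + "Q", data, base + 32)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz
            (p_offset,) = struct.unpack_from(endian + "I", data, base + 4)
            (p_filesz,) = struct.unpack_from(endian + "I", data, base + 16)
        headers.append((p_type, p_offset, p_filesz))
    return headers


def classify(data: bytes):
    """Return ("dynamic", interp_path), ("static-pie", None) or ("static", None)."""
    types = set()
    interp = None
    for p_type, p_offset, p_filesz in elf_program_headers(data):
        types.add(p_type)
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            interp = raw.split(b"\0", 1)[0].decode()
    if PT_INTERP in types:
        return "dynamic", interp
    if PT_DYNAMIC in types:
        return "static-pie", None
    return "static", None


def build_elf64(phdr_types, interp=None):
    """Constructed, headers-only little-endian ELF64 image for offline testing.

    This is test scaffolding for the example, not a real executable: there is
    no code, only an ELF header, a program header table and an optional
    interpreter string placed right after the table.
    """
    phnum = len(phdr_types)
    phoff = 64                        # program headers follow the ELF header
    data_off = phoff + 56 * phnum     # interpreter string follows the table
    interp_bytes = interp.encode() + b"\0" if interp else b""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, v1
    # e_type=ET_EXEC, e_machine=62 (x86-64), e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                              64, 56, phnum, 64, 0, 0)
    phdrs = b""
    for t in phdr_types:
        if t == PT_INTERP:
            n = len(interp_bytes)
            phdrs += struct.pack("<IIQQQQQQ", t, 4, data_off, 0, 0, n, n, 1)
        else:
            phdrs += struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
    return hdr + phdrs + interp_bytes


if __name__ == "__main__":
    # Usage: python3 elfclass.py /bin/ls /sbin/e2fsck.static
    # (paths are examples; any ELF files on the host will do)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind, interp = classify(fh.read())
        print(f"{path}: {kind}" + (f" (interpreter {interp})" if interp else ""))
```

Run against real files, a dynamically linked program prints its interpreter (the same ld-linux.so.2 used in the quoted demonstration), while a statically linked one prints `static`, which is the property that makes it unusable via the loader trick. Note that this only classifies files; it says nothing about whether a given mount actually blocks them.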