On Tue, Jul 15, 2003 at 09:38:45AM +0200, DEFFONTAINES Vincent wrote:
> > > On Sun, Jul 13, 2003 at 11:55:45PM -0400, Matt Zimmerman wrote:
> > > If the user can read files in /tmp, they can execute the
> > > code in them.
> >
> > even if the user is a "nobody" that owns no files or
> > directories and grsecurity, selinux or the like prevents
> > him/her to execute directly code from world writeable directories?
> >
> > (I do not know, so I ask)
>
> Grsecurity has a "trusted path execution" option.
> Paste from config help :
>
> CONFIG_GRKERNSEC_TPE:
> If you say Y here, you will be able to choose a gid to add to the
> supplementary groups of users you want to mark as "untrusted."
> These users will not be able to execute any files that are not in
> root-owned directories writeable only by root. If the sysctl option
> is enabled, a sysctl option with name "tpe" is created.

That doesn't help. /lib is root-owned and not writeable by non-root. TPE
won't stop them from running /lib/ld-linux.so.2 or /bin/sh, will it? (Is TPE
useful for anything against attackers that know about using ld-linux.so.2?
I guess it makes it inconvenient to set up and use your own software on an
account restricted with that.)

grsecurity does have stuff about limiting mprotect(2), but the docs
explicitly say that grsecurity won't stop an attacker from running code they
can mmap from a file.

A possibly-useful extension to grsecurity would be to require execute
permission on a file to mmap(2) it with PROT_EXEC. (On normal Debian
systems, shared libraries don't have the execute permission bit set, so
maybe checking just the noexec mount flag, or integrating with TPE would
make it easier to get started with. Otherwise, you'd have to make sure all
libraries on the system were chmod +x, and check every new software package
you installed.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BC
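
An added example, not part of the original message or of grsecurity: a userspace audit that applies the TPE directory rule and the noexec mount flag to every file-backed executable mapping of a process, which is the check the message proposes making at mmap(2) time. The maps lines, the directory metadata and the names DirInfo, DIRS, MAPS, tpe_trusted and flag_exec_mappings are all constructed for illustration.

```python
import stat
from collections import namedtuple

# owner uid, permission bits, whether the containing mount is noexec
DirInfo = namedtuple("DirInfo", "uid mode noexec")

# Constructed metadata, standing in for os.stat() and /proc/mounts lookups.
DIRS = {
    "/bin": DirInfo(0, 0o755, False),
    "/lib": DirInfo(0, 0o755, False),
    "/tmp": DirInfo(0, 0o1777, True),
    "/home/guest": DirInfo(1000, 0o755, False),
}

# Constructed /proc/<pid>/maps content for a process started via ld-linux.so.2.
MAPS = """\
40000000-40015000 r-xp 00000000 03:01 2345 /lib/ld-linux.so.2
40020000-40140000 r-xp 00000000 03:01 2346 /lib/libc.so.6
40140000-40145000 rw-p 00120000 03:01 2346 /lib/libc.so.6
40200000-40201000 r-xp 00000000 03:05 77 /tmp/a.out
40300000-40301000 r-xp 00000000 03:06 91 /home/guest/libfoo.so
bffeb000-c0000000 rwxp 00000000 00:00 0
"""

def tpe_trusted(d):
    """TPE rule from the config help: root-owned, writable only by root."""
    return d.uid == 0 and not d.mode & (stat.S_IWGRP | stat.S_IWOTH)

def flag_exec_mappings(maps, dirs):
    """List (path, reasons) for file-backed executable mappings that a
    TPE or noexec check applied at mmap(PROT_EXEC) time would refuse."""
    findings = []
    for line in maps.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or "x" not in fields[1]:
            continue  # anonymous or non-executable mapping
        path = fields[5]
        if not path.startswith("/"):
            continue  # pseudo-mappings such as [stack] or [vdso]
        d = dirs.get(path.rsplit("/", 1)[0])
        reasons = []
        if d is None or not tpe_trusted(d):
            reasons.append("directory not TPE-trusted")
        if d is not None and d.noexec:
            reasons.append("noexec mount")
        if reasons:
            findings.append((path, reasons))
    return findings
```

The loader and libc in /lib pass both checks while the files they map from /tmp and /home/guest are flagged, and no mapping is judged by its execute permission bit, so mode-0644 shared libraries are not caught by it.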