On Thu, Sep 28, 2000 at 04:58:29PM -0400, Michael Bacarella wrote:
>
> find /var -type f -perm +111
>
> The only executable files that show up on my system are package pre/post
> install scripts. I like to mount /var as noexec which means that I can't
> add new packages, or at least their pre/post install scripts don't get to
> run.

correct, which would be a VERY bad thing.  your system will break if all
your package installations don't get these scripts run correctly

> Has anyone had a similar dilemma? I can live with having to remount /var
> if I want to install packages, but I'm just curious as to what my options
> are, if any.

i have found mounting /tmp, /var/tmp and /var noexec breaks too much and
does not really buy you any added security.  you're better off with
nosuid,nodev which on the other hand breaks nothing (that i have
encountered yet)

for an example of why noexec is weak:

[EMAIL PROTECTED] /root]# mount -o remount,noexec /var/tmp/
[EMAIL PROTECTED] /root]# mount | grep /var/tmp
/dev/hda9 on /var/tmp type ext2 (rw,noexec,nosuid,nodev,usrquota,grpquota)
[EMAIL PROTECTED] /root]#

[EMAIL PROTECTED] tmp]$ pwd
/var/tmp
[EMAIL PROTECTED] tmp]$ cat > shellscript
#! /bin/sh
echo "this is a test shell script"
echo "execution complete"
exit 0
[EMAIL PROTECTED] tmp]$ chmod 755 shellscript
[EMAIL PROTECTED] tmp]$ ./shellscript
bash: ./shellscript: Permission denied
[EMAIL PROTECTED] tmp]$ ls -l shellscript
-rwxr-xr-x    1 eb       eb             79 Sep 28 17:50 shellscript
[EMAIL PROTECTED] tmp]$ /bin/sh shellscript
this is a test shell script
execution complete
[EMAIL PROTECTED] tmp]$

now that may not be very interesting since shell scripts just execute
other commands that anyone could just run manually, so let's try
something else:

[EMAIL PROTECTED] tmp]$ cp `which date` .
[EMAIL PROTECTED] tmp]$ ls -l date
-rwxr-xr-x    1 eb       eb          30384 Sep 28 17:52 date
[EMAIL PROTECTED] tmp]$ file date
date: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1, dynamically linked (uses shared libs), stripped
[EMAIL PROTECTED] tmp]$ ./date
bash: ./date: Permission denied
[EMAIL PROTECTED] tmp]$ /lib/ld.so.1 ./date
Thu Sep 28 17:54:19 AKDT 2000
[EMAIL PROTECTED] tmp]$

(on x86 the above ld trick would use /lib/ld-linux.so.2, the example is
on a powerpc)

as you can see noexec does not really prevent anyone from executing a
program.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
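A defender-side check for the recommendation in the reply above, added here as an example and not part of the original message: a POSIX shell audit that reads lines in /proc/mounts format and reports whether /tmp, /var/tmp and /var carry nosuid and nodev (noexec is deliberately not required, for the reason the message demonstrates). The mount lines below are constructed sample data, not a real system; run audit_mounts /proc/mounts on a live host.

```shell
# Audit mount options given lines in /proc/mounts format:
#   device mountpoint fstype options dump pass
# Required: nosuid and nodev, as recommended above. noexec is not required,
# since the message shows it is bypassed via /bin/sh or the dynamic loader.
AUDIT_POINTS="/tmp /var/tmp /var"
REQUIRED_OPTS="nosuid nodev"

# has_opt OPTIONS OPT: succeed when OPT is a whole item of the
# comma-separated OPTIONS string ("nodev" must not match "nodevice" etc.)
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# missing_opts MOUNTS_FILE MOUNTPOINT: print each required option the
# mountpoint lacks, one per line; print "not-mounted" if it is absent.
missing_opts() {
    _opts=$(awk -v mp="$2" '$2 == mp { print $4 }' "$1" | tail -n 1)
    if [ -z "$_opts" ]; then echo "not-mounted"; return 0; fi
    for _o in $REQUIRED_OPTS; do
        has_opt "$_opts" "$_o" || echo "$_o"
    done
}

# audit_mounts MOUNTS_FILE: one report line per audited mountpoint;
# returns 1 if any of them lacks a required option.
audit_mounts() {
    _rc=0
    for _mp in $AUDIT_POINTS; do
        _miss=$(missing_opts "$1" "$_mp")
        if [ -n "$_miss" ]; then
            echo "$_mp: missing $(echo $_miss)"; _rc=1
        else
            echo "$_mp: ok"
        fi
    done
    return $_rc
}

# Constructed sample, not a real system: /var/tmp mirrors the mount line
# in the message, /tmp lacks nodev, /var has neither option.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/hda9 /var/tmp ext2 rw,noexec,nosuid,nodev,usrquota,grpquota 0 0
/dev/hda7 /tmp ext2 rw,nosuid 0 0
/dev/hda8 /var ext2 rw 0 0
EOF

audit_mounts "$SAMPLE_MOUNTS" || echo "audit: weak mount options found"
```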