Mounting filesystems with "noexec"
Andreas Jonsson
andreas at romab.com
Thu Sep 22 15:12:48 PDT 2005
Borja Marcos wrote:
>
> Hello,
>
> I've been playing a bit with the "noexec" flag for filesystems. It can
> represent a substantial obstacle against the exploitation of security
> holes.
>
I think TPE (trusted path execution) would be the prefered solution to
this problem. As others have pointed out, circumventing the 'noexec'
attribute is pretty easy. That said, i don't think it is a bad idea to
use this, but one should be aware of how this defense might be defeated.
Instead of running "./script.sh" or "./script.pl" you just have to type
/bin/sh script.sh or /usr/bin/perl script.pl which gives pretty much
everything you need when it comes to using exploits. In linux you could
also circumvent it by using /lib/ld.so exploit, but i'm not sure if that
is "fixed" now or not.
TPE requires all the binaries and subpaths to be owned by root. ie
/home/
/home/user and /home/user/file need to be owned by root to allow
execution. GRSec for linux provides this functionality aswell as
Stephanie does for OpenBSD.
Both solves the problems with interperters aswell, but i havent looked
into how, just used system that uses TPE. If there are problems with
TPE that people know about, please tell. Obvious things are mounted
filesystems from other machines, like nfs.
/andreas
More information about the freebsd-security
mailing list