Mounting filesystems with "noexec"

Aristeu Gil Alves Jr suporte at wahtec.com.br
Fri Sep 23 10:22:21 PDT 2005


>> Borja Marcos wrote:
>> 
>>     Hello,
>> 
>> I've been playing a bit with the "noexec" flag for filesystems. It can
>> represent a substantial obstacle against the exploitation of security
>> holes.
>> 
>
> I think TPE (trusted path execution) would be the preferred solution to
> this problem. As others have pointed out, circumventing the 'noexec'
> attribute is pretty easy. That said, I don't think it is a bad idea to
> use this, but one should be aware of how this defense might be defeated.
> 
> Instead of running "./script.sh" or "./script.pl" you just have to type
> /bin/sh script.sh or /usr/bin/perl script.pl which gives pretty much
> everything you need when it comes to using exploits. In Linux you could
> also circumvent it by using /lib/ld.so exploit, but I'm not sure if that
> is "fixed" now or not.
>
> TPE requires all the binaries and subpaths to be owned by root, i.e.
> /home/, /home/user and /home/user/file need to be owned by root to allow
> execution. GRSec for Linux provides this functionality, as does
> Stephanie for OpenBSD.
> 
> Both solve the problems with interpreters as well, but I haven't looked
> into how, just used a system that uses TPE. If there are problems with
> TPE that people know about, please tell. Obvious things are mounted
> filesystems from other machines, like NFS.
>
> /andreas

IMHO, it can be used as a security layer, if the noexec partition is used by
a chroot'ed application. chroot'ing on the noexec partition would increase the
efficiency of noexec.

I think at least the intruder won't feel in a comfortable environment when
exploiting the chrooted application...

--Aristeu
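
An added illustration (not part of either message, and not GRSec's or Stephanie's code) of the TPE rule quoted above: every component from / down to the file must be owned by root. The function names, the injectable `stat_fn` parameter, the constructed sample tree and the extra group/world-writable check are assumptions of this example.

```python
import os
import stat
from collections import namedtuple

# Constructed stand-in for os.stat_result, so the sample tree needs no real files.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

# Constructed sample tree: path -> (owner uid, mode).
SAMPLE_TREE = {
    "/": FakeStat(0, 0o40755),
    "/usr": FakeStat(0, 0o40755),
    "/usr/bin": FakeStat(0, 0o40755),
    "/usr/bin/perl": FakeStat(0, 0o100755),
    "/home": FakeStat(0, 0o40755),
    "/home/user": FakeStat(1001, 0o40755),
    "/home/user/file": FakeStat(1001, 0o100755),
    "/tmp": FakeStat(0, 0o41777),
    "/tmp/x": FakeStat(0, 0o100755),
}

def path_components(path):
    """Yield '/', '/home', '/home/user', ... for an absolute path."""
    if not os.path.isabs(path):
        raise ValueError("TPE check needs an absolute path")
    current = "/"
    yield current
    for part in os.path.normpath(path).strip("/").split("/"):
        if part:
            current = os.path.join(current, part)
            yield current

def tpe_violations(path, trusted_uid=0, stat_fn=os.stat):
    """Return [(component, reason)] for each component that breaks the rule.

    On a live system pass os.path.realpath(path), so that the parents of
    symlink targets are checked as well.
    """
    problems = []
    for comp in path_components(path):
        st = stat_fn(comp)
        if st.st_uid != trusted_uid:
            problems.append((comp, "owned by uid %d" % st.st_uid))
        # Assumption beyond the thread: also reject components that a
        # non-root user could write to (sticky /tmp included).
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "group/world writable"))
    return problems

if __name__ == "__main__":
    for p in ("/usr/bin/perl", "/home/user/file", "/tmp/x"):
        print(p, tpe_violations(p, stat_fn=SAMPLE_TREE.__getitem__))
```
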

