From owner-freebsd-security@FreeBSD.ORG Thu Sep 22 11:24:51 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 280DD16A41F for ; Thu, 22 Sep 2005 11:24:51 +0000 (GMT) (envelope-from freebsd.macgregor@blueyonder.co.uk) Received: from the-macgregors.org (82-46-96-19.cable.ubr06.stav.blueyonder.co.uk [82.46.96.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C6E543D45 for ; Thu, 22 Sep 2005 11:24:49 +0000 (GMT) (envelope-from freebsd.macgregor@blueyonder.co.uk) X-Urban-Legend: Mail headers contain urban legends Received: from fire (rob@fire.macgregor [192.168.32.100]) (user=freebsd mech=LOGIN bits=0) by the-macgregors.org (8.13.5/8.13.5) with ESMTP id j8MBOkMM017056 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for ; Thu, 22 Sep 2005 11:24:46 GMT Message-Id: <200509221124.j8MBOkMM017056@the-macgregors.org> From: "Rob MacGregor" To: Date: Thu, 22 Sep 2005 12:24:46 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527 In-Reply-To: thread-index: AcW/Zq7Kkf8J0/7STsy5zjj8NFzpMQAAQwwQ X-Virus-Scanned: by amavisd-new Subject: RE: Mounting filesystems with "noexec" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Sep 2005 11:24:51 -0000 On Thursday, September 22, 2005 12:12 PM, Borja Marcos <> unleashed the infinite monkeys and produced: > First thing, an attempt to execute a program from a noexec-mounted > filesystem should be logged. It is either a very significant security > event, or it can drive nuts an administrator trying to install > software. (I like to mount with noexec filesystems such as /var, /var/ > www, /var/spool, /var/tmp, /tmp, /home whenever the users are not > supposed to install software...). As long as you can disable/limit the logging. One very nasty "attack" would be to loop trying to run a binary. Blow your logging partition. Somebody could then use that to do other things that would normally be logged, safe in the knowledge that their activities wouldn't be logged. I've seen systems brought to their knees by similar well intentioned logging activities. It's not pretty :) -- Rob | Oh my God! They killed init! You bastards!