From owner-freebsd-security@FreeBSD.ORG Fri Sep 23 07:04:30 2005
From: Borja Marcos
Date: Fri, 23 Sep 2005 09:05:13 +0200
To: Andreas Jonsson
Cc: freebsd-security@freebsd.org
Subject: Re: Mounting filesystems with "noexec"
In-Reply-To: <43332CD7.4070107@romab.com>
Message-Id: <726F1E71-D4D9-4C34-848D-868C1158834E@sarenet.es>

> Instead of running "./script.sh" or "./script.pl" you just have to type
> /bin/sh script.sh or /usr/bin/perl script.pl which gives pretty much
> everything you need when it comes to using exploits. In Linux you could
> also circumvent it by using /lib/ld.so exploit, but I'm not sure if that
> is "fixed" now or not.
I'm well aware of this, obviously :-) But, with TPE or without TPE, any command with a script language, be it a shell, Perl, Tcl, or whatever (even Java) should perform that check, which is not a good design practice.

That said, my point is this: the amount of damage you can do from a "native" program is greater than the damage you can achieve from a script language, AFAIK. At least a privilege escalation should be harder to obtain. I'm not sure about some languages such as Perl, though.

Of course, this is only one among a bigger set of security measures.

Borja.
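The check Borja says every interpreter should perform (refuse to run a script that the kernel would refuse to execve) can be written as a small gate in front of the interpreter's own loader. The following is an added example, not code from the thread or from any FreeBSD or interpreter project. It assumes a Linux host, where statvfs(2) reports the mount's noexec state in f_flag as ST_NOEXEC; FreeBSD's statvfs f_flag does not carry that bit, so there a portable version would have to consult getmntinfo(3) or mount(8) output instead. The function and file names are hypothetical.

```python
import os
import stat
import tempfile

# Linux exposes the mount's noexec bit in statvfs().f_flag as ST_NOEXEC.
# Assumption: Linux semantics; value 8 is used as a fallback where Python
# does not define the constant. FreeBSD does not report noexec this way.
ST_NOEXEC = getattr(os, "ST_NOEXEC", 8)


def mount_forbids_exec(f_flag: int) -> bool:
    """Pure decision on a statvfs f_flag value: True when noexec is set."""
    return bool(f_flag & ST_NOEXEC)


def is_on_noexec_mount(path: str) -> bool:
    """Ask the kernel which mount holds `path` and whether it is noexec."""
    return mount_forbids_exec(os.statvfs(path).f_flag)


def script_allowed(path: str) -> tuple[bool, str]:
    """Apply to a script the same policy execve(2) applies to a native
    binary: regular file, execute bit set, and not on a noexec mount.
    Returns (allowed, reason)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return (False, "not a regular file")
    if not (st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)):
        return (False, "no execute bit")
    if is_on_noexec_mount(path):
        return (False, "filesystem mounted noexec")
    return (True, "ok")


def check_constructed_samples() -> dict:
    """Build two constructed inputs in a temporary directory (a mode-0644
    script and a directory) and return the verdict for each; both verdicts
    are fixed regardless of whether the temp filesystem is noexec."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "script.sh")          # hypothetical name
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho constructed sample\n")
        os.chmod(script, 0o644)                         # deliberately no +x
        results["non_executable_script"] = script_allowed(script)
        results["directory"] = script_allowed(d)
    return results


if __name__ == "__main__":
    for name, verdict in check_constructed_samples().items():
        print(f"{name}: {verdict}")
```

The order of the tests matters for a deterministic answer: the execute-bit check runs before the mount check, so a script without +x is rejected with the same reason on every system, and the noexec verdict only decides for scripts that would otherwise be runnable. An interpreter wired this way still runs scripts piped on stdin or passed with `-c`, so the gate narrows the bypass the quoted post describes (`/bin/sh script.sh`) rather than closing it; it is, as Borja says, one measure among several.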