Date: Fri, 23 Sep 2005 17:22:13 +0000 From: Aristeu Gil Alves Jr <suporte@wahtec.com.br> To: freebsd-security@freebsd.org Subject: Re: Mounting filesystems with "noexec" Message-ID: <200509231722.14978.suporte@wahtec.com.br>
next in thread | raw e-mail | index | archive | help
>> Borja Marcos wrote: >> >> Hello, >> >> I've been playing a bit with the "noexec" flag for filesystems. It can >> represent a substantial obstacle against the exploitation of security >> holes. >> > > I think TPE (trusted path execution) would be the prefered solution to > this problem. As others have pointed out, circumventing the 'noexec' > attribute is pretty easy. That said, i don't think it is a bad idea to > use this, but one should be aware of how this defense might be defeated. > > Instead of running "./script.sh" or "./script.pl" you just have to type > /bin/sh script.sh or /usr/bin/perl script.pl which gives pretty much > everything you need when it comes to using exploits. In linux you could > also circumvent it by using /lib/ld.so exploit, but i'm not sure if that > is "fixed" now or not. > > TPE requires all the binaries and subpaths to be owned by root. ie > /home/ > /home/user and /home/user/file need to be owned by root to allow > execution. GRSec for linux provides this functionality aswell as > Stephanie does for OpenBSD. > > Both solves the problems with interperters aswell, but i havent looked > into how, just used system that uses TPE. If there are problems with > TPE that people know about, please tell. Obvious things are mounted > filesystems from other machines, like nfs. > > /andreas IMHO, It can be used as a security layer, if the noexec partition is used by a chroot'ed aplication. chroot'ing on the noexec partition would increase the eficiency of noexec. I think at least the intruder won't feel in a confortable enviroment when exploiting the chrooted aplication... --Aristeu
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200509231722.14978.suporte>