From: Aristeu Gil Alves Jr
To: freebsd-security@freebsd.org
Date: Fri, 23 Sep 2005 17:22:13 +0000
Message-Id: <200509231722.14978.suporte@wahtec.com.br>
Subject: Re: Mounting filesystems with "noexec"

>> Borja Marcos wrote:
>>
>> Hello,
>>
>> I've been playing a bit with the "noexec" flag for filesystems. It can
>> represent a substantial obstacle against the exploitation of security
>> holes.
>>
>
> I think TPE (trusted path execution) would be the preferred solution to
> this problem. As others have pointed out, circumventing the 'noexec'
> attribute is pretty easy. That said, I don't think it is a bad idea to
> use this, but one should be aware of how this defense might be defeated.
>
> Instead of running "./script.sh" or "./script.pl" you just have to type
> /bin/sh script.sh or /usr/bin/perl script.pl which gives pretty much
> everything you need when it comes to using exploits. In Linux you could
> also circumvent it by using /lib/ld.so exploit, but I'm not sure if that
> is "fixed" now or not.
>
> TPE requires all the binaries and subpaths to be owned by root. ie
> /home/
> /home/user and /home/user/file need to be owned by root to allow
> execution. GRSec for Linux provides this functionality as well as
> Stephanie does for OpenBSD.
>
> Both solve the problems with interpreters as well, but I haven't looked
> into how, just used system that uses TPE. If there are problems with
> TPE that people know about, please tell. Obvious things are mounted
> filesystems from other machines, like nfs.
>
> /andreas

IMHO, it can be used as a security layer, if the noexec partition is used by
a chroot'ed application. Chroot'ing on the noexec partition would increase
the efficiency of noexec. I think at least the intruder won't feel in a
comfortable environment when exploiting the chrooted application...

--Aristeu
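
Added example, not part of the original message or thread and not code from GRSec or Stephanie: a user-space audit of the trusted-path rule described in the quoted text, where every directory on the way to a file, and the file itself, must be owned by root. The function names, the constructed sample metadata, and the extra group/world-writable check are assumptions made for this illustration.

```python
import os
import stat
from collections import namedtuple

# Constructed sample metadata (not from a real system): path -> owner uid, mode.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
SAMPLE_FS = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/bin": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/bin/perl": FakeStat(0, stat.S_IFREG | 0o755),
    "/home": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home/user": FakeStat(1001, stat.S_IFDIR | 0o755),
    "/home/user/file": FakeStat(1001, stat.S_IFREG | 0o755),
    "/tmp": FakeStat(0, stat.S_IFDIR | 0o1777),
    "/tmp/tool": FakeStat(0, stat.S_IFREG | 0o755),
}

def path_components(path):
    """Yield "/", "/home", "/home/user", ... for an absolute path."""
    path = os.path.normpath(path)
    if not os.path.isabs(path):
        raise ValueError("absolute path required")
    current = "/"
    yield current
    for part in path.strip("/").split("/"):
        if part:
            current = os.path.join(current, part)
            yield current

def tpe_violations(path, trusted_uid=0, stat_fn=os.stat):
    """Return (component, reason) pairs that break the trusted-path rule."""
    problems = []
    for component in path_components(path):
        st = stat_fn(component)
        if st.st_uid != trusted_uid:
            problems.append((component, "owner uid %d is not trusted" % st.st_uid))
        # Assumption beyond the message: also reject group/world-writable entries.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((component, "writable by group or others"))
    return problems

def is_trusted(path, trusted_uid=0, stat_fn=os.stat):
    """True when the file and every parent directory pass the rule."""
    return not tpe_violations(path, trusted_uid, stat_fn)

if __name__ == "__main__":
    for candidate in ("/usr/bin/perl", "/home/user/file", "/tmp/tool"):
        print(candidate, tpe_violations(candidate, stat_fn=SAMPLE_FS.__getitem__))
```

Called with the default `stat_fn=os.stat` it audits real paths; this only reports what a TPE policy would reject and enforces nothing, which is the job of the kernel-level implementations named in the thread.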