Re: Mounting filesystems with "noexec"

Borja Marcos wrote:
> 
>     Hello,
> 
> I've been playing a bit with the "noexec" flag for filesystems. It  can
> represent a substantial obstacle against the exploitation of  security
> holes.
> 

I think TPE (trusted path execution) would be the prefered solution to
this problem. As others have pointed out, circumventing the 'noexec'
attribute is pretty easy. That said, i don't think it is a bad idea to
use this, but one should be aware of how this defense might be defeated.

Instead of running "./script.sh" or "./script.pl" you just have to type
/bin/sh script.sh or /usr/bin/perl script.pl which gives pretty much
everything you need when it comes to using exploits. In linux you could
also circumvent it by using /lib/ld.so exploit, but i'm not sure if that
is "fixed" now or not.

TPE requires all the binaries and subpaths to be owned by root. ie
/home/
/home/user and /home/user/file need to be owned by root to allow
execution. GRSec for linux provides this functionality aswell as
Stephanie does for OpenBSD.

Both solves the problems with interperters aswell, but i havent looked
into how, just used system that uses TPE. If  there are problems with
TPE that people know about, please tell. Obvious things are mounted
filesystems from other machines, like nfs.

/andreas
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"