Mailing List Archive

mount noexec and ro
Hello,

can/does mounting a partition with noexec, ro etc. provide additional
security or are those limitations easy to circumvent?

Example: webserver running chrooted
all libs and executables (apache, lib, usr ...) on read only mounted
partition /srv/www, data dirs (logs, htdocs ...) on
partition /srv/www/data mounted with noexec (but rw of course), no cgi
needed.
Server is started with "chroot /srv/www /apache/bin/httpd -k start".

Any cognition? Is this useful, nice, nonsense?
Keeping the chroot updated and so on is not my concern here.

Thanks, Joe
--
gentoo-security@gentoo.org mailing list
Re: mount noexec and ro [ In reply to ]
* Joe Knall <joe.knall@gmx.net> [2006-11-04 11:52]:
> Hello,
>
> can/does mounting a partition with noexec, ro etc. provide additional
> security or are those limitations easy to circumvent?

It only helps against scriptkiddie-attacks.
'/lib/ld-linux.so.2 /tmp/somedynamicallylinkedbinary' still works.
See http://www.seifried.org/lasg/installation/, section
"Filesystem layout and structuring".
--
Wolfram Schlich
--
gentoo-security@gentoo.org mailing list
Re: mount noexec and ro [ In reply to ]
On 11/4/06, Wolfram Schlich <lists@wolfram.schlich.org> wrote:
>
> It only helps against scriptkiddie-attacks.
> '/lib/ld-linux.so.2 /tmp/somedynamicallylinkedbinary' still works.

Should not work on recent kernels anymore.
Last time i tried it on 2.6.17.

> See http://www.seifried.org/lasg/installation/, section
> "Filesystem layout and structuring".

Outdated?

> --
> Wolfram Schlich

- ed
--
gentoo-security@gentoo.org mailing list
Re: mount noexec and ro [ In reply to ]
On Sat, 2006-11-04 13:47 Eduardo Tongson wrote:
> On 11/4/06, Wolfram Schlich <lists@wolfram.schlich.org> wrote:
> > It only helps against scriptkiddie-attacks.
> > '/lib/ld-linux.so.2 /tmp/somedynamicallylinkedbinary' still works.
>
> Should not work on recent kernels anymore.
> Last time i tried it on 2.6.17.

seems not to work with SuSE 2.6.11.4-21.14-default, Gentoo 2.6.16.28-xen
and 2.6.17-gentoo-r8

cp -a dynamically linked /bin/date /home/joe as root
joe@checkbox:~> /lib/ld-linux.so.2 /home/joe/date
/home/joe/date: error while loading shared libraries: /home/joe/date:
failed to map segment from shared object: Operation not permitted

Joe
--
gentoo-security@gentoo.org mailing list
Re: mount noexec and ro [ In reply to ]
On Saturday 04 November 2006 12:11, Joe Knall wrote:
> Hello,
>
> can/does mounting a partition with noexec, ro etc. provide additional
> security or are those limitations easy to circumvent?
>
> Example: webserver running chrooted
> all libs and executables (apache, lib, usr ...) on read only mounted
> partition /srv/www, data dirs (logs, htdocs ...) on
> partition /srv/www/data mounted with noexec (but rw of course), no cgi
> needed.
> Server is started with "chroot /srv/www /apache/bin/httpd -k start".
>
> Any cognition? Is this useful, nice, nonsense?
> Keeping the chroot updated and so on is not my concern here.

Besides this, you must also add nodev to prevent those kinds of circumventions

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: mount noexec and ro [ In reply to ]
On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > can/does mounting a partition with noexec, ro etc. provide
> > additional security or are those limitations easy to circumvent?
> >
> > Example: webserver running chrooted
> > all libs and executables (apache, lib, usr ...) on read only
> > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > partition /srv/www/data mounted with noexec (but rw of course), no
> > cgi needed.
> > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > start".
>
> Besides this, you must also add nodev to prevent those kinds of
> circumventions
>
> Paul

correct, it's atually like this
/srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
/srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)

but I need a /dev, currently data/dev with null and urandom there,
writeable and not nodev (could as well be a separate partition).
Do you think this turns all the rest in vain?

Joe
--
gentoo-security@gentoo.org mailing list
Re: mount noexec and ro [ In reply to ]
On Saturday 04 November 2006 17:27, Joe Knall wrote:
> correct, it's atually like this
> /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
> but I need a /dev, currently data/dev with null and urandom there,
> writeable and not nodev (could as well be a separate partition).
> Do you think this turns all the rest in vain?

Nodev is mainly for those situations where you may not have full control over
the disk (like usb sticks). But the ability to have devices will mean that
those who can make devices can abuse them.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: mount noexec and ro [ In reply to ]
But normally only root can make devices, right?

El Sábado 04 Noviembre 2006 20:03, Paul de Vrieze escribió:
> On Saturday 04 November 2006 17:27, Joe Knall wrote:
> > correct, it's atually like this
> > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
> >
> > but I need a /dev, currently data/dev with null and urandom there,
> > writeable and not nodev (could as well be a separate partition).
> > Do you think this turns all the rest in vain?
>
> Nodev is mainly for those situations where you may not have full control over
> the disk (like usb sticks). But the ability to have devices will mean that
> those who can make devices can abuse them.
>
> Paul
>

--
gentoo-security@gentoo.org mailing list
Re: mount noexec and ro [ In reply to ]
Hi,


On 11/4/06, Joe Knall <joe.knall@gmx.net> wrote:
> On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > can/does mounting a partition with noexec, ro etc. provide
> > > additional security or are those limitations easy to circumvent?
> > >
> > > Example: webserver running chrooted
> > > all libs and executables (apache, lib, usr ...) on read only
> > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > partition /srv/www/data mounted with noexec (but rw of course), no
> > > cgi needed.
> > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > start".
> >
> > Besides this, you must also add nodev to prevent those kinds of
> > circumventions
> >
> > Paul
>
> correct, it's atually like this
> /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>


I cannot have any kind of a intrepreted language supported in those
environments..
or a simple perl/php/lisp "data" file can circunvent those attacks!

> but I need a /dev, currently data/dev with null and urandom there,
> writeable and not nodev (could as well be a separate partition).
> Do you think this turns all the rest in vain?
>
> Joe
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Miguel Sousa Filipe
--
gentoo-security@gentoo.org mailing list
Re: mount noexec and ro [ In reply to ]
On Thu, 2006-12-07 18:44 Miguel Sousa Filipe wrote:
> Hi,
>
> On 11/4/06, Joe Knall <joe.knall@gmx.net> wrote:
> > On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > > can/does mounting a partition with noexec, ro etc. provide
> > > > additional security or are those limitations easy to
> > > > circumvent?
> > > >
> > > > Example: webserver running chrooted
> > > > all libs and executables (apache, lib, usr ...) on read only
> > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > > partition /srv/www/data mounted with noexec (but rw of course),
> > > > no cgi needed.
> > > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > > start".
> > >
> > > Besides this, you must also add nodev to prevent those kinds of
> > > circumventions
> > >
> > > Paul
> >
> > correct, it's atually like this
> > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
> I cannot have any kind of a intrepreted language supported in those
> environments..
> or a simple perl/php/lisp "data" file can circunvent those attacks!

When I get you right, you mean the P in Lamp makes these limitations
(ro, noexec, nodev, chroot ...) nonsense.
Ok, what makes you think so?
How do you do it (get a shell, root access, hijack the box ...)?
What's a better approach to prevent it?

Joe

--
gentoo-security@gentoo.org mailing list
Re: mount noexec and ro [ In reply to ]
Joe Knall wrote:
> When I get you right, you mean the P in Lamp makes these limitations
> (ro, noexec, nodev, chroot ...) nonsense.

only the noexec is defeated from scripts, ro nodev chrooting are
obviously safe from this

..but..

noexec on linux is futile since you could use /lib/ld-linux.so to exec
bins on a noexec mount point

if you make ld-linux.so -x then you have to rebuild all binaries
statically linked : )

..so..

it's better to get some acl/rbac system like grsec+pax and (rsbac or
selinux) to get sure things happens right

yes, it could be some time expensive to write/adapt the rules to your
current system but it worth the effort

regards,
Francesco 'ascii' Ongaro
http://www.ush.it/
--
gentoo-security@gentoo.org mailing list