LinuxQuestions.org
Old 03-04-2007, 06:44 PM   #1
stefaandk
noexec on /tmp but still


Upon installation of this server I setup this line in fstab:

LABEL=/tmp /tmp ext3 noexec 1 2


Now there was some crap injected into a subdir of /tmp to attack an IRC server.

Was put there by the apache user so it's clearly a vulnerable site that I'm yet to identify.

What gets me is how they execute this stuff while the directory is flagged noexec?

I even tested putting a simple script in there myself and I certainly get access denied when trying to execute it.

Am I missing something?

Ta
 
Old 03-04-2007, 06:59 PM   #2
Electro
/tmp gets a sticky bit, so noexec will not work alone and you may need an extra option like nosuid. Probably you may want to find out if you can use chroot or even better schroot.

Read http://www.linuxtechs.net/securing_tmp_partition.

A lot of scripts can be executed without the script being set as executable. In this case you may want to lock down interpreters so outsiders can not run scripts.
 
Old 03-04-2007, 11:09 PM   #3
stefaandk
Rite, I assume by this that you mean stop a compiler being used by other users? I thought about that many a times but I'm not sure how to achieve this result without "breaking" things?

Are there any howto's on this?

Thx
 
Old 03-05-2007, 12:59 AM   #4
live_dont_exist
@Electro: How would that work? I mean nosuid and noexec are two different things... right?

nosuid would probably prevent files like passwd and other files with permissions of 4755 from not being executed at all in /tmp.

noexec would or rather "should" prevent any executables from being executed at all. So for example if while I'm in /tmp I try and do something like ./dos_linux.sh it shouldn't run or should give me a permission denied like stefaandk said.

@Stefaandk: What are the permissions on this attack script which you discovered?

Cheers
Arvind
 
Old 03-05-2007, 01:14 AM   #5
win32sux
Quote:
Originally Posted by live_dont_exist
noexec would or rather "should" prevent any executables from being executed at all. So for example if while I'm in /tmp I try and do something like ./dos_linux.sh it shouldn't run or should give me a permission denied like stefaandk said.
right, but although noexec would prevent you from doing a:
Code:
./dos_linux.sh
it would NOT prevent you from doing a:
Code:
sh dos_linux.sh

Last edited by win32sux; 03-05-2007 at 02:37 AM.
 
Old 03-05-2007, 01:24 AM   #6
live_dont_exist
Quote:
Code:
sh dos_linux.sh
Ahh okay but isn't that pretty much the same as executing the script? Instead of directly executing the script I'm using a shell to execute it. Is that any different? Obviously it is... but what's the difference?

Thnx
Arvind
 
Old 03-05-2007, 01:33 AM   #7
win32sux
Quote:
Originally Posted by live_dont_exist
Ahh okay but isn't that pretty much the same as executing the script? Instead of directly executing the script I'm using a shell to execute it. Is that any different? Obviously it is... but what's the difference?
yeah, the difference is that what is getting *executed* is the shell, which isn't on the noexec partition... the shell script is simply the instructions which are given to the shell - there's no need for the script to be executable (you don't even need it to have a shebang)...
Code:
win32sux@candystore:/tmp$ echo "echo Hello" > test.txt
win32sux@candystore:/tmp$ ls -l test.txt
-rw-r--r-- 1 win32sux win32sux 11 2007-03-05 02:32 test.txt
win32sux@candystore:/tmp$ sh test.txt
Hello
win32sux@candystore:/tmp$
AFAIK the noexec option is essentially for binaries, not scripts...

Last edited by win32sux; 03-05-2007 at 01:37 AM.
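
An added example, not part of any post in this thread: since noexec only blocks direct execution of files on the mount, this sketch flags interpreter processes whose script argument resolves to a path on a noexec mount. The "PID CWD ARGV..." input layout, the PIDs, the root fstab entry and /tmp/sub/job.pl are constructed assumptions; on a live system the same fields could be gathered from /proc/<pid>/cwd and /proc/<pid>/cmdline.

```sh
#!/bin/sh
# Added example (not from the thread). Flags interpreter processes whose script
# argument resolves to a path on a noexec mount: the "sh test.txt" case.

# $1: mount table (fstab or /proc/mounts layout), $2: lines of "PID CWD ARGV..."
flag_interp_on_noexec() {
    awk '
    NR == FNR {                                   # first file: mount table
        if ($1 ~ /^#/ || NF < 4) next
        mounts[$2] = 1
        if (("," $4 ",") ~ /,noexec,/) noexec[$2] = 1
        next
    }
    {                                             # second file: processes
        n = split($3, part, "/"); interp = part[n]
        if (interp !~ /^(sh|bash|dash|perl|python[0-9.]*|php)$/) next
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^-/) continue               # skip interpreter options
            path = $i
            sub(/^\.\//, "", path)
            if (path !~ /^\//) path = $2 "/" path # resolve against the cwd
            best = ""
            for (m in mounts) {                   # longest matching mount point
                prefix = (m == "/") ? "/" : (m "/")
                if (index(path, prefix) == 1 && length(m) > length(best)) best = m
            }
            if (best in noexec) print $1, interp, path
            break                                 # first non-option arg only
        }
    }' "$1" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Mount table: the fstab line from the first post plus a constructed root entry.
    printf '%s\n' 'LABEL=/ / ext3 defaults 1 1' \
                  'LABEL=/tmp /tmp ext3 noexec 1 2' > "$dir/mounts"
    # Constructed process list; PIDs and the /tmp/sub path are made up.
    printf '%s\n' '4121 /tmp sh test.txt' \
                  '4188 /var/www /usr/bin/perl /tmp/sub/job.pl' \
                  '4200 /usr/local/mysql /bin/sh ./bin/safe_mysqld --user=mysql5' \
                  '4302 /tmp /bin/ls -l test.txt' > "$dir/procs"
    flag_interp_on_noexec "$dir/mounts" "$dir/procs"
    rm -rf "$dir"
}

demo
```

The safe_mysqld line from the thread is not flagged because its script lives on the root filesystem, which has no noexec option; the check is a heuristic and does not normalise ".." or handle arguments containing spaces.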
 
Old 03-05-2007, 02:02 AM   #8
live_dont_exist
Great ...that clears things up quite a bit. Just a couple of things though:

1. If I ran this copy of /bin/sh from /tmp (no reason to do this... just asking) the noexec would stop it from executing. Right?
Code:
/tmp/sh test.txt
2. By binaries being restricted this would then mean something like:

If I have a binary in /tmp which is noexec'd and say /bin/sh and I call both from within a script in /tmp; the /bin/sh would execute but the other binary on /tmp itself would not execute.

Correct??

Thnx
Arvind
 
Old 03-05-2007, 02:21 AM   #9
win32sux
Quote:
Originally Posted by live_dont_exist
1. If I ran this copy of /bin/sh from /tmp (no reason to do this... just asking) the noexec would stop it from executing. Right?
Code:
/tmp/sh test.txt
yes, you would get a "Permission denied"...

Quote:
2. By binaries being restricted this would then mean something like:

If I have a binary in /tmp which is noexec'd and say /bin/sh and I call both from within a script in /tmp; the /bin/sh would execute but the other binary on /tmp itself would not execute.

Correct??
yes, you would get a "Permission denied" for the binary in /tmp...

Last edited by win32sux; 03-05-2007 at 02:22 AM.
 
Old 03-05-2007, 02:28 AM   #10
live_dont_exist
Cool...Thnx a lot. That cleared up a few concepts.

Cheers
Arvind
 
Old 03-05-2007, 06:02 AM   #11
oskiborga
So, any way to prevent the execution of /bin/sh bad_script.sh in /tmp without breaking anything?

On my system, mysql is the only one that uses /bin/sh to start...
/bin/sh ./bin/safe_mysqld --user=mysql5

Any ideas on how to secure this shell and others in the system? Some howtos?

Last edited by oskiborga; 03-05-2007 at 06:05 AM.
 