noexec on /tmp but still

stefaandk · 03-04-2007, 06:44 PM

Upon installation of this server I setup this line in fstab:

LABEL=/tmp /tmp ext3 noexec 1 2

Now there was some crap injected into a subdir of /tmp to attack an IRC server.

Was put there by the apache user so it's clearly a vulnerable site that I'm yet to identify.

What gets me is how they execute this stuff while the directory is flagged noexec?

I even tested putting a simple script in there myself and I certainly get access denied when trying to execute it.

Am I missing somethign?

Ta

Electro · 03-04-2007, 06:59 PM

/tmp gets a sticky bit, so noexec will not work alone and you may need an extra option like nosuid. Probably you may to find out if you can use chroot or even better schroot.

Read http://www.linuxtechs.net/securing_tmp_partition.

A lot of scripts can be executed with out the script being set as executable. In this case you may want to lock down interpreters so outsiders can not run scripts.

stefaandk · 03-04-2007, 11:09 PM

Rite, I assume by this that you mean stop a compiler being used by other users? I thought about that many a times but I'm not sure how to achieve this result without "breaking" things?

Are there any howto's on this?

Thx

live_dont_exist · 03-05-2007, 12:59 AM

@Electro: How would that work? I mean nousuid and noexec are two different things..right?

nosuid would probably prevent files like passwd and other files with permissions of 4755 from not being executed at all in /tmp.

noexec would or rather "should" prevent any executables from being executed at all. So for example if while I'm in /tmp I try and do something like ./dos_linux.sh it shouldn't run or should give me a permission denied like stefaandk said.

@Stefaandk: Whats the permissions on this attack script which you discovered?

Cheers
Arvind

win32sux · 03-05-2007, 01:14 AM

Quote:

Originally Posted by live_dont_exist

noexec would or rather "should" prevent any executables from being executed at all. So for example if while I'm in /tmp I try and do something like ./dos_linux.sh it shouldn't run or should give me a permission denied like stefaandk said.

right, but although noexec would prevent you from doing a:

Code:

./dos_linux.sh

it would NOT prevent you from doing a:

Code:

sh dos_linux.sh

live_dont_exist · 03-05-2007, 01:24 AM

Quote:

Code:

sh dos_linux.sh

Ahh okay but isnt that pretty much the same as executing the script? Instead of directly executing the script I'm using a shell to execute it. Is that any different? Obviously it is..but what's the difference?

Thnx
Arvind

win32sux · 03-05-2007, 01:33 AM

Quote:

Originally Posted by live_dont_exist

Ahh okay but isnt that pretty much the same as executing the script? Instead of directly executing the script I'm using a shell to execute it. Is that any different? Obviously it is..but what's the difference?

yeah, the difference is that what is getting *executed* is the shell, which isn't on the noexec partition... the shell script is simply the instructions which are given to the shell - there's no need for the script to be executable (you don't even need it to have a shebang)...

Code:

win32sux@candystore:/tmp$ echo "echo Hello" > test.txt
win32sux@candystore:/tmp$ ls -l test.txt
-rw-r--r-- 1 win32sux win32sux 11 2007-03-05 02:32 test.txt
win32sux@candystore:/tmp$ sh test.txt
Hello
win32sux@candystore:/tmp$

AFAIK the noexec option is essentially for binaries, not scripts...

live_dont_exist · 03-05-2007, 02:02 AM

Great ...that clears things up quite a bit. Just a couple of things though:

1.If I ran this copy of /bin/sh from /tmp(No reason to do this..just asking) the noexec would stop it from executing.Right?

Code:

/tmp/sh test.txt

2.By binaries being restricted this would then mean soemthing like:

If I have a binary in /tmp which is noexec'd and say /bin/sh and I call both from within a script in /tmp; the /bin/sh would execute but the other binary on /tmp itself would not execute.

Correct??

Thnx
Arvind

win32sux · 03-05-2007, 02:21 AM

Quote:

Originally Posted by live_dont_exist

1.If I ran this copy of /bin/sh from /tmp(No reason to do this..just asking) the noexec would stop it from executing.Right?

Code:

/tmp/sh test.txt

yes, you would get a "Permission denied"...

Quote:

2.By binaries being restricted this would then mean soemthing like:

If I have a binary in /tmp which is noexec'd and say /bin/sh and I call both from within a script in /tmp; the /bin/sh would execute but the other binary on /tmp itself would not execute.

Correct??

yes, you would get a "Permission denied" for the binary in /tmp...

live_dont_exist · 03-05-2007, 02:28 AM

Cool...Thnx a lot. That cleared up a few concepts.

Cheers
Arvind

oskiborga · 03-05-2007, 06:02 AM

So, anyway to prevent the execution of /bin/sh bad_script.sh in /tmp without breaking anything ?

On my system, mysql is the only one that uses /bin/sh to start...
/bin/sh ./bin/safe_mysqld --user=mysql5

Any ideas on how to secure this shell and others in the system? Some howtos?