Web Hosting Talk







View Full Version : noexec is no good


webx
03-15-2004, 04:29 PM
At least on linux. Make your tmp or whatever as noexec and it can still be executed.

/bin/sh /tmp/myhack

another example:

/usr/bin/perl /tmp/mybackdoor.pl

So if you thought you just secured your /tmp folder by making it noexec, you did nothing ;)

hiryuu
03-15-2004, 05:04 PM
No, it won't prevent scripting languages, but no one thing is a magic bullet. Just like removing the compilers, it won't stop everything, but it does kill a large swath of script kiddie exploits. If nothing else, you probably bought yourself some time, which can be a very valuable commodity.

Mdot
03-15-2004, 05:08 PM
Even a binary can be executed from /tmp with noexec; noexec only protects against a low-knowledge attacker.

regards,
M.

choon
03-15-2004, 07:08 PM
Quoted from http://www.seifried.org/lasg/installation/:
noexec, if you mount /tmp noexec for example you can copy a binary in, but it will not run, however if you execute it using ld-linux.so it will work fine:

[seifried@stench /tmp]$ ./date
bash: ./date: Permission denied
[seifried@stench /tmp]$ /lib/ld-linux.so.2 ./date
Thu Aug 24 21:59:08 MDT 2000
[seifried@stench /tmp]$
In short, we are trying to add as many "layers" of protection to our system as we can, and no single "layer" of protection can protect your system 100% ;)

Steven
03-15-2004, 09:59 PM
"You cannot gain 100% security, you can however gain increased security. Only way to gain 100% security is to remove the internet, and lock it up in a safe where no one can get to it. But even then it's not secure because someone could crack the safe."

To quote me from another post

webx
03-16-2004, 12:34 PM
[seifried@stench /tmp]$ /lib/ld-linux.so.2 ./date
Thu Aug 24 21:59:08 MDT 2000


^ this is said to be fixed in 2.6 kernel.

You cannot gain 100% security

that's not the issue. the issue is false sense of security ;)

admin0
03-16-2004, 01:39 PM
No server is 100% secure..
and all we can do is try our best to secure it and use all available means

We all die one day, but it does not mean we should stop eating, or breathing ..

I was thinking ..

can't we chmod 700 /lib/ld-linux.so.2? :D


:homer:

webx
03-16-2004, 02:04 PM
chmod 700 /lib/ld-linux.so.2


Haven't seen if that would break anything or not (maybe you can check and let us know ;) ), but at the same time I have yet to see any script kiddie use it. The most common is

/usr/bin/perl /tmp/mybackdoor.pl

and

/bin/bash /tmp/muhahaha :D

webx
03-16-2004, 03:02 PM
No server is 100% secure..

Thanks for the news :D but for me this looks more like a security hole in linux...

I have read elsewhere that kernel 2.6 does honour the noexec bit on other partitions. If that's true then that's the way to go.

Can anyone with kernel 2.6 running machine try that and confirm? especially this type of execution:

/usr/bin/perl /tmp/mybackdoor.pl
(of course tmp partition need to be noexec)

I don't have a spare machine right now for 2.6, poor me :(

comafish
04-08-2005, 11:26 AM
Originally posted by webx
<snip> ..Can anyone with kernel 2.6 running machine try that and confirm? especially this type of execution:

/usr/bin/perl /tmp/mybackdoor.pl
(of course tmp partition need to be noexec)

I don't have a spare machine right now for 2.6, poor me :(

sorry for bringing up this old thread, but this is a very interesting question which has never been answered.

can anybody give an answer by now? :)

thank you all.
coma.

Chrysalis
04-08-2005, 11:45 AM
Like all other layers, noexec is not a 100% lockdown. Most people will know this, so I don't see the point of this post. noexec protects against at least 1 type of exploit, which makes it useful.

almahdi
04-08-2005, 12:15 PM
Originally posted by webx
Thanks for the news :D but for me this looks more like a security hole in linux...

I have read elsewhere that kernel 2.6 does honour the noexec bit on other partitions. If that's true then that's the way to go.

Can anyone with kernel 2.6 running machine try that and confirm? especially this type of execution:

/usr/bin/perl /tmp/mybackdoor.pl
(of course tmp partition need to be noexec)

I don't have a spare machine right now for 2.6, poor me :(

I have tried this on server, running CentOS 3 with kernel 2.6.9:

#pwd
/tmp
#./test.pl
-bash: ./test.pl: Permission denied
#perl /tmp/test.pl
Hello World
#


As you can see, it's the same with kernel 2.6.

Steven
04-08-2005, 12:27 PM
You're not going to block interpreter-based execution with noexec.
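
Added example, not part of any post in this thread: because noexec does not stop an interpreter or the dynamic loader from reading a file on /tmp, a defender can look for exactly those invocations in exec logs instead. The (cwd, argv) event format, the interpreter list and all function names are assumptions made for this example.

```python
import posixpath
import re
# Interpreters/loaders from the thread plus php and python (assumed list).
LOADER_RE = re.compile(r"^(sh|bash|perl|php|python[\d.]*|ld-linux.*\.so\.\d+|ld-[\d.]+\.so)$")
INLINE_CODE_FLAGS = {"-c", "-e", "-r"}  # code given on the command line, no file
# Constructed sample data: a /proc/mounts excerpt and (cwd, argv) exec events.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
"""
SAMPLE_EVENTS = [
    ("/root", ["/usr/bin/perl", "/tmp/test.pl"]),
    ("/tmp", ["/lib/ld-linux.so.2", "./date"]),
    ("/tmp", ["/bin/sh", "-c", "ls"]),
    ("/home/u", ["/usr/bin/perl", "-w", "report.pl"]),
]

def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts escapes spaces in paths as \040
            mounts[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that is a path prefix of `path`."""
    hits = [m for m in mounts if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def find_noexec_bypasses(mounts_text, events):
    """Flag execs where an interpreter or loader is handed a file on a noexec mount."""
    mounts = parse_mounts(mounts_text)
    found = []
    for cwd, argv in events:
        if not LOADER_RE.match(posixpath.basename(argv[0])):
            continue
        for arg in argv[1:]:
            if arg in INLINE_CODE_FLAGS:
                break              # inline code, nothing read from disk
            if arg.startswith("-"):
                continue           # ordinary option, keep looking
            path = posixpath.normpath(posixpath.join(cwd, arg))
            if "noexec" in mounts.get(mount_for(path, mounts), set()):
                found.append((argv[0], path))
            break                  # first non-option argument is the file
    return found
```

On a live host the mounts text would come from /proc/mounts and the events from whatever exec logging is already in place, such as audit records.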

sehe
04-08-2005, 03:00 PM
since the topic is reopened
Originally posted by admin0

can't we chmod 700 /lib/ld-linux.so.2? :D

i would not recommend it
/lib/ld-linux.so.2 is a symlink to e.g. /lib/ld-2.2.5.so
default permissions to that file on my box are 755,
if you try 700, only root will be able to run commands (and login)
other users will get "Permission denied"
so seems the file needs to be at least executable (e.g. 711)

comafish
04-09-2005, 01:55 PM
Originally posted by almahdi
I have tried this on server, running CentOS 3 with kernel 2.6.9:

#pwd
/tmp
#./test.pl
-bash: ./test.pl: Permission denied
#perl /tmp/test.pl
Hello World
#


As you can see, it's the same with kernel 2.6.

thank you for testing this out!

I think that the /tmp partition causes about 80% of all the problems with script kiddies which run their crap there..

A solution which prevents the execution of perl and php in the /tmp partition could save a lot of trouble..
so there should be a solution for this, shouldn't it?

I've heard that you can do this with grsecurity and acl's.

I would appreciate if someone can give me some pointers or a how-to on how to do this..
thanks in advance.
coma.

Steven
04-09-2005, 02:04 PM
A grsecurity acl howto.. can't really be tutorialized.. it has to be built on a per server basis.

SmartActive
04-09-2005, 06:06 PM
Hello,

Even if you chmod binaries, most binaries can be called because they are a shell builtin :).


Mount it manually, loop, nodev, nosuid, good security steps, OS hardening, paths & assign users to group with specific permissions.

Another option is to change the path of the mysql.sock in /etc/my.cnf, and set the correct permission of /tmp, which should be set to 1777.



Regards,