Results 1 to 7 of 7
  1. #1
    Join Date
    Mar 2004
    Posts
    183

    Turning off execute in /tmp

    Hi,

    I've been reading about the above security fix, basically re-mounting /tmp with noexecute so that downloaded scripts can't be ran.

    However, one thing I dont understand. If someone has access to the box, in order to be able to execute something anyway, then they'll have access to other directories too - i.e. they will have found a way in as a valid user on the system. So they could just execute programs from their home dir right?

    Or have I missed something here?

    Rgds,
    Dan

  2. #2
    Join Date
    Dec 2003
    Location
    Sunny So. Calif.
    Posts
    204
    If you server is already compromised, you would have to clean it up first and secure it (including but not only noexec /tmp).

    Programs/scripts executed on a secured server from a user's home directory normally do not pose a threat, as long as the users only have permissions to their own home directories.

    If a user has root access or access to certain other directories, then of course, there may be security concerns.

    Turning of execute in /tmp is only a single security item you can do. Locking down or hardening a server should be left to those who have broader experience in running servers and securing them.

    If someone has access to the box, in order to be able to execute something anyway, then they'll have access to other directories too
    Actually the noexec /tmp is to prevent people from exploiting scripts into being able to upload their own files into /tmp and executing them from there. Doesn't matter if it's a home grown script, or a open source (ie. phpBB) or commercial script. After being able to upload their own malicious code and execute it, then they most likely would have access to your entire server!
    Last edited by jamesyeeoc; 06-24-2005 at 03:55 AM.

  3. #3
    Join Date
    Mar 2004
    Posts
    183
    Many thanks for the reply, but you havent actually answered the question, and your comment about using experienced server admins is ridiculous.

    I fully understand that this is only one tool in an arsenal of security options available. I'm merely trying to find out what it is that this one tool actually protects against - As I can't see anything at the moment.

    Sure, if they have root access, you're screwed.

    But if they have a level of access where they can execute scripts, then they can execute scripts in home dirs too, so they'll just do it there rather than in /tmp.

    Unless of course, like i said im missing something???

  4. #4
    Join Date
    Mar 2004
    Posts
    183
    Originally posted by codek
    Many thanks for the reply, but you havent actually answered the question, and your comment about using experienced server admins is ridiculous.

    I fully understand that this is only one tool in an arsenal of security options available. I'm merely trying to find out what it is that this one tool actually protects against - As I can't see anything at the moment.

    Sure, if they have root access, you're screwed.

    But if they have a level of access where they can execute scripts, then they can execute scripts in home dirs too, so they'll just do it there rather than in /tmp.

    Unless of course, like i said im missing something???
    Ah i see you've now edited the post.

    I still dont understand the difference between letting them upload scripts to /home/xxx compared to uploading them to /tmp ???

  5. #5
    Join Date
    Oct 2004
    Location
    Southwest UK
    Posts
    1,159
    One difference is that allowing users access tot heir home directories, you know its them.. whereas a shared host will let everyone write to /tmp.

    Ie. I have a server, several vhosts, each one is open_basedir restricted to home directories and /tmp. Now, if one of them uploads a bad script, sticks in into /tmp and executes it.. you can't easily say who it was.

    I guess you don't *need* to make /tmp non-executable, but every little helps.

    (after reading this, look what the next post I read said: http://www.webhostingtalk.com/showth...hreadid=416990)
    Last edited by gbjbaanb; 06-24-2005 at 05:37 AM.

  6. #6
    Join Date
    Mar 2004
    Posts
    183
    ah, ok that makes good sense, and yes, i agree, every little thing should be done - I guess i just like to know the reasoning behind every little thing rather than blindly following instructions on the net!

  7. #7
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    your comment about using experienced server admins is ridiculous.
    Given the userbase here, it's not at all ridiculous. Most of the individuals here have no clue how to truly run a server, or administrate it, hence the point was very valid.

    As for the problem:
    Yes, it is possible to use something to get around this, beit /home/ , /var/tmp , etc. However, most scripts are written to use /tmp as a hack, and most script kiddies out there don't know how to modify things to work like this.

    It's also entirely possible to use perl to overwrite the noexec on tmp. All you have to do is call perl itself, and boom , you've got instant hack script, and there's nothing that anyone , or any settings can do about it.

    The solutions?
    A> KNOW what your server is doing at all times! Make it tell you when stuff goes a bit wrong, do constant checks for rootkits, and the like.
    B> Use mod_security. You can disable a good number of hacks by adding in the appropriate mod_security rules.
    C> Configure your application. If you REALLY don't want people using exec(), disable it in php, though that WILL turn people away from your hosting, as exec() has very good uses.

    Eventually, you're going to get hacked, that's a fact. The question is will you know about it, or will you just continue to let your server affect every other server out there adversely? If you're a competent enough admin, you'll know about it within 24 hours (usually much less).

    Enjoy
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •