On 14 Jan 2006 at 15:54, Nicolas MASSE wrote:

> > ------- Comment #1 from jakub@g.o 2006-01-14 05:07 PST -------
> > (In reply to comment #0)
> >
> > > So, I watched my /etc/fstab and found:
> > > udev /dev tmpfs nosuid,noexec,size=16M 0 0
> > >
> > > After I removed the noexec flag, all worked perfectly.
> >
> > You are not supposed to have noexec for udev, it doesn't work on multiple
> > occasions.
>
> I think it's my fault because noexec and nosuid are not standard flags for
> udev. But I don't understand why it doesn't work...

and in my mind i mixed up /dev with /dev/shm which is noexec by
default on gentoo. anyway, making /dev noexec would be good as
well, and i'd like to know what else (besides mmap(PROT_EXEC)
of /dev/zero) breaks. does anyone have more info?

> The man page of mount doesn't mention the bug:
> > noexec Do not allow direct execution of any binaries on the mounted
> > file system. (Until recently it was possible to run binaries anyway using
> > a command like /lib/ld*.so /mnt/binary. This trick fails since
> > Linux 2.4.25 / 2.6.0.)

'execution' doesn't mean 'execve', it means 'create an executable
file mapping', which is what eventually execve does internally.
and the noexec mount enforcement (quite correctly) operates at the
mmap level (and with PaX, mprotect as well). so mmap(PROT_EXEC)
of any file (including /dev/zero) on a noexec mount will be denied.


-- 
gentoo-hardened@g.o mailing list
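To make the point of the reply above concrete, here is an added probe program; it is not code from the list posters, udev or PaX. It tries the two ways a process can end up with an executable file-backed mapping: a direct mmap() with PROT_EXEC (what execve() and /lib/ld*.so need), and a PROT_READ mapping that is flipped to executable with mprotect() afterwards. The path argument and the helper names are assumptions for illustration; the default path is /dev/zero as in the thread. On a noexec mount, current Linux kernels refuse the first call with EPERM at mmap() time, and the second fails at mprotect() with EACCES because the mapping was created without the may-execute permission bit (the reply notes PaX enforces the mprotect side as well).

```c
/* noexec_probe.c: can `path` be mapped executable?
 * Added example for this thread, not the posters' own code.
 * Build: cc -o noexec_probe noexec_probe.c
 * Usage: ./noexec_probe [path]     (default: /dev/zero) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one page of `path` MAP_PRIVATE and try to make it executable,
 * either directly in the mmap() call (exec_at_mmap != 0) or afterwards
 * with mprotect(). Returns 0 if an executable mapping was obtained,
 * otherwise the errno of the call that refused it. Any mapping is
 * released before returning. */
static int probe(const char *path, int exec_at_mmap)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;                      /* ENOENT, EACCES, ... */

    int prot = PROT_READ | (exec_at_mmap ? PROT_EXEC : 0);
    void *p = mmap(NULL, page, prot, MAP_PRIVATE, fd, 0);
    int err = 0;
    if (p == MAP_FAILED) {
        err = errno;                       /* EPERM: noexec mount refused PROT_EXEC */
    } else {
        if (!exec_at_mmap && mprotect(p, page, PROT_READ | PROT_EXEC) != 0)
            err = errno;                   /* EACCES: mapping has no may-execute bit */
        munmap(p, page);
    }
    close(fd);
    return err;
}

/* Direct mmap(PROT_EXEC) of the file, as execve() and ld.so do. */
int probe_exec_map(const char *path)
{
    return probe(path, 1);
}

/* Read-only mapping first, then mprotect() to executable. */
int probe_exec_mprotect(const char *path)
{
    return probe(path, 0);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/zero";   /* assumed default */
    int r1 = probe_exec_map(path);
    int r2 = probe_exec_mprotect(path);
    printf("%s: mmap(PROT_EXEC)           -> %s\n", path, r1 ? strerror(r1) : "allowed");
    printf("%s: mmap(PROT_READ)+mprotect -> %s\n", path, r2 ? strerror(r2) : "allowed");
    return 0;
}
```

To reproduce the situation in the thread, run it as root against a file on a freshly mounted noexec tmpfs (for example `mount -t tmpfs -o noexec none /mnt/t`, then `touch /mnt/t/f` and `./noexec_probe /mnt/t/f`), and compare with the same file after remounting with `exec`. The interesting observation is that open() succeeds in both cases; it is only the request for an executable mapping that the kernel turns down, which is exactly why a noexec /dev breaks anything that maps /dev/zero with PROT_EXEC rather than anything that merely reads it.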