On Sunday 16 July 2006 10:07, Josh Saddler wrote:
>Daniel Drake wrote:
>> Hi,
>>
>> The local root exploit-of-the-week would have been unable to run if our
>> users' systems had /proc mounted with nosuid and/or noexec.
>>
>> It would be worthwhile considering making this a default. What are
>> people's thoughts?
>>
>> Additional testing of this change would be appreciated (just ensure that
>> nothing breaks). To do it as a one-off:
>>
>> # mount -o remount,nosuid,noexec /proc
>>
>> To make it more permanent, /etc/fstab has:
>>
>> proc /proc proc defaults 0 0
>>
>> Change to:
>>
>> proc /proc proc nosuid,noexec 0 0
>
>Is there an open bug or security advisory for this exploit I missed? I tried
> the CLI solution; works just fine here. No wild behavior so far. Any
> suggestions on what to look for, or how to really hammer /proc? :)

There is bug #140444.


-- 
Christian Heim <phreak@g.o>
Gentoo Linux Developer
Your friendly kernel/vserver/openvz monkey
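One way to verify the remount/fstab change discussed in this thread, as an added example that is not code from the original messages: a POSIX sh script that parses a /proc/self/mounts entry for /proc and reports whether both nosuid and noexec are in effect. The function names and the sample mount lines are constructed for this example.

```shell
#!/bin/sh
# Added example: check that /proc carries both nosuid and noexec.
# check_proc_opts "<mounts line>" returns 0 if both options are present,
# 1 if either is missing, 2 if the line is not the /proc entry.
check_proc_opts() {
    line=$1
    # Fields of a /proc/self/mounts (or fstab) line:
    #   device mountpoint fstype options dump pass
    set -- $line                      # intentional word splitting
    [ "$2" = "/proc" ] || return 2
    opts=",$4,"                       # pad so ",nosuid," matches exactly
    case $opts in
        *,nosuid,*) has_nosuid=1 ;;
        *)          has_nosuid=0 ;;
    esac
    case $opts in
        *,noexec,*) has_noexec=1 ;;
        *)          has_noexec=0 ;;
    esac
    [ "$has_nosuid" = 1 ] && [ "$has_noexec" = 1 ]
}

# Audit the running system by locating the /proc line in /proc/self/mounts.
audit_live_proc() {
    while read -r dev mnt fstype opts dump pass; do
        [ "$mnt" = "/proc" ] || continue
        if check_proc_opts "$dev $mnt $fstype $opts $dump $pass"; then
            echo "OK: /proc mounted with nosuid,noexec ($opts)"
            return 0
        fi
        echo "WARNING: /proc lacks nosuid and/or noexec ($opts)"
        return 1
    done < /proc/self/mounts
    echo "WARNING: no /proc entry found in /proc/self/mounts"
    return 1
}

# Constructed sample lines in /proc/self/mounts format (not from a real host).
SAMPLE_HARDENED="proc /proc proc rw,nosuid,noexec,relatime 0 0"
SAMPLE_DEFAULT="proc /proc proc rw,relatime 0 0"

# Run the live audit only when asked, e.g.: sh check_proc.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live_proc
fi
```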