| 1 |
On 14 Jan 2006 at 15:54, Nicolas MASSE wrote: |
| 2 |
> > ------- Comment #1 from jakub@g.o 2006-01-14 05:07 PST ------- |
| 3 |
> > (In reply to comment #0) |
| 4 |
> > |
| 5 |
> > > So, I watched my /etc/fstab and found : |
| 6 |
> > > udev /dev tmpfs nosuid,noexec,size=16M 0 0 |
| 7 |
> > > |
| 8 |
> > > After I removed the noexec flag, all worked perfectly. |
| 9 |
> > |
| 10 |
> > You are not supposed to have noexec for udev, it doesn't work on multiple |
| 11 |
> > occasions. |
| 12 |
> |
| 13 |
> I think it's my fault because noexec and nosuid are not standard flags for |
| 14 |
> udev. But I don't understand why it doesn't work... |
| 15 |
|
| 16 |
and in my mind i mixed up /dev with /dev/shm which is noexec by |
| 17 |
default on gentoo. anyway, making /dev noexec would be good as |
| 18 |
well, and i'd like to know what else (besides mmap(PROT_EXEC) |
| 19 |
of /dev/zero) breaks. does anyone have more info? |
| 20 |
|
| 21 |
> The man page of mount does'nt mention the bug : |
| 22 |
> > noexec Do not allow direct execution of any binaries on the mounted |
| 23 |
> > file system. (Until recently it was possible to run binaries anyway using |
| 24 |
> > a command like /lib/ld*.so /mnt/binary. This trick fails since |
| 25 |
> > Linux 2.4.25 / 2.6.0.) |
| 26 |
|
| 27 |
'execution' doesn't mean 'execve', it means 'create an executable |
| 28 |
file mapping', which is what eventually execve does internally. |
| 29 |
and the noexec mount enforcement (quite correctly) operates at the |
| 30 |
mmap level (and with PaX, mprotect as well). so mmap(PROT_EXEC) |
| 31 |
of any file (including /dev/zero) on a noexec mount will be denied. |
| 32 |
|
| 33 |
|
| 34 |
-- |
| 35 |
gentoo-hardened@g.o mailing list |
Archives