Gentoo Archives: gentoo-security

From: Joe Knall <joe.knall@×××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] mount noexec and ro
Date: Sat, 09 Dec 2006 02:40:25
Message-Id: 200612090334.31689.joe.knall@gmx.net
In Reply to: Re: [gentoo-security] mount noexec and ro by Miguel Sousa Filipe
1 On Thu, 2006-12-07 18:44 Miguel Sousa Filipe wrote:
2 > Hi,
3 >
4 > On 11/4/06, Joe Knall <joe.knall@×××.net> wrote:
5 > > On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
6 > > > On Saturday 04 November 2006 12:11, Joe Knall wrote:
7 > > > > can/does mounting a partition with noexec, ro etc. provide
8 > > > > additional security or are those limitations easy to
9 > > > > circumvent?
10 > > > >
11 > > > > Example: webserver running chrooted
12 > > > > all libs and executables (apache, lib, usr ...) on read only
13 > > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
14 > > > > partition /srv/www/data mounted with noexec (but rw of course),
15 > > > > no cgi needed.
16 > > > > Server is started with "chroot /srv/www /apache/bin/httpd -k
17 > > > > start".
18 > > >
19 > > > Besides this, you must also add nodev to prevent those kinds of
20 > > > circumventions
21 > > >
22 > > > Paul
23 > >
24 > > correct, it's atually like this
25 > > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
26 > > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
27 >
28 > I cannot have any kind of a intrepreted language supported in those
29 > environments..
30 > or a simple perl/php/lisp "data" file can circunvent those attacks!
31
32 When I get you right, you mean the P in Lamp makes these limitations
33 (ro, noexec, nodev, chroot ...) nonsense.
34 Ok, what makes you think so?
35 How do you do it (get a shell, root access, hijack the box ...)?
36 What's a better approach to prevent it?
37
38 Joe
39
40 --
41 gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] mount noexec and ro ascii <ascii@××××××××.com>