It would be an inconvenience to a bot author if they couldn't create and run their own
executables anywhere on the system (so all filesystems mounted either readonly or noexec).
But perl is perfectly capable, so while existing bots distributed as a binary executable
wouldn't work, it's not a serious obstacle.
Out of interest, is it possible to implement a simple exec() in user space?
Posted Mar 10, 2008 22:12 UTC (Mon) by ballombe (subscriber, #9523)
Do you mean /lib/ld-linux.so.2? Then yes.
cp /bin/ls /tmp
chmod a-x /tmp/ls
/lib/ld-linux.so.2 /tmp/ls
Security benefits of noexec?
Posted Mar 11, 2008 9:02 UTC (Tue) by Wummel (subscriber, #7591)
The /lib/ld-linux.so flaw has been fixed in recent (2.6.24 iirc) kernels:
$ /lib/ld-linux.so.2 /tmp/ls
/tmp/ls: error while loading shared libraries: /tmp/ls: failed to map segment from shared object: Operation not permitted
Security benefits of noexec?
Posted Mar 10, 2008 22:34 UTC (Mon) by jamesm (guest, #2273)
Just run perl.
Security benefits of noexec?
Posted Mar 10, 2008 23:24 UTC (Mon) by nix (subscriber, #2304)
It's trivial to do with mmap (PROT_EXEC). Just look at the implementation
of the dynamic linker, which has to do all of this stuff anyway.
mmap and PROT_EXEC
Posted Mar 11, 2008 0:00 UTC (Tue) by jreiser (subscriber, #11027)
mmap() and mprotect() involving PROT_EXEC are not necessarily trivial when Security Enhanced
Linux (SELinux) is present. In particular, in some environments it is reasonable to attempt
to enforce the policy: "Any instruction ever executed must be fetched from the unchanging
PROT_EXEC pages of the following explicit list of files." Accurate implementation of this
policy is a successful defense against many exploits.
mmap and PROT_EXEC
Posted Mar 11, 2008 12:36 UTC (Tue) by nix (subscriber, #2304)
Yes, SELinux can plug this hole (although it might be annoying to do so).
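(Added example, not part of any comment in this thread.) An administrator's check for the behaviour discussed above: whether the kernel refuses a file-backed PROT_EXEC mapping on a noexec mount, as in the "failed to map segment" output. The names probe_dir and classify and the default /tmp argument are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <unistd.h>
#ifndef ST_NOEXEC            /* glibc hides it without _GNU_SOURCE */
#define ST_NOEXEC 8          /* Linux value, same bit as MS_NOEXEC */
#endif

enum verdict { NOT_NOEXEC, ENFORCED, MAPPABLE, OTHER_DENIAL };

/* noexec: mount has ST_NOEXEC; map_errno: errno from mmap(), 0 on success. */
int classify(int noexec, int map_errno)
{
    if (map_errno == 0)
        return noexec ? MAPPABLE : NOT_NOEXEC;
    /* EPERM on a noexec mount is the refusal seen in the ld-linux output;
     * any other failure (e.g. EACCES from an LSM policy) is reported apart. */
    return (noexec && map_errno == EPERM) ? ENFORCED : OTHER_DENIAL;
}

/* Try a file-backed PROT_EXEC mapping of a scratch file created in dir.
 * Returns a verdict, or -1 if the probe could not be set up. */
int probe_dir(const char *dir)
{
    struct statvfs vfs;
    char path[4096]; int fd, map_errno = 0;
    if (statvfs(dir, &vfs) != 0) return -1;
    snprintf(path, sizeof path, "%s/noexec-probe-XXXXXX", dir);
    if ((fd = mkstemp(path)) < 0) return -1;
    unlink(path);                         /* leave nothing behind */
    if (ftruncate(fd, 4096) != 0) { close(fd); return -1; }
    void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) map_errno = errno; else munmap(p, 4096);
    close(fd);
    return classify((vfs.f_flag & ST_NOEXEC) != 0, map_errno);
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "not mounted noexec", "noexec enforced on mmap",
        "noexec but PROT_EXEC mapping allowed", "denied for another reason" };
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int v = probe_dir(dir);
    if (v < 0) { perror(dir); return 2; }
    printf("%s: %s\n", dir, msg[v]);
    return v == MAPPABLE;                 /* non-zero exit flags the gap */
}
```

The probe covers file-backed mappings only; it says nothing about interpreters such as perl, which the thread notes are unaffected by noexec.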
simple exec() in user space
Posted Mar 10, 2008 23:32 UTC (Mon) by jreiser (subscriber, #11027)
Yes, it is possible to implement a simple exec() in user space; it takes about 1.4KB of code on x86. For instance: UPX (http://upx.sourceforge.net)
Security benefits of noexec?
Posted Mar 11, 2008 10:35 UTC (Tue) by PaXTeam (subscriber, #24616)