
The /proc vulnerability


Posted Jul 20, 2006 5:57 UTC (Thu) by sweikart (guest, #4276)
Parent article: The /proc vulnerability

> It should be noted that this workaround was the right thing to do for /proc
> all along; nothing good can come from allowing those bits to be used.

Luckily, I'd already mounted most of my filing systems nosuid. [And the writable filing systems in my chroot jails are mounted noexec,nodev]

But, your point brings up some obvious questions. Should /proc also be mounted noexec? And how should we mount /sys, /dev/shm, /dev/pts, /selinux?

-scott
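
A read-only way to see how those mount points are mounted today, as an added example that is not part of the original comments: it parses `/proc/mounts`-format text and lists which of nosuid, nodev and noexec each named mount point, and each read-write mount, lacks. The sample lines and the function names are constructed for illustration.

```python
import re

HARDENING = ("nosuid", "nodev", "noexec")
# Mount points named in the comment above.
NAMED = ("/proc", "/sys", "/dev/shm", "/dev/pts", "/selinux")

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
devpts /dev/pts devpts rw,nosuid,noexec,gid=5,mode=620 0 0
/dev/sda3 /srv/jail\\040one/tmp ext3 rw,nodev,noexec 0 0
/dev/sda1 / ext3 ro,relatime 0 0
"""

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Yield (mount_point, fstype, options) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        yield unescape(fields[1]), fields[2], set(fields[3].split(","))

def audit(text, named=NAMED):
    """Map mount point -> hardening flags it lacks.

    Covers the named mount points and every other read-write mount.
    A later line for the same mount point replaces the earlier one.
    """
    report = {}
    for point, _fstype, opts in parse_mounts(text):
        if point in named or "rw" in opts:
            report[point] = [f for f in HARDENING if f not in opts]
    return report

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample
    for point, missing in sorted(audit(text).items()):
        print(f"{point}: {'missing ' + ','.join(missing) if missing else 'ok'}")
```

The report only states which flags are absent; whether a given mount point should carry them is the question the comment raises.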



The /proc vulnerability

Posted Jul 20, 2006 6:39 UTC (Thu) by ekj (guest, #1524) [Link] (4 responses)

noexec pretty much doesn't do anything.

If it's a script of some sort, then it simply means you need to type "python foo.py" instead of "./foo.py" (substitute your favourite interpreter).

If it's an executable, you only need to type "/lib/ld.so program" instead of "./program".

Really. Any program that can be executed from a normal filesystem can just as well be executed, perhaps at the cost of 10 extra keystrokes, from a noexec-mounted filesystem.

The /proc vulnerability

Posted Jul 20, 2006 9:50 UTC (Thu) by nix (subscriber, #2304) [Link] (2 responses)

The latter doesn't work in recent versions of glibc, but a determined attacker could build a modified ld.so that doesn't check noexec.

efficacy of mounting with noexec

Posted Jul 20, 2006 13:15 UTC (Thu) by sweikart (guest, #4276) [Link]

> The latter doesn't work in recent versions of glibc ...

It worked with ld-2.2.5.so (Red Hat Linux 7.3), but not ld-2.3.3.so (Fedora Core 2).

> ... but a determined attacker could build a modified ld.so that
> doesn't check noexec.

Which can be foiled in a chroot jail by mounting writable filing systems noexec.

-scott

The /proc vulnerability

Posted Jul 22, 2006 16:21 UTC (Sat) by Ross (guest, #4065) [Link]

If an attacker could write to a filesystem with exec permissions, then they wouldn't have to bother with trying to run an existing executable.

The /proc vulnerability

Posted Jul 24, 2006 23:32 UTC (Mon) by bluefoxicy (guest, #25366) [Link]

Recent kernels don't allow you to mmap() stuff on noexec file systems with PROT_EXEC I think.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds