From owner-freebsd-security@FreeBSD.ORG Thu Sep 22 11:11:05 2005
From: Borja Marcos
To: freebsd-security@freebsd.org
Date: Thu, 22 Sep 2005 13:11:43 +0200
Subject: Mounting filesystems with "noexec"
List-Id: "Security issues [members-only posting]"

Hello,

I've been playing a bit with the "noexec" flag for filesystems. It can represent a substantial obstacle against the exploitation of security holes. However, I think it's not perfect yet.

First thing, an attempt to execute a program from a noexec-mounted filesystem should be logged. It is either a very significant security event, or it can drive an administrator nuts trying to install software. (I like to mount with noexec filesystems such as /var, /var/www, /var/spool, /var/tmp, /tmp, /home whenever the users are not supposed to install software...). I opened a PR (a change request, actually) years ago about this, and it was closed with a reasonable answer.

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=15435

However, as far as I know there is no such general logging facility. Wouldn't it be possible for especially sensible events to be logged? The patch I submitted is ugly, but it's better than nothing.

There is another change about which I would like to read some opinions. Right now, the "noexec" flag is all-or-nothing, which greatly reduces its usefulness. Packages and ports tend to run programs from /var/tmp or /tmp, and the noexec flags applied to those filesystems won't allow software to be installed. Of course, you can upgrade the status of the filesystems with a mount -u, but that opens a window of opportunity; while the noexec flag has been removed, it is possible for any user to run programs from those directories.

I think that it would be useful to have a man point here. What about allowing root, and only root, to run programs from a noexec-mounted fs? Its behavior could be changed (for example) with a sysctl variable.

My point here is this: I want to prevent a privilege escalation, so I want to prevent a user from executing a file he/she has just written. If it's not possible to execute programs from a directory where a normal user can write, either a public-write directory (/tmp et al) or a directory owned by him (take, for example, a directory with temporary files written by a PHP program or a CGI), it will be very difficult to achieve a privilege escalation. And, anyway, if the intruder found a way to achieve it, he could remove the noexec restriction with a mount -u.

I know, both situations have their own caveats (and I can imagine an intruder leaving a periodic process trying to run a program from /var/tmp), but imho this new behavior can make the noexec feature much more useful.

Borja.
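As an added illustration of the mount policy the message describes (not code from the list or from the FreeBSD project), the following POSIX sh script audits an fstab for the user-writable mount points the author lists (/var, /var/www, /var/spool, /var/tmp, /tmp, /home) and reports which ones are mounted without "noexec". The fstab contents are a constructed sample embedded in the script, and the mount-point list and the report format are assumptions of this example; to audit a real system, feed /etc/fstab to audit_fstab instead.

```shell
#!/bin/sh
# Constructed sample fstab (not taken from the mailing list). Two of the
# user-writable mount points named in the message lack "noexec".
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options            Dump Pass
/dev/ad0s1a     /           ufs     rw                 1 1
/dev/ad0s1d     /var        ufs     rw,noexec          2 2
/dev/ad0s1e     /tmp        ufs     rw,nosuid          2 2
/dev/ad0s1f     /home       ufs     rw,noexec,nosuid   2 2
/dev/ad0s1g     /var/tmp    ufs     rw                 2 2'

# Mount points the message proposes mounting noexec when users need not
# install software (assumed policy list for this example).
WANT_NOEXEC="/var /var/www /var/spool /var/tmp /tmp /home"

# audit_fstab: read fstab text on stdin and print one line per wanted
# mount point:
#   "<mountpoint> ok"       options include noexec
#   "<mountpoint> MISSING"  entry exists but has no noexec
#   "<mountpoint> absent"   no entry; the path inherits its parent's options
audit_fstab() {
    fstab=$(cat)
    for mp in $WANT_NOEXEC; do
        # Fourth field of the non-comment line whose mount point matches.
        opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" \
            '$1 !~ /^#/ && $2 == mp { print $4 }')
        if [ -z "$opts" ]; then
            echo "$mp absent"
        elif printf '%s\n' "$opts" | tr ',' '\n' | grep -qx noexec; then
            echo "$mp ok"
        else
            echo "$mp MISSING"
        fi
    done
}

# count_missing: number of wanted mount points present in the sample
# fstab but mounted without noexec.
count_missing() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab | grep -c ' MISSING$'
}

printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

Note that an "absent" result is not necessarily a problem: /var/www with no entry of its own simply lives on /var and takes /var's options, which in the sample include noexec. The check only covers the mount-time configuration; a temporary mount -u that drops noexec, as the message discusses, would not show up in fstab.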