Re: [suse-security] perl script drop
Only a small hint for the /tmp-partition: mount it as follows in /etc/fstab

/dev/hda5 /tmp ext2 rw,nosuid,nodev,noexec

with the noexec-parameter so no one is able to execute a created script from that directory

Greetings
olaf

"Gerhard Stegmann" <gerhard.stegmann@magelan.net> 12.05.2003 13:12 >>>
hi there
i have 2.4.20 with apache 1.3.26 and mod_php 4.2.2

somehow it was possible for a guy, to drop a file /tmp/.ps on the machine, and to start perl on that file

#>ps ax
1234 perl /tmp/.ps

the file was created under wwwrun.www - ownership, which tells me that apache created it. the script just listens for incoming connections on p 4098, and opens a shell if the correct password is entered.
petry wrote:
Only a small hint for the /tmp-partition: mount it as follows in /etc/fstab
/dev/hda5 /tmp ext2 rw,nosuid,nodev,noexec
with the noexec-parameter so no one is able to execute a created script from that directory
Only when the script interpreter is located on the noexec partition:

$ cat FreeSpace/hello.pl
print "Hello world\n";
wiersig@peter:~ $ ls -l FreeSpace/hello*
-rw-r--r-- 1 wiersig wiersig 23 May 12 13:47 FreeSpace/hello.pl
-rw-r--r-- 1 wiersig wiersig 17 May 12 13:45 FreeSpace/hello.sh
wiersig@peter:~ $ perl FreeSpace/hello.pl
Hello world

mount options don't help when faced with scripts.

Have fun,
Peter
On Monday, 12 May 2003 13:48, Peter Wiersig wrote:
mount options don't help when faced with scripts.
they don't even help when faced with binaries:

seife@mixi:~ > cp /bin/ps .
seife@mixi:~ > chmod -x ps
seife@mixi:~ > /lib/ld-linux.so.2 ./ps
PID TTY TIME CMD
7847 pts/7 00:00:00 bash
7865 pts/7 00:00:00 ld-linux.so.2
seife@mixi:~ > ls -l ps
-r--r--r-- 1 seife it 90496 2003-05-12 13:54 ps
seife@mixi:~ >

they are just useless for this.
--
Stefan Seyfried
"Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway" -- [Andrew S. Tanenbaum]
On Monday, 12 May 2003 13:48, Peter Wiersig wrote:
mount options don't help when faced with scripts.
they don't even help when faced with binaries:
/dev/hda5 on /tmp type reiserfs (rw,noexec,nosuid,nodev)
cd /tmp
cp /bin/touch .
ls -al
-rwxr-xr-x 1 root root 26504 May 12 16:06 touch
./touch a.txt
-bash: ./touch: Permission denied
touch a.txt
ls -al
-rw-r--r-- 1 root root 0 May 12 16:07 a.txt
-rwxr-xr-x 1 root root 26504 May 12 16:06 touch

... so it looks like binaries are blocked (tested on SuSE 8.1). Shell scripts are also blocked, perl scripts indeed run.

Cheers,
Andre
Hi folks,

Andre ten Bohmer (WU) wrote:
Shell scripts are also blocked, perl scripts indeed run.

Did you try to run them via source? Or cat'ing it into bash?

I think the bottom line is that mounting noexec does not protect you from a dedicated hacker. But it may protect against stupid automated attacks and may buy you the time you need to discover intrusion attempts.

If you really want to control what kind of files can be executed you'll have to use tools like LIDS or RSBAC.

baba,
Tom
--
this is a maillist account, so please send personal replies to cso[at]trium[dot]de
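
Added example, not written by any poster in this thread: since the thread shows an interpreter or the dynamic loader reading a file that sits on a noexec mount, a detection-side check can flag processes whose command line hands such a file to an interpreter. The mount table, the process records (apart from the reported "perl /tmp/.ps") and the interpreter list are constructed assumptions.

```python
import os
import shlex

# Interpreters seen in the thread plus common ones (assumed list; extend it).
INTERPRETERS = {"perl", "sh", "bash", "python", "php", "ld-linux.so.2"}

# Constructed sample in /proc/mounts format, modelled on the thread's /tmp mount.
MOUNTS = """\
/dev/hda1 / ext2 rw 0 0
/dev/hda5 /tmp reiserfs rw,noexec,nosuid,nodev 0 0
"""

# Constructed (pid, cwd, cmdline) records; live data is in /proc/<pid>/.
PROCS = [
    (1234, "/", "perl /tmp/.ps"),                # the process from the report
    (7865, "/tmp", "/lib/ld-linux.so.2 ./ps"),   # loader given a relative path
    (7847, "/home/seife", "bash"),               # interactive shell, no operand
    (900, "/srv/www", "perl cgi-bin/form.pl"),   # script on an exec mount
]

def noexec_mounts(mount_table):
    """Return the mount points whose option field contains noexec."""
    points = []
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "noexec" in fields[3].split(","):
            points.append(fields[1])
    return points

def flag_processes(procs, mount_table):
    """Return (pid, path) for interpreters handed a file on a noexec mount."""
    mounts = noexec_mounts(mount_table)
    hits = []
    for pid, cwd, cmdline in procs:
        argv = shlex.split(cmdline)
        if not argv or os.path.basename(argv[0]) not in INTERPRETERS:
            continue
        for arg in argv[1:]:
            if arg.startswith("-"):
                continue  # option, not a file operand
            path = os.path.normpath(os.path.join(cwd, arg))
            if any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts):
                hits.append((pid, path))
                break
    return hits

if __name__ == "__main__":
    for pid, path in flag_processes(PROCS, MOUNTS):
        print(f"pid {pid}: interpreter running {path} from a noexec mount")
```

A script fed to the interpreter on standard input leaves no path in the argument list, so this check does not see that case.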
participants (5)
- Andre ten Bohmer (WU)
- Peter Wiersig
- petry
- Stefan Seyfried
- Thomas Seliger