[prev in list] [next in list] [prev in thread] [next in thread] 

List:       debian-security
Subject:    RE: execute permissions in /tmp
From:       DEFFONTAINES Vincent <Vincent.DEFFONTAINES () coe ! int>
Date:       2003-07-17 8:30:11
[Download RAW message or body]

>  Looks that way.  I guess I mis-interpreted the grsec docs 
> (and since I don't have a kernel compiled with TPE, I didn't 
> test it).  It seems that it already does what I suggested it 
> do: not allow mmap with PROT_EXEC under certain conditions.  
> (You did make sure that this behaviour isn't the result of 
> some other grsecurity option, right?)

Yes I did.
Tested it with a whole bunch of grsec options on, but not TPE.
Then with the same config, only diff is TPE option is set.

First time the /tmp/bash worked "normally", 2nd time gave the 
result I pasted in my last post.


> 
>  Anyway, that's pretty cool.  However, I don't suppose it 
> stops you from running perl scripts, or anything other than 
> ELF binaries, since files that don't contain machine code 
> wouldn't need to be mapped with PROT_EXEC.  In fact, I 
> straced perl, and it uses read(2) instead of mmap(2) to load 
> the code.  Unless grsec is really clever, perl programs would 
> still work, by running /usr/bin/perl /tmp/foo.pl, as long as 
> you can read /tmp/foo.pl.


Correct. I've just tested it just in case :-)
$cat foo.pl
#!/usr/bin/perl
print "foo\n";

$/tmp/foo.pl
su: ./toto.pl: /usr/bin/perl: bad interpreter: Permission denied

$/usr/bin/perl /tmp/foo.pl
foo

Which seems pretty logical, indeed.


Vincent


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

[prev in list] [next in list] [prev in thread] [next in thread]