From: Jens Knoell <jens@surefoot.com>
To: linux-admin@vger.kernel.org
Cc: Glynn Clements <glynn.clements@virgin.net>
Subject: Re: Making directories non-executable?
Date: Tue, 23 Mar 2004 15:20:22 -0700 [thread overview]
Message-ID: <200403231520.22925.jens@surefoot.com> (raw)
In-Reply-To: <16480.39709.489781.328048@cerise.nosuchdomain.co.uk>
On Tuesday 23 March 2004 13:16, Glynn Clements wrote:
> Jens Knoell wrote:
> > In an effort to tighten security, I'm trying to find out if there is any
> > solution out there to make certain world-writable directories
> > non-executable? I'd imagine an execve() wrapper should be able to do
> > that, but I was not graced with finding any solution at all.
>
> When you refer to making a directory non-executable, presumably you
> aren't talking about clearing the execute bit on the directory itself,
> but refusing to treat files within that directory as executables,
> right?
Correct.
> In which case, what exactly are you trying to achieve? Is this meant
> to be a security measure? If so, against what type of attack?
The specific scenario is that we'll run a webserver where an outside
webdesigner can and does upload CGI's of his own choosing. From experience I
know that this means a few of them will allow injection attacks, sometimes
resulting in shell access. Since the only directories our webserver can write
to are temp directories, that's where they could conceivably download
malicious binaries.
I believe that the restrictions are tight enough to not allow them to do much
harm, yet I do think any additional hurdle I can throw in harms way will at
least keep script kiddies away. That's why I don't want any files being
executed if they are in the temp directory.
> An execve() wrapper would help to protect legitimate programs against
> inadvertantly executing malicious code, but it won't restrict what
> malicious code can execute, as malicious code can just bypass the
> execve() function.
*nods* that's the idea. The legitimate program would be the webserver, and
presumably legitimate CGI's (which would be spawned via suexec). CGI's
commonly won't be able to write to the CGI directory, which I intend to make
the _only_ directory from where the webserver itself can execute binaries.
> Nor will it prevent the execution of malicious code which is stored as
> a shared library rather than an executable.
I'd think if someone manages to get a library onto the machine I have a bigger
problem at hand. Libraries should only be writeable by root, and if someone
has root on the machine it's too late...
Thanks
Jens
next prev parent reply other threads:[~2004-03-23 22:20 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-03-23 18:25 Making directories non-executable? Jens Knoell
2004-03-23 20:16 ` Glynn Clements
2004-03-23 22:20 ` Jens Knoell [this message]
2004-03-24 12:30 ` Glynn Clements
2004-03-23 22:37 ` Nico Schottelius
-- strict thread matches above, loose matches on Subject: below --
2004-03-24 6:47 George Iosif
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200403231520.22925.jens@surefoot.com \
--to=jens@surefoot.com \
--cc=glynn.clements@virgin.net \
--cc=linux-admin@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).