public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Making procfs mount as nosuid,noexec by default
@ 2006-07-15 16:45 Daniel Drake
  2006-07-15 17:41 ` Ned Ludd
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Daniel Drake @ 2006-07-15 16:45 UTC
  To: gentoo-dev

Hi,

The local root exploit-of-the-week would have been unable to run if our 
users' systems had /proc mounted with nosuid and/or noexec.

It would be worthwhile considering making this a default. What are 
people's thoughts?

Additional testing of this change would be appreciated (just ensure that 
nothing breaks). To do it as a one off:

# mount -o remount,nosuid,noexec /proc

To make it more permanent, /etc/fstab has:

	proc	/proc	proc		defaults		0 0

Change to:

	proc	/proc	proc		nosuid,noexec		0 0


Thanks,
Daniel
-- 
gentoo-dev@gentoo.org mailing list
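
A check for the change proposed above, added here as an example and not part of the original post: it reports which of nosuid and noexec are missing from the /proc entry of an fstab or /proc/mounts file. The function name proc_missing_opts and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of nosuid/noexec the /proc entry lacks.
# fstab(5) and /proc/mounts share their first four fields:
#   <source> <mountpoint> <fstype> <options>

# Prints the missing options for the procfs entry in file $1 (empty output
# when both are set). Exit status 2 means the file has no /proc entry.
proc_missing_opts() {
    awk '
        /^[ \t]*#/ { next }                    # fstab comment lines
        $2 == "/proc" && $3 == "proc" {
            found = 1
            has_nosuid = has_noexec = 0        # a later entry wins
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "nosuid") has_nosuid = 1
                if (opt[i] == "noexec") has_noexec = 1
            }
        }
        END {
            if (!found) exit 2
            out = has_nosuid ? "" : "nosuid"
            if (!has_noexec) out = (out == "" ? "" : out " ") "noexec"
            print out
        }
    ' "$1"
}

# Constructed sample input: the fstab line from the post before and after
# the change, plus a /proc/mounts-style line after a nosuid-only remount.
sample_dir=$(mktemp -d)
printf '# <fs>\t<mountpoint>\t<type>\t<opts>\t<dump/pass>\n' > "$sample_dir/before"
printf 'proc\t/proc\tproc\tdefaults\t0 0\n' >> "$sample_dir/before"
printf 'proc\t/proc\tproc\tnosuid,noexec\t0 0\n' > "$sample_dir/after"
printf 'proc /proc proc rw,nosuid,relatime 0 0\n' > "$sample_dir/partial"

for f in before after partial; do
    echo "$f: missing [$(proc_missing_opts "$sample_dir/$f")]"
done

# On a live system, check the running mount as well as the boot-time config.
if [ -r /proc/mounts ]; then
    echo "live /proc: missing [$(proc_missing_opts /proc/mounts)]"
fi
```

Running it against both /etc/fstab and /proc/mounts separates a system that was only remounted by hand from one whose configuration was actually changed.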




* Re: [gentoo-dev] Making procfs mount as nosuid,noexec by default
  2006-07-15 16:45 [gentoo-dev] Making procfs mount as nosuid,noexec by default Daniel Drake
@ 2006-07-15 17:41 ` Ned Ludd
  2006-07-15 18:53   ` Ned Ludd
                     ` (2 more replies)
  2006-07-15 23:17 ` Doug Goldstein
  2006-07-16  8:07 ` Josh Saddler
  2 siblings, 3 replies; 9+ messages in thread
From: Ned Ludd @ 2006-07-15 17:41 UTC
  To: gentoo-dev

On Sat, 2006-07-15 at 17:45 +0100, Daniel Drake wrote:
> Hi,
> 
> The local root exploit-of-the-week would have been unable to run if our 
> users' systems had /proc mounted with nosuid and/or noexec.
> 
> It would be worthwhile considering making this a default. What are 
> people's thoughts?

I mailed Mike about this very thing a month ago. Pretty sure it should 
be showing up in an upcoming baselayout. But yeah it's a good idea for
the nosuid part anyway. Not 100% sure about the noexec part as that
might break upx which calls /proc/self/exe as part of its decompressor
routines.

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux


* Re: [gentoo-dev] Making procfs mount as nosuid,noexec by default
  2006-07-15 17:41 ` Ned Ludd
@ 2006-07-15 18:53   ` Ned Ludd
  2006-07-15 19:20   ` Mike Frysinger
  2006-07-16  1:39   ` Drake Wyrm
  2 siblings, 0 replies; 9+ messages in thread
From: Ned Ludd @ 2006-07-15 18:53 UTC
  To: gentoo-dev

On Sat, 2006-07-15 at 13:41 -0400, Ned Ludd wrote:
> On Sat, 2006-07-15 at 17:45 +0100, Daniel Drake wrote:
> > Hi,
> > 
> > The local root exploit-of-the-week would have been unable to run if our 
> > users' systems had /proc mounted with nosuid and/or noexec.
> > 
> > It would be worthwhile considering making this a default. What are 
> > people's thoughts?
> 
> I mailed Mike about this very thing a month ago. Pretty sure it should 
> be showing up in an upcoming baselayout. But yeah it's a good idea for
> the nosuid part anyway. Not 100% sure about the noexec part as that
> might break upx which calls /proc/self/exe as part of its decompressor
> routines.

Tested it using a and it seems safe across the board. upx, busybox and 
other multicall binaries seem quite content. Linus also recently
suggested that the same be done in the kernel directly via the
proc_fill_super() function. This seems like an ideal route to go for us
as it would get inherited by all the existing users who won't notice 
the change in the default fstab file.

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux


* Re: [gentoo-dev] Making procfs mount as nosuid,noexec by default
  2006-07-15 17:41 ` Ned Ludd
  2006-07-15 18:53   ` Ned Ludd
@ 2006-07-15 19:20   ` Mike Frysinger
  2006-07-16 14:45     ` Chris Gianelloni
  2006-07-16  1:39   ` Drake Wyrm
  2 siblings, 1 reply; 9+ messages in thread
From: Mike Frysinger @ 2006-07-15 19:20 UTC
  To: gentoo-dev

On Saturday 15 July 2006 13:41, Ned Ludd wrote:
> On Sat, 2006-07-15 at 17:45 +0100, Daniel Drake wrote:
> > The local root exploit-of-the-week would have been unable to run if our
> > users' systems had /proc mounted with nosuid and/or noexec.
> >
> > It would be worthwhile considering making this a default. What are
> > people's thoughts?
>
> I mailed Mike about this very thing a month ago. Pretty sure it should
> be showing up in an upcoming baselayout. But yeah it's a good idea for
> the nosuid part anyway. Not 100% sure about the noexec part as that
> might break upx which calls /proc/self/exe as part of its decompressor
> routines.

this will be in baselayout-1.12.2+
-mike


* Re: [gentoo-dev] Making procfs mount as nosuid,noexec by default
  2006-07-15 16:45 [gentoo-dev] Making procfs mount as nosuid,noexec by default Daniel Drake
  2006-07-15 17:41 ` Ned Ludd
@ 2006-07-15 23:17 ` Doug Goldstein
  2006-07-16  8:07 ` Josh Saddler
  2 siblings, 0 replies; 9+ messages in thread
From: Doug Goldstein @ 2006-07-15 23:17 UTC
  To: gentoo-dev

Daniel Drake wrote:
> Hi,
> 
> The local root exploit-of-the-week would have been unable to run if our
> users' systems had /proc mounted with nosuid and/or noexec.
> 
> It would be worthwhile considering making this a default. What are
> people's thoughts?
> 
> Additional testing of this change would be appreciated (just ensure that
> nothing breaks). To do it as a one off:
> 
> # mount -o remount,nosuid,noexec /proc
> 
> To make it more permanent, /etc/fstab has:
> 
>     proc    /proc    proc        defaults        0 0
> 
> Change to:
> 
>     proc    /proc    proc        nosuid,noexec        0 0
> 
> 
> Thanks,
> Daniel

Daniel,

Turns out that yesterday after we talked about this. I've been running
one of my boxes like that for ages. So far so good.

-- 
Doug Goldstein <cardoe@gentoo.org>
http://dev.gentoo.org/~cardoe/



* Re: [gentoo-dev] Making procfs mount as nosuid,noexec by default
  2006-07-15 17:41 ` Ned Ludd
  2006-07-15 18:53   ` Ned Ludd
  2006-07-15 19:20   ` Mike Frysinger
@ 2006-07-16  1:39   ` Drake Wyrm
  2 siblings, 0 replies; 9+ messages in thread
From: Drake Wyrm @ 2006-07-16  1:39 UTC
  To: gentoo-dev

Ned Ludd <solar@gentoo.org> wrote:
>  Not 100% sure about the noexec part as that might break upx which
>  calls /proc/self/exe as part of its decompressor routines.

/proc/self/exe is a symlink, and the permissions of symlinks aren't used
for anything. It's less than trivial (and I think impossible) to set
them to anything but 0777. In any case, the noexec option only affects
regular files. Directories, for example, also keep their execute flags.


-- 
Batou: Hey, Major... You ever hear of "human rights"?
Kusanagi: I understand the concept, but I've never seen it in action.
  --Ghost in the Shell


* Re: [gentoo-dev] Making procfs mount as nosuid,noexec by default
  2006-07-15 16:45 [gentoo-dev] Making procfs mount as nosuid,noexec by default Daniel Drake
  2006-07-15 17:41 ` Ned Ludd
  2006-07-15 23:17 ` Doug Goldstein
@ 2006-07-16  8:07 ` Josh Saddler
  2006-07-16  8:48   ` Christian Heim
  2 siblings, 1 reply; 9+ messages in thread
From: Josh Saddler @ 2006-07-16  8:07 UTC
  To: gentoo-dev

Daniel Drake wrote:
> Hi,
> 
> The local root exploit-of-the-week would have been unable to run if our
> users' systems had /proc mounted with nosuid and/or noexec.
> 
> It would be worthwhile considering making this a default. What are
> people's thoughts?
> 
> Additional testing of this change would be appreciated (just ensure that
> nothing breaks). To do it as a one off:
> 
> # mount -o remount,nosuid,noexec /proc
> 
> To make it more permanent, /etc/fstab has:
> 
>     proc    /proc    proc        defaults        0 0
> 
> Change to:
> 
>     proc    /proc    proc        nosuid,noexec        0 0

Is there an open bug or security advisory for this exploit I missed? I tried the
CLI solution; works just fine here. No wild behavior so far. Any suggestions on
what to look for, or how to really hammer /proc? :)

* Re: [gentoo-dev] Making procfs mount as nosuid,noexec by default
  2006-07-16  8:07 ` Josh Saddler
@ 2006-07-16  8:48   ` Christian Heim
  0 siblings, 0 replies; 9+ messages in thread
From: Christian Heim @ 2006-07-16  8:48 UTC
  To: gentoo-dev

On Sunday 16 July 2006 10:07, Josh Saddler wrote:
>Daniel Drake wrote:
>> Hi,
>>
>> The local root exploit-of-the-week would have been unable to run if our
>> users' systems had /proc mounted with nosuid and/or noexec.
>>
>> It would be worthwhile considering making this a default. What are
>> people's thoughts?
>>
>> Additional testing of this change would be appreciated (just ensure that
>> nothing breaks). To do it as a one off:
>>
>> # mount -o remount,nosuid,noexec /proc
>>
>> To make it more permanent, /etc/fstab has:
>>
>>     proc    /proc    proc        defaults        0 0
>>
>> Change to:
>>
>>     proc    /proc    proc        nosuid,noexec        0 0
>
>Is there an open bug or security advisory for this exploit I missed? I tried
> the CLI solution; works just fine here. No wild behavior so far. Any
> suggestions on what to look for, or how to really hammer /proc? :)

There is bug #140444.


-- 
Christian Heim <phreak@gentoo.org>
Gentoo Linux Developer
Your friendly kernel/vserver/openvz monkey


* Re: [gentoo-dev] Making procfs mount as nosuid,noexec by default
  2006-07-15 19:20   ` Mike Frysinger
@ 2006-07-16 14:45     ` Chris Gianelloni
  0 siblings, 0 replies; 9+ messages in thread
From: Chris Gianelloni @ 2006-07-16 14:45 UTC
  To: gentoo-dev

On Sat, 2006-07-15 at 15:20 -0400, Mike Frysinger wrote:
> On Saturday 15 July 2006 13:41, Ned Ludd wrote:
> > On Sat, 2006-07-15 at 17:45 +0100, Daniel Drake wrote:
> > > The local root exploit-of-the-week would have been unable to run if our
> > > users' systems had /proc mounted with nosuid and/or noexec.
> > >
> > > It would be worthwhile considering making this a default. What are
> > > people's thoughts?
> >
> > I mailed Mike about this very thing a month ago. Pretty sure it should
> > be showing up in an upcoming baselayout. But yeah it's a good idea for
> > the nosuid part anyway. Not 100% sure about the noexec part as that
> > might break upx which calls /proc/self/exe as part of its decompressor
> > routines.
> 
> this will be in baselayout-1.12.2+

Great.  I'm guessing I should artificially bump 1.12.1 with a revision
in my snapshot for 2006.1 or we'll end up not having fixed much.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
