From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.62)
	(envelope-from <gentoo-security+bounces-754-garchives=archives.gentoo.org@gentoo.org>)
	id 1Gss8X-0003Q9-7U
	for garchives@archives.gentoo.org; Sat, 09 Dec 2006 02:40:25 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.8/8.13.8) with SMTP id kB92cOcb007918;
	Sat, 9 Dec 2006 02:38:24 GMT
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20])
	by robin.gentoo.org (8.13.8/8.13.8) with SMTP id kB92YYDD020631
	for <gentoo-security@lists.gentoo.org>; Sat, 9 Dec 2006 02:34:34 GMT
Received: (qmail invoked by alias); 09 Dec 2006 02:34:34 -0000
Received: from p57AF8697.dip0.t-ipconnect.de (EHLO mail.gagamux.net) [87.175.134.151]
  by mail.gmx.net (mp027) with SMTP; 09 Dec 2006 03:34:34 +0100
X-Authenticated: #19422049
Received: from schnuppi.gagamux.net (schnuppi.gagamux.net [192.168.3.12])
	by mail.gagamux.net (Postfix) with ESMTP id A455F74BA
	for <gentoo-security@lists.gentoo.org>; Sat,  9 Dec 2006 03:34:33 +0100 (CET)
From: Joe Knall <joe.knall@gmx.net>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] mount noexec and ro
Date: Sat, 9 Dec 2006 03:34:31 +0100
User-Agent: KMail/1.8
References: <200611041211.22434.joe.knall@gmx.net> <200611041727.39451.joe.knall@gmx.net> <f058a9c30612070944rb37aa44m468057ed5d186832@mail.gmail.com>
In-Reply-To: <f058a9c30612070944rb37aa44m468057ed5d186832@mail.gmail.com>
Precedence: bulk
List-Post: <mailto:gentoo-security@lists.gentoo.org>
List-Help: <mailto:gentoo-security+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-security+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-security+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
X-BeenThere: gentoo-security@gentoo.org
Reply-to: gentoo-security@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200612090334.31689.joe.knall@gmx.net>
X-Y-GMX-Trusted: 0
X-Archives-Salt: c2675464-f337-4348-a828-00bae39534af
X-Archives-Hash: d939167d4849232d53c27fcdc91b623d

On Thu, 2006-12-07 18:44 Miguel Sousa Filipe wrote:
> Hi,
>
> On 11/4/06, Joe Knall <joe.knall@gmx.net> wrote:
> > On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > > can/does mounting a partition with noexec, ro etc. provide
> > > > additional security or are those limitations easy to
> > > > circumvent?
> > > >
> > > > Example: webserver running chrooted
> > > > all libs and executables (apache, lib, usr ...) on read only
> > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > > partition /srv/www/data mounted with noexec (but rw of course),
> > > > no cgi needed.
> > > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > > start".
> > >
> > > Besides this, you must also add nodev to prevent those kinds of
> > > circumventions
> > >
> > > Paul
> >
> > correct, it's actually like this
> > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
> I cannot have any kind of an interpreted language supported in those
> environments..
> or a simple perl/php/lisp "data" file can circumvent those attacks!

If I understand you right, you mean the P in LAMP makes these limitations
(ro, noexec, nodev, chroot ...) nonsense.
Ok, what makes you think so?
How do you do it (get a shell, root access, hijack the box ...)?
What's a better approach to prevent it?

Joe

-- 
gentoo-security@gentoo.org mailing list
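The mount options quoted in the thread (ro,nosuid,nodev on /srv/www; rw,noexec,nosuid on /srv/www/data) can be verified rather than assumed. The following is an added example, not code from this thread or from Gentoo: a POSIX shell audit that reads text in /proc/mounts format and reports which hardening options a given mount point is missing. The sample mounts text, the device names (/dev/sda5, /dev/sda6) and the function names mount_has_opt and check_mount are constructed for the example. Run against the data mount as quoted, it reports nodev as missing, which is the addition Paul asked for; with no third argument the functions read the live /proc/mounts instead.

```shell
#!/bin/sh
# Added example: audit a mount point for the hardening options discussed
# in the thread (ro, noexec, nosuid, nodev). Not code from the thread.

# Constructed sample in /proc/mounts format, mirroring the two mounts quoted
# above (device names are made up for the example).
SAMPLE_MOUNTS='/dev/sda5 /srv/www ext3 ro,nosuid,nodev,acl,user_xattr 0 0
/dev/sda6 /srv/www/data ext3 rw,noexec,nosuid,acl,user_xattr 0 0'

# mount_has_opt MOUNTPOINT OPTION [MOUNTS_TEXT]
# Returns 0 if the mount at MOUNTPOINT lists OPTION exactly (so "ro" does not
# match "rw" or "errors=remount-ro"), 1 otherwise. Without MOUNTS_TEXT the
# live /proc/mounts is read.
mount_has_opt() {
    mp=$1; opt=$2; data=${3:-$(cat /proc/mounts)}
    printf '%s\n' "$data" | awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_mount MOUNTPOINT "opt1 opt2 ..." [MOUNTS_TEXT]
# Prints one line per missing option and returns the number of options
# missing, so 0 means the mount is configured as required.
check_mount() {
    mp=$1; wanted=$2; data=${3:-$(cat /proc/mounts)}
    missing=0
    for opt in $wanted; do
        if ! mount_has_opt "$mp" "$opt" "$data"; then
            echo "$mp: missing $opt"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Audit both mounts from the constructed sample. The chrooted web root must be
# read-only and free of setuid binaries and device nodes; the writable data
# partition must additionally refuse to execute anything. The second check
# reports "missing nodev", the gap pointed out earlier in the thread.
for mp_opts in "/srv/www:ro nosuid nodev" "/srv/www/data:rw noexec nosuid nodev"; do
    mp=${mp_opts%%:*}; opts=${mp_opts#*:}
    if check_mount "$mp" "$opts" "$SAMPLE_MOUNTS"; then
        echo "$mp: ok"
    fi
done
```

Matching on whole option tokens matters: a substring test would accept "rw" for "ro" via "errors=remount-ro", and would report "noexec" present on a line that only carries "nosuid". For a real check, drop the third argument so the functions read /proc/mounts, and run it after every remount, since a plain "mount -o remount" can silently drop options that were set at boot.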