On Wed, February 15, 2017 10:22 am, Chris Adams wrote:
Once upon a time, Leonard den Ottolander leonard@den.ottolander.nl said:
On Wed, 2017-02-15 at 09:47 -0600, Johnny Hughes wrote:
- They already have shell access on the machine in question and they
can already run anything in that shell that they can run via what you are pointing out.
No, assuming noexec /home mounts all they can run is system binaries.
noexec is not that big of a protection. On a normal CentOS system, you almost certainly have python installed (as well as likely other scripting languages such as perl), and they can be used to do just about anything compiled code can do.
Indeed, perl and often python are installed on most of servers I run. Not considering myself security expert, I would like to ask: could you point to some elevation of privileges exploit written in perl or python? All I've seen were c/c++, but again I'm just a humble sysadmin.
Plus there's /tmp, /var/tmp, and other directories (depending on software installed) that are writable by users, so unless you mount something noexec on all of them, you haven't gained much.
And yes, ALL user writable places (including often overlooked /dev/shm) are mounted with nosuid, nosgid, nodev, noexec options on servers where users are allowed to have shell. Or you should be able to do something like jail on FreeBSD which you dedicate to user shell login, and restrict it the way you need - don't know off hand how you do it on Linux box, experts will definitely name several ways.
Valeri
noexec is largely a legacy option at this point.
Chris Adams linux@cmadams.net _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++