On Wed, February 15, 2017 12:23 pm, Gordon Messmer wrote:
On 02/15/2017 08:47 AM, Valeri Galtsev wrote:
And yes, ALL user writable places (including often overlooked /dev/shm) are mounted with nosuid, nosgid, nodev, noexec options on servers where users are allowed to have shell.
How sure are you?
I just run a bunch of find commands before rolling out a system to find what I might not like, e.g. finding all world-writable files...:
find / -perm -2 ! -type l -ls ...
On the system I'm looking at right now
Oh, yes, I must confess, I do not tighten up the latest Linuxes; my machines that do need this level of attitude to users have been FreeBSD since long ago. The last Linuxes that needed that were CentOS 5, so logically, you are right again. And on CentOS 5, as far as the following list is concerned (I am just marking those that did not exist there on my boxes):
, any user can write to:
/dev/mqueue - NOT on CentOS 5
/dev/shm - there, and was mounted with noexec (and others)
/run/user/<uid> - NOT on CentOS 5
/run/screen/S-<user> - NOT on CentOS 5
/var/spool/samba - NOT on CentOS 5 that needs extra security - in our shop;
but there is /var/spool/mail (needs to be writable for locks if it is mbox format, not maildir)
/home/<user> - mounted with noexec and friends
/tmp - mounted with noexec and friends
/var/tmp - mounted with noexec and friends
And you are right again, there is a lot of hassle (and using separate partitions to have them noexec). I guess I was not too lazy with respect to security back then (and now too, hopefully ;-)
Valeri
Notably, the "screen" and "samba" locations only appear when the respective packages are installed, so the places users can write may vary from system to system.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
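An added example, not part of the thread above: the two posters enumerate user-writable locations by hand, so here is a small POSIX sh audit that, for each such path, finds the mount it actually lives on (longest matching mount point in /proc/mounts format) and reports which of nosuid, nodev and noexec are missing from that mount's options. The mount table is passed in as text so the same functions run against a constructed sample (the SAMPLE_MOUNTS string below is invented for illustration, not taken from any real host) as well as against the live /proc/mounts; the path names are the ones listed in the thread, with a made-up uid and user name.

```shell
#!/bin/sh
# Added example (not from the thread): check that each user-writable path
# lives on a mount carrying nosuid, nodev and noexec.  The mount table is
# passed in as text so the functions work on a constructed /proc/mounts
# sample as well as on the live one.

# mount_for PATH TABLE
# Print "mountpoint options" for the longest mount point that is a prefix
# of PATH, reading TABLE in /proc/mounts format (dev mp fstype opts dump pass).
mount_for() {
    printf '%s\n' "$2" | while read -r dev mp fstype opts rest; do
        if [ -z "$mp" ]; then continue; fi
        match=0
        case "$1" in
            "$mp"|"$mp"/*) match=1 ;;
        esac
        if [ "$mp" = "/" ]; then match=1; fi   # "/" is a prefix of every path
        if [ "$match" -eq 1 ]; then
            printf '%s %s %s\n' "${#mp}" "$mp" "$opts"
        fi
    done | sort -k1,1n | tail -n 1 | cut -d' ' -f2-
}

# missing_opts OPTS
# Print the hardening options absent from a comma-separated option list,
# comma-joined; print nothing when all three are present.
missing_opts() {
    missing=""
    for want in nosuid nodev noexec; do
        case ",$1," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+,}$want" ;;
        esac
    done
    printf '%s' "$missing"
}

# audit_path TABLE PATH
# One line: "PATH MOUNTPOINT OK" or "PATH MOUNTPOINT MISSING:a,b".
audit_path() {
    m=$(mount_for "$2" "$1")
    mp=${m%% *}
    opts=${m#* }
    miss=$(missing_opts "$opts")
    if [ -z "$miss" ]; then
        printf '%s %s OK\n' "$2" "$mp"
    else
        printf '%s %s MISSING:%s\n' "$2" "$mp" "$miss"
    fi
}

# Constructed /proc/mounts sample (not a real system): /tmp and /dev/shm are
# fully hardened, /home and /run lack noexec, /var/tmp sits on the root fs.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,mode=700,uid=1000 0 0'

if [ "$#" -gt 0 ]; then
    # Live mode: audit the paths given on the command line against /proc/mounts.
    table=$(cat /proc/mounts)
    for p in "$@"; do audit_path "$table" "$p"; done
else
    # Demo mode: audit the locations named in the thread against the sample
    # (uid 1000 and user "alice" are placeholders).
    for p in /dev/mqueue /dev/shm /run/user/1000 /run/screen/S-alice \
             /var/spool/mail /home/alice /tmp /var/tmp; do
        audit_path "$SAMPLE_MOUNTS" "$p"
    done
fi
```

To audit a real host, feed it the world-writable directories from the kind of find the thread mentions, e.g. `sh audit.sh $(find / -type d -perm -0002 2>/dev/null)`; anything reported as MISSING is a place where a user can drop a file that the mount options do not neutralise. Two caveats worth keeping in mind: a new mount (a second tmpfs under /run/user, a bind mount) changes the answer, so the check belongs in a recurring job rather than a one-off, and noexec only stops direct execution; it does not stop `sh ./script` or `python ./script`, so it raises the bar rather than closing the door.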