[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Wed Feb 15 19:42:35 UTC 2017
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, February 15, 2017 1:29 pm, Chris Adams wrote:
> Once upon a time, Valeri Galtsev <galtsev at kicp.uchicago.edu> said:
>> Indeed, perl and often python are installed on most of the servers I run.
>> Not considering myself a security expert, I would like to ask: could you
>> point to some elevation of privileges exploit written in perl or python?
>> All I've seen were c/c++, but again I'm just a humble sysadmin.
>
> That wasn't the point; the point was that users can only run system
> binaries so they can only do what is "permitted".  I don't know about
> python, but perl can make arbitrary kernel system calls (even if they
> aren't actually supported by perl), so having perl installed allows
> users to do anything a compiled program can do.  Trying to control what
> users can do by mounting "noexec" is not particularly limiting, at least
> to somebody determined.

Thanks for answering. Well, I have seen attempts on my systems, more than
once, and they were unsuccessful, as all user-writable filesystems on these
two machines were mounted noexec (and also nosuid, nosgid, nodev). Of course,
the systems didn't have unpatched known exploits; here we are on the same
page: you have to keep your system updated. So they shouldn't have been
successful even if they had been executed. Still, noexec is yet one more
line of defense. Pretty much like we lock the front doors of our buildings,
even though we do lock the doors of our apartments. Or the same as having a
firewall, even though you don't have anything listening on some ports that
is not supposed to. I have kind of been told too many times by many people
in my life that there is no overdoing where security is concerned.

Valeri

>
> So it may be harder/more cumbersome/etc., but I believe that you could
> write exploits in perl or python; it just isn't commonly done in
> examples because of the extra work (it's also probably harder to read).
>
> --
> Chris Adams <linux at cmadams.net>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
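The thread's practical point is that noexec, nosuid and nodev on user-writable mounts are a secondary layer, not a control on what an installed interpreter can do, so the useful thing to automate is checking that the layer is actually in place. The following is an added example, not code from the thread or from any CentOS tool: it parses /proc/mounts-format text (the sample is constructed) and reports which user-writable mountpoints lack those options.

```python
"""Audit user-writable mounts for noexec/nosuid/nodev (added example).

Parses text in /proc/mounts format; SAMPLE_MOUNTS below is constructed,
not captured from a real host.
"""
from typing import Dict, List

# The options the thread treats as an extra line of defence.
WANTED = ("noexec", "nosuid", "nodev")

# Constructed sample: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /scratch xfs rw,relatime 0 0
"""


def parse_mounts(text: str) -> Dict[str, List[str]]:
    """Map each mountpoint to its option list.

    /proc/mounts escapes spaces in paths as \\040; decode that so the
    mountpoint matches what an administrator would type.
    """
    mounts: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mountpoint = fields[1].encode().decode("unicode_escape")
        mounts[mountpoint] = fields[3].split(",")
    return mounts


def missing_hardening(mounts: Dict[str, List[str]],
                      user_writable: List[str]) -> Dict[str, List[str]]:
    """Return {mountpoint: missing options} for each user-writable path.

    A path that is not its own mount inherits the options of its parent
    filesystem, which is reported as a finding of its own.
    """
    report: Dict[str, List[str]] = {}
    for mp in user_writable:
        opts = mounts.get(mp)
        if opts is None:
            report[mp] = ["not mounted separately"]
            continue
        missing = [o for o in WANTED if o not in opts]
        if missing:
            report[mp] = missing
    return report


if __name__ == "__main__":
    for path, problem in missing_hardening(
            parse_mounts(SAMPLE_MOUNTS), ["/home", "/tmp", "/scratch", "/var/tmp"]).items():
        print(f"{path}: {', '.join(problem)}")
```

On a live system, read `/proc/mounts` instead of the sample and pass the paths your users can write to.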