[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Wed Feb 15 20:08:17 UTC 2017
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, February 15, 2017 12:23 pm, Gordon Messmer wrote:
> On 02/15/2017 08:47 AM, Valeri Galtsev wrote:
>> And yes, ALL user writable places (including often overlooked /dev/shm)
>> are mounted with nosuid, nosgid, nodev, noexec options on servers where
>> users are allowed to have shell.
>
>
> How sure are you?

I just run a bunch of find commands before rolling out a system to find what
I might not like, e.g. finding all world-writable files...:

find / -perm -2 ! -type l -ls
...

> On the system I'm looking at right now

Oh, yes, I must confess, I do not tighten up the latest Linuxes; my machines
that do need this level of attitude to users have been FreeBSD since long ago.
The last Linuxes that needed that were CentOS 5, so logically, you are
right again. And on CentOS 5, as far as the following list is concerned (I
am just marking those that did not exist there on my boxes):

>, any user can
> write to:
>
/dev/mqueue - NOT on CentOS 5
/dev/shm    - there and was mounted with noexec (and others)
/run/user/<uid> - NOT on CentOS 5
/run/screen/S-<user> - NOT on CentOS 5
/var/spool/samba - NOT on CentOS 5 that needs extra security - in our shop;

but there is /var/spool/mail (needs to be writable for locks if it is mbox
format, not maildir)

/home/<user> - mounted with noexec and friends
/tmp - mounted with noexec and friends
/var/tmp - mounted with noexec and friends

And you are right again, there is a lot of hassle (and using separate
partitions to have them noexec). I guess I was not too lazy with respect
to security back then (and now too, hopefully ;-)

Valeri

>
> Notably, the "screen" and "samba" locations only appear when the
> respective packages are installed, so the places users can write may
> vary from system to system.


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
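As an added illustration of the checks discussed above (not code from the thread or from CentOS), the script below reports which of the user-writable paths named in this exchange sit on a mount lacking nosuid, nodev or noexec, and wraps the world-writable sweep. The mount table is in /proc/mounts format; SAMPLE_MOUNTS is a constructed example in which /var/tmp has no filesystem of its own and so inherits the options of /.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether user-writable paths sit on
# mounts carrying nosuid,nodev,noexec. The mount table is /proc/mounts format;
# a constructed sample is used here so the script runs anywhere.

SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=1G 0 0
/dev/sda5 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,mode=700,uid=1000 0 0'

# Mount point that actually backs a path: longest mount-point prefix in the table.
# A path with no dedicated filesystem (e.g. /var/tmp above) inherits the root mount.
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { m = $2
          if (m == "/" || p == m || index(p, m "/") == 1)
              if (length(m) > length(best)) best = m }
        END { print best }'
}

# Hardening options the mount is missing, comma-separated; "-" when none missing.
missing_opts() {
    opts=$(printf '%s\n' "$1" | awk -v m="$2" '$2 == m { o = $4 } END { print o }')
    missing=""
    for want in nosuid nodev noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing}${missing:+,}$want" ;;
        esac
    done
    printf '%s\n' "${missing:--}"
}

# One report line per path: "<path> <backing mount> <missing options>".
audit_path() {
    mnt=$(mount_for_path "$1" "$2")
    printf '%s %s %s\n' "$2" "$mnt" "$(missing_opts "$1" "$mnt")"
}

# World-writable entries under a directory, skipping symlinks, as in the
# 'find / -perm -2 ! -type l' sweep from the thread; permission errors are ignored.
find_world_writable() {
    find "$1" -perm -2 ! -type l 2>/dev/null
}

# Demo: use the live table when readable, otherwise the constructed sample.
[ -r /proc/mounts ] && table=$(cat /proc/mounts) || table=$SAMPLE_MOUNTS
for p in /dev/shm /tmp /var/tmp /home /run/user/1000; do audit_path "$table" "$p"; done
```

On the sample table the report flags /tmp and /run/user/1000 for the missing noexec and /var/tmp for all three options, since it inherits the plain rw,relatime of the root filesystem.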