WARNING:DO NOT UPGRADE TO CORE 4

Mike McCarty mike.mccarty at sbcglobal.net
Wed Jul 13 20:53:40 UTC 2005


Robert Locke wrote:

>On Wed, 2005-07-13 at 14:16 -0500, Mike McCarty wrote:
>
>>Paul Howarth wrote:
>>
>>><snip>
>>>
>>>My point was that there's no way of knowing what undiscovered
>>>vulnerabilities there are on your system, so having multiple layers of
>>>defences such as firewalls, mounting /var and /tmp partitions with
>>>noexec, selinux etc. all help to mitigate the risk.
>>
>>Ah, an answer. I'm perhaps vulnerable to something being put into
>>/var or /tmp (/tmp world writable) and then being executed from there.
>>
>>Now that's useful information. So, I possibly should remove '..x..x..x' from
>>/tmp? That's an idea. BTW, on my system, /tmp is not a separate volume.
>
>Whoa, Mike.  Do not change the permissions on /tmp as you seem to be
>implying.  Lots o' things will break if you change /tmp from its normal
>1777 permissions (drwxrwxrwt).  Remember that "x" on a directory has
>nothing to do with executing something really but rather is allowing
>someone to "cd" into that directory....

I had forgotten that.

>What the earlier suggestion was getting at for you was to modify the
>"mount options" for your separate /tmp filesystem (presuming you have a
>separate filesystem for /tmp).  You would edit /etc/fstab and find the
>line relating to /tmp and change the fourth column to include "noexec"
>and/or perhaps "nosuid".  Of course, some applications may presume an
>ability to "exec" a file in /tmp and some applications may rely on that
>file having the "SUID" bit set, so doing this could break something,
>YMMV.....

Hmm. Sounds like a security violation to me. My machine is mine, not yours.
I don't intend to grant cycles/disc storage/anything to anyone but me, and those
I allow to log in. That's one reason I don't permit cookies. I know that one reason
not to allow cookies is to prohibit someone from collecting information about
where I browse etc. Well, that bothers me, but isn't the main reason I prohibit
cookies. You don't allow me to store files on your machine do you? You paid
for your disc, and you intend to use it. You don't intend for me to use it. I
have the same feelings. I don't grant anyone privilege of storing anything on
discs I paid for. End of discussion. Anyone wants to store cookies on my machine,
ok, you give me 100MB of exclusive use space on your hard disc, I'll let you
store one cookie. Deal?

I feel even more strongly about CPU time, partly because programs often
have defects and running them may have unintended consequences. Even
if the java is not intended to be malicious, that doesn't make my files come
back.

>The goal in "hardening" a Linux box is always to try to figure out the
>different ways that someone may try to inject code to execute on your
>machine to grant them a) access, b) privilege, c) your data, or d) your
>cycles.....  Best bet for you is probably to do some google'ing or pick
>up an O'Reilly book or two on Security to assess some of the more common
>exploitable areas.  Look for topics on "hardening Linux".  That will
>keep you busy for quite some time.... :-)

Ok, I'll look for some NutShell stuff.

>Good luck,
>
>--Rob

Thanks.

Mike

-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
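
The `/etc/fstab` check discussed in this message, as an added example that is not part of the original post: it reads the fourth column for a mount point and reports whether `noexec` and `nosuid` are set, and separately confirms that a directory still has the normal 1777 mode. The function names `check_mount` and `check_tmp_mode` and the sample fstab lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample fstab content below is constructed.

# check_mount FSTAB MOUNTPOINT
# Reads an fstab-format file and inspects the 4th column (mount options).
# Prints "<mp>: ok", "<mp>: missing <opts>" or "<mp>: no separate filesystem".
# Exit status: 0 ok, 1 option(s) missing, 2 no fstab line for the mount point.
check_mount() {
    fstab=$1
    mp=$2
    # Skip comment lines; field 2 is the mount point, field 4 the options.
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$fstab")
    if [ -z "$opts" ]; then
        echo "$mp: no separate filesystem"
        return 2
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                      # option present
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok"
}

# check_tmp_mode DIR: succeeds only if DIR still has the normal 1777 mode.
check_tmp_mode() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# Demo on a constructed fstab (device names are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/hda2  /     ext3  defaults             1 1
/dev/hda3  /tmp  ext3  defaults,nosuid      1 2
/dev/hda5  /var  ext3  noexec,nosuid,nodev  1 2
EOF
for m in /tmp /var /home; do
    check_mount "$sample" "$m" || true
done
rm -f "$sample"
```

A mount point with no fstab line of its own (exit status 2) is part of another filesystem, so these options cannot be set for it through a separate fstab entry.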




More information about the fedora-list mailing list