[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: noexec mount-option with selinux?

* Thomas Bleher <bleher informatik uni-muenchen de> [2006-05-12 20:22]:
> * Martin Ebourne <lists ebourne me uk> [2006-05-12 17:19]:
> > On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote:
> > > > If the quota limits need to be as strict as your first message indicates, then 
> > > > I'm surprised you haven't already had /tmp/ on a separate filesystem, with 
> > > > separate quotas set.  Additionally, I always split off /tmp/ so *if* it 
> > > > fills, it doesn't "damage" my root filesystem.
> > > 
> > > Actually, /home is not part of the root-partition and /tmp could be a 
> > > symlink to /home/tmp so both can use the some quota definitions. But how 
> > > can I setup a system-wide policy that disallows to execute files from 
> > > /tmp or /home/tmp?
> > 
> > That sounds like a very hard way of doing things. And difficult to prove
> > correct too.
> > 
> > How about:
> > 
> > mkdir /home/tmp
> > mount -o bind,noexec,nosuid /home/tmp /tmp
> I don't think this will work. I just tried to do it and I could still
> execute files in the mounted dir. I thought that per-mountpoint noexec
> flags were in the kernel, but I can't find any definitive information on
> it and fs/namespace.c is not the best information source either. (Anyone 
> knows why this doesn't work? It would be really neat.)

Umm, this mailing list post explains it:
http://www.cs.helsinki.fi/linux/linux-kernel/2001-41/0082.html (plus
followup from Al Viro).
Mount seems really broken in this regard as it reports the noexec flags
in /etc/mtab.

> The other issue here is that the user still can execute files through
> /home/tmp. So you should --move the dir instead of bind-mounting it.

There's another issue here: You can't mount --move a directory that is
not a mountpoint. So if you want to guard against people accessing
/home/tmp directly, either move it to /home/secure/tmp and bind-mount it
from there (where /home/secure is mode 0000), or bind mount /home/tmp
over itself.

That means a fully working solution looks something like this:
$ mount --bind /home/tmp/ /home/tmp/
$ mount -o remount,noexec /home/tmp/
$ mount --bind /home/tmp/ /tmp/

Lesson learnt here: Test to see if you actually protect against your


Attachment: signature.asc
Description: Digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]