Re: Re[4]: Linux hardening

On Tue, Aug 30, 2005 at 07:35:02PM +0100, Adam D. Barratt wrote:

> noexec is almost always bypassable.

Which is why I mentioned TPE (the security of which may be questionable
as well; I don't know much about it). Though as someone here previously
noted, the ld issue has been fixed, though noexec is still not exactly
impervious to a clever attacker. In mentioning noexec, though, my point
was that there are perhaps more systematic approaches one can take than
patching a wget binary here or there.


> > > Or did I misunderstand you?
> >
> > You  misunderstood.  Method  above was meant to be used with
> > wget,  that  dumps  received  file  into  file.
>
> Exactly the same applies:
>
>   wget http://some.host/path -O - > /tmp/foo

Right. Original poster claimed to have patched curl and wget, though
curl doesn't print to a file (at least not my version). It doesn't
matter, though, because I still think that this is, to be generous, an
incredibly rough stopgap measure. I, personally, would not be happy to
have someone able to execute arbitrary commands on my machine, even if
he has to go out of his way to figure out how to load his rootkit on.
Even if he, for some reason, cannot download code from the Web, he can
a) write it to a file bit by bit and then execute it, b) rm -rf / just
to mess with you, c) copy out all your secret data and then leave, etc.
Preventing him from using wget doesn't really get you anywhere.

Like I said, I don't see what this "measure" gets you. Why bother?

--
Dan

[Edited of profanity at behest of focus-linux moderators. Oops!]