Well now, that is interesting. You are absolutely correct about the sticky bit. It is the noexec flag that this is happening with, and I agree that it alone is not a total security solution. However, it is a piece of a much bigger pie and really should be enforced.
-Jim P. > -----Original Message----- > From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED] Behalf Of Noah L. > Meyerhans > Sent: Saturday, 12 July, 2003 21:34 > To: [EMAIL PROTECTED] > Subject: Re: execute permissions in /tmp > > > On Sat, Jul 12, 2003 at 09:22:45PM -0400, Jim Popovitch wrote: > > I have a complaint/opinion/statement to express. It seems that > every now > > and then when I run 'apt-get upgrade' i get a lot of errors about "Can't > > exec "/tmp/config.xxxxx": Permission denied at...". I like to keep my > > Debian boxen nice and secure, so I 'chmod +t /tmp' to prevent temp files > > from being executed. It seems to me that some package > maintainers aren't > > aware of issues such as these and are assuming that anything > can be done in > > temp. > > Couple of things in response to this. First of all, the +t flag on > /tmp/ has nothing to do with whether you can execute files there. From > chmod(1): > STICKY DIRECTORIES > When the sticky bit is set on a directory, files in that > directory may only be unlinked or renamed by root or their > owner. (Without the sticky bit, anyone able to write to > the directory can delete or rename files.) The sticky bit > is commonly found on directories, such as /tmp, which are > world-writable. > > Note that +t is the default on /tmp. > > Second of all, mounting a filesystem with the noexec flag (assuming > /tmp is a separate filesystem on your system and this is, in fact, what > you're doing) has been shown many many times to not provide any level of > protection. Try this on your noexec mounted /tmp: > # cp /bin/ls /tmp/ > # /lib/ld-linux.so.2 /bin/ls > > Basically, what it comes down to is that you *can not* prevent files > from being executed. Even if you remove the execute bits from /tmp/ls > in the above example, you'll still be able to run it. > > So, save yourself the headache and just remove noexec from /tmp/ > > noah > > -- > _______________________________________________________ > | Web: http://web.morgul.net/~frodo/ > | PGP Public Key: http://web.morgul.net/~frodo/mail.html > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
