On 2024-03-25, Lyndon Nerenberg (VE7TFX/VE6BBM) <lyn...@orthanc.ca> wrote:
> I am curious to hear people's thoughts on adding some mount(2)
> hardening when the system is running at securelevel 2. Specifically:
>
> * do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID,
>   or MT_RDONLY in conjunction with MNT_UPDATE
>
> * do not allow MNT_WXALLOWED in conjunction with
>   MNT_UPDATE
>
> Currently, if someone does manage to get a root toehold on a host,
> they can remove noexec from /tmp as a possible springboard to upload
> nasties, and then change /usr from read-only to read-write and
> scribble all over your binaries.

I think you'd need to disable mount completely, otherwise you can mount
a new writable filesystem (e.g. MFS) that doesn't have noexec.

-- 
Please keep replies on the mailing list.
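
The proposed MNT_UPDATE check and the gap the reply points out, modelled as an added C example that is not part of either message or of any kernel source. The function name `mount_update_allowed`, the `EX_` constants and their bit values are assumptions made for illustration.

```c
#include <stdio.h>

/* Illustrative bit values for this model only; not taken from sys/mount.h. */
enum {
    EX_MNT_RDONLY    = 1 << 0,
    EX_MNT_NOEXEC    = 1 << 1,
    EX_MNT_NOSUID    = 1 << 2,
    EX_MNT_NODEV     = 1 << 3,
    EX_MNT_WXALLOWED = 1 << 4,
    EX_MNT_UPDATE    = 1 << 5
};

#define EX_PROTECTED \
    (EX_MNT_RDONLY | EX_MNT_NOEXEC | EX_MNT_NOSUID | EX_MNT_NODEV)

/*
 * Hypothetical policy check modelling the proposal.
 *   cur: flags on the existing mount (meaningless for a new mount)
 *   req: flags passed to mount(2)
 * Returns 1 if the request would be allowed, 0 if refused.
 */
int mount_update_allowed(int securelevel, int cur, int req)
{
    if (securelevel < 2)
        return 1;               /* proposal only applies at securelevel 2 */
    if (!(req & EX_MNT_UPDATE))
        return 1;               /* new mount: outside the proposal's scope */
    if (cur & EX_PROTECTED & ~req)
        return 0;               /* a protective flag would be dropped */
    if (req & EX_MNT_WXALLOWED)
        return 0;               /* wxallowed requested on an update */
    return 1;
}

int main(void)
{
    int tmp = EX_MNT_NOEXEC | EX_MNT_NOSUID | EX_MNT_NODEV;

    printf("drop noexec on update:    %d\n", mount_update_allowed(2, tmp,
        EX_MNT_UPDATE | EX_MNT_NOSUID | EX_MNT_NODEV));
    printf("rdonly -> rw on update:   %d\n", mount_update_allowed(2,
        EX_MNT_RDONLY, EX_MNT_UPDATE));
    printf("add nosuid on update:     %d\n", mount_update_allowed(2,
        EX_MNT_NOEXEC, EX_MNT_UPDATE | EX_MNT_NOEXEC | EX_MNT_NOSUID));
    /* The reply's point: a fresh mount with no noexec never hits the check. */
    printf("new mount without noexec: %d\n", mount_update_allowed(2, 0, 0));
    return 0;
}
```

The last case returns 1 because the check keys on MNT_UPDATE, which is why the reply argues that new mounts would also have to be refused.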