Your message dated Fri, 24 Oct 2003 11:00:47 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#217386: libc6: ld.so allows execution of programs on noexec mounts has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Tobias Diedrich <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libc6: ld.so allows execution of programs on noexec mounts
Date: Fri, 24 Oct 2003 12:18:54 +0200

Package: libc6
Version: 2.3.2-8
Severity: normal
Tags: security,upstream

Using ld.so one can execute programs on noexec mounts, which renders
noexec useless:

melchior:/boot# mount -o remount,noexec /boot
melchior:/boot# cp /bin/bash .
melchior:/boot# sed -i -e 's/Software/Saftware/g' ./bash
melchior:/boot# /lib/ld-2.3.2.so /boot/bash --version
GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
Copyright (C) 2002 Free Saftware Foundation, Inc.

Apparently this is known since 1999, see:
http://sources.redhat.com/ml/libc-alpha/2000-09/msg00071.html

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux melchior 2.4.22 #15 Wed Oct 15 00:35:05 CEST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages libc6 depends on:
ii  libdb1-compat  2.1.3-7  The Berkeley database routines [gl

-- no debconf information

---------------------------------------
From: Daniel Jacobowitz <[EMAIL PROTECTED]>
To: Tobias Diedrich <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#217386: libc6: ld.so allows execution of programs on noexec mounts
Date: Fri, 24 Oct 2003 11:00:47 -0400

On Fri, Oct 24, 2003 at 12:18:54PM +0200, Tobias Diedrich wrote:
> Package: libc6
> Version: 2.3.2-8
> Severity: normal
> Tags: security,upstream
>
> Using ld.so one can execute programs on noexec mounts, which renders
> noexec useless:
>
> melchior:/boot# mount -o remount,noexec /boot
> melchior:/boot# cp /bin/bash .
> melchior:/boot# sed -i -e 's/Software/Saftware/g' ./bash
> melchior:/boot# /lib/ld-2.3.2.so /boot/bash --version
> GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
> Copyright (C) 2002 Free Saftware Foundation, Inc.
>
> Apparently this is known since 1999, see:
> http://sources.redhat.com/ml/libc-alpha/2000-09/msg00071.html

And it's not considered a bug since at least 2000, either. Ulrich's
response was quite clear, and this has been discussed on linux-kernel a
few times. If they can't run programs you can't give them a writeable
directory and that's all there is to it.

I know of at least three other ways to make code on a noexec partition
run: LD_LIBRARY_PATH, LD_PRELOAD, and the combination of GDB and a lot
of patience. You could probably do it with elisp in emacs. You could
almost certainly do it with Perl, Python, or anything else that loads
dynamic modules.

--
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
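
Added example, not part of either message in this thread and not glibc or Debian code: a check that flags recorded exec events matching the cases named above (the loader invoked directly on a file, LD_PRELOAD, LD_LIBRARY_PATH) when the path involved sits on a noexec mount. The event fields (argv, env, cwd), the sample mount table and all function names are assumptions constructed for the example.

```python
import os
import re

# Constructed sample in /proc/mounts format: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda2 /boot ext2 rw,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

# Loader basenames such as ld-2.3.2.so, ld-linux.so.2, ld-linux-x86-64.so.2, ld.so.1
LOADER_RE = re.compile(r"^ld(-[\w.\-]+)?\.so(\.\d+)*$")


def parse_mounts(text):
    """Map each mount point to its set of mount options."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def on_noexec(path, mounts):
    """True if the deepest mount containing the absolute path carries noexec."""
    best = ""
    for point in mounts:
        inside = path == point or path.startswith(point.rstrip("/") + "/")
        if inside and len(point) > len(best):
            best = point
    return bool(best) and "noexec" in mounts[best]


def findings(argv, env, cwd, mounts):
    """Reasons a recorded exec event may run code stored on a noexec mount."""
    def resolve(p):  # lexical only: symlinks are not followed in offline analysis
        return os.path.normpath(os.path.join(cwd, p))
    out = []
    if LOADER_RE.match(os.path.basename(argv[0])):
        # Conservative: some loader options take a value, so test every non-option argument.
        for arg in argv[1:]:
            if not arg.startswith("-") and on_noexec(resolve(arg), mounts):
                out.append("loader:" + resolve(arg))
    for var in ("LD_PRELOAD", "LD_LIBRARY_PATH"):
        for entry in re.split(r"[:; ]+", env.get(var, "")):
            if entry and on_noexec(resolve(entry), mounts):
                out.append(var + ":" + resolve(entry))
    return out
```

On kernels that refuse PROT_EXEC mappings of files on noexec mounts (mmap fails with EPERM), the direct loader call itself fails, so a hit then records an attempt rather than an execution.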