On Sat, Jul 12, 2003 at 09:22:45PM -0400, Jim Popovitch wrote:
> I have a complaint/opinion/statement to express.  It seems that every now
> and then when I run 'apt-get upgrade' i get a lot of errors about "Can't
> exec "/tmp/config.xxxxx": Permission denied at...".  I like to keep my
> Debian boxen nice and secure, so I 'chmod +t /tmp' to prevent temp files
> from being executed.  It seems to me that some package maintainers aren't
> aware of issues such as these and are assuming that anything can be done in
> temp.

Couple of things in response to this.  First of all, the +t flag on
/tmp/ has nothing to do with whether you can execute files there.  From
chmod(1):
STICKY DIRECTORIES
       When the sticky bit is set on a directory, files  in  that
       directory may only be unlinked or renamed by root or their
       owner.  (Without the sticky bit, anyone able to  write  to
       the  directory can delete or rename files.) The sticky bit
       is commonly found on directories, such as /tmp, which  are
       world-writable.

Note that +t is the default on /tmp.

Second of all, mounting a filesystem with the noexec flag (assuming
/tmp is a separate filesystem on your system and this is, in fact, what
you're doing) has been shown many many times to not provide any level of
protection.  Try this on your noexec mounted /tmp:
# cp /bin/ls /tmp/
# /lib/ld-linux.so.2 /bin/ls

Basically, what it comes down to is that you *can not* prevent files
from being executed.  Even if you remove the execute bits from /tmp/ls
in the above example, you'll still be able to run it.

So, save yourself the headache and just remove noexec from /tmp/

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgp00000.pgp
Description: PGP signature

Reply via email to