On Wed, 13 Apr 2005 01:41:03 BST, [EMAIL PROTECTED] said: > the real problem with the current linux noexec mount handling is > that by not restricting mprotect one can just construct an ELF file > that when mmap'ed will overlap the stack and call mprotect and > execute your code, effectively circumventing this measure (there was > a longish thread on this topic last May on dailydave), this gives > you a false sense of security only, not security. without such a > restriction a sysadmin cannot enforce a W^X policy at the file > system level. NetBSD (maybe the others as well, i didn't check) > and PaX both forbid mprotect(PROT_EXEC) on noexec mounts for this > reason.
Now this, unlike the /lib/ld-linux.so hack, is a still-existing issue. However, this is getting rather far afield, because: 1) This is quite arguably a "design decision" rather than an outright bug. 2) Whether it's a bug or not, it only impacts userspace security - and we started off discussing protecting the kernel itself from kernel bugs.... (Not that I'm adverse to a thread on "what the kernel could do to harden userspace" - but somebody needs to change the Subject: line if we go that way...)
pgpXk9h8zUAdM.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
