topic Re: mount options in Operating System - HP-UX

mount options

Florian Heigl (new acc) — Sun, 10 Apr 2005 07:14:38 GMT

Hi,

does anyone know the reason why HP didn't include the noexec and nodev options to mount -Fvxfs?
Those are really desirable for i.e. /tmp or /home

At least it would appear that they are missing - maybe I'm just blind.

Re: mount options

Henk Geurts — Sun, 10 Apr 2005 14:12:05 GMT

you're not blind .
there are no such options, don't know why not
did you find his thread?
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=73047

regards.

Re: mount options

Florian Heigl (new acc) — Sun, 10 Apr 2005 16:37:16 GMT

Thanks Henk,

so it's verified now :(
I hadn't come upon that thread - I'll leave the current open for a few days, I'd like to hear the consensus about these options, maybe I'll open a call for a change request. That would surely take a year or so, but one gains a lot of additional security from it, at least in my personal opinion.

Re: mount options

A. Clay Stephenson — Sun, 10 Apr 2005 19:43:00 GMT

I doubt that those options really add that much to the security of the system. At best, they limit the scope of the routine searches that your security scripts have to examine. The problem is that it is not unheard of to create temporary device files (especially named pipes) and temporary executable files. For example, I often have scripts that write scripts "on the fly" and execute them and then remove them.

Re: mount options

Florian Heigl (new acc) — Mon, 11 Apr 2005 07:29:17 GMT

I'd read a quite interesting thread about these options in an apache mailinglist a few months ago - one suscriber had a 'visit' on his box - they exploited an at that time not widely known problem with apache 2.0.52 and uploaded some scripts to /tmp - due to the noexec flag, the weren't able to run them.

(they continued in apache's shared memory area, but at least the filesystems were kept clean)

While I'd say Apache like every other internet daemon should always be chrooted and not listening an a priveleged port, limiting the world-writable places further in permissions doesn't appear such a bad idea to me.

I've enabled this flag where possible and didn't really run into big problems. (one has to keep it in mind anyway, which some might find too much risk)

Re: mount options

Florian Heigl (new acc) — Sat, 16 Apr 2005 16:15:06 GMT

I'll close the thread now, I think this *is* a security feature as it will stop people from executing things where they shouldn't before it's too late and You need to start doing forensics.

on the other hand I'm only the second person to ask, so I'll close the thread due as this is obviously not a critical issue to the majority.

I'll dig into achiving a similar solution on acl-basis by leaving /tmp with permissions of 1777 but disabling file execution for all users but root in there.

or maybe I'll just chroot away some more services ;)

Re: mount options

Florian Heigl (new acc) — Tue, 07 Feb 2006 18:12:56 GMT

For the record, this seems not achievable using ACLs, there seems not to be inheritance from directory to newly created files.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=998812