HPE Community
Operating System - HP-UX
1833534 Members
3407 Online
110061 Solutions
New Discussion

mount options

 
Florian Heigl (new acc)
Honored Contributor

‎04-10-2005 12:14 AM

‎04-10-2005 12:14 AM

mount options

Hi,

does anyone know the reason why HP didn't include the noexec and nodev options to mount -Fvxfs?
Those are really desirable for i.e. /tmp or /home

At least it would appear that they are missing - maybe I'm just blind.
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
6 REPLIES 6
Henk Geurts
Esteemed Contributor

‎04-10-2005 07:12 AM

‎04-10-2005 07:12 AM

Re: mount options

you're not blind .
there are no such options, don't know why not
did you find his thread?
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=73047

regards.
0 Kudos
Florian Heigl (new acc)
Honored Contributor

‎04-10-2005 09:37 AM

‎04-10-2005 09:37 AM

Re: mount options

Thanks Henk,

so it's verified now :(
I hadn't come upon that thread - I'll leave the current open for a few days, I'd like to hear the consensus about these options, maybe I'll open a call for a change request. That would surely take a year or so, but one gains a lot of additional security from it, at least in my personal opinion.
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
A. Clay Stephenson
Acclaimed Contributor

‎04-10-2005 12:43 PM

‎04-10-2005 12:43 PM

Re: mount options

I doubt that those options really add that much to the security of the system. At best, they limit the scope of the routine searches that your security scripts have to examine. The problem is that it is not unheard of to create temporary device files (especially named pipes) and temporary executable files. For example, I often have scripts that write scripts "on the fly" and execute them and then remove them.
If it ain't broke, I can fix that.
0 Kudos
Florian Heigl (new acc)
Honored Contributor

‎04-11-2005 12:29 AM

‎04-11-2005 12:29 AM

Re: mount options

I'd read a quite interesting thread about these options in an apache mailinglist a few months ago - one suscriber had a 'visit' on his box - they exploited an at that time not widely known problem with apache 2.0.52 and uploaded some scripts to /tmp - due to the noexec flag, the weren't able to run them.

(they continued in apache's shared memory area, but at least the filesystems were kept clean)

While I'd say Apache like every other internet daemon should always be chrooted and not listening an a priveleged port, limiting the world-writable places further in permissions doesn't appear such a bad idea to me.

I've enabled this flag where possible and didn't really run into big problems. (one has to keep it in mind anyway, which some might find too much risk)
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
Florian Heigl (new acc)
Honored Contributor

‎04-16-2005 09:15 AM

‎04-16-2005 09:15 AM

Re: mount options

I'll close the thread now, I think this *is* a security feature as it will stop people from executing things where they shouldn't before it's too late and You need to start doing forensics.

on the other hand I'm only the second person to ask, so I'll close the thread due as this is obviously not a critical issue to the majority.

I'll dig into achiving a similar solution on acl-basis by leaving /tmp with permissions of 1777 but disabling file execution for all users but root in there.

or maybe I'll just chroot away some more services ;)
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
Florian Heigl (new acc)
Honored Contributor

‎02-07-2006 10:12 AM

‎02-07-2006 10:12 AM

Re: mount options

For the record, this seems not achievable using ACLs, there seems not to be inheritance from directory to newly created files.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=998812
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.