Poor man's SRP

Discussion in 'all things UNIX' started by Gullible Jones, May 24, 2012.

Thread Status:
Not open for further replies.
  1. How effective would it be as a desktop security measure to mount all user-writeable areas (/var, /tmp, /home, and /dev/shm covers it IIRC) with noexec? I know this doesn't prevent scripts from executing entirely (e.g. you can do 'sh foo.sh' and foo.sh will run), but it would probably put the kibosh on any theoretical drive-by install, wouldn't it? Or could it be easily circumvented?
     
  2. Hungry Man

    Hungry Man, Registered Member (Joined: May 11, 2011; Posts: 9,148)
    I've seen setting /tmp and a few areas to no-exec as recommended before.
     
  3. I'll note that /tmp as noexec unfortunately doesn't work on Debian, same with /var - dpkg needs to execute stuff from both areas.
     
  4. Hungry Man

    I wouldn't really worry about it. What's the worst that can happen?

    I think /tmp already has restrictions on it for reads/writes based on ownership.
     
  5. Sort of. I know the sticky bit prevents deletion of files by anyone other than their owners, but I'm not sure about reading and execution. Anyway, I'm thinking more of a drive-by install scenario - your browser downloads something nefarious to /tmp and executes it, etc. In practice this is unlikely because Linux has a minuscule user base on the desktop. In theory I don't see why it couldn't be done.
     
  6. Hungry Man

    It could be. AppArmor would prevent this though, as profiles need explicit permission to execute.
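
An added example, not part of the original thread: a shell function that reports whether each directory named in the first post (/var, /tmp, /home, /dev/shm) sits on a filesystem mounted noexec, resolving each directory to the mount that actually covers it (a directory without its own mount inherits the options of its parent filesystem). The function name `audit_noexec` and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Report whether user-writable directories sit on a noexec filesystem.
# Input on stdin is in /proc/mounts format: device mountpoint fstype options ...

# Constructed sample mount table (not taken from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# audit_noexec DIR...   (mount table on stdin)
# Prints one line per directory: DIR MOUNTPOINT noexec|exec
audit_noexec() {
    awk -v dirs="$*" '
        # Wrap options in commas so ",noexec," matches only the whole option.
        NF >= 4 { n++; mp[n] = $2; opts[n] = "," $4 "," }
        END {
            count = split(dirs, d, " ")
            for (i = 1; i <= count; i++) {
                best = 0; bestlen = -1
                for (j = 1; j <= n; j++) {
                    m = mp[j]
                    # A mount covers the directory if it is the root, the
                    # directory itself, or a parent path of the directory.
                    covers = (m == "/" || d[i] == m || index(d[i], m "/") == 1)
                    # Longest mount point wins; on a tie the later entry
                    # shadows the earlier one (stacked mounts).
                    if (covers && length(m) >= bestlen) { best = j; bestlen = length(m) }
                }
                if (!best) { print d[i], "-", "unknown"; continue }
                state = (index(opts[best], ",noexec,") ? "noexec" : "exec")
                print d[i], mp[best], state
            }
        }'
}

# Demonstration on the constructed table. On a live system use:
#   audit_noexec /var /tmp /home /dev/shm < /proc/self/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_noexec /var /tmp /home /dev/shm
```

In the sample, /var reports `exec` because it has no mount of its own and inherits the options of `/`, which is the case the Debian dpkg remark in the thread applies to.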
     