Poor man's SRP

Discussion in 'all things UNIX' started by Gullible Jones, May 24, 2012.

Thread Status:
Not open for further replies.
  1. How effective would it be as a desktop security measure to mount all user-writeable areas (/var, /tmp, /home, and /dev/shm covers it IIRC) with noexec? I know this doesn't prevent scripts from executing entirely (e.g. you can do 'sh foo.sh' and foo.sh will run), but it would probably put the kibosh on any theoretical drive-by install, wouldn't it? Or could it be easily circumvented?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I've seen setting /tmp and a few areas to no-exec as recommended before.
     
  3. I'll note that /tmp as noexec unfortunately doesn't work on Debian, same with /var - dpkg needs to execute stuff from both areas.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wouldn't really worry about it. What's the worst that can happen?

    I think /tmp already has restrictions on it for reads/writes based on ownership.
     
  5. Sort of. I know the sticky bit prevents deletion of files by anyone other than their owners, but I'm not sure about reading and execution. Anyway I'm thinking more of a drive-by install scenario - your browser downloads something nefarious to /tmp and executes it, etc. In practice this is unlikely because Linux has a minscule user base on the desktop. In theory I don't see why it couldn't be done.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It could be. Apparmor would prevent this though as profiles need explicit permission to execute.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.