Monday, March 25, 2024

Re: securelevel=2 and mount hardening

On 2024/03/24 19:01:00 -0700, "Lyndon Nerenberg (VE7TFX/VE6BBM)" <lyndon@orthanc.ca> wrote:
> I am curious to hear peoples thoughts on adding some mount(2)
> hardening when the system is running at securelevel 2. Specifically:
>
> * do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID,
> or MT_RDONLY in conjunction with MNT_UPDATE
>
> * do not allow MNT_WXALLOWED in conjunction with
> MNT_UPDATE
>
> Currently, if someone does manage to get a root toehold on a host,
> they can remove noexec from /tmp as a possible springboard to upload
> nasties, and then change /usr from read-only to read-write and
> scribble all over your binaries.

or they can just upload to /usr/local or /home, or mess with /etc, or...
I don't see how this would help.

> This somewhat follows from how securelevel 1 removes the ability
> to muck with the immutable and append only bits on files.
>
> --lyndon

No comments:

Post a Comment