On 2024-03-25, Lyndon Nerenberg (VE7TFX/VE6BBM) <lyndon@orthanc.ca> wrote:
> I am curious to hear peoples thoughts on adding some mount(2)
> hardening when the system is running at securelevel 2. Specifically:
>
> * do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID,
> or MT_RDONLY in conjunction with MNT_UPDATE
>
> * do not allow MNT_WXALLOWED in conjunction with
> MNT_UPDATE
>
> Currently, if someone does manage to get a root toehold on a host,
> they can remove noexec from /tmp as a possible springboard to upload
> nasties, and then change /usr from read-only to read-write and
> scribble all over your binaries.
I think you'd need to disable mount completely, otherwise you can mount
a new writable filesystem (e.g. MFS) that doesn't have noexec.
--
Please keep replies on the mailing list.
No comments:
Post a Comment