
Mailing List Archive: Gentoo: Security

mount options for /dev/shm?



alexander.puchmayr at linznet

Apr 30, 2005, 9:14 AM

Post #1 of 6 (1081 views)
mount options for /dev/shm?

Hi there!

/dev/shm is a volatile memory, which does not survive a reboot; hence it is
a preferred location for some hackers to place their evil code there and get
rid of evidence when an admin reboots the machine from a secure medium
(e.g. a knoppix-cd) to perform further analysis.

My suggestion to prevent such attacks is to change the mount permissions
of /dev/shm per default. I can't imagine any reason why anyone should place
a temporary executable there and start from there, except when doing
something evil.

So, please consider changing the defaults in /etc/fstab in

none /dev/shm tmpfs noexec,rw 0 0

Greetings,
Alex Puchmayr
--
gentoo-security [at] gentoo mailing list


koon at gentoo

Apr 30, 2005, 9:33 AM

Post #2 of 6 (1065 views)
Re: mount options for /dev/shm? [In reply to]

Alexander Puchmayr wrote:

> /dev/shm is a volatile memory, which does not survive a reboot; hence it is
> a preferred location for some hackers to place their evil code there and get
> rid of evidence when an admin reboots the machine from a secure medium
> (e.g. a knoppix-cd) to perform further analysis.
>
> My suggestion to prevent such attacks is to change the mount permissions
> of /dev/shm per default. I can't imagine any reason why anyone should place
> a temporary executable there and start from there, except when doing
> something evil.
>
> So, please consider changing the defaults in /etc/fstab in
>
> none /dev/shm tmpfs noexec,rw 0 0

Created bug 90980. Next time, please use bugzilla directly to submit
ideas to improve default configurations.

https://bugs.gentoo.org/show_bug.cgi?id=90980

--
Thierry Carrez (Koon)
Gentoo Linux Security
Attachments: signature.asc (0.25 KB)


vapier at gentoo

Apr 30, 2005, 9:22 PM

Post #3 of 6 (1061 views)
Re: mount options for /dev/shm? [In reply to]

On Saturday 30 April 2005 12:14 pm, Alexander Puchmayr wrote:
> So, please consider changing the defaults in /etc/fstab in

we already did ... over 6 months ago in fact
-mike
--
gentoo-security [at] gentoo mailing list


npinkerton at gmail

May 1, 2005, 11:39 AM

Post #4 of 6 (1064 views)
Re: mount options for /dev/shm? [In reply to]

On 4/30/05, Mike Frysinger <vapier [at] gentoo> wrote:
> On Saturday 30 April 2005 12:14 pm, Alexander Puchmayr wrote:
> > So, please consider changing the defaults in /etc/fstab

what do you mean by changing the defaults in /etc/fstab? I thought you
had to write your own fstab... I've always had to write my own when
doing a gentoo install.

--
If at first you don't succeed, get a bigger hammer.

--
gentoo-security [at] gentoo mailing list


cgysin at gmx

May 2, 2005, 6:55 AM

Post #5 of 6 (1053 views)
Re: mount options for /dev/shm? [In reply to]

Nathan Pinkerton wrote:
> what do you mean by changing the defaults in /etc/fstab? I thought you
> had to write your own fstab... I've always had to write my own when
> doing a gentoo install.

A default fstab is included in baselayout. You just have to modify it to your
configuration.

Christoph
--
echo mailto: NOSPAM !#$.'<*>'|sed 's. ..'|tr "<*> !#:2" org [at] fr33z
--
gentoo-security [at] gentoo mailing list


rlynch at mail

May 2, 2005, 7:20 AM

Post #6 of 6 (1062 views)
Re: mount options for /dev/shm? [In reply to]

On Mon, 02 May 2005 15:55:49 +0200
Christoph Gysin <cgysin [at] gmx> wrote:

Plus you can mount a device using the mount "default" options: rw, suid, dev, exec, auto, nouser, and async. Mounting a device "noexec" could be considered modifying the default.

-Ryan Lynch

> Nathan Pinkerton wrote:
> > what do you mean by changing the defaults in /etc/fstab? I thought you
> > had to write your own fstab... I've always had to write my own when
> > doing a gentoo install.
>
> A default fstab is included in baselayout. You just have to modify it to your
> configuration.
>
> Christoph
> --
> echo mailto: NOSPAM !#$.'<*>'|sed 's. ..'|tr "<*> !#:2" org [at] fr33z
> --
> gentoo-security [at] gentoo mailing list
>
--
gentoo-security [at] gentoo mailing list
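A check for the fstab line proposed in the first post, as an added example that is not part of any message in this thread: it expands the mount(8) "defaults" keyword listed by Ryan Lynch (rw, suid, dev, exec, auto, nouser, async), lets later options override earlier ones the way mount does, and reports which of noexec, nosuid and nodev are not in effect for a tmpfs entry. The sample fstab lines are constructed; the live check reads /proc/mounts only if it exists.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an fstab or /proc/mounts entry
# for the exec/suid/dev hardening flags on a tmpfs such as /dev/shm.

# effective_flag OPTS NAME: print NAME or noNAME. "defaults" implies the
# positive form (rw,suid,dev,exec,auto,nouser,async); the last option
# mentioning the flag wins, e.g. "defaults,noexec" yields noexec.
effective_flag() {
    opts=$1 name=$2 state=$name
    for opt in $(printf '%s' "$opts" | tr ',' ' '); do
        if [ "$opt" = defaults ]; then opt=$name; fi
        case "$opt" in
            "$name")   state=$name ;;
            "no$name") state=no$name ;;
        esac
    done
    printf '%s' "$state"
}

# missing_hardening LINE: LINE is a six-field fstab or /proc/mounts entry
# (fs mountpoint type options dump pass); prints each of noexec, nosuid,
# nodev that is NOT in effect, one per line (nothing when fully hardened).
missing_hardening() {
    set -- $1
    opts=$4
    for flag in exec suid dev; do
        if [ "$(effective_flag "$opts" "$flag")" = "$flag" ]; then
            printf 'no%s\n' "$flag"
        fi
    done
}

# Constructed sample entries (not from any real system); the second one is
# the line proposed in the thread.
SAMPLE='none /dev/shm tmpfs defaults 0 0
none /dev/shm tmpfs noexec,rw 0 0
none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    printf '%s\n  missing: %s\n' "$line" "$(missing_hardening "$line" | tr '\n' ' ')"
done

# On a running system, audit the mount that is actually in effect.
if [ -r /proc/mounts ]; then
    live=$(grep ' /dev/shm ' /proc/mounts || true)
    if [ -n "$live" ]; then
        printf 'live /dev/shm missing: %s\n' "$(missing_hardening "$live" | tr '\n' ' ')"
    fi
fi
```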
