Re: Serious attack vector on pkcheck ignored by Red Hat




Once upon a time, Leonard den Ottolander <leonard@xxxxxxxxxxxxxxxxx> said:
> On Wed, 2017-02-15 at 09:47 -0600, Johnny Hughes wrote:
> > 2.  They already have shell access on the machine in question and they
> > can already run anything in that shell that they can run via what you
> > are pointing out.
> 
> No, assuming noexec /home mounts all they can run is system binaries.

noexec is not that big of a protection.  On a normal CentOS system, you
almost certainly have python installed (as well as likely other
scripting languages such as perl), and they can be used to do just about
anything compiled code can do.

Plus there's /tmp, /var/tmp, and other directories (depending on
software installed) that are writable by users, so unless you mount
something noexec on all of them, you haven't gained much.

noexec is largely a legacy option at this point.
-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
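
As an added illustration (not part of the original message), the coverage point above can be checked with a small audit that finds which mount covers each user-writable directory and whether that mount carries `noexec`. The mount table is a constructed sample, and the directory list is an assumption taken from the three paths named in the thread.

```python
import re

# Constructed sample in /proc/mounts format (not from the original message).
SAMPLE_MOUNTS = """\
/dev/mapper/cl-root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/mapper/cl-home /home xfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 /boot xfs rw,relatime 0 0
"""

# Directories named in the thread; extend for software-specific writable paths.
USER_WRITABLE = ["/home", "/tmp", "/var/tmp"]


def parse_mounts(text):
    """Return [(mountpoint, {options})] in file order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts writes spaces and similar characters as octal escapes.
        mountpoint = re.sub(r"\\([0-7]{3})",
                            lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts.append((mountpoint, set(fields[3].split(","))))
    return mounts


def covering_mount(path, mounts):
    """Longest mount point at or above path; a later entry wins a tie."""
    best = None
    for mountpoint, opts in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) >= len(best[0]):
                best = (mountpoint, opts)
    return best


def audit(paths, mounts):
    """Map each path to (covering mount point, True if mounted noexec)."""
    result = {}
    for path in paths:
        cover = covering_mount(path, mounts)
        result[path] = (cover[0], "noexec" in cover[1]) if cover else (None, False)
    return result


if __name__ == "__main__":
    for path, (mp, noexec) in audit(USER_WRITABLE, parse_mounts(SAMPLE_MOUNTS)).items():
        print(f"{path:10} covered by {mp:6} noexec={noexec}")
```

To audit a live host, pass the contents of `/proc/mounts` to `parse_mounts` and resolve symlinks in the directory list first.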


