[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [suse-security] SuSE webserver
John Richard Moser wrote:
| > For /tmp, use a tmpfs:
| > I use a 2G tmpfs with a 2G swap and 768M physical ram.
| Which will make it easy to overload your machine if you don't use quotas
| + a specifically hardened kernel. A local attacker can fill up your 2GB
Ok local attacker loses his account and gets fired. Still no chance of
lamers coming in from the web server.
Assume you have a file owned by root called /tmp/foo. Now user bob comes
and does "ln /tmp/foo /tmp/bar". Then the hardlink /tmp/bar will be
owned by root and you will _never_ know who did it unless you do syscall
loggin (which I doubt).
Keep creating hardlinks until /tmp runs out of space or out of inodes.
Ext2/3 allow ~65000 hardlinks per file, ReiserFS allows ~2billion, so
flooding /tmp isn't a problem. Quotas don't help either since the
attacker doesn't own the file. The only thing that helps are special
hardening patches (OpenWall, GRSec) or special permission patches
(SELinux, RSBAC), but not everybody uses them.
This attack can be truly annoying since it fills up /tmp and may keep
Apache from working. But with your setup (/tmp on tmpfs) it will bring
the server to a grinding halt where you can't even login remotely to fix
the server (assuming you don't have physical access).
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here