[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] SuSE webserver



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



nordi wrote:
| John Richard Moser wrote:
|
|> |  > For /tmp, use a tmpfs:
|> | [...]
|> |  > I use a 2G tmpfs with a 2G swap and 768M physical ram.
|> | Which will make it easy to overload your machine if you don't use
|> quotas
|> | + a specifically hardened kernel. A local attacker can fill up your 2GB
|>
|> Ok local attacker loses his account and gets fired.  Still no chance of
|> lamers coming in from the web server.
|
|
| Assume you have a file owned by root called /tmp/foo. Now user bob comes
| and does "ln /tmp/foo /tmp/bar". Then the hardlink /tmp/bar will be
| owned by root and you will _never_ know who did it unless you do syscall
| loggin (which I doubt).
|

So what are you doing running a server where local users are allowed to
create hardlinks to root-owned files in /tmp anyway?  ;)

| Keep creating hardlinks until /tmp runs out of space or out of inodes.

nr_inodes= is your friend.

| Ext2/3 allow ~65000 hardlinks per file, ReiserFS allows ~2billion, so
| flooding /tmp isn't a problem. Quotas don't help either since the
| attacker doesn't own the file. The only thing that helps are special
| hardening patches (OpenWall, GRSec) or special permission patches
| (SELinux, RSBAC), but not everybody uses them.
|
| This attack can be truly annoying since it fills up /tmp and may keep
| Apache from working. But with your setup (/tmp on tmpfs) it will bring
| the server to a grinding halt where you can't even login remotely to fix
| the server (assuming you don't have physical access).
|
| nordi
|

you raise interesting points.  We should clip these issues off at the
source.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA9G6bhDd4aOud5P8RAqgyAJ9HCyIdzqUHIy4t9IQvjR3g5enz8gCfefZW
UaiUha6ezKXWVBFIGwkK/p4=
=LxXK
-----END PGP SIGNATURE-----

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here