From borjam@garatu.we.lc.ehu.es  Sun Dec 12 02:22:04 1999
Return-Path: <borjam@garatu.we.lc.ehu.es>
Received: from garatu.we.lc.ehu.es (garatu.we.lc.ehu.es [158.227.6.222])
	by hub.freebsd.org (Postfix) with ESMTP id E4D1814F83
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 12 Dec 1999 02:22:02 -0800 (PST)
	(envelope-from borjam@garatu.we.lc.ehu.es)
Received: (from borjam@localhost)
	by garatu.we.lc.ehu.es (8.9.3/8.9.3) id LAA21435;
	Sun, 12 Dec 1999 11:22:01 +0100 (CET)
	(envelope-from borjam)
Message-Id: <199912121022.LAA21435@garatu.we.lc.ehu.es>
Date: Sun, 12 Dec 1999 11:22:01 +0100 (CET)
From: borjam@garatu.we.lc.ehu.es
Reply-To: borjamar@sarenet.es
To: FreeBSD-gnats-submit@freebsd.org
Subject: Attempts to execute programs from a noexec filesystem should be logged
X-Send-Pr-Version: 3.2

>Number:         15435
>Category:       kern
>Synopsis:       Attempts to execute programs from a noexec filesystem should be logged
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 12 02:30:01 PST 1999
>Closed-Date:    Fri Nov 16 15:09:05 PST 2001
>Last-Modified:  Fri Nov 16 15:17:52 PST 2001
>Originator:     Borja Marcos
>Release:        FreeBSD 3.3-RELEASE i386
>Organization:
>Environment:

(irrelevant)

>Description:
The option to mount a filesystem as "noexec" is a very useful security
option. However, for it to be really useful, attempts to execute
programs from filesystems mounted as "noexec" should be logged. It
could help to detect the use of exploits for security bugs.
The included diff (to kern_exec.c in 3.3-RELEASE) logs the attempts
as kern.notice messages.
Perhaps this should be controlled from a sysctl variable?

>How-To-Repeat:

>Fix:
*** kern_exec.c	Sun Oct 31 00:50:32 1999
--- kern_exec.c.new	Sun Oct 31 02:05:55 1999
***************
*** 34,39 ****
--- 34,40 ----
  #include <sys/mount.h>
  #include <sys/filedesc.h>
  #include <sys/fcntl.h>
+ #include <sys/syslog.h>
  #include <sys/acct.h>
  #include <sys/exec.h>
  #include <sys/imgact.h>
***************
*** 678,691 ****
  
  	/*
  	 * 1) Check if file execution is disabled for the filesystem that this
! 	 *	file resides on.
  	 * 2) Insure that at least one execute bit is on - otherwise root
  	 *	will always succeed, and we don't want to happen unless the
  	 *	file really is executable.
  	 * 3) Insure that the file is a regular file.
  	 */
! 	if ((vp->v_mount->mnt_flag & MNT_NOEXEC) ||
! 	    ((attr->va_mode & 0111) == 0) ||
  	    (attr->va_type != VREG)) {
  		return (EACCES);
  	}
--- 679,699 ----
  
  	/*
  	 * 1) Check if file execution is disabled for the filesystem that this
! 	 *	file resides on. In that case, log the attempt. It can be
! 	 *	part of an attack.
! 	 */
! 	if (vp->v_mount->mnt_flag & MNT_NOEXEC) {
! 		log(LOG_NOTICE, "UID %d tried to execute %s in a noexec filesystem", imgp->proc->p_ucred->cr_uid, imgp->fname);
! 		return (EACCES);
! 	}
! 
! 	/*
  	 * 2) Insure that at least one execute bit is on - otherwise root
  	 *	will always succeed, and we don't want to happen unless the
  	 *	file really is executable.
  	 * 3) Insure that the file is a regular file.
  	 */
! 	if (((attr->va_mode & 0111) == 0) ||
  	    (attr->va_type != VREG)) {
  		return (EACCES);
  	}
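Review bot: the log() call in the new MNT_NOEXEC branch fires once per execve(2) with no rate limit and no way to switch it off, so any unprivileged user who can reach a noexec mount can fill the syslog with these kern.notice lines; the sysctl knob the description itself suggests, or a per-interval rate limit, should gate the call before this is committed. Two smaller points on the same line: the format string has no trailing "\n", so the next kernel message may be appended to this one (kernel log() does not add one), and imgp->fname is the caller-supplied pathname logged verbatim (it may be relative, may contain embedded newlines, and may no longer name the file that vp resolved to by the time the line is read), so prefer logging the process id together with a kernel-held description of the file, for example the mount point from vp->v_mount->mnt_stat.f_mntonname. Also confirm that imgp->fname is a kernel copy of the path at this point rather than the raw user pointer handed to execve(2), since %s in log() would dereference it directly.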

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: iedowse 
State-Changed-When: Fri Nov 16 15:09:05 PST 2001 
State-Changed-Why:  

While such logging might be useful in certain environments, it is 
not something that would be committed in this form. There are 
numerous other permission checks in virtually all system calls that 
might potentially be useful for security monitoring but we can't 
send syslog messages for every one. Maybe a better solution would 
be to use some kernel-wide syscall logging with filtering as 
necessary. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=15435 
>Unformatted:
 non-critical
 kern
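A consumer for the log line this change would emit, written as an added example that is not part of the PR or of FreeBSD: it parses the kern.notice message out of syslog output (assuming a 3.x-style "host /kernel:" prefix and using constructed sample lines) and flags per-UID bursts, which is the kind of filtering the closing comment says such logging would need.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line the kern_exec.c change in PR 15435 produces, behind an assumed FreeBSD 3.x
# syslog prefix "Mon DD HH:MM:SS host /kernel:". The path is whatever the caller
# passed to execve(2) and may contain spaces, so it is matched greedily.
NOEXEC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: "
    r"UID (?P<uid>\d+) tried to execute (?P<path>.+) in a noexec filesystem$"
)

def parse_noexec_line(line):
    """Return {'ts', 'host', 'uid', 'path'} for a matching line, else None."""
    m = NOEXEC_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # Syslog stamps carry no year; strptime fills in 1900, fine for deltas.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"),
            "uid": int(m.group("uid")), "path": m.group("path")}

def noexec_bursts(lines, window=60, threshold=3):
    """Return (uid, count, first_ts, last_ts) for every UID with >= threshold
    attempts inside `window` seconds, from the first window that qualifies."""
    per_uid = defaultdict(list)
    for line in lines:
        ev = parse_noexec_line(line)
        if ev is not None:
            per_uid[ev["uid"]].append(ev["ts"])
    bursts = []
    for uid, stamps in sorted(per_uid.items()):
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((uid, end - start + 1, stamps[start], ts))
                break
    return bursts

# Constructed sample lines (not from the PR): one stray attempt by UID 1001 and a
# tight cluster by UID 1002, one of them with a space in the path.
SAMPLE_LOG = [
    "Dec 12 11:22:01 garatu /kernel: UID 1001 tried to execute /tmp/a.out in a noexec filesystem",
    "Dec 12 11:30:00 garatu /kernel: UID 1002 tried to execute /tmp/x in a noexec filesystem",
    "Dec 12 11:30:05 garatu /kernel: UID 1002 tried to execute /tmp/my tool in a noexec filesystem",
    "Dec 12 11:30:09 garatu /kernel: UID 1002 tried to execute /tmp/x in a noexec filesystem",
    "Dec 12 11:30:10 garatu /kernel: unrelated message"]
```

With the sample above, noexec_bursts(SAMPLE_LOG) reports only UID 1002, three attempts in nine seconds, while the single attempt by UID 1001 stays below the threshold.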
