Most Linux privilege-escalation rootkits are compiled executables, and /tmp is the usual place an attacker drops them. Forbidding execution under /tmp therefore lowers the chance of a successful intrusion. It is not a complete defense, though: Perl and PHP scripts are interpreted, so they can still be run by passing the file to perl or php directly even when it sits in /tmp, and the same goes for a shell script started as an argument to bash. The noexec flag blocks only direct execution of files stored on that filesystem, not an interpreter reading them as data. Other world-writable locations that lack the flag, such as /var/tmp or the tmpfs on /dev/shm, also remain usable as a staging area unless they get the same treatment.
Start with the case where /tmp is a separate partition.
1. Run mount; /tmp currently has only the default options (rw):
/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw)
/dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
2. Add nosuid,noexec to the /tmp entry (it is common to add nodev as well, but this post keeps to the two options shown):
vi /etc/fstab
/dev/VolGroup00/LogVol01 / ext3 defaults 1 1
/dev/VolGroup01/LogVol00 /opt ext3 defaults 1 2
/dev/VolGroup00/LogVol03 /var ext3 defaults 1 2
/dev/VolGroup00/LogVol02 /tmp ext3 defaults,nosuid,noexec 1 2
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol00 swap swap defaults 0 0
3. Remount /tmp with the options now in fstab:
mount -o remount /tmp
4. Check again; /tmp should now show noexec,nosuid:
mount
/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw)
/dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw,noexec,nosuid)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
5. Test executing a file from /tmp:
vi test.sh
#!/bin/bash
echo '/tmp test'
chmod u+x ./test.sh
./test.sh
-bash: ./test.sh: /bin/bash: bad interpreter: Permission denied
The kernel refuses the execve because the file lives on a noexec filesystem. The limitation from the introduction still applies here: handing the same file to the interpreter directly (bash ./test.sh) still prints /tmp test, so noexec raises the bar for dropped binaries, not for scripts.
6. Point /var/tmp at the same filesystem so that it inherits the flags:
cp -a /var/tmp/. /tmp/
rm -fr /var/tmp
ln -s /tmp /var/tmp
The trailing /. makes cp -a carry over dot-files too, which a glob such as /var/tmp/* would skip. Two caveats: /var/tmp is meant to survive reboots while many distributions clear /tmp at boot, so anything relying on that persistence changes behaviour; and a process that still holds a file open under the old /var/tmp keeps using the now-unlinked copy, so do this with services stopped.
If there is no separate /tmp partition, create a 10 GB file with dd, put a filesystem on it and mount it on /tmp through a loop device:
cd /usr/
dd if=/dev/zero of=Tmp bs=1M count=10240
chmod 600 Tmp   # only root may read or write the backing file; otherwise any user could read all of /tmp's contents straight out of it
mkfs -t ext3 -F /usr/Tmp   # -F skips the "is not a block special device, proceed anyway?" prompt
mkdir /tmp_backup
cp -a /tmp /tmp_backup
mount -o loop,rw,noexec,nosuid /usr/Tmp /tmp
cp -a /tmp_backup/tmp/. /tmp/   # the trailing /. also copies dot-files
chmod 1777 /tmp   # world-writable with the sticky bit, i.e. 0777 plus t
rm -rf /tmp_backup
# add it to fstab so it is mounted at boot
echo "/usr/Tmp /tmp ext3 loop,rw,noexec,nosuid 0 0" >> /etc/fstab
As in step 6, processes that already have files open in the old /tmp keep using the directory that is now hidden under the new mount, so do this with services stopped or from single-user mode.
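Added example, not part of the original post: a small POSIX shell audit that reads either the mount listing shown above or /proc/mounts and reports, for each scratch directory you name, whether nosuid and noexec are present. The sample tables inside it are constructed from the before/after mount listings in this post; the extra mount points /var/tmp and /dev/shm are my addition, to show that a directory which is not its own mount simply inherits its parent's options and that /dev/shm stays usable by an attacker until it gets the same flags.

```shell
#!/bin/sh
# Added example (not from the original post): audit world-writable scratch
# mount points for the nosuid and noexec flags.  Accepts the table printed by
# `mount` ("dev on /path type fs (opt,opt)") or the contents of /proc/mounts
# ("dev /path fs opt,opt 0 0").

# check_mount_opts TABLE MOUNTPOINT...
# Prints one verdict line per mount point and returns the number of mount
# points that are missing an option or are not separate mounts at all.
check_mount_opts() {
    table=$1
    shift
    failures=0
    for mp in "$@"; do
        # Last match wins: /proc/mounts lists the topmost (effective) mount last.
        opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '
            $2 == "on" && $3 == mp { o = $6; gsub(/[()]/, "", o) }
            $2 != "on" && $2 == mp { o = $4 }
            END { if (o != "") print o }')
        if [ -z "$opts" ]; then
            echo "MISSING $mp: not a separate mount, inherits the parent filesystem's options"
            failures=$((failures + 1))
            continue
        fi
        missing=""
        for want in nosuid noexec; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "WEAK    $mp ($opts): missing$missing"
            failures=$((failures + 1))
        else
            echo "OK      $mp ($opts)"
        fi
    done
    return "$failures"
}

# Constructed sample tables, taken from the `mount` output in the post,
# before and after the /tmp remount.
BEFORE_TABLE='/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
/dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)'

AFTER_TABLE='/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
/dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw,noexec,nosuid)
tmpfs on /dev/shm type tmpfs (rw)'

# Demo against the sample tables, then against this host if /proc/mounts is readable.
echo "== before remount =="
check_mount_opts "$BEFORE_TABLE" /tmp /var/tmp /dev/shm || :
echo "== after remount =="
check_mount_opts "$AFTER_TABLE" /tmp /var/tmp /dev/shm || :
if [ -r /proc/mounts ]; then
    echo "== this host =="
    check_mount_opts "$(cat /proc/mounts)" /tmp /var/tmp /dev/shm || :
fi
```

On the "after" table the script reports /tmp as OK, /var/tmp as not a separate mount (which is why step 6 symlinks it onto /tmp) and /dev/shm as still rw only; the exit status is the number of findings, so it can be dropped into a cron job or a configuration check as-is. Reading /proc/mounts rather than the output of mount is preferable on real hosts, since it reflects the kernel's view and lists an over-mounted path last.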