search for: noexec

Hello Hendrik Can you help input 2 commands 'mount' and 'df -TPh' on OMV, and post the output to us, thank you. -- Regards, Jones Syue | ??? QNAP Systems, Inc.

...in container: cat /proc/mounts [root@Donkey /]# cat /proc/mounts rootfs / rootfs rw 0 0 devpts /dev/pts devpts rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0 devfs /dev tmpfs rw,nosuid,relatime,size=64k,mode=755 0 0 /dev/sdb2 / ext4 rw,relatime,data=ordered 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 proc /proc/sys proc ro,relatime 0 0 sysfs /sys sysfs ro,relatime 0 0 libvirt /proc/meminfo fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0 tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,size=64k,mode=755,uid=1000,gid=1000 0 0 cgroup /sys/fs/cgroup/cpu,cpu...

...tmpfs 64M 0 64M 0% /sharedfolders/docker_dir/containers/6ba835083cc278f2efc9ca822f30c802d67a064c8646c836b0bcb28be6de17b0/mounts/shm r mount sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) udev on /dev type devtmpfs (rw,nosuid,relatime,size=6084724k,nr_inodes=1521181,mode=755) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000) tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,...

Hello, I've been playing a bit with the "noexec" flag for filesystems. It can represent a substantial obstacle against the exploitation of security holes. However, I think it's not perfect yet. First thing, an attempt to execute a program from a noexec-mounted filesystem should be logged. It is either a very significant security...

...ass this error? offlinehacker:~/ $ virsh --debug 0 -c lxc:/// create o1.xml create: file(optdata): o1.xml error: Failed to create domain from o1.xml error: internal error: No valid cgroup for machine c1 My cgroups seem to be mounted: cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/run/current-system/systemd/lib/systemd/systemd-cgroups-agent,name=systemd) cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset) cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu) cgroup on /sys/fs/cg...

...arch ~]# uname -a Linux arch 4.8.0-39-generic #42~16.04.1-Ubuntu SMP Mon Feb 20 15:06:07 UTC 2017 x86_64 GNU/Linux [root@arch ~]# cat /proc/mounts storage/lxd_root/containers/arch / zfs rw,noatime,xattr,posixacl 0 0 none /dev tmpfs rw,relatime,size=492k,mode=755 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 proc /proc/sys/net proc rw,nosuid,nodev,noexec,relatime 0 0 proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0 proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0 sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0 sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0...

Hi all Each lxc container on node have mounted tmpfs for cgroups tree: [root-inside-lxc@tst1 ~]# mount | grep cgroups cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu) cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset) cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory) cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices) cgroup on /sys/fs/cg...

Hello, I am fixing up a system for someone and they did not make a separate partition for /tmp...but I want to make it noexec, nosuid. I came across a site that said I could skip all the mount/unmount and new partition stuff (which would probably include downsizing a lvm to make room for it)... by adding this in fstab /tmp /tmp bind nosuid,noexec,bind 0 0 and then reboot... There is no /tmp in their fstab at the...

On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote: > On 06/09/2013 08:14 PM, pr.G wrote: > > Hello. > > > > Is it possible to start container via libvirt_lxc without mounting /sys > > inside container? > > > > When I start container via lxc-start and do not add mount point to config, > > then /sys inside container is empty. > > >

Hi people,

...:76): Sep 25 13:45:46 ubuntucliente lightdm[702]: (mount.c:76): In some cases useful info is found in syslog - try Sep 25 13:45:46 ubuntucliente lightdm[702]: (mount.c:76): dmesg | tail or so. Sep 25 13:45:46 ubuntucliente lightdm[702]: (mount.c:558): 22 27 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw Sep 25 13:45:46 ubuntucliente lightdm[702]: (mount.c:558): 23 27 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw Sep 25 13:45:46 ubuntucliente lightdm[702]: (mount.c:558): 24 27 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=99...

...d: >> On Wed, 2017-02-15 at 09:47 -0600, Johnny Hughes wrote: >> > 2. They already have shell access on the machine in question and they >> > can already run anything in that shell that they can run via what you >> > are pointing out. >> >> No, assuming noexec /home mounts all they can run is system binaries. > > noexec is not that big of a protection. On a normal CentOS system, you > almost certainly have python installed (as well as likely other > scripting languages such as perl), and they can be used to do just about > anything compil...

Am 24.05.2017 um 17:50 schrieb Jeremy Allison via samba: > Here are some mitigation techniques from Red Hat in > case servers cannot be patched immediately: > 2. Mount the filessytem which is used by samba for its writeable share, > using "noexec" option. I would have expected this to be standard security precaution on all pure file servers (which is probably the most common use of Samba). Should the Samba-Wiki tell so, or shouldn't all Linux admins be sane enough do already do this?

Sjors Gielen wrote: > Then I noticed that the partition /dev/sdb2 was mounted noexec, so I > umounted ~/.wine and /media/sdb2, remounted /dev/sdb2 with exec, and > remounted ~/.wine - and it all worked again. > > This is with Wine 1.1.24. Has this always been behavior, or is it a > regression somewhere? Wine will not work / run programs from mount mounted with noex...

Hello Johnny, On Wed, 2017-02-15 at 09:47 -0600, Johnny Hughes wrote: > 2. They already have shell access on the machine in question and they > can already run anything in that shell that they can run via what you > are pointing out. No, assuming noexec /home mounts all they can run is system binaries. > 3. If they have access to a zeroday issue that give them root .. they > can just use that via their shell that they already have (that you gave > them, which they are using) to get root .. they therefore don't need to > use this...

Does mounting /tmp as noexec,nosuid break anything in CentOS 5? I've been in solaris land forever and a day and this is a pretty standard security measure. I noticed CentOS comes default mounting /tmp with both those options allowed.. I'm getting constant php hack attacks against (mostly script kiddie level stuff right...

Error on domain option !! Sep 25 12:04:33 ubuntucliente lightdm[702]: (mount.c:664): Password will be sent to helper as-is. Sep 25 12:04:33 ubuntucliente lightdm[702]: command: 'mount' '-t' 'cifs' '//domain-server2/FS_PRUEBA_3' '/home/prueba3/compartido' '-o' 'username=prueba3,uid=50006,gid=50027,username=prueba3,uid=50006,gid=50027,domain'

...:22:21 ubuntucliente kernel: [ 1975.010067] CIFS VFS: cifs_mount failed w/return code = -13 Sep 24 10:22:21 ubuntucliente lightdm[708]: (mount.c:76): mount: cannot mount //10.11.37.155/FS_PRUEBA_3 read-only Sep 24 10:22:21 ubuntucliente lightdm[708]: (mount.c:558): 22 27 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw Sep 24 10:22:21 ubuntucliente lightdm[708]: (mount.c:558): 23 27 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw Sep 24 10:22:21 ubuntucliente lightdm[708]: (mount.c:558): 24 27 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=99...

...got the following error: error: Failed to retrieve CPU statistics for domain 'MY_DOMAIN' error: Requested operation is not valid: cgroup CPUACCT controller is not mounted - I checked that cgroup is well mounted: $ cat /proc/mounts | grep cgroup tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0 cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0 cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0 cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,...

...:76): Sep 25 10:00:15 ubuntucliente lightdm[702]: (mount.c:76): In some cases useful info is found in syslog - try Sep 25 10:00:15 ubuntucliente lightdm[702]: (mount.c:76): dmesg | tail or so. Sep 25 10:00:15 ubuntucliente lightdm[702]: (mount.c:558): 22 27 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw Sep 25 10:00:15 ubuntucliente lightdm[702]: (mount.c:558): 23 27 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw Sep 25 10:00:15 ubuntucliente lightdm[702]: (mount.c:558): 24 27 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=99...