Bug 81868 - Filesystem options in fstab only effective after manual remount
Summary: Filesystem options in fstab only effective after manual remount
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] baselayout
Hardware: x86 Linux
Importance: High major
Assignee: Gentoo's Team for Core System packages
Reported: 2005-02-13 08:52 UTC by Alexandre Gauthier
Modified: 2005-05-14 14:16 UTC
Description Alexandre Gauthier 2005-02-13 08:52:25 UTC
I have this line in my fstab:

/dev/hda5      /tmp       ext3    defaults,noexec,nosuid,nodev,usrquota,grpquota 0 0

Issuing the "mount" command after a fresh boot shows:

/dev/hda5 on /tmp type ext3 (rw,noexec,nosuid,nodev,usrquota,grpquota)

However, the noexec flag seems not to be working. Copying /bin/ls to /tmp and executing it effectively runs ls.

However, doing a manual remount fixes it.

mount -o remount /tmp

Then, running the copied ls binary produces an error, which is expected behaviour.

I have no clue what could be causing this, and especially what would cause "mount" to lie so blatantly.

Because of this, one of my servers got compromised through the awstats exploit; they executed a crappy rootkit in /tmp.

Reproducible: Always
Steps to Reproduce:
1. Boot server
2. copy /bin/ls to /tmp
3. cd /tmp ; ./ls

Actual Results:  
The output of ls is shown.

Expected Results:  
Not executed ls, obeying the fstab options.

emerge info
Portage 2.0.51-r15 (default-linux/x86/2004.0, gcc-3.3.5,
glibc-2.3.4.20040808-r1, 2.6.10-angeldust i686)
=================================================================
System uname: 2.6.10-angeldust i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.1.3-r1,dev-lang/python-2.3.4-r1 [2.3.4
(#1, Feb  7 2005, 19:04:43)]
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.1.3-r1, 2.3.4-r1
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.7.9, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r1
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.4.21-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-tbird -mcpu=athlon-tbird -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/alias /var/qmail/control
/var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-tbird -mcpu=athlon-tbird -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict
userprivs usersandbox"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo
http://gentoo.mirrors.pair.com/ http://mirrors.tds.net/gentoo
http://mirror.datapipe.net/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 acl apache apm arts avi bash-completion berkdb bitmap-fonts cdr crypt
docs encode f77 font-server foomaticdb fortran gd gdbm gif gpm gtk2 imap imlib
java jpeg jpg ldap libg++ libwww mad mailbox mikmod motif mpeg mysql ncurses nls
oggvorbis opengl openssl oss pam pdf pdflib perl png python quicktime readline
samba sdl slang snmp spell ssl svga tcpd tiff truetype truetype-fonts
type1-fonts xml2 xmms xv zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, PORTDIR_OVERLAY
Comment 1 Stian Skjelstad 2005-02-13 21:31:28 UTC
can you /proc/mounts ? If noexec is listed there, there is a kernel-bug, else it is likely a bug in mount. Both are a security problem, as you mentioned.
Comment 2 SpanKY gentoo-dev 2005-05-14 14:16:51 UTC
please post the info mentioned by Stian

seems to work fine here:
root@vapier 0 ~ # tail -n 1 /etc/fstab 
none /blah tmpfs defaults,noexec,nosuid,nodev 0 0
root@vapier 0 ~ # mkdir /blah 
root@vapier 0 ~ # mount | grep /blah
none on /blah type tmpfs (rw,noexec,nosuid,nodev)
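
The comparison requested in Comments 1 and 2, scripted as an added example (not part of the bug report or of baselayout): it checks the noexec, nosuid and nodev options of every mounted fstab entry against a mount table in /proc/mounts format. The function name check_mount_flags and the sample kernel-table line are assumptions; the reporter never posted /proc/mounts.

```shell
#!/bin/sh
# check_mount_flags FSTAB MOUNTS
# Prints "MOUNTPOINT missing:FLAG[,FLAG]" for each mounted fstab entry whose
# noexec/nosuid/nodev option is absent from the kernel's mount table.
# Returns 1 if anything was reported, 0 otherwise.
# Real use: check_mount_flags /etc/fstab /proc/mounts
check_mount_flags() {
    awk '
        BEGIN { n = split("noexec nosuid nodev", flag, " ") }
        # First file: kernel mount table. A later line for the same mount
        # point overrides an earlier one (the newest mount is in effect).
        FILENAME == ARGV[1] { live[$2] = "," $4 ","; next }
        # Second file: fstab. Skip comments and blank lines.
        /^[ \t]*(#|$)/ { next }
        # Entries that are not mounted (e.g. noauto) have nothing to compare.
        !($2 in live) { next }
        {
            want = "," $4 ","; miss = ""
            for (i = 1; i <= n; i++) {
                f = "," flag[i] ","
                if (index(want, f) && !index(live[$2], f))
                    miss = miss (miss == "" ? "" : ",") flag[i]
            }
            if (miss != "") { print $2 " missing:" miss; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# Demo on constructed data: the fstab line is the one from the report; the
# kernel-table lines are hypothetical and only illustrate a mismatch.
d=$(mktemp -d)
printf '%s\n' \
    '/dev/hda5 /tmp ext3 defaults,noexec,nosuid,nodev,usrquota,grpquota 0 0' \
    > "$d/fstab"
printf '%s\n' \
    'rootfs / rootfs rw 0 0' \
    '/dev/hda5 /tmp ext3 rw,nosuid,nodev 0 0' \
    > "$d/mounts"
check_mount_flags "$d/fstab" "$d/mounts" || echo "fstab flags not in effect"
rm -rf "$d"
```

Run at the end of boot, a non-zero return flags exactly the state described in the report: options requested in fstab that the kernel is not enforcing.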