Full Version: /tmp noexec causes problem for a new client
The Planet Forums > Security > General Security
vividere
Hello,

I have a cPanel server and have a new client that needed customization of the server for their application.

They are running a program called NAND

http://www1.lib.uchicago.edu/cgi-bin/nand/search/about


To get it to run I had to install TCLKIT:

http://www.equi4.com/tclkit/download.html

We thought enough had been done to run their app, but now they are saying the noexec on TMP is keeping it from running. They say none of their own servers have that restriction.

Do I need to remove noexec from TMP or is there another way to run their app?

Thanks,

Lew
vividere
90 view and no responses yet on what to do? Based on that, can I assume you all have your TMP locked down and you make your users modify their apps or not run them?

Lew
Tomy Durden
noexec is a security feature which most administrators aren't willing to remove. Is there a specific reason why the package would need to execute a file in a place where files shouldn't be executable?

This could possibly lead to an unwanted privilege escalation if another user, or a remote attacker, were to replace the executables in /tmp with something malicious.
vividere
QUOTE (Tomy Durden @ May 4 2009, 06:27 PM) *
noexec is a security feature which most administrators aren't willing to remove. Is there a specific reason why the package would need to execute a file in a place where files shouldn't be executable?

This could possibly lead to an unwanted privilege escalation if another user, or a remote attacker, were to replace the executables in /tmp with something malicious.


Thanks for the feedback. Apparently the app was written in a cloistered environment where they don't have the noexec option on their /tmp directory so this probably wasn't discovered when running the app in their environment.

I am waiting to find out if the client can or will get the author to change the location to execute from. Could they use their own /tmp directory vs. the server /tmp directory, or are they the same directory?

If an executable was going to be spawned vs. run where installed, what would the appropriate directory be?

Thanks
Tomy Durden
QUOTE (vividere @ May 4 2009, 02:24 PM) *
Thanks for the feedback. Apparently the app was written in a cloistered environment where they don't have the noexec option on their /tmp directory so this probably wasn't discovered when running the app in their environment.

I am waiting to find out if the client can or will get the author to change the location to execute from. Could they use their own /tmp directory vs. the server /tmp directory, or are they the same directory?

If an executable was going to be spawned vs. run where installed, what would the appropriate directory be?

Thanks

You can do per-user tmp directories (http://www.wlug.org.nz/PerUserTempDirs), but I couldn't tell you what impact it would have on other applications. Likely none, but you never know. If the solution isn't in production, or is flexible, you can try it out.

Most developers are willing to accept input, especially if it'll make their applications more secure. Sometimes they'll build the application where the tmp file locations can be set at runtime.

I don't recommend it, but if it's preventing you from providing the solution your customer needs, then you may need to drop the noexec flag. If you do need to resort to this, try to reduce the amount of opportunities outsiders have to manipulate the tmp files.
vividere
QUOTE (Tomy Durden @ May 4 2009, 09:05 PM) *
You can do per-user tmp directories (http://www.wlug.org.nz/PerUserTempDirs), but I couldn't tell you what impact it would have on other applications. Likely none, but you never know. If the solution isn't in production, or is flexible, you can try it out.

Most developers are willing to accept input, especially if it'll make their applications more secure. Sometimes they'll build the application where the tmp file locations can be set at runtime.

I don't recommend it, but if it's preventing you from providing the solution your customer needs, then you may need to drop the noexec flag. If you do need to resort to this, try to reduce the amount of opportunities outsiders have to manipulate the tmp files.


Turns out they contacted the programmer and he came up with a way to add a line to their CGI script to change the directory some libraries are stored in, in their own directory. Seems it works and the client has two libraries up already and they are working.

thanks
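An added example in POSIX shell, not from the thread, NAND or tclkit: it reads a /proc/mounts-style table to tell whether a directory such as /tmp sits on a noexec mount, and prepares the per-user temp directory Tomy Durden mentions so a CGI wrapper can point the app at a user-owned location instead of the shared /tmp. The sample mount table is constructed, and whether a given program honours TMPDIR is an assumption to verify per program.

```shell
# Added example, not from the thread, NAND or tclkit. Given a mounts table
# in /proc/mounts format, decide whether a directory sits on a noexec mount.

# mount_opts_for DIR: read the mounts table from stdin and print the
# options of the longest mount point that covers DIR.
mount_opts_for() {
    dir=$1; best=""; best_opts=""
    while read -r _dev mnt _fs opts _rest; do
        case "$mnt" in
            /) hit=1 ;;
            *) case "$dir" in "$mnt"|"$mnt"/*) hit=1 ;; *) hit=0 ;; esac ;;
        esac
        # longest prefix wins, so /tmp beats / for /tmp/nand
        if [ "$hit" -eq 1 ] && [ ${#mnt} -gt ${#best} ]; then
            best=$mnt; best_opts=$opts
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best_opts"
}

# dir_is_noexec DIR: exit 0 if DIR is on a mount carrying "noexec".
# Against the live host: dir_is_noexec /tmp < /proc/mounts
dir_is_noexec() {
    opts=$(mount_opts_for "$1") || return 2
    case ",$opts," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# setup_user_tmp [BASE]: create a private (mode 700) directory the user
# owns and print the TMPDIR line for the app's CGI wrapper. That the app
# honours TMPDIR is an assumption to verify per program.
setup_user_tmp() {
    base=${1:-$HOME/tmp}
    mkdir -p "$base" && chmod 700 "$base" || return 1
    printf 'TMPDIR=%s; export TMPDIR\n' "$base"
}

# Constructed mounts table for demonstration (not captured from a host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# verdict DIR: one-line verdict for DIR against the sample table.
verdict() {
    if printf '%s\n' "$SAMPLE_MOUNTS" | dir_is_noexec "$1"; then
        echo "$1: noexec mount, point TMPDIR at a user-owned directory"
    else
        echo "$1: execution permitted"
    fi
}
verdict /tmp/nand; verdict /home/client/tmp
```

The check is only half the story: the directory TMPDIR points at must itself be on a mount without noexec, which is what dir_is_noexec verifies before you commit to it.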
Tomy Durden
QUOTE (vividere @ May 4 2009, 04:58 PM) *
Turns out they contacted the programmer and he came up with a way to add a line to their CGI script to change the directory some libraries are stored in, in their own directory. Seems it works and the client has two libraries up already and they are working.

thanks

Nice! It's always good to see developers work with their clients.