CAS-001 Question #105: Real Exam Question with Answer & Explanation
The correct answer is C: Mount all tmp directories nosuid, noexec.
Question
Options
- A. Never mount the /tmp directory over NFS
- B. Stop the rpcidmapd service from running
- C. Mount all tmp directories nosuid, noexec
- D. Restrict access to the /tmp directory
Explanation
The file listing shows -rwsr-xr-x, where the 's' in the owner execute position is the setuid (SUID) bit. When a file has the SUID bit set and is owned by root, any user who executes it runs it with root-level privileges. A malicious actor who placed this file in /tmp can use it to escalate to root. The /tmp directory is world-writable by design, making it a common staging area for such attacks. Mounting /tmp (and other temp directories) with the nosuid mount option prevents the kernel from honoring the SUID/SGID bits on any executable in that filesystem, neutralizing this attack vector. The noexec option adds an additional layer by preventing any file in that mount from being directly executed. Option A (no NFS mount) and Option B (rpcidmapd) address NFS-related vulnerabilities irrelevant here. Option D (restricting access) does not stop users who already have write access from planting such a file.
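The explanation above describes why the nosuid and noexec mount options neutralize a root-owned SUID binary planted in /tmp. As an added illustration (not part of the exam page), the POSIX shell audit below parses mount-table lines in /proc/mounts format and reports every temporary filesystem that is missing either option. The mount lines are constructed sample data: the /tmp line is the weak configuration the question describes, /var/tmp is the hardened form, and /dev/shm shows a partial hardening that still allows execution. The hardened fstab entry and remount command in the comments use the standard mount(8) option syntax.

```shell
#!/bin/sh
# Audit temporary-directory mounts for the nosuid and noexec options.
# Input is text in /proc/mounts format: device mountpoint fstype options dump pass
#
# Hardened /etc/fstab entry for reference (option C from the question):
#   tmpfs  /tmp  tmpfs  defaults,nosuid,nodev,noexec  0  0
# Applying it to a live system without a reboot:
#   mount -o remount,nosuid,noexec /tmp

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Print one line per temp mount that lacks nosuid or noexec.
# Returns 0 when every temp mount carries both options, 1 otherwise.
audit_tmp_mounts() {
    printf '%s\n' "$1" | awk '
        # Only the world-writable temporary filesystems are in scope.
        $2 == "/tmp" || $2 == "/var/tmp" || $2 == "/dev/shm" {
            has_nosuid = 0; has_noexec = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") has_nosuid = 1
                if (opts[i] == "noexec") has_noexec = 1
            }
            missing = ""
            if (!has_nosuid) missing = "nosuid"
            if (!has_noexec) missing = missing (missing == "" ? "" : ",") "noexec"
            if (missing != "") { print $2 " missing: " missing; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# Number of temp mounts that failed the audit (always exits 0).
count_weak_tmp_mounts() {
    audit_tmp_mounts "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample; on a real host use:
#   audit_tmp_mounts "$(cat /proc/mounts)"
if audit_tmp_mounts "$SAMPLE_MOUNTS"; then
    echo "all temporary filesystems are mounted nosuid,noexec"
else
    echo "weak temporary mounts found: $(count_weak_tmp_mounts "$SAMPLE_MOUNTS")"
fi
```

On the sample data the audit flags /tmp (missing both options) and /dev/shm (missing noexec); /var/tmp passes and the root filesystem is out of scope. Note that nosuid alone already stops the SUID escalation in the question, because the kernel ignores the setuid bit on that mount; noexec additionally refuses to execute anything staged there, which is why the answer lists both.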