From: Joe Knall
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] mount noexec and ro
Date: Sat, 4 Nov 2006 12:11:22 +0100
User-Agent: KMail/1.8
Message-Id: <200611041211.22434.joe.knall@gmx.net>

Hello,

can/does mounting a partition with noexec, ro etc. provide additional security or are those limitations easy to circumvent?

Example: webserver running chrooted, all libs and executables (apache, lib, usr ...) on read-only mounted partition /srv/www, data dirs (logs, htdocs ...) on partition /srv/www/data mounted with noexec (but rw of course), no cgi needed.

Server is started with "chroot /srv/www /apache/bin/httpd -k start".

Any cognition? Is this useful, nice, nonsense?

Keeping the chroot updated and so on is not my concern here.

Thanks,
Joe

--
gentoo-security@gentoo.org mailing list
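An added example, not part of Joe's post or of any reply on the list: a small POSIX sh audit of the layout he describes (read-only chroot root at /srv/www, noexec data partition at /srv/www/data). It reads the live mount table from /proc/self/mounts rather than /etc/fstab, so it reports what is actually in effect, and it also checks for nodev and nosuid on both partitions, which the post does not mention but which are the usual companions of noexec. The /etc/fstab lines in the comment and the two sample mount tables are constructed here; the device names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies the mount options
# of a chrooted web server layout against the live mount table.
#
# Matching /etc/fstab entries (constructed; devices are placeholders).
# Order matters: the parent mount must exist before the child is mounted.
#   /dev/sda5  /srv/www       ext3  ro,nodev,nosuid         0 2
#   /dev/sda6  /srv/www/data  ext3  rw,noexec,nodev,nosuid  0 2

# Constructed sample of /proc/self/mounts for the intended layout.
SAMPLE_MOUNTS='/dev/sda5 /srv/www ext3 ro,nodev,nosuid 0 0
/dev/sda6 /srv/www/data ext3 rw,noexec,nodev,nosuid 0 0
/dev/sda7 /tmp ext3 rw 0 0'

# Constructed sample after a "remount,rw" for maintenance that was never
# reverted, and a data partition that lost noexec.
WEAK_MOUNTS='/dev/sda5 /srv/www ext3 rw,nodev,nosuid 0 0
/dev/sda6 /srv/www/data ext3 rw,nodev,nosuid 0 0'

# has_opt MOUNTPOINT OPTION [MOUNTS_TEXT]
# Returns 0 if the mount at MOUNTPOINT carries OPTION in its option list.
# MOUNTS_TEXT defaults to the live /proc/self/mounts.
has_opt() {
  _mp=$1; _opt=$2; _text=${3:-$(cat /proc/self/mounts)}
  # Field 2 is the mount point, field 4 the comma-separated option list.
  printf '%s\n' "$_text" | awk -v mp="$_mp" -v opt="$_opt" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_layout CHROOT_DIR [MOUNTS_TEXT]
# Prints one line per check and returns the number of failed checks
# (0 means the layout matches expectations).
check_layout() {
  root=$1; text=${2:-$(cat /proc/self/mounts)}
  fails=0
  if has_opt "$root" ro "$text"; then echo "OK:   $root is mounted ro"
  else echo "FAIL: $root is not mounted ro"; fails=$((fails + 1)); fi
  if has_opt "$root/data" noexec "$text"; then echo "OK:   $root/data has noexec"
  else echo "FAIL: $root/data lacks noexec"; fails=$((fails + 1)); fi
  for mp in "$root" "$root/data"; do
    for o in nodev nosuid; do
      if has_opt "$mp" "$o" "$text"; then echo "OK:   $mp has $o"
      else echo "FAIL: $mp lacks $o"; fails=$((fails + 1)); fi
    done
  done
  return $fails
}

main() {
  echo "== intended layout =="
  if check_layout /srv/www "$SAMPLE_MOUNTS"; then echo "layout OK"; fi
  echo "== weakened layout =="
  if check_layout /srv/www "$WEAK_MOUNTS"; then echo "layout OK"; fi
}
main
```

Run it without the second argument (`check_layout /srv/www`) on the real host, for instance from the httpd start script or a cron job: the point of reading /proc/self/mounts is that a `mount -o remount,rw /srv/www` done during an update and never reverted shows up as a FAIL, whereas /etc/fstab would still look correct.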