From: Paul de Vrieze <pauldv@gentoo.org>
Date: Sat, 04 Nov 2006 16:00:29 +0100
Subject: Re: [gentoo-security] mount noexec and ro
To: gentoo-security@lists.gentoo.org
Message-id: <200611041600.45837.pauldv@gentoo.org>
In-reply-to: <200611041211.22434.joe.knall@gmx.net>
On Saturday 04 November 2006 12:11, Joe Knall wrote:
> Hello,
>
> can/does mounting a partition with noexec, ro etc. provide additional
> security or are those limitations easy to circumvent?
>
> Example: webserver running chrooted
> all libs and executables (apache, lib, usr ...) on read only mounted
> partition /srv/www, data dirs (logs, htdocs ...) on
> partition /srv/www/data mounted with noexec (but rw of course), no cgi
> needed.
> Server is started with "chroot /srv/www /apache/bin/httpd -k start".
>
> Any cognition? Is this useful, nice, nonsense?
> Keeping the chroot updated and so on is not my concern here.

Besides this, you must also add nodev to prevent those kinds of circumventions.

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
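The thread boils down to a mount-option policy for the chroot: the library and binary partition read-only, the writable data partition noexec, and (Paul's point) nodev on the writable partition as well. The script below is an added example, not code from either poster, that audits a set of /proc/mounts-style lines against that policy. The mount lines are constructed sample data, the function names (has_opt, missing_opts, audit_mounts) are my own, and the check also demands nosuid, which the thread does not mention but which is the usual companion of nodev on a data partition; remove it from the required lists if you only want to verify what the thread discusses.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits mount options for the
# layout in the question: everything under /srv/www should carry nodev and
# nosuid (nosuid is my addition, not from the thread), and the writable data
# mount should also carry noexec.
# The mount lines below are CONSTRUCTED sample input in /proc/mounts format.

# Layout as posted: /srv/www read-only, /srv/www/data rw + noexec only.
SAMPLE_MOUNTS='/dev/sda5 /srv/www ext3 ro,nosuid,nodev 0 0
/dev/sda6 /srv/www/data ext3 rw,noexec 0 0
/dev/sda7 /var/log ext3 rw,noexec,nosuid,nodev 0 0'

# Same layout with nodev (and nosuid) added to the data mount, as Paul advises.
FIXED_MOUNTS='/dev/sda5 /srv/www ext3 ro,nosuid,nodev 0 0
/dev/sda6 /srv/www/data ext3 rw,noexec,nosuid,nodev 0 0'

# has_opt OPTS NAME: succeed if NAME is a whole option in the comma list OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts OPTS NAME...: print the NAMEs absent from OPTS, comma-separated.
# Exit status is 0 only when nothing is missing.
missing_opts() {
    _opts=$1; shift
    _missing=""
    for _want in "$@"; do
        has_opt "$_opts" "$_want" || _missing="${_missing:+$_missing,}$_want"
    done
    printf '%s' "$_missing"
    [ -z "$_missing" ]
}

# audit_mounts MOUNTS PREFIX: check every mount at or below PREFIX.
# Read-only mounts need nodev,nosuid; writable ones need noexec as well.
# Prints a verdict per mount; exit status = number of non-compliant mounts.
audit_mounts() {
    _bad=0
    while read -r _dev _mnt _fstype _opts _rest; do
        [ -n "$_mnt" ] || continue
        case "$_mnt" in
            "$2"|"$2"/*) ;;
            *) continue ;;
        esac
        if has_opt "$_opts" ro; then
            _need="nodev nosuid"
        else
            _need="nodev nosuid noexec"
        fi
        # Word-splitting of $_need into separate arguments is intended here.
        if _miss=$(missing_opts "$_opts" $_need); then
            printf 'OK    %s (%s)\n' "$_mnt" "$_opts"
        else
            printf 'FAIL  %s (%s) missing: %s\n' "$_mnt" "$_opts" "$_miss"
            _bad=$((_bad + 1))
        fi
    done <<EOF
$1
EOF
    return "$_bad"
}

# Stand-alone demo: report on the posted layout, then on the corrected one.
echo "== layout as posted =="
audit_mounts "$SAMPLE_MOUNTS" /srv/www || echo "$? mount(s) need attention"
echo "== with nodev added =="
audit_mounts "$FIXED_MOUNTS" /srv/www && echo "all mounts compliant"
```

On a live Linux host the same function runs over the kernel's view of the mount table with `audit_mounts "$(cat /proc/mounts)" /srv/www`; checking /proc/mounts rather than /etc/fstab matters because it reflects what is actually mounted, including any remount that silently dropped an option.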