Re: [gentoo-security] mount noexec and ro

public inbox for gentoo-security@lists.gentoo.org
 help / color / mirror / Atom feed

From: Joe Knall <joe.knall@gmx.net>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] mount noexec and ro
Date: Sat, 4 Nov 2006 17:27:39 +0100	[thread overview]
Message-ID: <200611041727.39451.joe.knall@gmx.net> (raw)
In-Reply-To: <200611041600.45837.pauldv@gentoo.org>

On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > can/does mounting a partition with noexec, ro etc. provide
> > additional security or are those limitations easy to circumvent?
> >
> > Example: webserver running chrooted
> > all libs and executables (apache, lib, usr ...) on read only
> > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > partition /srv/www/data mounted with noexec (but rw of course), no
> > cgi needed.
> > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > start".
>
> Besides this, you must also add nodev to prevent those kinds of
> circumventions
>
> Paul

correct, it's atually like this
/srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
/srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)

but I need a /dev, currently data/dev with null and urandom there, 
writeable and not nodev (could as well be a separate partition).
Do you think this turns all the rest in vain?

Joe
-- 
gentoo-security@gentoo.org mailing list

next prev parent reply	other threads:[~2006-11-04 16:34 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-11-04 11:11 [gentoo-security] mount noexec and ro Joe Knall
2006-11-04 12:03 ` Wolfram Schlich
2006-11-04 12:47   ` Eduardo Tongson
2006-11-04 13:27     ` Joe Knall
2006-11-04 15:00 ` Paul de Vrieze
2006-11-04 16:27   ` Joe Knall [this message]
2006-11-04 19:03     ` Paul de Vrieze
2006-11-06  5:58       ` Miguel Angel Tormo Alfaro
2006-12-07 17:44     ` Miguel Sousa Filipe
2006-12-09  2:34       ` Joe Knall
     [not found]         ` <20061209031915.506559@host216-188.pool8250.interbusiness.it>
2006-12-09  4:21           ` ascii

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200611041727.39451.joe.knall@gmx.net \
    --to=joe.knall@gmx.net \
    --cc=gentoo-security@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox