From: Joe Knall
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] mount noexec and ro
Date: Sat, 9 Dec 2006 03:34:31 +0100
User-Agent: KMail/1.8
References: <200611041211.22434.joe.knall@gmx.net> <200611041727.39451.joe.knall@gmx.net>
Message-Id: <200612090334.31689.joe.knall@gmx.net>

On Thu, 2006-12-07 18:44 Miguel Sousa Filipe wrote:
> Hi,
>
> On 11/4/06, Joe Knall wrote:
> > On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > > can/does mounting a partition with noexec, ro etc. provide
> > > > additional security or are those limitations easy to
> > > > circumvent?
> > > >
> > > > Example: webserver running chrooted
> > > > all libs and executables (apache, lib, usr ...) on read only
> > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > > partition /srv/www/data mounted with noexec (but rw of course),
> > > > no cgi needed.
> > > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > > start".
> > >
> > > Besides this, you must also add nodev to prevent those kinds of
> > > circumventions
> > >
> > > Paul
> >
> > correct, it's actually like this
> > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
> I cannot have any kind of an interpreted language supported in those
> environments..
> or a simple perl/php/lisp "data" file can circumvent those attacks!

When I get you right, you mean the P in LAMP makes these limitations
(ro, noexec, nodev, chroot ...) nonsense.
Ok, what makes you think so?
How do you do it (get a shell, root access, hijack the box ...)?
What's a better approach to prevent it?

Joe
--
gentoo-security@gentoo.org mailing list
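The thread's setup relies on the two mounts actually carrying ro/nosuid/nodev and noexec/nosuid at runtime, and a wrong fstab line or a later remount silently drops that protection. The following POSIX sh script is an added example, not code posted by anyone in this thread: it checks a mount table in /proc/mounts format for the options Joe listed. The mount table embedded in SAMPLE_MOUNTS is constructed for this example (the device names and the extra /srv/www/cache entry are assumptions); for a live check replace it with the contents of /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the hardened mounts
# discussed above really carry their expected options.
# SAMPLE_MOUNTS is a constructed /proc/mounts-style table; the device
# names and the /srv/www/cache line are assumptions for the example.
SAMPLE_MOUNTS='/dev/sda3 /srv/www ext3 ro,nosuid,nodev,acl,user_xattr 0 0
/dev/sda4 /srv/www/data ext3 rw,noexec,nosuid,acl,user_xattr 0 0
/dev/sda5 /srv/www/cache ext3 rw,acl 0 0'

# mount_opts MOUNTPOINT TABLE
# Prints the comma-separated option field for MOUNTPOINT; returns 1 if
# MOUNTPOINT does not appear in TABLE (i.e. it is not mounted at all).
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp { print $4; found = 1 }
        END { if (!found) exit 1 }'
}

# has_opt OPTSTRING OPTION
# Returns 0 when OPTION is one of the comma-separated entries in OPTSTRING.
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTPOINT TABLE OPT...
# Prints one line per required option and returns 0 only if every
# option is present; a missing mount or a missing option returns 1.
check_mount() {
    mp=$1; table=$2; shift 2
    opts=$(mount_opts "$mp" "$table") || {
        echo "MISSING  $mp is not mounted"
        return 1
    }
    status=0
    for want in "$@"; do
        if has_opt "$opts" "$want"; then
            echo "ok       $mp has $want"
        else
            echo "WEAK     $mp lacks $want (options: $opts)"
            status=1
        fi
    done
    return $status
}

# Stand-alone run: the two mounts from the thread against the sample table.
check_mount /srv/www      "$SAMPLE_MOUNTS" ro nosuid nodev
check_mount /srv/www/data "$SAMPLE_MOUNTS" noexec nosuid
```

Running it against the sample table reports every option on /srv/www and /srv/www/data as present, while a check of the constructed /srv/www/cache entry for noexec fails, which is the condition worth alerting on. As Miguel's reply points out, noexec only stops the kernel from executing files directly; it is not a control over what an interpreter inside the chroot will run from a writable "data" file, so the check confirms the mount options are in force but does not replace keeping interpreters out of that environment.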