From: "Miguel Sousa Filipe" <miguel.filipe@gmail.com>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] mount noexec and ro
Date: Thu, 7 Dec 2006 17:44:31 +0000 [thread overview]
Message-ID: <f058a9c30612070944rb37aa44m468057ed5d186832@mail.gmail.com> (raw)
In-Reply-To: <200611041727.39451.joe.knall@gmx.net>
Hi,
On 11/4/06, Joe Knall <joe.knall@gmx.net> wrote:
> On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > can/does mounting a partition with noexec, ro etc. provide
> > > additional security or are those limitations easy to circumvent?
> > >
> > > Example: webserver running chrooted
> > > all libs and executables (apache, lib, usr ...) on read only
> > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > partition /srv/www/data mounted with noexec (but rw of course), no
> > > cgi needed.
> > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > start".
> >
> > Besides this, you must also add nodev to prevent those kinds of
> > circumventions
> >
> > Paul
>
> correct, it's atually like this
> /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
I cannot have any kind of a intrepreted language supported in those
environments..
or a simple perl/php/lisp "data" file can circunvent those attacks!
> but I need a /dev, currently data/dev with null and urandom there,
> writeable and not nodev (could as well be a separate partition).
> Do you think this turns all the rest in vain?
>
> Joe
> --
> gentoo-security@gentoo.org mailing list
>
>
--
Miguel Sousa Filipe
--
gentoo-security@gentoo.org mailing list
next prev parent reply other threads:[~2006-12-07 17:50 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-04 11:11 [gentoo-security] mount noexec and ro Joe Knall
2006-11-04 12:03 ` Wolfram Schlich
2006-11-04 12:47 ` Eduardo Tongson
2006-11-04 13:27 ` Joe Knall
2006-11-04 15:00 ` Paul de Vrieze
2006-11-04 16:27 ` Joe Knall
2006-11-04 19:03 ` Paul de Vrieze
2006-11-06 5:58 ` Miguel Angel Tormo Alfaro
2006-12-07 17:44 ` Miguel Sousa Filipe [this message]
2006-12-09 2:34 ` Joe Knall
[not found] ` <20061209031915.506559@host216-188.pool8250.interbusiness.it>
2006-12-09 4:21 ` ascii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f058a9c30612070944rb37aa44m468057ed5d186832@mail.gmail.com \
--to=miguel.filipe@gmail.com \
--cc=gentoo-security@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox