From: "Miguel Sousa Filipe"
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] mount noexec and ro
Date: Thu, 7 Dec 2006 17:44:31 +0000
In-Reply-To: <200611041727.39451.joe.knall@gmx.net>
References: <200611041211.22434.joe.knall@gmx.net> <200611041600.45837.pauldv@gentoo.org> <200611041727.39451.joe.knall@gmx.net>
List-Id: Gentoo Linux mail
Hi,

On 11/4/06, Joe Knall wrote:
> On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > can/does mounting a partition with noexec, ro etc. provide
> > > additional security or are those limitations easy to circumvent?
> > >
> > > Example: webserver running chrooted
> > > all libs and executables (apache, lib, usr ...) on read only
> > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > partition /srv/www/data mounted with noexec (but rw of course), no
> > > cgi needed.
> > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > start".
> >
> > Besides this, you must also add nodev to prevent those kinds of
> > circumventions
> >
> > Paul
>
> correct, it's actually like this
> /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)

I cannot have any kind of an interpreted language supported in those
environments... or a simple perl/php/lisp "data" file can circumvent
those attacks!

> but I need a /dev, currently data/dev with null and urandom there,
> writeable and not nodev (could as well be a separate partition).
> Do you think this turns all the rest in vain?
>
> Joe
> --
> gentoo-security@gentoo.org mailing list

-- 
Miguel Sousa Filipe
-- 
gentoo-security@gentoo.org mailing list
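As an added example that is not part of the thread, the POSIX sh check below audits the mount layout Joe describes (ro,nosuid,nodev on /srv/www; rw,noexec,nosuid on /srv/www/data; a writable data/dev that cannot be nodev) against /proc/mounts-style lines and reports which expected options are missing. The sample mount lines and the device names in them are constructed; with no text argument the functions read the live /proc/mounts.

```shell
# Added example, not from the thread. SAMPLE_MOUNTS is constructed to mirror
# Joe's layout; device names are assumed. data/dev lacks noexec on purpose.
SAMPLE_MOUNTS='/dev/sda5 /srv/www ext3 ro,nosuid,nodev,acl,user_xattr 0 0
/dev/sda6 /srv/www/data ext3 rw,noexec,nosuid,acl,user_xattr 0 0
/dev/sda7 /srv/www/data/dev ext3 rw,nosuid,acl,user_xattr 0 0'
# mount_opts MOUNTPOINT [MOUNTS_TEXT]: print the option field of that mountpoint
# (field 4 of /proc/mounts). Reads the live /proc/mounts when no text is given.
mount_opts() {
    printf '%s\n' "${2:-$(cat /proc/mounts)}" | awk -v mp="$1" '$2 == mp { print $4 }'
}
# has_opt OPTS_CSV NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}
# missing_opts MOUNTPOINT REQUIRED_CSV [MOUNTS_TEXT]: print each required option
# that is absent (or "not-mounted"), one per line; fail if anything is missing.
missing_opts() {
    opts=$(mount_opts "$1" "$3")
    [ -n "$opts" ] || { echo "not-mounted"; return 1; }
    old_ifs=$IFS; IFS=,; set -- $2; IFS=$old_ifs   # split REQUIRED_CSV into $@
    rc=0
    for want in "$@"; do
        has_opt "$opts" "$want" || { echo "$want"; rc=1; }
    done
    return $rc
}
# audit_layout [MOUNTS_TEXT]: check each mountpoint of the thread's layout.
# data/dev holds null and urandom, so nodev is not required there, only
# noexec,nosuid. Returns the number of mountpoints with missing options.
# Note: noexec only blocks direct execution; an interpreter on the ro partition
# can still run a script stored under data, which is the reply's point.
audit_layout() {
    findings=0
    for spec in "/srv/www ro,nosuid,nodev" \
                "/srv/www/data rw,noexec,nosuid" \
                "/srv/www/data/dev noexec,nosuid"; do
        mp=${spec%% *}; want=${spec#* }
        if out=$(missing_opts "$mp" "$want" "$1"); then
            echo "OK   $mp ($want)"
        else
            echo "WARN $mp missing: $(printf '%s' "$out" | tr '\n' ' ')"
            findings=$((findings + 1))
        fi
    done
    return $findings
}
audit_layout "$SAMPLE_MOUNTS" || echo "$? mountpoint(s) need attention"
```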