On Fri, 2006-02-17 at 22:35 +0100, Alexander Skwar wrote:
> Maarten wrote:
> > Okay, can we stop with the flamefest, already ?
>
> Certainly.
>
> > Alexander Skwar wrote:
> >> Hemmann, Volker Armin wrote:
> >>> On Thursday 16 February 2006 20:40, Alexander Skwar wrote:
> >>>> Hemmann, Volker Armin wrote:
> >>>>> On Thursday 16 February 2006 17:18, Alexander Skwar wrote:
> >>>>>> Hemmann, Volker Armin wrote:
> >>>>>>> On Thursday 16 February 2006 15:45, Alexander Skwar wrote:
> >>>>
> >>>> Wrong again. If /tmp is the only place somebody can write, then
> >>>> it might save you (and it DID save my ass more than once now).
> >>>
> >>> since /tmp is not the only place where someone can write (/var/tmp anyone?)
> >
> > Several more indeed. Find comes to the rescue:
> >
> > 12087 0 drwxrwxrwt 2 root root 40 Jan 10 22:40 /dev/shm
> > 252744 0 drwxrwxrwt 2 root root 72 Apr 20 2005 /var/spool/samba
> >
> > Yes, I CAN make files there, as a regular user.
>
> Yep, but you have to find those places. If you cannot execute
> programs, that will be hard. With /tmp, an attacker knows
> that he can write there.
>
> Granted, /dev/shm is also a rather common place that allows
> everyone to write to.
>
> >>> yes really, you have to remount /usr every time you update something.
> >>
> >> Jaja. You know, your exaggerations become boring...
> >
> > Well, no. It is correct. How do you expect to install something when /usr is mounted RO ?
>
> Well, you know, his arguments aren't /totally/ wrong. I already
> said that they are true, in a sense - but I also said that he's
> exaggerating very much. Quite obviously, there's no way to write
> to /usr if it is mounted read only.
>
> What I disagree with is his notion that a "mount -o
> remount,rw /usr" is a lot of work.
>
> I also don't disagree that it IS extra work. I'm just saying
> that it's not MUCH extra work.
>
> Alexander Skwar
> --
> (German philosopher) Georg Wilhelm Hegel, on his deathbed, complained,
> "Only one man ever understood me."
> He fell silent for a while and then added,
> "And he didn't understand me."

Hi,

Please don't take this post as a signal for more battles. IMHO there are
many true facts from both of you. Just a few points, as I have some
(limited) experience with hardened systems.

1. For 2-3 years I've been using the portage tree in /var/portage, no
problems so far; all it takes is a symlink in /usr and a change in the
/etc/make.conf file. So I can mount all of /usr as 'noexec'.

2. For a really important system (from a security point of view) people
could use some of Gentoo's hardened projects (grsec, SELinux, RSBAC). I've
used grsec and RSBAC. Logically grsec is less powerful but easier to
manage, and RSBAC (as SELinux) is like a combat tank in a battle during
middle-age wars (concerning security settings).

So there are tools for quite everything, if you wish and know how to use
them. No system is perfect but some are almost ;)

HTH.
Rumen
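As an added example that is not part of the original thread: a small POSIX shell script that performs the two audits discussed above, listing world-writable directories with `find` (the way Maarten turned up /dev/shm and /var/spool/samba) and checking whether a given mount point carries the `noexec` option. The directory tree and the mounts file it is demonstrated against are constructed inside the script so it runs offline; the device names and mount points in that sample are placeholders, not from any real system. On a live machine you would call `list_world_writable /` and `mount_has_noexec /usr` (which then reads /proc/mounts).

```shell
#!/bin/sh
# Added example, not code from the original thread.

# List world-writable directories under the given root.
#   -xdev       stay on one filesystem (run once per mount)
#   -type d     directories only
#   -perm -0002 "others" have the write bit; sticky dirs (drwxrwxrwt)
#               such as /tmp, /var/tmp and /dev/shm are included.
list_world_writable() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | sort
}

# Return 0 if mount point $1 is mounted with noexec, 1 otherwise.
# $2 is an optional mounts file in /proc/mounts format
# (device mountpoint fstype options dump pass); defaults to /proc/mounts.
mount_has_noexec() {
    mounts_file=${2:-/proc/mounts}
    awk -v mp="$1" '
        $2 == mp && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$mounts_file"
}

# Build a constructed directory tree mimicking the layout from the thread,
# so the find-based check can be demonstrated without touching the real /.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp" "$root/var/tmp" "$root/dev/shm" "$root/usr/bin"
    chmod 755 "$root/var" "$root/dev" "$root/usr" "$root/usr/bin"
    chmod 1777 "$root/tmp" "$root/var/tmp" "$root/dev/shm"
    printf '%s\n' "$root"
}

# Write a constructed /proc/mounts-style file (placeholder devices).
make_sample_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/PLACEHOLDER1 /usr ext3 ro,noexec,nosuid 0 0
/dev/PLACEHOLDER2 /var ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
    printf '%s\n' "$f"
}

demo() {
    root=$(make_sample_tree)
    echo "World-writable directories under sample tree:"
    list_world_writable "$root" | sed "s|^$root||"
    rm -rf "$root"

    mounts=$(make_sample_mounts)
    for mp in /usr /var /dev/shm; do
        if mount_has_noexec "$mp" "$mounts"; then
            echo "$mp: noexec"
        else
            echo "$mp: exec allowed"
        fi
    done
    rm -f "$mounts"
}

# Run the demonstration only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

Sticky-bit directories show up in the listing because the check is about where an unprivileged user can create files, not about who can delete them; pairing that list with the `noexec` check is what turns "/tmp is world-writable" from a risk into a contained one.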