From: Florian Philipp
To: gentoo-user@lists.gentoo.org
Date: Sun, 28 Apr 2013 10:44:15 +0200
Subject: Re: [gentoo-user] Partitions - last questions...
Message-ID: <517CE15F.2020104@binarywings.net>

On 24.04.2013 18:12, Tanstaafl wrote:
> On 2013-04-24 11:31 AM, Florian Philipp wrote:
>> On 24.04.2013 17:12, Tanstaafl wrote:
>>> Ok, but - does it make sense to add the noexec option to /var/tmp? Is it
>>> possible that there are other apps that need exec capability in there?
>
>> It makes sense. Any world-writable directory should be noexec to make
>> script injection harder. Other directories, too, like /var/www (if you
>> can, i.e. no cgi). I cannot tell you if any application might need it.
>> Try it. It is easy enough to revert, maybe even with a `mount -o
>> remount`, I'm not sure.
>>
>> Also, look at
>> http://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec
>
> Hmmm, this only talks about /tmp... I'm talking about /var/tmp...
>
> So, I guess you're right, I'll just need to try it and see...
>

Just stumbled across this:
http://blog.siphos.be/2013/04/securely-handling-libffi/

Might be relevant, might be not.

Regards,
Florian Philipp
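
Added example (not part of the original message or thread): a small audit that reports which directories are not covered by a noexec mount, resolving each directory to the mount that actually governs it, which matters for /var/tmp when it is not its own mount point. The function names and the sample mount table are constructed for illustration; the table uses the /proc/mounts format.

```shell
#!/bin/sh
# Added example; function names and the sample mount table are constructed.

# Print "MOUNTPOINT OPTIONS" for the mount that governs DIR, using a table
# in /proc/mounts format. The longest matching mount point wins; on a tie
# the later line wins, because it is mounted over the earlier one.
covering_mount() {  # usage: covering_mount MOUNTS_FILE DIR
    awk -v dir="$2" '
        $2 == dir || $2 == "/" || index(dir, $2 "/") == 1 {
            if (length($2) >= best_len) { best_len = length($2); best = $2 " " $4 }
        }
        END { if (best != "") print best }
    ' "$1"
}

# Succeed only if the mount governing DIR carries the noexec option.
is_noexec() {  # usage: is_noexec MOUNTS_FILE DIR
    opts=$(covering_mount "$1" "$2" | cut -d' ' -f2)
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the directories (space separated) that are NOT covered by noexec.
audit_noexec() {  # usage: audit_noexec MOUNTS_FILE DIR...
    mounts=$1; shift
    missing=""
    for d in "$@"; do
        is_noexec "$mounts" "$d" || missing="$missing $d"
    done
    echo "${missing# }"
}

# Constructed sample: /tmp and /dev/shm are hardened, /var/tmp is just a
# directory on the /var filesystem and inherits its (exec) options.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

table=$(mktemp) && sample_mounts > "$table"
audit_noexec "$table" /tmp /var/tmp /dev/shm   # on a live system pass /proc/mounts
rm -f "$table"
```

A directory reported here shares the options of its covering filesystem, so noexec would have to be set on that mount or the directory given a mount of its own.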