Hi,

On 11/4/06, Joe Knall <joe.knall@×××.net> wrote:
> On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > can/does mounting a partition with noexec, ro etc. provide
> > > additional security or are those limitations easy to circumvent?
> > >
> > > Example: webserver running chrooted
> > > all libs and executables (apache, lib, usr ...) on read only
> > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > partition /srv/www/data mounted with noexec (but rw of course), no
> > > cgi needed.
> > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > start".
> >
> > Besides this, you must also add nodev to prevent those kinds of
> > circumventions
> >
> > Paul
>
> correct, it's actually like this
> /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
I cannot have any kind of an interpreted language supported in those
environments, or a simple perl/php/lisp "data" file can circumvent those attacks!

> but I need a /dev, currently data/dev with null and urandom there,
> writeable and not nodev (could as well be a separate partition).
> Do you think this turns all the rest in vain?
>
> Joe
> --
> gentoo-security@g.o mailing list
>
>

--
Miguel Sousa Filipe
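An audit of the mount layout discussed in this thread, added here as an example and not code from the thread or from Gentoo; it assumes POSIX sh, and the mount table and device names are constructed to mirror Joe's listing plus the writable data/dev he asks about.

```shell
# Added example: check a /proc/mounts-style table against the chroot layout in
# the thread (read-only root, writable noexec data, writable /dev inside it).
# SAMPLE_MOUNTS is constructed; the /dev/sdaN names are placeholders.
SAMPLE_MOUNTS='/dev/sda5 /srv/www ext3 ro,nosuid,nodev,acl,user_xattr 0 0
/dev/sda6 /srv/www/data ext3 rw,noexec,nosuid,acl,user_xattr 0 0
/dev/sda7 /srv/www/data/dev ext3 rw,nosuid,acl,user_xattr 0 0'
# mount_opts TABLE MOUNTPOINT -> the comma-separated options of that mount
mount_opts() {
    printf '%s\n' "$1" | while read -r _dev _mp _fs _opts _rest; do
        if [ "$_mp" = "$2" ]; then
            printf '%s\n' "$_opts"
        fi
    done
}
# has_opt TABLE MOUNTPOINT OPTION -> succeeds when the mount carries OPTION
has_opt() {
    case ",$(mount_opts "$1" "$2")," in
        *",$3,"*) return 0 ;;
    esac
    return 1
}
# audit_mount TABLE MOUNTPOINT OPTION... -> one line per required option absent
audit_mount() {
    _table=$1; _point=$2; shift 2
    if [ -z "$(mount_opts "$_table" "$_point")" ]; then
        echo "$_point: not a separate mount, options cannot be enforced"
        return 0
    fi
    for _want in "$@"; do
        if ! has_opt "$_table" "$_point" "$_want"; then
            echo "$_point: missing $_want"
        fi
    done
}
# audit_chroot TABLE -> findings for the thread's layout; silent when clean
audit_chroot() {
    audit_mount "$1" /srv/www ro nosuid nodev          # code and libs stay read-only
    audit_mount "$1" /srv/www/data noexec nosuid nodev # Paul's point: data needs nodev too
    # Assumption: the writable /dev cannot be nodev (it must hold null and
    # urandom), so require that nothing on it is executable or setuid.
    audit_mount "$1" /srv/www/data/dev noexec nosuid
}
# finding_count TABLE -> number of findings, for use in scripts
finding_count() {
    audit_chroot "$1" | wc -l | tr -d ' '
}
audit_chroot "$SAMPLE_MOUNTS"
```

On the constructed table it reports two findings: the data partition as listed lacks nodev, and the writable /dev lacks noexec.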